third wave

by robert d. mcrae

 Protecting Corporate Assets

It's 3 a.m. and someone is rifling through your company files, but neither your state-of-the-art alarm system nor the police will detect this thief. Your company has been invaded by a computer hacker.

The hacker's tools of entry are not the traditional screwdriver and pry bar, but a computer, modem, and telephone line. These techno-felons tend to be young and they view access restrictions as challenges to be conquered. Somehow, they have all the free time they need to continue to prod and poke at your system until they get in.

Hackers can cause tremendous damage to unprotected and under-protected systems. If your company is connected to the Internet, how do you stop computer hackers from penetrating your corporate database? Your best defense is to disconnect your system from the outside world. That's not much of a solution, however, since many businesses rely on electronic communication among their systems and others. So, the only feasible alternative is to install adequate security measures to protect the data.

How do hackers break into your computer? One of the most prevalent ways is called Internet Protocol (IP) spoofing. The information transmitted between systems contains the address of the transmitting computer. Spoofing is the duplication of that address by a third party who uses it to gain access to a system. Once in, the intruder can bring various other tools to bear against your computer and the data stored in it.

As methods of protecting data have improved, so have hackers improved their skills. An organization with a connection to the Internet may also provide electronic mail (e-mail) for its employees and customers. Since e-mail systems require the flow of data in both directions from the corporate server, hackers have begun to use the socket (like a door into the computer system) to gain access. They then use software to defeat the e-mail system and gain access to other areas of the system.

What You Can Do

Firewalls offer an excellent way of restricting access to corporate data. Essentially, a firewall provides an electronic firebreak between the outside and your corporate data. Your Web server exists on the unprotected side of the firewall, your corporate information server on the protected side. The firewall allows only authorized access to information behind it.

The most secure of these are application-level firewalls, which are hosts running proxy servers. They permit no traffic to pass directly between networks, and they log and audit the traffic passing through them.

Ever-adaptable hackers can find, and have found, other ways to attack systems. To fight back, make sure that passwords are required for access to all non-public areas of your system. All users should select passwords that can't easily be broken. Using birthdays or social security numbers, a spouse's name, or a street address won't do. Choosing such an obvious password is like putting out an open invitation to an intruder.
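The password advice above can be enforced when a password is set. The following is an added example, not part of the original column: it rejects candidate passwords built from the four kinds of personal data the column names. The profile fields, sample values and function names are constructed for illustration.

```python
import re
from datetime import date

# Undo common character substitutions before comparing ("M@r!anne" -> "marianne").
LEET = str.maketrans("0134572@$!", "oleastzasi")

# Constructed sample record; a real check would read these from the HR or account system.
PROFILE = {
    "birthday": date(1961, 7, 4),
    "ssn": "000-12-3456",  # constructed value, not a real number
    "spouse_name": "Marianne Example",
    "street_address": "42 Placeholder Lane",
}

def _alnum(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def personal_tokens(profile):
    """Strings an intruder could derive from the user's personal data."""
    tokens = set()
    for fmt in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y",
                "%y%m%d", "%m%d", "%d%m", "%Y"):
        tokens.add(profile["birthday"].strftime(fmt))
    ssn = _alnum(profile["ssn"])
    tokens.update({ssn, ssn[-4:]})  # full number and the commonly used last four
    for field in ("spouse_name", "street_address"):
        tokens.update(re.findall(r"[a-z0-9]+", profile[field].lower()))
        tokens.add(_alnum(profile[field]))
    # Very short fragments ("42") would flag almost any password, so skip them.
    return {t for t in tokens if len(t) >= 4}

def weak_reasons(password, profile):
    """Return the personal tokens found in the password (empty list = none found)."""
    raw = _alnum(password)                            # keeps digits for dates and SSN
    decoded = _alnum(password.lower().translate(LEET))  # catches substituted names
    return sorted(t for t in personal_tokens(profile)
                  if t in raw or t in decoded)

if __name__ == "__main__":
    for candidate in ("Marianne1998", "M@r!anne#7", "xx070461xx",
                      "correct-horse-battery-staple"):
        hits = weak_reasons(candidate, PROFILE)
        print(f"{candidate!r}: {'REJECT ' + str(hits) if hits else 'no personal data found'}")
```

An empty result only means no personal data was found; length and dictionary checks still have to be applied separately.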

Have a computer security specialist review your system to determine its weak points and offer suggestions for improving the system.

While firewalls and passwords provide a measure of security and comfort, your information systems personnel must remain vigilant. Remember, when someone closes a door, a window is opened. And all the hacker needs is a slight crack in the window to gain access.

Robert D. McRae is senior vice president and information services director for Associated Industries of Florida.


Jan/Feb 1998 -- Florida Business Insight, PO Box 784, Tallahassee, Fla. 32302,
(850)224-7173, insight@aif.com

 

