Network security: mission impossible? - security obstacles and solutions - includes related article on biometrics - Technology Information

Software Magazine, Jan, 1997 by Deborah Radcliff

A phoned-in bomb scare prompts the evacuation of an industrial management systems manufacturer headquartered in California's Silicon Valley. Outside the building, a man clips on a badge that reads "Security Management" and strolls in against the stream of fleeing employees, past police and fire officials.

Everywhere, doors stand ajar. The man ascends a staircase and breezes into the central computer room, where terminals sit aglow with open programs. He sits down at a control console and helps himself to all the password and control files his floppy can store.

Sound far-fetched? Not to network security investigator Randy Terpstra, who waited with police at the bottom of the stairs to catch the perpetrator when he tried to exit the building with his booty.

Incidents like these are not isolated; in corporations everywhere, company secrets -- both big and small -- are walking out the door. Revenue reports, product development information and customer data regularly fall prey to unscrupulous competitors or disgruntled employees. With a 323% rise over the last year, intellectual property theft is now costing corporate America an estimated $24 billion annually, according to a March report from the American Society for Industrial Security (ASIS). "The 1990s are the age of industrial espionage," says Terpstra, who left law enforcement and private detective work 11 years ago to co-found the Security Operations Group at Network Systems Corp., Louisville, Colo., a division of StorageTek Corp.

Many believe the proliferation of the Internet has spawned this rash of attacks. Not true -- some 74% of these security breaches come from the inside, usually perpetrated by employees and competitors, according to ASIS. The corporate network is still an easy target, especially since only 54% of businesses have any type of security policy, according to a 1996 survey published by Datapro Information Services Group, Delran, N.J. This is particularly troubling given that respondents to the survey work in industry segments -- government, financials and health care -- where security is of utmost importance. "Most firms are in what psychologists call 'deep denial,'" says William Malik, vice president and research director at Gartner Group, Stamford, Conn.

Given the critical nature of corporate information and the costs should it be compromised, why are so many organizations lacking top-notch security? For one thing, there's no complete, multiplatform solution capable of handling every variable on any given network. Add to that cost constraints. Budget allocations typically go to the visible parts of the network -- hardware and software -- with little or nothing left over for implementing security. A scaled-down, single-server solution may start as low as $5,000, but some solutions run up to $100,000. Combine that with point protection, such as encryption and authentication, and the figure easily climbs into the millions.

Third, there's the issue of who should be responsible for network security. Experts agree it should not be a system administrator, network manager or the like. "There should be a disinterested, central security figure within a company who handles the implementation of system-wide security," says Shirley Perini, director of security and loss prevention for L.A. Cellular in Cerritos, Calif. "IS people and engineers will have competing viewpoints. You need a person who doesn't have allegiance to either. These people are extremely difficult to find. Right now, I'm trying to hire a security administrator, but can't find one to meet my qualifications."

Vendors are toiling to catch up with the security demands of corporate intranets, LANs and WANs. But the market for such products is still immature. "Right now, 400 vendors are chasing $1 billion in revenue," Gartner's Malik notes. However, he adds, "We're going to see a real shakeout -- from 400 to 40 to 14 in about four years." Most vendors are developing point solutions, such as encryption, authentication and password-generating programs. Meanwhile, vendors such as Microsoft are working to wrap solutions in their server and operating system products.

Some analysts question the effectiveness of this approach. "Security has not been built into NT or anywhere else in any real way," says Richard Power, a senior analyst at the San Francisco-based Computer Security Institute (CSI). "We had a teleconference with hackers not too long ago, and they are already laughing about the vulnerabilities of NT."

Still, effective network security takes more than software. Organizations must begin by identifying their security needs and establishing a policy. "First, assess your existing general security policies and procedures -- not just the Internet and intranet, but sexual harassment, DOD contractor policies, export control, protection of intellectual property, and so on," says Peter Adler, an attorney with Oppenheimer Wolff & Donnelly, a Minneapolis-based law firm that specializes in electronic and intellectual property law. Oppenheimer has allied itself with The Guidry Group, a Houston-based physical security firm that specializes in high-tech crimes; Terpstra's Security Operations Group; and the WheelGroup Corp., a technology security firm in San Antonio, Texas, to evaluate security policies and deliver software and policy solutions.


 


Content provided in partnership with Thompson Gale