Rolling the Internet Out To The Desktop – The Security Perspective
2. Introduction
In the last few years, the Internet has become an invaluable tool,
and an Internet connection is becoming as vital to the well-being
of an organisation as a telephone or fax line. There are a
plethora of uses for the Internet, including:
- Order taking and processing
- Marketing and promoting goods and services
- Communicating via electronic mail (e-mail)
- Providing timely information to existing customers
- Research on any topic
- Finding prospective customers, suppliers, competitors and trading
partners
- Making important documents (e.g. the Northern Ireland Agreement)
globally available
- Delivering public information, such as legal judgments
However, connecting an organisation to the Internet brings with it many
security issues. While some of these can be addressed by using
technology (including firewalls, content checking, software etc.),
technical solutions alone are far from all-encompassing. Many of
the issues concerned cannot be solved by a technical solution
and are actually more to do with human resources and company
policy.
There are a number of threats to the well-being of the organisation which
need to be considered. These arise both from inside and outside
the organisation and these are treated in more detail below, but
perhaps the most important way to view these threats is to ask
whether the problem is truly Internet-related. For example, if an
employee was to download pornography from the Internet, how does
this differ from having the same material sent to them by
traditional mail, and are there appropriate procedures in place to
deal with this?
This briefing paper examines the threats to an organisation posed by
connecting to the Internet, and discusses the countermeasures,
both technical and non-technical, which can be employed to reduce
those threats.
3. Connecting to the Internet
There are a number of different ways for an organisation to connect to
the Internet. Many smaller companies use a dial-up link, using
either PSTN (Public Switched Telephone Network) or ISDN
(Integrated Services Digital Network), to an ISP (Internet Service
Provider) and will rely on their ISP to provide security, backups,
resilience and sufficient bandwidth.
However, as a company’s use of the Internet grows, it becomes more
advantageous and cheaper to have a leased line. This also puts
control of the company’s Web site, Mail server and other similar
facilities into its own hands. However, a leased line can also
allow undesirable people to attempt to access the network. In this
case, the use of a firewall is strongly advised.
3.1 Firewalls
A firewall, such as Smoothwall,
consists of software running on a dedicated machine that you place
between your internal network and the Internet. On the firewall
you can define which network traffic is permitted and which is
disallowed. For example, you may allow incoming E-mail from
anywhere in the world, but only allow people on your network to
access certain World Wide Web sites. Increasingly, firewalls are
also being used to segregate internal networks (Intranets).
The firewall effectively acts as a gatekeeper, examining each network
packet and deciding whether it should be passed on or rejected.
This can be done on the basis of the address the packet is coming
from or going to, the application involved, the time of day and
day of week, or a combination of all of these.
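The gatekeeper decision described above can be sketched as a first-match rule table with a default of rejection. This is an added example, not configuration from Smoothwall or any other product; the addresses, rule names and working hours are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (documentation and private ranges), not real hosts.
ANYWHERE = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")           # the organisation's own network
MAIL_SERVER = ip_network("192.0.2.25/32")     # the organisation's mail server
APPROVED_WEB = ip_network("198.51.100.0/24")  # "certain World Wide Web sites"
WEEKDAYS = frozenset(range(5))                # Monday=0 .. Friday=4


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    src: object = ANYWHERE                    # address the packet is coming from
    dst: object = ANYWHERE                    # address the packet is going to
    dst_port: Optional[int] = None            # application; None matches any
    days: frozenset = frozenset(range(7))     # day of week
    start: time = time(0, 0)                  # time of day window
    end: time = time(23, 59, 59)

    def matches(self, src, dst, dst_port, when):
        # Every condition must hold: a combination of all the criteria.
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and self.dst_port in (None, dst_port)
                and when.weekday() in self.days
                and self.start <= when.time() <= self.end)


# Incoming E-mail from anywhere; web access only from the internal network,
# only to approved sites, and only during (assumed) working hours.
RULES = [
    Rule("inbound-mail", "allow", dst=MAIL_SERVER, dst_port=25),
    Rule("staff-web", "allow", src=INTERNAL, dst=APPROVED_WEB, dst_port=80,
         days=WEEKDAYS, start=time(8, 0), end=time(18, 0)),
]


def decide(src, dst, dst_port, when, rules=RULES):
    """Return (action, rule name) for one packet; the first match wins."""
    for rule in rules:
        if rule.matches(src, dst, dst_port, when):
            return rule.action, rule.name
    return "deny", "default"                  # nothing matched: reject


if __name__ == "__main__":
    monday = datetime(2024, 3, 4, 10, 30)
    sunday = datetime(2024, 3, 3, 10, 30)
    print(decide("203.0.113.7", "192.0.2.25", 25, sunday))
    print(decide("10.1.2.3", "198.51.100.10", 80, monday))
    print(decide("10.1.2.3", "198.51.100.10", 80, sunday))
```

The final `deny` is what makes the table safe to extend: traffic nobody thought to write a rule for is rejected rather than passed.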
4. E-mail
While E-mail is by far the most commonly used application on the
Internet, message content security is an issue that has only
recently been addressed. Although most organisations have rules
about what material is appropriate to be sent on company headed
notepaper, or which members of staff can deal with the media, it
is rare to find equivalent rules applied to electronic forms of
communication. Yet the power of E-mail means that it is very easy
for people within an organisation to send information to a wide
variety of recipients anywhere in the world, under the company’s
name, without any controls being placed on them.
A further complication is that E-mail over the Internet uses a
‘store and forward’ mechanism (i.e. an E-mail message is
stored on each server in the route from sender to recipient until
a connection to the next server is available) and may take any
number of paths, depending on network and server loading,
availability of connections and servers and routing tables.
This means that an E-mail message resides on a number of servers at
different times whilst in transit, and can be read by anyone who
has access to those servers. A useful rule of thumb is not to send
anything by E-mail over the Internet that you would not write on
the back of a postcard.
Various encryption products are available to protect the confidentiality
of E-mail while in transit. However, those using the DES (Data
Encryption Standard) algorithm may not be easily exported outside
the USA, except to government agencies and financial institutions.
No encryption products are legal for use in certain countries
(such as France).
In a recent court case reported in the national press, Norwich Union
had to pay Western Provident Association £450,000 plus legal
costs due to defamatory comments which had been distributed by
Internet E-mail. In other cases which eventually went to court for
other organisations, a line manager who had been using E-mail to
bully a member of staff was convicted on the basis of E-mail
evidence, and a member of staff who had been ordering drugs and
sending sexually explicit messages by E-mail was dismissed on the
basis of these messages.
4.1 Outgoing E-mail
- Contain confidential information that should not be released
- Commit your organisation to a deal it does not want
- Show the organisation in a bad light (perhaps someone expressing
contentious views on a mailing list or newsgroup)
- Contain illegal or tasteless material
In the worst case, abuse by members of staff could mean that your
computer systems are acting as a server for a mailing list and are
re-distributing tasteless or illegal material world wide with your
company’s name in the header of every message.
Some people regard E-mail as a transitory medium, like a telephone
call. However, legally it is a form of publication, and the laws
of libel can apply to E-mail. It is important therefore to ensure
that the same rules of acceptability that apply to any written
communication, internally or externally (e.g. memos, letters,
faxes) are also applied to E-mail and that this is communicated to
users throughout the organisation.
All E-mail which is sent outside the organisation (and some of that
which is internal) should be archived and retained for the same
period of time as equivalent paper communications, in case of
dispute.
4.2 Incoming E-mail
Incoming mail may bring its own problems. Computer viruses are a major
headache for any organisation, and prior to the widespread
adoption of inter-organisation E-mail, the only point of access on
a personal computer that needed to be protected against viruses
was the floppy disk drive.
Now E-mail messages can also bring viruses into the organisation, and
many of the latest macro-based viruses cannot always be detected
by traditional virus checkers. These viruses utilise the features
of the little-known programming language built-in to some word
processors and spreadsheets, and can perform malicious actions
such as formatting a hard disk as soon as the user opens the
infected document.
Incoming E-mail can also bring with it problems of legality (for example,
what happens if someone in your organisation receives information
which is illegal to possess and which is then stored on your
company’s hard disks or file servers?) and availability (where
your hard disks could be filled up with junk mail as part of a
‘mail bomb’ or ‘spam’ attack).
Software (an example is MAILsweeper) is now available that can scan all
E-mail both incoming and outgoing, and make decisions based on the
content of the message. It could disallow, for example:
- Outgoing E-mail containing words that were on a list that the company
deemed unacceptable
- E-mail from anyone in your accounts department to any of your
competitors’ sites
- Outgoing E-mail containing the words ‘Curriculum Vitae’
- Incoming mail containing viruses, even if the message contents are
compressed or encoded
- Incoming E-mail containing phrases (such as ‘make money fast’)
which often appear in junk E-mail.
Content scanning needs to be applied with caution: one American ISP refuses
to allow any connections from Scunthorpe, and banning any with the
word ‘sex’ would preclude access to Essex County Council or
support groups for victims of sexual abuse. Some level of
intervention by a human being is still required to examine those
messages which have been stopped and to determine the reason why.
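The false-positive problem and the need for a human review queue can be seen in a small content-scanning sketch. This is an added example, not how MAILsweeper or any other product works; the word lists, addresses and messages are constructed, and flagged mail is quarantined with its reasons recorded rather than silently dropped.

```python
import re
from dataclasses import dataclass

# Constructed policy, taken from the examples in the text above.
BLOCKED_WORDS = ["sex"]
OUTGOING_PHRASES = ["curriculum vitae"]
INCOMING_PHRASES = ["make money fast"]
ACCOUNTS_STAFF = {"ledger@example.org"}        # hypothetical accounts mailbox
COMPETITOR_DOMAINS = {"competitor.example"}    # hypothetical competitor site


@dataclass
class Message:
    direction: str      # "in" or "out"
    sender: str
    recipient: str
    body: str


def substring_hits(text, terms):
    """Naive matching: flags a term found anywhere, even inside another word."""
    low = text.lower()
    return [t for t in terms if t in low]


def word_hits(text, terms):
    """Whole-word matching; phrases may be split across spaces or line breaks."""
    hits = []
    for term in terms:
        pattern = r"\b" + r"\s+".join(map(re.escape, term.split())) + r"\b"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(term)
    return hits


def scan(msg, matcher=word_hits):
    """Return ("deliver" | "quarantine", reasons) for one message."""
    reasons = [f"blocked word: {w}" for w in matcher(msg.body, BLOCKED_WORDS)]
    phrases = OUTGOING_PHRASES if msg.direction == "out" else INCOMING_PHRASES
    reasons += [f"phrase: {p}" for p in matcher(msg.body, phrases)]
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if (msg.direction == "out" and msg.sender.lower() in ACCOUNTS_STAFF
            and domain in COMPETITOR_DOMAINS):
        reasons.append("accounts department to competitor")
    # Quarantine keeps the message and the reasons for a human reviewer.
    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages.
ESSEX = Message("in", "clerk@essex.example", "staff@example.org",
                "Essex County Council meeting agenda attached.")
SUPPORT = Message("in", "help@charity.example", "staff@example.org",
                  "Support group for victims of sexual abuse meets Tuesday.")
CV = Message("out", "staff@example.org", "jobs@agency.example",
             "Please find my Curriculum\nVitae attached.")
JUNK = Message("in", "x@bulk.example", "staff@example.org", "MAKE MONEY FAST!!!")
LEAK = Message("out", "ledger@example.org", "buyer@competitor.example",
               "Draft figures for the quarter.")
POLICY = Message("in", "hr@example.org", "staff@example.org",
                 "Sex discrimination policy update.")

if __name__ == "__main__":
    for m in (ESSEX, SUPPORT, CV, JUNK, LEAK, POLICY):
        print(scan(m, substring_hits)[0], scan(m)[0], m.body[:40])
```

Whole-word matching clears the Essex and support-group messages that substring matching stops, but the legitimate policy notice is still quarantined, which is why a reviewer has to look at what was held.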
Software can also be used to place a copyright notice, or standard terms
and conditions of business, at the end of each E-mail. There needs
to be no possibility of repudiation of either sending or receipt
of the message, or of alteration to the message contents.
Digital signatures are a mechanism which is used to prove that a message
was sent at the stated date and time, and that it was received by
the intended recipient. A unique ‘signature’ which is based on
the originator and content of the message, as well as the time and
date sent, is generated, using the secret algorithm. This
signature is then appended to the message. A reply is then sent
from the recipient to the originator, also containing a digital
signature.
Any alteration to the message causes the signature to be invalid, and
the use of the sender, time and date when generating the signature
means that these can be established beyond doubt. Various software
solutions are available to implement digital signatures.
4.4 Privacy
The right of a company to read the content of its employees’ E-mail
can be a hotly contested issue. On the one hand, some companies
assert that any data held on company-owned computer systems belong
to the company and it has full rights to access and read it.
Others claim that employee E-mail is private to the individual and
that a company attempting to read it is an invasion of civil
liberties. Perhaps the easiest way to resolve this issue is to
have a clearly defined and publicised policy which is incorporated
in the Terms and Conditions of Employment of the company.
5. The World Wide Web
Although actually only a small part of the Internet, many people tend to
equate the Internet with the World Wide Web. This is a tremendous
source of useful information on almost any topic, and increasingly
allows a more diverse range of activities, ranging from
calculating mortgage repayments and car insurance rates to
ordering groceries and viewing sports results.
5.1 Browsers
Some of the more popular browsers used to access the World Wide Web
have known security holes in them. The browser manufacturers
usually respond very quickly once a security hole is discovered,
so it is desirable to always use the latest version of the
browsers. These are usually available for download from the
browser vendor’s Web sites.
5.2 Cookies
When a user visits a Web page, they are sometimes asked to provide
information about themselves. This could be their name, address,
items on a shopping list or particular preferences depending on
the nature of the Web page (for example, a visitor to a Web site
selling cars may only be interested in one particular marque).
These details are then stored in a file (called a ‘cookie’) on
the user’s local hard disk, so that next time they visit the Web
site it can be customised for their preferences.
There is a security issue involved, however, as there is nothing to stop
any Web site that is accessed from reading all the cookies on the
user’s machine and therefore finding out information about the
user. This could contain sensitive information such as credit card
details or passwords.
Most Web browsers can be configured so that they either do not accept
cookies or give a warning every time they are offered one.
However, refusing to accept a Web site’s cookie may mean that
some or all of the functionality of that site will be lost. If it
is essential that such a site be accessed, one possibility is to
set up a stand-alone computer which contains no sensitive data and
use it to access these Web sites.
5.3 Undesirable Sites
Whilst the vast majority of the information available on the Web is
useful, there is also a small amount of undesirable material, including
pornography and terrorist sites. Equally, many employers will not
want their staff to access leisure sites during working hours.
Recent court rulings indicate that the presence and display of
offensive material of a sexual nature may be used as evidence of
sexual harassment and could land the company involved in court.
The criterion most often used for trying to decide what is acceptable
is legality. This is very difficult to determine: while some
things are clearly illegal (child pornography) and others clearly
legal (sports results), there is a huge grey area of material that
may be regarded as tasteless by some, but whose legality is
undetermined. Furthermore, the legality of material differs in
different jurisdictions. What is the position for an image that is
legal in the country in which the server is sited, but
illegal in the country where it is being displayed? In general,
when deciding which material to allow staff to access, it is
better to be safe than sorry and to restrict them to generally
acceptable material.
To help with this, software solutions such as Netpartners’ WebSENSE
allow the sites which can be accessed to be controlled. For example,
WebSENSE contains a list of over 100,000 URLs which is divided into 27
categories and which is updated daily. These URLs have all been
examined by human beings, avoiding the potential keyword scanning
problems noted above. A high granularity of control is available,
with access controllable by user, category of site and time of
day. Thus it would be possible to block access to the
‘vehicle’ category to everyone except the company’s fleet
manager, and to allow everybody to have access to the ‘sport’
category, but only at lunchtime. A special version for educational
establishments is also available which allows teachers to tightly
control the material which students can access.
5.4 Certificates
Certificates are a mechanism used to determine whether a Web site which is
being accessed is regarded as ‘trusted’ or not. Such a site
will have information and/or software on it which has been
verified.
A Web site certificate is used when a secure Web site sends your
browser a certificate that provides certain information about
security for that Web site. A certificate is issued to a
particular organisation for a specific period of time. If you try
to open that organisation’s Web site, the browser verifies the
Internet address stored in the certificate and that the current
date precedes the expiration date. If not, the browser can display
a warning. For example, a Web site certificate would contain
information verifying that the site is secure and genuine. This
ensures that no other Web site can assume the identity of the original
secure site.
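The two checks named above, the address stored in the certificate and its validity period, can be sketched as follows. This is an added example, not any browser's own code: the certificate is a constructed dictionary in the layout returned by Python's ssl.SSLSocket.getpeercert(), the host names are invented, and the issuer's signature (which a real client must also verify) is outside what this sketch covers.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificate fields; names and dates are illustrative only.
CERT = {
    "subject": ((("commonName", "www.shop.example"),),),
    "subjectAltName": (("DNS", "www.shop.example"),
                       ("DNS", "*.pay.shop.example")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}


def _dns_names(cert):
    """Names the certificate was issued for (commonName only as a fallback)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names


def _name_matches(pattern, host):
    """Compare label by label; '*' may stand for the left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def certificate_warnings(cert, host, now):
    """Return the warnings a client would raise for this host at time `now`."""
    warnings = []
    if not any(_name_matches(n, host) for n in _dns_names(cert)):
        warnings.append("name mismatch")
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("expired")
    return warnings


if __name__ == "__main__":
    mid_2024 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(certificate_warnings(CERT, "www.shop.example", mid_2024))
    print(certificate_warnings(CERT, "www.sh0p.example", mid_2024))
```

The look-alike name fails the check even though it differs from the genuine one by a single character, which is the property that stops another site assuming the original's identity.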
5.5 Time Wasting
One of the main reasons quoted for not connecting to the Internet is
time wasting. However, like other forms of time wasting, whether
spending too much time on social phone calls or spending all day at
the coffee machine (or someone else’s desk), this is a line
management issue. It should be dealt with as such, especially if
the employee’s productivity is suffering.
An IT department can help by producing management reports detailing
which sites the person has been accessing and for how long. Such
information can be obtained from software such as Smoothwall.
5.6 Embarrassment
More than one organisation (including a major UK political party) has
found that having an insecure Web site has led to mischievous
attempts to alter the information on the site. Not only has this
caused embarrassment, but it could involve links being placed on
the Web site which lead people to your competitors.
By their very nature, Web sites are accessible by anyone, and
therefore need to be especially secure. Ideally they should be
protected by a firewall, on a protected network segment which is
sometimes termed a De-Militarised Zone (DMZ).
5.7 Copyright and IPR
The ease of copying and disseminating information on the Internet has
caused problems for copyright and Intellectual Property Rights
holders. Pirated software (called ‘warez’) and song lyrics
were among the first items to be widely distributed, but with
advances in technology, whole audio and video clips are now
available, and complete CDs and films will become more prevalent.
This is a major problem both for those who create this material
and for those on whose systems it may be stored.
Copyright and Intellectual Property Rights may be the most important factors
in forcing regulation of the Internet, due to the huge potential
losses that could be involved. Already one very well known band
has taken legal action against the owners of Web sites that have
published their song lyrics or audio files, and this is a trend
which is likely to increase.
As the Internet undergoes the transition from a niche medium to mass
market, some form of regulation is very likely, even though this
goes against the academic culture which originated the Internet
and which was one of sharing information freely. However, the
commercial imperative of preventing copyright information being
distributed indiscriminately is likely to win out in the end.
6. Software of Unknown Integrity
One of the major risks inherent in connecting an enterprise to the
Internet is that of downloading software which could cause damage,
either by deleting files, corrupting data, causing system crashes
or hogging resources.
6.1 Viruses
Virus scanners can only detect viruses if they are configured and
utilised correctly. They require frequent updates, usually
monthly, and not all users will have the time, inclination or
expertise to continually update them. Some networks run software
which automatically downloads such software to attached PCs, and
this is the ideal solution, although even then laptops which do
not connect to the network will still be vulnerable.
Software of unknown integrity, while possibly virus-free, can nevertheless
cause problems with installed software, and there will rarely be
any comeback on the supplier for any problems caused.
Users need to be educated about ‘safe computing’ and told not to
download software over the Internet. If it is necessary to obtain
such software (for example, a demo version of a product), it
should be downloaded by the IT department and tested in a suitable
test environment before being deployed in a live environment.
An organisation’s procedures for preventing employees from
importing undesirable material should cover all possible routes
into the organisation (e.g. download from Internet, disks from the
front cover of magazines, E-mail) and emphasis should be placed on
the material itself rather than the method by which it was
acquired.
6.2 Public Domain Software
Public domain software or ‘freeware’ is software which the author has
given away freely, and for which no licence fee needs to be paid.
Such software invariably comes without any warranty or support,
and if imported into an organisation could cause problems due to
incompatibility with existing software, bugs in the program,
proprietary data formats and lack of upgrade options.
Many of these comments also apply to ‘shareware’ – software which
can be used for a limited evaluation period, after which it must
either be removed from the system or properly licensed. Some such
software will cease to function at the end of the evaluation
period, or could have other undesirable effects, such as deleting
data. In addition, continued use of such software after the
evaluation period has expired could lead to the organisation being
prosecuted.
6.3 Java and ActiveX
As Web sites become more complex, companies are converging the
technologies of Web pages and back-end databases, allowing, for
example, mortgage calculators and shopping trolleys to be
implemented. Trivially seen behind moving graphics, Java and
ActiveX are the technologies that are used to implement these
features.
These technologies are both powerful and useful. They do, however, bring
with them their own PC and run locally. In the worst case, these
programs could perform malicious actions such as hogging all the
machine’s resources or deleting files. While most browsers can
be configured not to run these applets, this relies on the user
being willing not to have this capability. Some firewalls can also
be used to block these applets, but this will also stop users from
accessing any of the useful functionality that these technologies
allow.
Digitivity’s Java CAGE
is a software solution which allows Java applets to run safely in
‘quarantine’ on a separate dedicated machine, removing the
possibility of damage to machines attached to the local network.
7. Monitoring of Internet Usage
Adequate monitoring is essential to gain management information about what
use is being made of the organisation’s Internet access. As well as
security considerations, this can also be a useful tool for
understanding the use being made of the network, and for
preserving network bandwidth. This can be done in conjunction with
software that controls the use of bandwidth by particular
applications or users, such as Smoothwall.
Very often, once users know that they are being monitored, this is
sufficient to prevent them from accessing dubious sites, in the
same way that companies which employ telephone call monitoring
systems often see a drop in the number of calls made.
7.1 Authentication
One vital prerequisite for accurate monitoring is strong user
authentication. Users must identify themselves to the system and
this then allows them to access the Internet resources which they
require, while simultaneously logging this information.
Most authentication schemes are based on (a) something the user has and
(b) something the user knows. Examples of authentication schemes
include:
- Username/password
- One-time tokens (e.g. Security Dynamics’ SecurID, a credit card sized
token which displays a new number every 60 seconds and which is
synchronised with a similar list on the computer system)
- Biometrics (e.g. fingerprint, retina scanning)
7.2 System Time
Although it may appear a trivial issue in some contexts, maintaining
correct system time can be vital on some systems. When a number of
systems communicate, the time stamp when a file was last modified
can determine whether or not a particular action is taken. If the
clocks on the two systems are not synchronised, it is possible
that an order processing run, for example, might be delayed by a
day.
Another issue arises if an unauthorised user is to be prosecuted and the
logs showing their activities used as forensic evidence in court.
Accurate time stamps would be vital to the accuracy of this
evidence.
Various technical methods can be used to ensure that the system time is
kept accurate, including atomic clocks, radio receivers which are
tuned to transmitters like Rugby, or NTP (Network Time Protocol)
servers.
8. Roles and Responsibilities
Whilst everybody in the organisation has a role to play in maintaining
security, some people have particular responsibilities. These
should be documented in their Contract of Employment.
8.1 Contract of Employment
This should be the main instrument for informing employees what the
organisation deems acceptable usage of company IT and Internet
facilities.
Many misunderstandings and potential disciplinary proceedings can be
avoided by clearly stating company policy in a legally binding
document that is shared by both the employer and employee.
For example, is personal use of the Internet permitted? An analogy can
be drawn with personal use of the telephone or computing
facilities: many organisations allow ‘reasonable’ personal use
of these, with Line Management making the decision what is
‘reasonable’. Just as few organisations would permit staff to
receive pornography through the Royal Mail at their place of work,
downloading or viewing pornography on the Internet would probably
be prohibited.
Some of the topics which should be covered include:
- Viruses
- Copying licensed software
- Downloading software
- Storing illegal or tasteless material
- Personal use of E-mail and the World Wide Web
- Copyright infringement
8.2 Role of the Line Manager
The Line Manager plays an important role in deciding what is
acceptable. Requirements to access particular Internet sites
should be countersigned by the Line Manager and be based on
business needs.
Equally the Line Manager should be supported by the IT department, when
required, by timely and relevant management information showing
which sites are being accessed by people in their team, and for
how long.
Company directors, in particular, have ultimate responsibility in law, and
could end up being fined or imprisoned for the actions of their
companies.
8.3 Role of IT Department
The IT department normally provides an organisation’s Internet
connection and is responsible for managing it securely, so the
burden of controlling the material that passes through the
connection often is placed within its domain of responsibility.
While the IT department can deploy technology to assist in this, it is
important that they are not seen as ‘moral policemen’ by the
rest of the organisation, damaging the working relationships that
may have been built up over time with their end users.
8.4 Role of Human Resources Department
The Human Resource department should ensure that the Contract of
Employment for new employees and the Terms and Conditions of
Employment for existing employees contain suitable directives
regarding the use of Internet resources.
Breaches of the organisation’s policies on acceptable Internet use should
be dealt with by the Human Resources department in the same manner
as any other breach of policy.
9. Conclusions
While technical measures can go so far towards controlling an
organisation’s Internet access, many of the issues involved are
actually Human Resource issues, and as such require Human Resource
and Line Manager involvement.
The main things to remember when rolling the Internet out to the
desktop are:
- Do not connect your internal network to the Internet unless you
have the safeguard of a properly configured firewall in place
(e.g. Smoothwall)
- Put the means in place to control access, in order to prevent time
wasting and accessing undesirable material (e.g. Smoothwall)
- Make sure that you communicate what constitutes acceptable usage to
all members of staff
- Monitor your Internet connection so that you are aware of any
attempted access breaches or downloading of undesirable material
(e.g. using Smoothwall)
- Ensure that your Human Resource department (or equivalent) are
involved in all the ‘people’ issues
- Only provide that access which is required for business needs, or
to clearly defined ‘leisure’ sites
- Provide IT security awareness-raising training to users