The increase in affordable broadband
Internet connections such as cable modems and DSL connections
has caught the attention of business people who want to access
corporate data systems from home. But significant security
risks accompany these high-speed connections that can expose
both the home system and the business data network.
While it has achieved a robust
interconnection of computers, the Internet's design has
inherent security weaknesses as a platform for commerce. These
weaknesses are largely due to the fact that the underlying
technologies were originally designed for a network of trusted
defense research computers. Basic security requirements such
as authentication and encryption
are completely missing in these standards. As a result, the
Internet provides only a weak foundation for secure business
communication, and its weaknesses are magnified for those
using broadband connections.
RISKS
These vulnerabilities can lead to loss
of data, corruption of software, and interruption of
use. Broadband security risks are often attributable to the
packet-switching architecture of Transmission Control
Protocol/Internet Protocol (TCP/IP), design flaws in operating
systems and application software, and other factors.
The packet-switching design of the
Internet is vulnerable because the packets travel
through a public data network. Packets are routed from one
computer to another using IP addresses. If someone has access
to any portion of the route, and if they can identify which
packets are yours based on the IP address, they can observe,
modify, and/or redirect those packets. Unfortunately, the
Internet is full of ways for others to observe and access your
packets, including packet sniffing, packet spoofing, and
man-in-the-middle attacks.
Software called packet sniffers can
be configured to capture packets going to or from a computer.
Once captured, these packets can be reassembled, making your
original message or file available to the eavesdropper. While
packet sniffers can be used to scan a large number of packets
and to search for key words or names, they are most effective
when the intruder knows the IP address of the sender or
recipient.
Cable and DSL technologies can create
a "persistent" IP address. For a dial-up user, IP
addresses are usually assigned at the beginning of a session.
For a typical home or small business user, this IP address is
highly transient. Each time they establish a dial-up
connection with their Internet service provider (ISP) they are
given an IP for that particular session. But as soon as that
session is terminated, that IP address is released back to the
ISP to be reassigned to another user.
When broadband users initially
connect, they are assigned an IP for that session. But because
many users either always leave their computers on or are
connected via a home network device that is always left on,
these sessions can last for days or months. As a result, the
assigned IP address becomes "persistent" even though
it is technically assigned only temporarily. If an attacker
knows a persistent IP address, they can set up a packet
sniffer targeting the specific IP address they want to scan.
Figure 1: a typical packet-sniffing scenario (image not reproduced)
Figure 2: IP spoofing (image not reproduced)
Cable modems have one additional
feature that creates risk. Most cable modem networks are wired
in what is called a trunk and branch system. This system
creates something similar to a local area network for each
neighborhood that is connected. The majority of these systems
are configured so every packet that is originated by, or bound
for, a computer connected to the cable system in a given
neighborhood flows past all the other computers connected in
that neighborhood. If poorly designed, this system would allow
any computer attached to the cable network to listen to the
packets of another computer. Many office local area network
designs have the same exposure, but in an office everyone
works for the same company, so the level of exposure is
different. Figure 1 depicts a typical packet-sniffing
scenario.
IP spoofing. While a persistent IP
can expose a computer to packet sniffing, other, more
insidious attacks are possible. Besides listening, it's
possible for someone else who knows your IP address to create
packets that appear to originate from your computer but, in
fact, originate from theirs. This is called IP spoofing. Other
systems that rely on the source IP address alone to determine
the identity of the packets could be fooled in this manner.
(See Figure 2.)
Man-in-the-middle attack. In this
type of attack, the packets being sent between two computers
are captured and modified by a third party. As a result, the
two parties may share trusted information or may rely on
information they think is trustworthy but isn't. (See Figure
3.)
Viruses represent another major risk
to computers connected to the Internet. Many are sent through
e-mail. For example, the Melissa macro virus was delivered as
an e-mail attachment. The attachment was a Microsoft(R) Word
document that contained the virus code. Opening the attachment
executed a Visual Basic program that sent the virus out to the
first 50 people in the user's address book. The speed at which
Melissa spread was amazing. The first instances of the virus
were detected on a Friday. By Monday the virus had infected
more than 100,000 computers and disrupted or shut down e-mail
service at a number of companies. One firm reported having
over 32,000 Melissa-infected e-mails.
Other viruses exploit weaknesses in
common Internet protocols, including TCP/IP. For example, a
hacker tool called Back Orifice was released by the Cult of
the Dead Cow (cDc) in 1998 and has been circulating on the
Internet ever since. It runs on Windows 9x and NT systems, and
once a computer has been infected with Back Orifice and is
connected to the Internet, it can be completely controlled by
another computer. Files and directories on the infected
computer can be copied and deleted, and programs can be sent
to the infected computer and executed. A complete log of all
keystrokes also can be created, allowing the attacker to
capture user names and passwords.
While these risks are significant,
the majority of them can be eliminated or substantially
reduced. Here are three steps you can take to protect a
computer connected to the Internet, even with an always-on
broadband connection.
1. CLOSE THE FRONT DOOR.
The first step is to secure your
computer's operating system. The Microsoft(R) Windows(R)
operating system supports a service called Print and File
Sharing. This service can be quite useful for computers
connected to LANs, but it does expose computers connected to
the Internet. If these services are turned on, someone might
be able to view, modify, or delete any of the files on your
computer. To make matters worse, this service basically
advertises itself to the outside world. Hacker tools have been
designed to search across the Internet looking for the IP
addresses of computers that have this service turned on, and
computers with persistent IP addresses are more vulnerable.
You can configure this service to require a password, but the
password system is highly vulnerable and can be hacked. The
Apple Macintosh operating system also has this vulnerability.
Fortunately, you can disable File and Print Sharing.
Figure 3: a man-in-the-middle attack (image not reproduced)
The version of the operating system
you choose also matters. In general, the consumer versions of
Microsoft Windows (including Windows 3.1, 95, 98, and Me) are
less secure than the corporate versions (including Windows NT
3.5, 4.0, and Windows 2000). For example, a computer running
Windows 95 doesn't have to be configured to require a password
before it is used, while a Windows NT machine does. Similarly,
the file system used on most of the consumer versions of
Windows doesn't support subdirectory and/or file level
password protection, whereas the corporate versions can be
configured to protect both subdirectories and files with
special passwords. The latest Windows operating system,
Windows XP, was supposed to offer a higher level of security
in the consumer version of the product, but it also has proven
vulnerable to hacker takeovers. With XP you have to decide
whether to turn on its firewall utility.
A final step in basic protection is
to have a virus protection program installed and running on
your computer. Most popular virus scanning software can be
configured to scan all e-mail attachments and other downloads
for malicious code. (See sidebar, p. 42, for providers.)
Some virus scanning systems require
that you manually initiate a virus scan for them to detect
changes in your system. This configuration is weaker than
having a system configured to be running anytime your computer
is turned on. Also, you must regularly update your virus
scanner.
2. LOCK THE DOOR.
The next step in securing your
computer is to install and configure a firewall. A firewall is
a set of security policies implemented through hardware and/or
software.
Most personal firewall software comes
with a set of predetermined settings. For example, one of the
popular programs lets you choose low to medium to high
security during installation. Once you've selected a
particular level of security, the firewall goes to work. Now
comes the fun. As the firewall goes about enforcing the
security policies that you have set, it will report attempts
from the outside to breach those policies. Of course, the
tighter the setting, the more items to report. (See sidebar
for personal firewall products.)
The difficulty is in understanding
the information provided by the firewall and determining how
or if you should change the settings. For example, it isn't
uncommon for a firewall to report one or more attack events
per day. Many intruders conduct large-scale port scans over a
range of IP addresses to identify vulnerable targets for
attack. Addresses used by broadband vendors are often the
target of these probes.
During the port probe, the attacker
uses software to examine what ports exist on your system and
if they are open or vulnerable for attack. For example, a
NetBIOS port probe can be run across a large number of IP
addresses to see if the file and print sharing services are
turned on. Similar probes to examine FTP ports, pcAnywhere(TM)
ports, and UDP (User Datagram Protocol) ports are common.
While many, if not most, of the
probes don't represent a serious attack on your machine
(provided you've taken proper security precautions), the
attacker could gain useful information that may lead to an
attack. For example, a common probe is called the TCP OS
probe. Using sophisticated tools, an attacker can scan a large
number of systems to determine what operating system each is
using. If vulnerability in your operating system is
discovered, then your system may be entered into the
attacker's database for future exploit.
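As an added illustration (not code from the original article), here is a small Python triage script for the kind of block reports just described: it reads constructed personal-firewall log entries in an assumed format, groups inbound blocks by probing host, names the service each probed port would expose (the NetBIOS, FTP and pcAnywhere ports the article mentions), and flags a host that hits many different ports as a port scan. The log format, the addresses and the port-to-service table are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a personal firewall's block log in an assumed format
# (not the output of any real product). 203.0.113.20 is the home machine.
SAMPLE_LOG = """\
2002-03-04 08:12:01 BLOCK in UDP 198.51.100.7:137 -> 203.0.113.20:137
2002-03-04 08:12:01 BLOCK in TCP 198.51.100.7:1036 -> 203.0.113.20:139
2002-03-04 08:20:44 BLOCK in TCP 192.0.2.9:53211 -> 203.0.113.20:21
2002-03-04 08:20:45 BLOCK in TCP 192.0.2.9:53213 -> 203.0.113.20:25
2002-03-04 08:20:45 BLOCK in TCP 192.0.2.9:53214 -> 203.0.113.20:80
2002-03-04 08:20:46 BLOCK in TCP 192.0.2.9:53215 -> 203.0.113.20:110
2002-03-04 08:20:46 BLOCK in TCP 192.0.2.9:53216 -> 203.0.113.20:139
2002-03-04 09:01:10 BLOCK in TCP 192.0.2.77:2222 -> 203.0.113.20:5631
2002-03-04 09:30:02 BLOCK out TCP 203.0.113.20:1055 -> 192.0.2.200:80
"""

LINE = re.compile(r"^(\S+ \S+) BLOCK (in|out) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

# Ports the article names as common probe targets, and what an open one exposes.
KNOWN_PROBES = {
    ("UDP", 137): "NetBIOS name service (file and print sharing)",
    ("TCP", 139): "NetBIOS session (file and print sharing)",
    ("TCP", 21): "FTP server",
    ("TCP", 5631): "pcAnywhere host",
    ("UDP", 5632): "pcAnywhere status",
}

def parse(log_text):
    """Turn log lines into dicts; lines in another format are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, direction, proto, src, _sport, dst, dport = m.groups()
            events.append({"ts": ts, "direction": direction, "proto": proto,
                           "src": src, "dst": dst, "dport": int(dport)})
    return events

def triage(log_text, scan_threshold=5):
    """Group inbound blocks by probing host and say what each host was after."""
    by_src = defaultdict(list)
    for e in parse(log_text):
        if e["direction"] == "in":          # outbound blocks are a separate question
            by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        ports = sorted({(e["proto"], e["dport"]) for e in evs})
        verdicts[src] = {
            "ports": [f"{proto}/{port}" for proto, port in ports],
            "looking_for": sorted({KNOWN_PROBES[p] for p in ports if p in KNOWN_PROBES}),
            # one host hitting many different ports is the port scan the article describes
            "port_scan": len(ports) >= scan_threshold,
        }
    return verdicts
```

Running `triage(SAMPLE_LOG)` separates the NetBIOS probe and the pcAnywhere probe (single-purpose) from the host that swept five ports (a port scan), which is the judgement the article asks the user to make from the firewall's reports.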
One of the biggest challenges in
using a firewall is determining when to either close or allow
a hole in the firewall. If a tight or very secure stance is
initially taken (don't let anything through that you are not
specifically told to let through) you guarantee that your
firewall will report a number of blocked attempts, both in and
out of your system. Depending on how your system reports and
manages these blocked attempts, you may find the first few
sessions using the firewall rather confusing and frustrating.
You also can be confronted with firewall warnings and messages
as you do the things you have always done on your computer.
This is a critical stage. Be careful of creating a hole that
can later be exploited by a hacker. Most firewall vendors
offer both telephone and Web support that describes particular
events and whether or not they are really critical.
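An added example, not from the article, of the tight stance described above: a simplified first-match packet filter in Python whose default is to block, with a hasty "allow file sharing from anywhere" rule shown beside the same rule narrowed to the home LAN. The rule names, the ports, the 192.168.1.0/24 home network and the sample addresses are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

def rule(action, direction, proto=None, port=None, remote=None, note=""):
    """One policy line; fields left as None match anything."""
    return {"action": action, "direction": direction, "proto": proto,
            "port": port, "remote": ip_network(remote) if remote else None,
            "note": note}

def matches(r, pkt):
    return (r["direction"] == pkt["direction"]
            and r["proto"] in (None, pkt["proto"])
            and r["port"] in (None, pkt["port"])
            and (r["remote"] is None or ip_address(pkt["remote"]) in r["remote"]))

def evaluate(policy, pkt):
    """First matching rule wins; anything not explicitly allowed is blocked."""
    for r in policy:
        if matches(r, pkt):
            return r["action"], r["note"]
    return "block", "default deny"

def pkt(direction, proto, port, remote):
    # port is the service port: the local port for "in", the remote port for "out"
    return {"direction": direction, "proto": proto, "port": port, "remote": remote}

# Tight stance: only the outbound services this user actually needs.
# (A real personal firewall also admits replies to connections the user
# started; that stateful part is left out of this model.)
TIGHT = [
    rule("allow", "out", "TCP", 80, note="web"),
    rule("allow", "out", "TCP", 443, note="web (SSL)"),
    rule("allow", "out", "TCP", 25, note="sending mail"),
    rule("allow", "out", "TCP", 110, note="fetching mail (POP3)"),
    rule("allow", "out", "UDP", 53, note="DNS"),
]
# A hole: "allow" clicked at a prompt, so file sharing is reachable from anywhere.
LEAKY = TIGHT + [rule("allow", "in", "TCP", 139, note="file sharing")]
# The same need met narrowly: file sharing only from the (assumed) home LAN.
NARROW = TIGHT + [rule("allow", "in", "TCP", 139, remote="192.168.1.0/24",
                       note="file sharing (LAN only)")]

def report(policy, packets):
    """What the firewall would show the user: the blocked attempts and why."""
    out = []
    for p in packets:
        action, why = evaluate(policy, p)
        if action == "block":
            out.append((p["direction"], p["proto"], p["port"], p["remote"], why))
    return out

if __name__ == "__main__":
    # Constructed traffic: an Internet host probing NetBIOS, a LAN machine, the user browsing.
    traffic = [pkt("in", "TCP", 139, "198.51.100.7"), pkt("in", "TCP", 139, "192.168.1.5"),
               pkt("out", "TCP", 80, "192.0.2.200")]
    for name, policy in (("TIGHT", TIGHT), ("LEAKY", LEAKY), ("NARROW", NARROW)):
        print(name, report(policy, traffic))
```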
3. PULL DOWN THE SHADES.
For many users, the first two steps
are all you need, but if you plan to access private data
networks, such as a corporate computer system or intranet, one
further step is worth considering. The measures taken so far
have reduced the opportunity for those outside to access your
computer and the programs and files stored on it, but what
about the information flowing between your computer and your
company? Remember, information that is transmitted online is
exposed to eavesdropping. Virtual private networking (VPN) is
a technology that allows a public data network such as the
Internet to be used to transmit information in a secure
manner. (See sidebar for VPN resources.)
Figure 4: basics of a virtual private network (image not reproduced)
Similar to firewall technology, the
technical details of VPN can be quite overwhelming and should
be left to security professionals. But here are some basics.
(See Figure 4.)
A virtual private network between
your home computer and an office system first authenticates
you as a valid user of the office system and then establishes
a secure tunnel. While the concepts behind virtual private
networks are relatively straightforward, the actual technology
is complex and somewhat immature. Currently, there is no
single standard for establishing a virtual private network
connection between two systems. For example, a variety of
encryption techniques are available including DES, DES3, MD5,
and Blowfish, each with varying degrees of sophistication and
security.
The most significant attempt to
establish a standard for VPNs is the IPSec (IP Security
Protocol), but it has been criticized as too complex to
provide adequate protection (generally the more complex a
security system, the higher the chance it can be improperly
configured and therefore broken). As an additional challenge,
the VPN implementation in Microsoft(R) Windows 2000(R)
combined IPSec with another technology called L2TP,
potentially making Windows 2000 incompatible with other pure
IPSec products.
Nevertheless, VPN technology
represents the future for business on the Internet. A new
standard for the IP protocol is currently under review that
includes, among other changes, support for VPN and packet
encryption.
INTEGRATED SOLUTIONS
Operating systems, virus protection,
firewalls, and virtual private networks can be used to form an
integrated security solution for your computer. In fact, some
of the products offered combine one or more of these tools.
For example, several firewall products come with virus
protection software included. Similarly, firewall/VPN products
are being introduced that allow a corporate security policy to
be established and verified before a computer connects to the
VPN server. A natural extension of the integration of these
services is for them to be included in the operating system.
For example, Windows 2000 Professional comes with a VPN client
integrated into the operating system.
The availability of affordable
broadband connections to the Internet is creating a second
wave of users and opportunities. But users should weigh the
risks and take appropriate precautions. Remember to first
close the front door by turning off the file and print sharing
service, maximizing your available password protection, and
utilizing current virus protection software. Then lock the
door by installing a well-configured firewall. Corporate and
intranet users should pull down the shades with a virtual
private network. With these measures you can minimize the
risks of a broadband Internet connection while you enjoy the
fantastic speed it provides.
VIRUS PROTECTION SOFTWARE
* Norton Antivirus from Symantec
Corporation (www.symantec.com)
* McAfee VirusScan from McAfee.com
Corporation (www.mcafee.com)
* PC-cillin 2000 from Trend Micro (www.antivirus.com)
PERSONAL FIREWALLS
* BlackICE Defender from Network ICE
Corporation (recently acquired by Internet Security Systems) (www.iss.net)
[A security hole was discovered in BlackICE Defender, ver.
2.9, for systems running on Microsoft Windows 2000 and XP. A
patch is available for download from the ISS website or
through the program itself.]
* Norton Personal Firewall from
Symantec Corporation (www.symantec.com)
* ZoneAlarm Pro from Zone Labs (www.zonelabs.com)
* McAfee.com Personal Firewall by
McAfee.com Corporation (www.mcafee.com)
* Sygate Personal Firewall by Sygate
Technologies (www.sygate.com)
VIRTUAL PRIVATE NETWORKING RESOURCES
* Internet Engineering Task Force,
Network Working Group, "Security Architecture for the
Internet Protocol," located at www.ietf.org/rfc/rfc2401.txt.
The same group has a number of other technical documents
describing various aspects of IPSec. For an overview, see
"IP Security Document Roadmap," located at
www.ietf.org/rfc/rfc2411.txt.
* Microsoft provides a number of
background papers and technical resources related to their
integration and support for virtual private networking
(www.microsoft.com/vpn).
* RedCreek Communications (recently
acquired by Sonic Wall) is focused on delivering both hardware
and software to create virtual private networking solutions.
Their website (www.redcreek.com) contains a number of helpful
resources.
* Cisco Systems supports a variety of
virtual private network solutions built on their router
technologies. Their website (www.cisco.com) provides product
descriptions and technical background resources.
BY JACK M. CATHEY, CPA, AND CASPER E.
WIGGINS, CPA
Jack M. Cathey, CPA Ph.D., is an
associate professor in the Department of Accounting of the
Belk College of Business Administration at the University of
North Carolina, Charlotte. You can reach him at (704) 687-4408
or jmcathey@email.uncc.ed.
Casper E. Wiggins Jr., CPA, DBA, is
the Big Five Distinguished Professor of Accounting in the
Department of Accounting of the Belk College of Business
Administration at the University of North Carolina, Charlotte.
You can reach him at (704) 687-3620 or cwiggins@email.uncc.edu.
Copyright Institute of Management
Accountants Mar 2002