WHITE PAPER
The Coming of Age of Client Security: Top Managers Realize They Have to Lock Down the Point of Entry
Sponsored by: IBM Corporation
Roger L. Kay
January 2003

SUMMARY
Although security technology has progressed tremendously over time, awareness of the need for security on the part of people who use computers — both consumers and businesspeople — has not in general kept pace. Essentially, there is plenty of technology on hand, but the understanding of what it does and how to use it has lagged. However, much has changed since the attacks of September 11. CEOs and IT managers everywhere drew lessons from the differing fates of companies that had backup and restore procedures and those that didn't. Data recovery is, of course, only one piece of the security pie, but as political tensions have increased on the macro level, this and other security concerns have risen in visibility with top managers. "To what degree is our data — and therefore our business — safe?" CEOs are now asking in ever greater numbers and with increasing vehemence. "Just where are we with security?" they want to know of their CIOs.

This shift in attitude represents an evolution from the pre–September 11 state, which was characterized by a vague awareness of some subset of security issues but a misunderstanding of the complete security picture and a widespread lack of adoption and deployment.

Now managers are beginning to assess their vulnerability and to ask what their alternatives are.

In most corporations, the security infrastructure is still inadequate and full of holes. Even the most sophisticated organizations are vulnerable. In one incident, widely reported in the press, that had an impact of major but unknown proportions — the degree of penetration was difficult to assess — a hacker from St. Petersburg, the intellectual seat of the old Soviet Union, broke into Microsoft's network and absconded with a large number of important files, including, purportedly, an unknown quantity of Windows source code files. Naturally, Microsoft never advertised the extent of the damage — if, indeed, it is actually known. And if a company at the epicenter of the information technology business is vulnerable (and by inference should know better), truly, no company is safe from attack.

The security threat is growing in several dimensions at once. The amount of value flowing across the network — in the form of actual money, but also business plans, intellectual property, and strategic documents — is rising by leaps and bounds. And value is at risk in less obvious ways. A reputation can be damaged irreparably by an attack, business can be lost as a result of downtime, and the trust on which ebusiness is based can be destroyed permanently. To the growing list of imaginative crimes must be added identity theft, which has become a veritable cottage industry. In addition, malicious hackers are getting more sophisticated. Malevolent programmers are not only figuring out more effective ways to harm businesses and individuals but are also publishing their tricks on Web sites for other less creative, but perhaps more vindictive, people to find and use.
Summary of Contents

  • Page 2 In this environment, client security can be one of the weakest links in the chain. Despite the availability of operating systems with improved security features, desktop and notebook PCs still often have only a Windows password protecting them, and, in ...
  • Page 3 The Microsoft intrusion was a so-called "lunchtime attack," named for the archetypical scenario in which an employee goes out to lunch, leaving his or her computer on, and an intruder simply sits down at the absent worker's desk to feast on whatever privileges that user enjoys, including access to files, programs, and services.
  • Page 4 and a denial-of-service attack on the Internet's 13 root servers successfully crippled traffic on the Internet as recently as October 2002. This attack has been connected to cyberterror, and IDC is expecting at least one major cyberterror attack on the Internet infrastructure in the not-too-distant future.
  • Page 5 And even with the best of intentions, IT departments do not always upgrade all their systems with the latest security patches, sent out by application, antivirus, and operating system companies when they discover flaws that allow outside penetration. The hacker community knows about these flaws and cruises the Internet, looking for systems that lack the updates.
  • Page 6 Figure 1: Worldwide ecommerce spending by type, 2000–2003 (Source: IDC's Internet Commerce Market Model version 8.1, February 2002). Authorities in the United States recently cracked the case of a professional hacker based in the United Kingdom who had access to about 100 unclassified military networks during most of 2002.
  • Page 7 Companies are subject not only to fraud and the direct loss of assets but also to the value of lost business. When their services are denied by a deliberate overload of bogus requests, they lose the value of the potential business that would have been transacted during the period of denial.
  • Page 8 For many years, encryption algorithms were quite simple. The offsets used by Mary Queen of Scots relied on the slowness of human decipherers, who were often as much psychologists as mathematicians. If every letter in the encrypted message was, say, five letters up the alphabet from the original (wrapping around again at Z), then decoding one word was enough to break the whole text.
  • Page 9 nature of computer operating environments, DES slows down data flow considerably when executed in software, and Triple DES slows down the system three times more. Thus, in the late 1990s, the National Institute of Standards and Technology (NIST), formerly the National Bureau of Standards, put out a call for new algorithms, and a competition ensued.
  • Page 10 Public key encryption is based on the idea that some mathematical operations are easy to do — but hard to undo. A simple example is a square versus a square root. If you already have the square root of three (which is approximately 1.73205080756888 but has no finite decimal expansion), multiplying it by itself easily yields three, but trying to find the root given only the number three is a lot more difficult.
  • Page 11 In the public version of security, a world of ecommerce, where people can freely trust the Net and all the clients and services that they run into, there would be no inelegance. But in the real world, people of a certain disposition and skill can game the system and filch unprotected private keys, forcing the owners to go back to the authority and ask it to disallow that pair.
  • Page 12 Biometry — authentication by fingerprint, retinal scan, voice, or facial geometry — is particularly good for matching employees or customers with systems and data records. While biometry represents a key piece of the security puzzle, biometric information carries no data and cannot in itself support PKI. An improvement over passwords, biometry provides better security because users cannot alter their biological qualities.
  • Page 13 cryptographic operations through the chip. Cryptographic middleware automatically routes function calls to the hardware. The chip is compliant with Microsoft's CAPI and PKCS #11, industry-standard interfaces, which many of the PKI providers, such as Entrust, Baltimore, and Microsoft itself, use for applications such as email (e.g., Outlook and Notes), VPN clients (e.g., Cisco, SonicWALL, and L2TP), or network log-on clients (e.g., NetWare).
  • Page 14 Unlike software encryption, which can't keep a counter, the chip can keep track of log-in attempts, and it won't let the count-per-time rise too high, interpreting repeated assays as hammering behavior. Each failed attempt increases the length of the delay before a user can try again —...
  • Page 15 THE TRUSTED COMPUTING PLATFORM ALLIANCE EVOLVES IBM has put together one of the most comprehensive suites of security products in the computer industry.
  • Page 16 Combined with a full security suite, the chip enables the peace of mind necessary to make ebusiness viable. But while widespread adoption of PKI is still some way off in the future, security implementations that require cooperation between fewer parties are here now, such as secure support for email and for Microsoft's Outlook via CAPI.
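The anti-hammering counter described in the Page 14 excerpt, modelled in software as an added example (not the white paper's or IBM's code, and not a substitute for keeping the counter in hardware): each failed attempt lengthens the lockout, a correct password resets it, and a helper counts how few guesses a non-stop attacker can submit in an hour. The doubling rule, the one-second base delay and the one-hour cap are assumptions; the excerpt only says each failure increases the delay.

```python
"""Model of a hardware log-in counter with growing retry delays (added example,
not the white paper's or IBM's code). Assumed policy: the delay doubles on each
failure (1 s, 2 s, 4 s, ...), is capped at one hour, and resets on success."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class HammeringGuard:
    base_delay: float = 1.0     # seconds after the first failure (assumed)
    max_delay: float = 3600.0   # cap on the lockout (assumed)
    failures: int = 0           # consecutive wrong attempts seen so far
    locked_until: float = 0.0   # time before which attempts are refused

    def current_delay(self) -> float:
        """Lockout earned by the current failure count."""
        if self.failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)

    def attempt(self, now: float, password_ok: bool) -> Tuple[str, float]:
        """One log-in attempt at time `now` (seconds) -> (outcome, wait).
        Attempts inside the lockout are refused without checking the
        credential, so a hammering attacker cannot even test the guess."""
        if now < self.locked_until:
            return "throttled", self.locked_until - now
        if password_ok:
            self.failures = 0
            self.locked_until = 0.0
            return "ok", 0.0
        self.failures += 1
        delay = self.current_delay()
        self.locked_until = now + delay
        return "failed", delay

def simulate(attempts: List[Tuple[float, bool]]) -> List[Tuple[str, float]]:
    """Run constructed (time, password_ok) attempts through a fresh guard."""
    guard = HammeringGuard()
    return [guard.attempt(t, ok) for t, ok in attempts]

def attempts_within(window: float) -> int:
    """Wrong guesses a non-stop attacker can submit within `window` seconds."""
    guard, t, count = HammeringGuard(), 0.0, 0
    while t <= window:
        _, delay = guard.attempt(t, password_ok=False)
        count += 1
        t += delay
    return count
```

With these assumed parameters a constant stream of wrong guesses gets only 12 attempts per hour, which is the point of the counter: the credential space no longer has to be large enough to survive thousands of tries per minute.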