
Detect and prevent computer intruders
By Jeffrey S. Locketz, CPA, CNA and Yan L. Kravchenko, CISSP, MCSE

Business information systems are so integrated in our offices that:

  • e-mail is as essential as the telephone;
  • the Internet is a critical information resource; and
  • the organization's Web site allows us to gain international exposure and opportunities.

How secure is this critical resource?

According to the CERT® Coordination Center (The Center of Internet Security Expertise), the number of computer security violation incidents is growing at an alarming rate. In 2003 alone, CERT/CC recorded more than 137,500 incidents. That is a 68 percent increase from 2002 and a 162 percent increase from 2001. What makes these statistics even more staggering is that most incidents still go unreported and some are never detected at all.

The consequences of each incident may have any number of effects on an organization, including:

  • loss of time and productivity related to system recovery and restoring normal operation;
  • loss of revenue;
  • loss of business goodwill through bad public and business relations;
  • loss of ability to compete effectively in the marketplace; and
  • exposure to legal liability.

In 2003, CERT/CC reported more than 3,700 new system vulnerabilities. Hacker communities are growing; even high school and college students without any advanced knowledge of technology have the ability to break into systems. Hackers randomly select thousands of Internet addresses, searching for weak systems.

The frequent misconception

The belief that an organization's firewall is its only and best defense against hackers is certainly a misconception.

The firewall should function only as the first line of defense against attacks from the Internet. Think of it as a lock on a door, protecting the organization's private network from the public network (the Internet). Just as you may tug on the door handle and turn the knob to ensure the door is locked, you should periodically test the firewall.

Testing the firewall

Testing the firewall is accomplished using a procedure known as penetration testing (self-hacking), an attempt to break into the organization's private network.

Penetration testing can reveal problems with misconfigured and vulnerable areas, such as:

  • firewalls,
  • servers,
  • routers and
  • other devices visible from the public network.

Additionally, penetration testing is useful for understanding what information is visible to hackers, which helps the organization avoid becoming an easy target.

If your organization got hacked, how would you know?

New ways of hacking are developed every day; therefore, the organization must assume any firewall can and will be broken. For this reason, the information security industry does not consider any single technology foolproof against hackers. Without appropriate detection technologies in place, most security incidents would go undetected.

Intrusion Detection System (IDS)

IDS technology is capable of detecting activity that may lead to a security breach, including an attempt to bypass the firewall. An IDS helps organizations prepare for and deal with attacks by detecting unauthorized entry into a computer system. It collects information from a variety of vantage points within computer systems and networks and analyzes this information for symptoms of security problems. IDS technologies allow organizations to protect themselves from losses associated with network security problems.

There are two varieties of IDSs:

  • Network-based IDS (NIDS) is designed to cover multiple hosts and uses probes located on local area network (LAN) segments that report to a monitoring workstation.
  • Host-based IDS (HIDS) is software installed on a host device (e.g., a server, firewall or router) and set up to detect unauthorized actions within that host.

The solid defense

To harden an organization's defenses against Internet threats, the organization should:

  1. Install a firewall to protect its private network from the Internet.
  2. Maintain the firewall with the latest software and patches.
  3. Configure the firewall to reject all incoming traffic not deemed necessary for business operations. This means closing access to all unnecessary Internet services.
  4. Perform penetration testing on the firewall at least four times a year to disclose any new vulnerabilities.
  5. Review the results of the penetration tests, mitigate any of the vulnerabilities found and re-scan the firewall once necessary changes have been made.
  6. Install and configure an IDS to monitor all traffic outside the firewall. The IDS logs should be reviewed on a regular basis. If an attack is detected, network administration should be notified so they can take corrective action.
  7. Replace the firewall if the vendor no longer supports it.
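Step 6 above and the IDS section both come down to reviewing logs for symptoms of a problem, such as one Internet address probing many closed services on one host (the random scanning for weak systems described earlier). The script below is an added illustration, not code from the article or its authors: it assumes a simple constructed "timestamp ACTION src -> dst:port" log format and flags any source whose denied connections touched at least five distinct ports on the same host.

```python
import re
from collections import defaultdict

# Constructed sample firewall/IDS log (not from any real device); one line is
# deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """\
2003-11-02T03:14:05 DENY 203.0.113.7 -> 192.0.2.10:21
2003-11-02T03:14:05 DENY 203.0.113.7 -> 192.0.2.10:22
2003-11-02T03:14:06 DENY 203.0.113.7 -> 192.0.2.10:23
2003-11-02T03:14:06 DENY 203.0.113.7 -> 192.0.2.10:25
2003-11-02T03:14:07 DENY 203.0.113.7 -> 192.0.2.10:80
2003-11-02T03:14:07 DENY 203.0.113.7 -> 192.0.2.10:110
2003-11-02T03:14:08 DENY 203.0.113.7 -> 192.0.2.10:143
2003-11-02T03:14:09 DENY 203.0.113.7 -> 192.0.2.10:443
2003-11-02T03:15:00 DENY 198.51.100.4 -> 192.0.2.10:443
2003-11-02T03:15:01 DENY 198.51.100.4 -> 192.0.2.10:443
2003-11-02T03:16:30 ALLOW 198.51.100.9 -> 192.0.2.10:80
this line is garbled and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)

def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "action": m["action"], "src": m["src"],
                           "dst": m["dst"], "port": int(m["port"])})
    return events

def find_probing_sources(events, min_ports=5):
    """Return {(src, dst): sorted ports} for every source whose DENIED attempts
    reached at least min_ports distinct ports on one destination host."""
    ports_by_pair = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":          # only blocked attempts count as probes
            ports_by_pair[(e["src"], e["dst"])].add(e["port"])
    return {pair: sorted(ports) for pair, ports in ports_by_pair.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    for (src, dst), ports in find_probing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"notify administrators: {src} probed {len(ports)} closed ports on {dst}: {ports}")
```

The two repeated denials from 198.51.100.4 to a single port stay below the threshold and are not reported, so a one-off blocked connection does not generate noise.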

Protect your system

Your network is a vital part of your business, and the information stored in its computers must be protected. If you do not protect the network that holds such confidential information, you may be accused of negligence. Adequate protection and follow-through are the best defense.

Jeffrey S. Locketz is a partner with Lurie Besikof Lapidus & Company LLP. Yan Kravchenko is a manager with LBL Technology Partners.