WHILE THE RECENT widely publicized crash of thousands of NT-based computers in universities and military bases across the country the night before Bill Gates’s testimony to Congress may have brought chuckles in the anti-Microsoft community, the actual implications of such attacks are no laughing matter in the business world. In banking and insurance, customers could be denied account information for hours; on Wall Street, such an incident could shut down trading activities for an entire day at a high cost to investors and traders alike; and in healthcare, providers and administrators would be unable to access patient insurance or lab tests stored online, delaying timely treatment for sick patients. News that Pentagon computers were hacked in February, allegedly by two bored California high school students, is further evidence that even the DoD is unprepared to fight computer crime.
According to a recent study by the Computer Security Institute, San Francisco, 64 percent of more than 500 organizations reported computer security breaches in the last 12 months--an increase of 16 percent over 1997--and at a loss of $136 million for the roughly 241 respondents that could provide figures. The security problem is likely a great deal worse than any of us have been led to believe because a large proportion of security crimes are never reported. "Security crime has a stigma right now. It’s sort of like AIDS was 10 or 15 years ago--if you had it you didn’t talk about it," notes Chip Mesec, director of product management at Network Associates, a leading provider of security products and services in Santa Clara, Calif.
While the biggest security risks in this industry are violations of patient privacy and confidentiality through unauthorized access to patient information, healthcare must also consider the cost of cleaning up after security breaches. Consider a patient lawsuit for one violation: that could run in the neighborhood of several million dollars, not to mention the resulting loss of business if the suit became public.
The exponential growth of the Internet has greatly contributed to the security problem by creating countless new ways for intruders to find a back door into a private network. The number of organizations in the study citing their Internet connection as a frequent point of attack rose from 47 percent in 1997 to 54 percent this year.
Yet viruses may be a bigger problem in the immediate future than random hackers because viruses can easily infiltrate operating systems through email attachments and ActiveX programs or from Web sites, according to Dixie Baker, PhD, chief scientist at SAIC’s center for information security technology, San Diego. "If you’re able to browse the Web you can also very easily, without even intending to, download malicious code that can cause denial of service or corrupt your applications," she says.
Still, evidence continues to mount that careless or disgruntled employees are causing a lot of the damage. Forty-four percent of breaches reported in the study were from unauthorized access by employees, compared with 24 percent from external attacks.
For organizations with an Internet connection, a complete security program will involve more than one product. Anti-virus software, firewalls and encryption are some basic building blocks, but the choices are vast and the technologies complex. Digital envelopes, public key/private key encryption, DES, certificate authorities, virtual private networks, tunneling, biometrics, smart cards--it’s enough to make the non-security expert break down and cry.
So what’s a hassled IS director with little time and no dedicated security staff to do? It may be as simple as attending a one-day security course or doing some research on the topic, says Mesec. "One of the smartest things you can do is do some reading and figure out what you can do cheaply to protect your network," he says. Mesec warns organizations against looking for a "magic bullet" solution to enterprise security. "If they want the most bang for the buck, what I always recommend is that they train their IS staff on security procedures… rather than buying a bunch of products." Simple things like policies for passwords and email can make a big difference in how secure an organization is, he says.
Adds Baker, chief investigator on a SAIC/UCSD security project for Internet access to patient records: "A firewall is only as effective as the security policy it is configured to enforce."
According to Mesec, there are four key components of a security program: "prevention" systems such as firewalls that block outsiders from the internal network; monitoring and detection systems, such as anti-virus software, that alert users or shut systems down in the event of a security problem; response systems, such as disaster recovery; and education.
User-friendly solutions coming…
Network Associates represents a growing trend of companies wanting to provide the whole security shebang through a one-stop shopping suite of products and services. The company has gone through a spate of acquisitions in the last year, including Pretty Good Privacy, Inc., the company that owns the popular PGP encryption, and Trusted Information Systems, a provider of firewalls, encryption key recovery and security training. Other players are Security Dynamics Technologies, Needham, Mass., which owns encryption giant RSA Data Security; and Secure Computing Corp., a consolidator in St. Paul, Minn. Big companies such as IBM, Sun and Cisco Systems also are getting more interested in security: Cisco picked up three security firms through acquisitions in the last year; IBM is making a big push in key recovery and digital certificate services; and Sun markets virtual private network, firewall and IP encryption tools.