The cold war may be over, but not all of the spies came in from the cold. They bought computers. One might be a mole in your organization, stealing information assets for a competitor or foreign government. Another could be sneaking through your network firewall as you read this.
These aren't scenarios for late-night movies or best-selling spy thrillers.
They're everyday occurrences in the real world. Last March someone broke into NASA's network and crashed 8,000 computers.
Incidents like these underscore the mounting concern CIOs have over the safety of the intellectual assets stored on their networks. Security experts say the number of incidents reported in the press are only the tip of the iceberg. The biggest threat, as much as 80 percent of all intrusions, comes from disgruntled employees who plant time bombs that explode after they leave or steal proprietary information before joining a competitor.
Such digital burglaries can often go undetected for months or years, like the recently publicized case of the high-ranking General Motors executive who copied an estimated 40,000 documents and took them with him to Volkswagen.
However, you can stop the tigers at your network gates and identify the trail of in-house burglars, if you have intrusion detection systems on your network.
Up until the last year or two, network intrusion detection systems were used primarily by select government agencies, the military, aerospace contractors and biomedical and financial companies. They were both expensive and difficult to maintain. And while they were high on CIO shopping lists, the finance folks considered such systems an extravagance.
That attitude is rapidly changing. With the arrival of less expensive off-the-shelf solutions, senior management is loosening the purse strings, says Jim Hurley, an industry analyst with Boston-based Aberdeen Group Inc. He estimates conservatively that the market for intrusion detection systems will double from US$50 million in 1997 to $100 million in 1998. Others predict the market could soar to a half-billion dollars by 2002.
Organizations that conduct Internet commerce or provide extranet access to business partners and remote employees are at the top of the risk ladder, says an April 14, 1998, report released by the International Computer Security Association (ICSA) in Carlisle, Pennsylvania. The report reveals that over the last year, 93 percent of 200 Web-connected small businesses, Fortune 500 companies and federal agencies surveyed had security flaws that left them vulnerable "to even the most rudimentary malicious attacks", in spite of the fact that all had firewalls at their network perimeters and good security policies in place.
"Intrusion detection systems won't stop determined hackers from tunneling through your firewalls, but they can alert you that suspicious activity is taking place," says William Boni, a Los Angeles-based intellectual property protection consultant for Coopers & Lybrand LLP. That gives you a chance to assess the threat and take appropriate action.
Intrusion detection systems generally consist of hardware probes and software that reside in a networked PC just inside a firewall. They scan incoming packets for signatures of known attack programs similar to the way antivirus programs hunt for signatures of computer viruses. These systems can be reconfigured to react in different ways when they detect suspicious packets.
They can be set to issue an automatic disconnect, reconfigure the access rights inside the router (which unfortunately warns the intruder that a security system is on to him), display an alarm on the management console and send e-mail and pager alerts.
"We use intrusion detection to tell us when there are violations to any of our standard security policies," says Jim Patterson, vice president of security and telecom for OppenheimerFunds Inc. of Englewood, Colo., which has $90 billion in investment assets. Patterson runs Axent Technologies Inc.'s OmniGuard/Enterprise Security Manager daily on all of his Unix, NT and Novell platforms.
"It tells us if there were any violations of any of our standard security policies," he says. Axent's Intruder Alert runs on all servers that have interfaces to the outside world. Patterson installed intrusion detection because OppenheimerFunds planned to expand securities selling to 3 million customers over the Internet. "We knew that could make us a tempting target, and I wanted to be prepared."

An IT executive with a major Midwestern bank holding company, who requested anonymity, agrees with Patterson. He admits to having detected several attacks since installing CyberCop from Network Associates Inc. "And we expect those to increase when we implement Internet banking for our customers," he says. "When you announce to your customers that they can get access to their accounts over the Internet, the hacker says, 'So can I.'"

Leading security experts recommend that you not disconnect all attacks the moment they're detected. See what the intruder is up to, even route him to a neutral server and capture all the IP addresses attached to the signature for possible criminal investigation by authorities, they suggest.
That might work for some companies, says the anonymous banker, but he prefers to disconnect intruders. "Attacks come in at all hours of the day and night, and usually [don't last] very long. Chances of a console operator seeing an attack happening are very slim."

Merger Mania

While incentives for beefing up network security are often compelling, there are several reasons why shrink-wrap intrusion detection solutions have been received cautiously by CIOs, says Aberdeen's Hurley. The industry is still maturing and there are too many niche players targeting point solutions.
Because development times for network security products are long, the industry has reached the consolidation and merger phase. In February Cisco Systems Inc. bought Wheelgroup Inc., known for its NetRanger product and a library of intrusion signatures, which Cisco can bundle with its firewall technology. That same month, Network Associates bought Trusted Information Systems Inc., which in October purchased Haystack Labs Inc., maker of the WebStalker product. Once these products are integrated with CyberCop, McAfee Associates Inc.'s antivirus products, Cisco's Centri Firewall and Network General's Sniffer products, the company will have the foundation of an enterprise security suite.
The remaining independents are Internet Security Systems Inc. of Atlanta, which has the lion's share of the intrusion detection market (35 percent, according to an Aberdeen survey), and newcomer Centrax Corp., in San Diego, whose cofounders developed some of the earliest intrusion detection systems for the U.S. government.
The result of these consolidations: Vendors can integrate a core set of products into an enterprisewide framework, similar to what Computer Associates International Inc. is doing in the system and network administration arena. But don't expect all the products to be alike, cautions Hurley.
"All have functional and management weak points," says Hurley. "The functional weak point is that no one supplier has a complete solution yet. They all have started from a strength." That strength may be proactive network scanning to find weaknesses; it may be reactive intrusion detection to determine what has happened.
It may even be vulnerability and risk assessment, which collapses the information gathered into a prioritized scheme that lets IS improve security in the network.
Some users express concern about how individual products will mesh with enterprise management architectures. They also worry about the ease of setting triggers, parameters and thresholds, and from which vantage point the product will scan the network.
That particular facet became a bone of contention with the anonymous banker, who ran a side-by-side comparison of two leading detection systems. "Basically, both saw the same stuff, and they recognized everything we threw at them. But in each case, each saw something the other didn't, and sometimes named them differently," he says.
And while he felt both products were relatively equal, he rejected one because the probe required him to poke holes in his own firewall in order to view incoming packets. That made him nervous.
Finding the Culprits
With respect to preventing potential inside burglaries, experts recommend placing the most valuable corporate information on one or more departmental servers with rigidly controlled access rights, possibly through an internal firewall layer. Intrusion detection systems that log event records can then provide information on unauthorized attempts to gain access to those servers.
While network-based intrusion detection systems are good at examining packets for signs of misuse, their reliability can be affected by encryption, which hides the packet contents the sensors examine. It's an issue that the vendor community still has to address. Another eagerly awaited enhancement: a software agent that sits on every desktop PC. It would monitor which workstations access sensitive files and which files are copied (and when), providing the kind of evidence it takes to put handcuffs on an industrial spy.
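As an added illustration (not code from the article or from any vendor it names), the toy scanner below shows the behaviour described earlier, signature matching on incoming packets with a configurable reaction per signature, and the encryption caveat just mentioned: a payload the sensor cannot read in the clear is never matched. All signatures, addresses and the XOR "encryption" are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Packet:            # one packet as seen by the probe just inside the firewall
    src: str
    port: int
    payload: bytes

# Constructed placeholder signatures (byte pattern -> attack name), standing in for the library of known attack-program signatures a real IDS ships with.
SIGNATURES = {
    b"EXAMPLE-PROBE-A": "sample-probe-a",
    b"EXAMPLE-SCAN-B": "sample-scan-b",
}

# Configurable reactions per signature: console alarm, e-mail/pager alert, automatic disconnect. Rewriting router access rights is omitted since it tips off the intruder.
POLICY = {
    "sample-probe-a": ["alert", "email"],
    "sample-scan-b": ["alert", "disconnect"],
}

def match(packet):
    """Antivirus-style scan: name of the first signature found in the payload, else None."""
    for pattern, name in SIGNATURES.items():
        if pattern in packet.payload:
            return name
    return None

def inspect(packets, policy=POLICY):
    """Scan a packet stream; return (src, signature, actions) for every detection."""
    events = []
    for p in packets:
        sig = match(p)
        if sig is not None:
            events.append((p.src, sig, policy.get(sig, ["alert"])))
    return events

def xor_obscure(data, key=0x5A):
    """Stand-in for encryption (constructed): the same bytes, unreadable to the sensor."""
    return bytes(b ^ key for b in data)

def scan_sample():
    """Run the scanner over constructed traffic; the obscured signature goes unnoticed."""
    packets = [
        Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.0"),
        Packet("203.0.113.7", 80, b"GET /?q=EXAMPLE-PROBE-A HTTP/1.0"),
        Packet("198.51.100.3", 23, b"EXAMPLE-SCAN-B"),
        Packet("198.51.100.3", 443, xor_obscure(b"EXAMPLE-SCAN-B")),
    ]
    return inspect(packets)
```

Only the two clear-text packets produce events; the fourth packet carries the same signature but, obscured, passes the sensor unnoticed, which is exactly the gap the article says vendors still have to close.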
Even so, intrusion detection systems are still just one piece of the security arsenal. "You need a comprehensive solution," insists Keith Bowyer, network infrastructure manager for The Money Store Inc. in West Sacramento, California.
Bowyer's solution includes intrusion detection systems alongside firewalls, strong authorization policies, file encryption and antivirus programs. When it comes to security these days, he laments, "you can't rely on a single solution like a firewall anymore."

Oppenheimer's Patterson concurs, echoing the importance of all the items on Bowyer's list. Intrusion detection systems, he adds, "are not a silver bullet, but they can add an extra level of comfort."

(Peter Ruber is a technology writer on Long Island, New York. He can be contacted at firstname.lastname@example.org.)