Sitting Ducks

by Cassimir Medford

There is a dark side to the fast, always-on broadband connections that are quickly creeping across the communications landscape: they’re turning small businesses into sitting ducks for a growing army of Internet predators. Customers seeking the benefits of the Internet and e-commerce are flocking to high-bandwidth, low-priced services, but many don’t realize that, in the process, they’re opening up their internal systems to outsiders. Businesses need to be diligent, vigilant, and smart to keep themselves secure.

“The fact is broadband customers are out there on very naked connections with absolutely no protection from their carrier or ISP,” says Ronald Ruprecht, vice president of vulnerability assessment for Global Integrity, a Reston, Va., security firm. “Carriers take no responsibility for their customers’ security, so small businesses should be very vigilant. They are out there at the whim of the hacker.”

Even the mighty are susceptible to the efforts of clever hackers. Recently someone (or ones) actually gained access to Microsoft’s internal network and stole valuable, secret source code. The company and the FBI are still investigating how much damage was done, but investigators are focusing on a “Trojan Horse” program that may have compromised an employee’s laptop. Security analysts speculate that the program, which transforms a computer into a gateway for hackers, was transferred to the computer via a broadband connection.

If Microsoft can be compromised, small businesses should be vigilant at the very least and take precautions. While they may believe that they can avoid trouble by keeping a low profile on line, this isn’t necessarily true. “A common misconception that a lot of small businesses have is that they have to announce their presence on the Internet to be at risk,” says Greg Vogel, development manager for security and utility software maker Symantec. “They believe that they can go low-key — get e-mail, do some Web surfing — and no one will know they are there. There are people with very easy-to-find tools out there looking for them.”

The “always-on” aspect of broadband services such as cable modems and Digital Subscriber Lines (DSLs) has made them attractive, but “always-on” has come to mean “always vulnerable” to security experts. “Broadband makes things a lot easier for the hacker,” says Polymorf, a white-hat hacker who requested anonymity (see sidebar). “It is inherently insecure.”

Open Season
Hackers have found happy hunting as broadband adoption rates continue to grow. Cable modems currently lead the market, but they’re mainly consumer services with few business customers. DSL, after a slow start, has taken off. Though still not universally available, DSL should continue to increase in popularity. The number of subscribers will grow from around 300,000 in 1999 to about 3.3 million in 2002, the Yankee Group predicts.

DSL prices for business users range from about $100 a month to $1,000 a month, depending on speed, which ranges from 128 Kbps to 1.5 Mbps. ISDN, by contrast, took more than a decade to become available and affordable to small businesses and still costs about $100 a month for the line and an additional $200 per month or more for 128 Kbps service. T1 lines targeted at business customers offer faster speeds but start at $1,250 a month and top out at $3,000 a month. That isn’t affordable for most small businesses: Analysts say that after almost two decades of availability, only 10% of small businesses have purchased T1 service.

DSL has proven to be a major hit not just among small businesses but also among large businesses that use it as a link to remote offices or as an Internet-access technology. It’s taking “always-on” network access to the hinterland of the American business landscape and holds great appeal for small and midsize businesses that don’t have or need complex and expensive private networks or super high-speed network connections. Unfortunately, these companies also may not have the technological know-how to understand the way that a new, fast line can compromise their security.

With dial-up connections, businesses change IP addresses every time they connect to the Internet, so they can hop on and off the Internet or the corporate VPN before hackers can locate them and get a clean shot off. With broadband, however, they are sitting out there on a statically defined IP address, “always-on” and very attractive to hackers. Many companies discover that broadband services, which strip away the built-in anonymity of dial-up access, pose tough challenges, but there are defenses.

Once More Into the Breach
Unless you specialize in some sort of crucial intelligence gathering or in an industry in which your stock in trade is lucrative intellectual property, serious hackers are probably not out there looking for you. Your problem is that thousands of hackers make anonymous, usually automated, attempts to breach your computer’s security. They may do it solely for kicks or for some more insidious purpose. So-called denial-of-service attacks, for instance, use idle broadband-connected PCs as drones from which they can launch programs that bombard Web sites with hits. (I recently installed a personal firewall on my own computer, which is connected to the Internet via Verizon DSL, and discovered I attract at least five attempted intrusions per day.)

Shakespeare and Co., new to the world of broadband access, doesn’t expect to be attacked by hackers. Nevertheless, the company has taken action to limit exposure to its critical systems. The Manhattan bookseller occupies a precarious market niche, surrounded by national superstores such as Barnes & Noble Inc. and Borders Inc., which have used economies of scale to drive many small booksellers out of the market. Shakespeare and Co. has survived by seeking specific markets to escape the unrelenting price competition in an industry notorious for its thin margins.

It must keep this high-wire act going in an area where real estate is among the most expensive in the world and changes in market conditions must be quickly communicated. The company had been using ISDN supplied by local telephone company Bell Atlantic (now Verizon) and was unhappy with the cost and performance of the service. It switched to a DSL-based virtual private network at the first opportunity.

“Our ISDN performance was sporadic,” says Bill Spath, co-owner of Shakespeare and Co. He says the phone company assigned Shakespeare and Co.’s network ID number to another company. “Many times we had no service, and it took Bell Atlantic weeks to figure out the problem.”

That was unacceptable. “The network is critical to us,” Spath says. “We run all our sales reports off a single computer at our main site, so when we had the opportunity to switch to a DSL virtual private network, we did.”

Shakespeare and Co. hired Public Access Network Corp., a New York network services firm known as Panix, to install and manage its DSL connections. Shakespeare and Co. opted for firewalls and a relatively closed system with a limited area of exposure to the outside world. Panix installed R7100 SDSL routers from Netopia Inc., which cost $400 to $900, as the basic building blocks of a DSL-based VPN. The routers have built-in firewalls that provide the first line of defense against hackers. “As long as you configure it correctly, a firewall provides a lot of protection,” says Bill Kurland, the other co-owner of Shakespeare and Co. “We aren’t offering any exotic services. We’re only getting mail and Internet access from the outside, so it’s tough to break in.”

Firewall Protection
Firewalls are the best way to protect exposed networks. “A firewall is your first and best investment,” Polymorf says. “Using a firewall generally increases the user’s awareness of security issues. The firewall will assist you in knowing what the vulnerabilities are. With that knowledge, you can adjust the configuration to arm it for problems against which it may not currently protect.”

Like everything else in this crowded market, firewalls run the gamut in price, quality, and ease of use. Check Point Software Technologies Inc.’s Firewall-1, a complex but feature-rich product, starts at $2,995. Symantec Inc.’s Norton Personal Firewall (priced at $50) and its firewall suite, Norton Internet Security 2001 ($70), may be suitable for small businesses that require uncomplicated protection. They are easy to configure and come with default settings that allow basic protections.

Be aware, however, of exactly what the firewall keeps out and what it lets in, and don’t depend on it as your sole anti-hacking tactic. “Firewalls are only as good as the person implementing them,” says Todd Waskelis, vice president of managed security services for Network Security Technologies (NETSEC), a computer security firm in Herndon, Va. “You have to stay on top of everything. There are a lot of devices and software you can load on your machine, but it can’t be a ‘fire-and-forget’ kind of mentality.”

Locking Down
Any number of minor or overlooked problems can compromise a system — even one protected by a firewall. For instance, running certain operating systems on servers or PCs connected to the Internet can compromise networks that aren’t configured correctly.

Services-laden operating systems such as Windows NT, 98, and 2000 can open businesses up to attack as soon as they install the systems. High-end operating systems often come with advanced services, including file transfer protocol (FTP), Simple Mail Transfer Protocol (SMTP), and protocols such as NetBIOS, active by default. These services are crucial to the operation of any networked PC. FTP assists with file transfer, SMTP is the protocol the Internet employs to send and receive e-mail, while NetBIOS is one of the ways a computer addresses the network.

But if the connected computer isn’t being used as an FTP server, for instance, that service should be shut down. Otherwise, it can create an area of unnecessary vulnerability for companies of any size. “Services are usually what get exploited by hackers,” Waskelis says. “The default, out-of-the-box install for Windows NT and 2000 offers too many services to be considered safe. Services such as NetBIOS, where another machine can easily connect to your machine and retrieve information such as user names, need to be adjusted. Keeping too many open makes you vulnerable.”

Waskelis recommends turning off the services that aren’t in use and configuring the system to resist attempts to exploit services that are open and in use. Technology managers should institute rules and policies on all machines to restrict access in and out of certain ports on the machines. The process is called “locking down” the network, and it is absolutely essential.
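The lock-down check Waskelis describes, sketched as an added example (not part of the original article): the script reads `netstat -an` output, skips loopback-only sockets, and reports every network-reachable listener that is not on the list of services actually in use. The sample output and the allow-list are constructed for illustration; the port numbers are the standard IANA assignments for FTP, SMTP and NetBIOS.

```python
import re

# Well-known ports for the services the article names (IANA assignments).
SERVICE_PORTS = {21: "FTP", 25: "SMTP", 137: "NetBIOS name service",
                 138: "NetBIOS datagram", 139: "NetBIOS session"}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      203.0.113.7:80         ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s*(\S*)\s*$")

def listening_sockets(netstat_text):
    """Yield (proto, address, port) for sockets accepting inbound traffic."""
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, state = m.groups()
        # TCP must be LISTENING; UDP is stateless, so any bound socket counts.
        if proto == "TCP" and state != "LISTENING":
            continue
        yield proto, addr.strip("[]"), int(port)

def audit(netstat_text, allowed_ports):
    """Return (proto, port, service) for reachable listeners not on the allow-list."""
    findings = set()
    for proto, addr, port in listening_sockets(netstat_text):
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only: not reachable from the broadband link
        if port in allowed_ports:
            continue  # service is in use by design
        findings.add((proto, port, SERVICE_PORTS.get(port, "unknown service")))
    return sorted(findings, key=lambda f: (f[1], f[0]))

if __name__ == "__main__":
    # Assumption: this machine is a mail server only, so just SMTP is needed.
    for proto, port, name in audit(SAMPLE_NETSTAT, allowed_ports={25}):
        print(f"{proto}/{port} ({name}) is open but not in use: disable or filter it")
```
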

Staying On Top
Locking down a system and protecting it with a firewall requires not only a fairly intimate knowledge of the potential vulnerabilities of the network but also a good working understanding of operating systems and Internet protocol. For small companies, that may mean hiring outside experts such as NETSEC and Panix. Larger ones may hire or train an in-house expert. In any case, someone must be responsible for making the tough decisions and following through on them.

Decision-makers at Shakespeare and Co. had security in mind even when they chose a Mac as mail-server hardware. Security experts say Macs are less open and tougher to crack than PCs that run the Windows operating system. The store’s mail server also faces “inward”: It serves only the company’s employees.

Another strategy a savvy IT expert can use to protect the company is setting up Network Address Translation (NAT) through routers. NAT is a method of “spoofing” hackers (in other words, deceiving them) by using a published IP address on the Internet and a different, hidden one internally. If a hacker tries to compromise the machine through its published IP address, he comes up empty.

But security is a moving target, so what passes as locked-down security today could be an open invitation to a hacker tomorrow. Whoever is in charge of security needs to stay up to date.

A Moving Target
Consider the cost of firewalls and other security measures as simply part of the cost for a broadband connection. Further, take into account how much you’ll have to spend on tech support or sending IT staff to ongoing training. For most small businesses, complex firewalls like Firewall-1 would require expert input from an outside source, but not every company needs to look outside for expertise.

Comtelligence LLC in Garden Grove, Calif., a 15-person company, both sells and uses DSL services. So it’s hyper-aware of security problems. “We’re a technology company, but we’re also a typical small business,” says Don Reese, Comtelligence’s manager of technical services. Comtelligence has two locations it needs to protect: its corporate offices and its computing and communications facilities at a data center owned by Qwest Communications International Inc.

Reese believes that most companies that use DSL can be adequately protected by a router-based firewall, but for companies with large, highly available, and highly vulnerable systems, he would recommend more complex ones. These tactics will become commonplace in the next few years as millions of businesses and consumers use DSL, but they require extra work and attention from network managers.

Attack programs change, and because computers are connected around-the-clock, attacks can come at any time from anywhere. Businesses must keep vigilant if they want to protect themselves.

The best way to avoid being a sitting duck, after all, is to become a moving target yourself.
