Monday, April 30, 2001		Article

Part1
Rely on e-security to avoid ‘intruders’
By H.S.Jatana

THE Internet is a collection of loosely connected networks that are accessible by individual computer hosts in a variety of ways — through gateways, routers, dial-up connections, Internet service providers. These are accessible to anyone regardless of national or geographic boundaries or time of day. This aspect has both advantages and disadvantages. Risks involved are that valuable information may be lost, stolen, corrupted or misused.

Today we find that information available on networked computers is more vulnerable than the same information locked in a file cabinet. Over the Net anyone can steal or tamper with information without touching a piece of paper or a photocopier. "Net burglars" can create anonymous files, carry out the desired crime and do not have to fear of leaving any physical evidence or being chased by police dogs. It is easier to detect and delete any electronic clue.

Seemingly innocuous information on the Net can expose a computer system to compromise information that intruders find useful, including the hardware and software being used, system configuration, types of network connections, phone numbers, access and authentication procedures. Security-related information can enable unauthorised individual to get access to important files and programs, thus compromising the security of the system.

No one on the Internet is immune. Banks and financial companies, insurance companies, brokerage houses, consultants, government, contractors, hospitals, and utility companies can be the most affected.

A typical attack pattern consists of gaining access to a user’s account gaining privileged access and using the victim’s system as a launch platform to accomplish all these steps manually is as little as 45 seconds.

The damages inflicted by an "attack" can vary from loss of time in recovering from the problem, decrease in productivity, significant loss of money or staff hours and a devastating loss of credibility or market opportunity.

Counter-measure available is e-security. Just like any physical body that can be given security, electronic data and e-transaction too can be provided with e-security.

Security can be provided at three levels —

• Client side
  
  

• Application side
  
  

• Network level / rooter level

Three basic security concepts important for the Internet to function are confidentiality, integrity and availability. Concepts relating to the persons who use that information are authentication, authorisation and non-repudiation.

This occurs when information is read or copied by someone not authorised to do so. This can occur with information where confidentiality is an important attribute like in research data, medical and insurance records, new product speculations and corporate investment strategies. It may also happen in credit cards like banks and financial institutions, agencies that collect taxes, etc.

Information on an insecure network can be corrupted. Modification of information in unexpected ways is known as loss of integrity. This means that unauthorised changes are made to information, whether by human errors or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronics funds transfers, air traffic control and financial accounting.

Information can be erased or made inaccessible resulting in loss of availability. This means that persons who are authorised to get information cannot get what they need thereby meaning that they are subjected to denial of service. Availability is often the most important attribute in service-oriented business that depends on information (e.g. airline schedule etc). Availability of the network itself is important to anyone whose business relies upon a network connection. When a user cannot get access to the network or specific services provided on the network, they experience a denial of service.

It is difficult to characterise persons who cause such incidents. An intruder may be an adolescent who is curious about what he can do on the Internet, a college student who just created new software tool, an individual seeking personal gain, or a paid spy seeking information for monetary considerations. The reasons can be many — entertainment, intellect challenge, sense of power, political attention, or financial gain. They are often called hackers.

In the next issue we will deal with the types of incidents and the vulnerability of the Internet