CYBER SECURITY
Are We Safe Enough?

The security of government computer systems comes under greater scrutiny amid the global campaign against terrorism

By AKSHAY SHARMA

One major fall-out of the September 11 attacks in the United States has been a growing focus on the need to ensure the security of government computer systems. There were notable security weaknesses in such systems, including Internet networks, well before the horrific suicide attacks in New York City and Washington DC. The global campaign against terrorism has revitalized efforts to thwart attacks in cyberspace. Nepal, too, has been stepping up efforts to ensure cyber security.

"Government computer security systems are quite easy to get into," says a 24-year-old Kathmandu University graduate working for a leading computer firm in Kathmandu, on condition of anonymity. The arrest of a hacker a few weeks ago has highlighted the urgency of drawing up proper security measures and instituting effective legal measures to fight cyber crime.

Money is the main reason why many companies choose to overlook Internet security altogether. While it's true that computer security audits are usually costly, they're important because they identify security weaknesses and benchmark where the company needs to make improvements.

"The Nepalese government has never thought of a program to regularly inspect the computer systems of government agencies and reports their findings to," says Sayyed Nabed Shah, a computer science graduate. "There has been growing media attention on security issues recently. Yet not much coverage is given to the really important stories, such as attempts to deface government agency Web sites in recent years," he adds.

"Another glaring omission in many of these reports is the notable security breaches of government contractors in the past year.
One interesting report concerns a breach of security that allowed hackers to access a large amount of the source code for a noted satellite and the defense secrets of an organization," says another computer expert.

In a recent speech at Microsoft's Trusted Computing Conference, Richard Clarke, the Bush administration's special adviser on computer and Internet security, reiterated his call for a separate Internet for government use. If the private sector follows the lead of the government, many analysts say, it's doubtful that the Internet will continue to be the business tool it is.

"Segmenting the Internet into a public and private version does not address the core problems with Internet security. Unless the problems of government computer and network systems are addressed, it makes no difference whether the government physically or logically separates its networks from the rest of the Internet," says Shaket Shrestha, who recently completed computer studies abroad.

Good computer and Internet security can be expensive, but in the long run, the only way to solve these security issues is to fix them at the source rather than trying to hide from them. "It's time for the government in Nepal to focus on the security of the Internet services used by governmental agencies," a network security manager says.

In Denial of Service (DoS) attacks, hackers flood Web servers and networks with sudden and overwhelming bursts of network data, slowing down server performance and eventually crashing the Web site. Unlike a virus or worm, which can cause severe damage to databases, a DoS attack only interrupts network service for a limited period. Even an hour of service outage can mean serious losses and angry customers. In February 2000, DoS attacks took down five of the 10 most popular Web sites in the world, including Amazon, Yahoo, and eBay.
Yankee Group has estimated that these attacks have caused at least $1.2 billion in lost revenues and subsequent drops in market capitalization.

Hackers gain unauthorized access to computer resources to steal data or sabotage systems. According to current research, in early 2001, as many as 210 hacker groups made attacks on about 1,280 Web sites across the world. While we commonly associate hackers with the image of a professional cyber terrorist, we now know that there are a variety of different kinds of hackers with different motives.

A forensic psychology expert describes one type of hacker: the so-called "script kiddies," who have little hacking skill. They use other hackers' programs and like to cause malicious damage such as defacing Web sites. Security experts attribute the rise of this threat in part to the proliferation of simple, point-and-click programs that make it easy to exploit known holes in server software. The temporary shutdowns of Amazon, eBay, and Yahoo in 2000 were blamed on script kiddies armed with software they downloaded from the Internet.

Insiders: Malicious hackers are not the only threats to companies. Disgruntled company insiders like current employees and former workers often represent the most dangerous security threats. They understand the business and how the computer systems work and, more importantly, they have authorized access to network resources and critical company information. In-house security breaches account for 70 to 90 percent of all security breaches, according to experts. The percentage is probably even higher than that because most insider attacks go undetected. Strategies said for every in-house attack reported, as many as 50 go unreported or undetected. "The majority of high-value breaches -- those costing $250,000 or more -- are perpetrated from the inside," says Shah, "because insiders often know how and where to access the most valuable data."

Virus and worm attacks cost businesses up to $17.1 billion in 2000, according to an independent research firm based in Kathmandu. The costs incurred include cleaning viruses from computer systems and networks, restoring lost or damaged files, and lost productivity of workers caused by system outages and downtime. "It is estimated that the Code Red worm and its variants have infected 760,000 servers worldwide to the tune of $2.05 billion in system repairs and lost productivity. The Love Bug attacks, including the 50-plus variants of the virus that rampaged through systems worldwide in May 2000, have cost businesses up to $8.7 billion in lost productivity and system repairs," says Shah.

All your firewalls, virus scanners, and encryption measures are useless if a malicious individual gains unauthorized, physical access to your premises and destroys or steals computing equipment, including all the valuable project data contained within. "Sometimes, data thieves don't even have to break into the office. Portable computing and information devices like laptops and PDAs make it easy for your remote team members to touch base with your project and exchange files, plans, and information. But this portability also makes it an easy target for data thieves, especially in conferences and airport lounges where a moment's inattention can give thieves the chance to walk away with your equipment and gain easy access to all the confidential information stored on the portable machines," says Shah.

The situation gets a little more critical if your machines are set up to access corporate networks via a remote dial-up or virtual private network (VPN) connection: The data thief is potentially only one click away from all your project secrets, since any password mechanisms you have can be easily defeated by the plethora of password-cracking tools available on the Internet, say experts.

"Information is power" is the slogan of the century, and contrary to what many people may think, Internet security isn't the sole responsibility of the IT staff. You can't simply throw inexpensive firewalls and antivirus software at the problem and hope that everything will turn out for the better. Effective security requires a comprehensive, holistic policy.

Send your feedback to the editor: spotligh@mos.com.np