Security

Dear Bill: Tighten up!

How would you protect critical data from unauthorized access? Respondents to this Microsoft Challenge offered some creative solutions. Others were more realistic, suggesting better authorization and consistent security.


Last month, Microsoft stunned the world by admitting that hackers in Eastern Europe had successfully broken into the servers that hold the company's crown jewels—source code for Windows, Office, and early versions of next-generation .Net services. Microsoft claims the hackers didn't get away with anything valuable, but who outside Redmond really knows?

So for this week's Microsoft Challenge, I asked TechRepublic members to share their years of experience managing mission-critical data with Bill Gates and company. How would you protect critical data from unauthorized access? With tens of thousands of users, can you really run a safe, secure network? "Be creative," I said. "Be outrageous; be blunt." Maybe I should have added, "Be realistic," because more than half of the responses crossed the line into fantasy.

"Have them use a 300 baud connection," TechRepublic member mjs said. "There isn't a hacker in the world that would put up with that kind of wait." Others suggested ditching all Microsoft e-mail software, assembling a protective phalanx of Red Hat Linux firewalls, replacing e-mail communication with three-part carbon forms, and (my favorite) making the Windows source code freely available as part of the Open Source movement.

Great ideas all, but experienced Microsoft-watchers know that the odds that Microsoft would voluntarily take any of those measures is roughly equivalent to the chances that Bill Gates will give up his Lake Washington mansion for a trailer park in Tukwila. Not gonna happen, even if it does make fun reading. But three TechRepublic members zeroed in on key security issues that apply to any company, including Microsoft.

Remember, this particular security breach occurred because one or more employees allowed a password-stealing Trojan horse program to sneak onto the corporate network. After that, the crackers were able to masquerade as legitimate users accessing the network from a remote location. That's a huge flaw in network security, according to TechRepublic member erikdr, who argued forcefully for better authentication and authorization. "Userid/password might be enough for in-building access, but not for remote access. Use some kind of challenge/response system with a 56- or 128-bit key. Even a worm can only see the challenges and responses, not the algorithm inside the central CHAP server and the employee's authentication device (e.g., SmartCard or standalone calculator)."

TechRepublic member dlw6, whose name sounds like a top-secret spy agency, proposed "three layers of defense for the corporate network and an additional layer for R&D." First line of defense is "a DMZ between the edge router and a firewall....The firewall should require authentication using public key encryption for outsiders to get to the corporate intranet." Next, monitor the DMZ with an adaptive security product like Internet Security Systems' RealSecure "to detect suspicious activity and make a number of preconfigured responses in real time. Responses include warning the admins, reconfiguring the firewall, and cutting the connection via TCP Reset." For the third line of defense, "periodically perform proactive vulnerability testing with a network security scanner. This can detect users who change their configuration and, in the process, create security holes."

Finally, TechRepublic member mhawkins reminds us that humans are always the weakest link in any security system. "Many people would attempt to fix Microsoft's security breach by using a specific application or hardware designed to fend off attacks. Although technology is part of the answer, untrained or sloppy employees can defeat even the most secure network. They can simply turn off features designed to secure the network." His recommendations include consistent security policies with no exceptions (difficult when dealing with stubbornly independent developers), severe penalties for breaches of those policies, and ongoing testing "to find weaknesses before hackers outside the company can detect them."

My thanks to all the TechRepublic members who contributed to this week's Challenge.

Here's Ed's new Challenge
Last week, I asked for your opinions on how Microsoft can improve the Windows interface when it releases its next version, code-named Whistler, sometime in 2001. This week, I continue the theme, focusing on tools for power users and network administrators. What sort of utilities do you want to see included with the next version of Windows? Antivirus software? Firewall programs? If you've got a favorite third-party utility that deserves to be integrated into the OS, here's your chance to make your case. Be specific, and be sure to include solid reasons for your choices. Click here to tackle this week's Microsoft Challenge and take a crack at earning 2,000 TechPoints.

Editor's Picks

Free Newsletters, In your Inbox