
Surfing the Net and Other Dangerous Computer Tricks

Everyone knows that over the past few years, the Internet's World Wide Web (WWW) has become a household term. Just a few short years ago, the Internet was some mysterious entity to those few who knew about it. Today, the Web helps students and professionals alike do more research with less cost and effort than ever before. The Web draws crowds to coffee shops and provides a common, virtual meeting place for like-minded people of all stripes. Even those who don't know anything about computers want to Surf the Web, so vendors have introduced or are introducing television sets with built-in web browsers. From obscurity to fame in a few short years. How can something so useful, so inexpensive, and so popular be anything but good and fun? Read on.

Client Becomes Host

In computing, surprises are seldom good. Over the last two years, powerful new technologies have brought web pages to life. Java and ActiveX are two such examples. Now, a web site can launch a mini application (applet) or a script that executes on the client. This applet can perform an alarmingly wide range of functions. It can investigate your local hard drive, investigate any mapped drive on any attached server, survey the local computer's architecture and attached peripherals, and compile a list of installed software. In short, it can obtain confidential, even proprietary information, without the user's knowledge. Surprise! Your client browser has just become a host.

One WWW site even demonstrates the power of ActiveX by exiting Windows and powering down the computer of any Windows 95 user accessing the site using Microsoft Internet Explorer 3.0. Java programs can be just as devastating, taking advantage of the user's network privileges to retrieve files and transmit them. All of this occurs, of course, without the user's permission.

Scary? Of course. Preventable - not completely, but adequately. A combination of user awareness training, web browser configuration requirements, and a solid Internet policy can provide sufficient protection. In extreme cases, logging off of servers containing sensitive information may be required. Usually, some good sense and reasonable precautions bring the risk down to acceptable levels.

Viruses, Cookies and Other Surprises

All the while, don't neglect to use the protections already at your disposal. Downloaded files, executable or otherwise, can become troublesome sources of virus infections. Tackle that problem by installing resident Anti-Virus detectors - do not rely on regular scanning. Enable virus detection upon download and within compressed files.

Ensure that browser security features are enabled, and that security warnings and alarms are set to appear and not disabled. Train users to disable Java and ActiveX except when visiting trusted sites. Warn your users to reject cookie files from any unknown web site. Accept them only from sites that have a reasonable level of trust.

Watch for Changing Technology

On mountain roads, motorists are instructed to watch for falling rocks. On the Information Superhighway, the best advice is to watch for changing technology. The new browser and new features can cause more damage than a falling rock.

Connecting a Business to the Internet

What about business use and connecting legacy systems to the Internet? Each day that passes, we hear from companies grappling with the issue of whether to connect their business systems to the Internet. Some are developing WWW sites of their own; others are considering making their mail systems Internet accessible. Still others are trying to find ways to use the Internet for commerce. All face the same issue: can Internet connections be secure?

Internet security is the topic of many discussions. Some of the discussions are among knowledgeable professionals and are held within useful meetings, evaluations and conferences. These discussions help companies make informed decisions.

Other discussions are quite different. They take the form of sensationalism, or are inadequately researched articles on the latest security features and failings. On one day, there were two stories from major news organizations about Internet security. One story included the statement, "…on-line credit card use is actually no riskier for consumers than traditional 'low-tech' transactions." The other stated, "The business stakes in the Internet security gamble are high…Businesses connecting to the Internet need to tackle security issues head-on rather than ignoring them as is often the practice today." Whom should you believe?

Public Reactions

When the latest Netscape Navigator 2.0 security vulnerability was discovered by Princeton University researchers in late March, Netscape announced they would provide a software fix within days. This was the third major Navigator 2.0 vulnerability to be discovered since the version was released. The discovery was widely acknowledged to be an important security flaw in the software.

The reaction was quite different on another occasion. When security experts discovered a file containing 10,000 valid credit card numbers in a hacker's computer, local authorities said there was no real threat since none of the credit card numbers had been used.

Internet security is a fuzzy subject to the general business computing community. It is quite clear, however, that there are major security issues to be understood and solved during any business connection to the Internet.

But, is it safe?

A Level of Security

Every system can achieve some level of security. The key is to attain a security level that is appropriate for the systems involved. A WWW page that represents your company to the world, but is not directly linked to any other internal systems, requires a level of protection very different from the protection required for your corporate financial systems.

This does not mean that your public page requires no protection. On the contrary, your image often depends upon the state of your web page. Electronic graffiti, other unauthorized tampering with information, and denial-of-service attacks can be embarrassing to your company, even though no "sensitive" internal files were damaged.

The safety protections your Internet connections require depend upon the systems involved. Perform a security assessment on your company systems, assign levels of sensitivity to your information, and use that information to determine the levels of trust your connection needs.

Insist upon the level of safety and security you need, but no more. This is the road to cost-effective security. This is how you can answer the question, "Is it safe?"

Copyright © 2002-2007 Michael Miora