Auerbach Publications
© 2001 CRC Press LLC
08/01
formation and review it for quality control and engineering issues.
Further discussions proved that he knew when he last accessed the data
based on work habits and general memory. It was at this point that he
told me this had been going on for some time and he had just gotten
around to calling me. He wanted to try anti-virus programs and freeware
first so that he wouldn't bother me with a false alarm. Subsequently, we
collectively decided to access the system to try to determine what was
accessed and when.
The first thing we found was BackOrifice with basic plug-ins, which
led me to believe that this may not have been intentionally directed at
him, but rather at someone wanting to play with a wide-open Windows
system sitting on the Internet. We started checking files for access times;
many were accessed in the middle of the night several weeks ago. More
investigation turned up hidden directories and questionable e-mails he
had received sometime before. At this point, I simply stopped and told
him to assume the worst and try to think of anything else that may have
been on his system. It turned out that a backup of his TurboTax database,
not password protected, was on the system along with approved
human resource documents for employees in his department who had
recently received a raise.
The entire phone conversation lasted about three hours; that's all it
took. I suspect that the call to his manager was much more painful and
felt much longer. But was it his fault? His company provided him the
Internet connection and the VPN software, and access from home was
encouraged. It seemed logical to him and his manager. He needed access to
the Internet for research, and he typically got more done at home than at
the office. However, an unknown assailant on the Internet, who could be
either a hired gun to get the information or a script-kiddie who stumbled
into a pot of gold, accessed extremely sensitive information. In either
case, it was out there and could have an impact on the business for years.
SOLUTIONS
There is, of course, no easy solution to the security dilemma that is
presented by the implementation of VPNs. Even with sophisticated
technology, organizations still cannot stop hackers. They continue to access
systems in heavily protected networks with apparent ease. Much of this
can be attributed to poor design, gaps in maintenance, improper
configuration, or simple ignorance. In any case, with focused attention on the
perimeter, unauthorized access is still happening at an alarming rate.
Given this scenario of hundreds if not thousands of remote computers on
the Internet, what can be done to protect them? Simply stated, if an
internal network cannot be protected when the best efforts are thrown at
the problem, there is little hope in protecting the masses at home and on
the road.