Hackers: Should Agents Worry?
This month's question: How vulnerable is an independent agency's computer system to hackers? Should they care and what should they do?
A: Yes, many agents are very vulnerable to hackers. But, should agents stay up all night worrying about their networks? The answer is no. Should they consider the security of essential information in their agency? Yes.
The two primary areas of concern agents should have are for operating system vulnerabilities and an unprotected perimeter. An example of an unprotected perimeter would be where an agency has unwittingly exposed their computers to inbound access via the Internet.
Computers on the Internet communicate using certain "ports" in order to share information. However, vandals can use a special tool to search for such ports that have been inadvertently left open and gain access to an agent's computer system. It's important that users only expose those ports to the Internet that are absolutely necessary to the services the agency requires. The proper implementation of firewall software solves this problem.
There are two types of firewalls. Most agencies with multiple users sharing an Internet connection need a hardware-based firewall. This is a device that resides between the agency's network hardware and the physical connection to the Internet.
This typically does a very good job. What a lot of agencies forget, however, is their home connections, where they may have one person accessing agency information. The home computer should also have protection via a personal software firewall. There are a number of different products that fall into this category. Two that I am personally familiar with that work well are by Norton and ZoneAlarm.
Every agency should have a security policy in place. But before implementing this security policy, agencies need to develop a baseline, or a benchmark, through a security audit. The audit can be done by the agency itself, but it is recommended that this be outsourced to a third-party vendor. There are many network or security consultants available to do this.
The typical security audit includes perimeter testing, operating system vulnerability testing, as well as testing for vulnerability to authentication system subversion, which is essentially password cracking.
Once the audit is finished, a written security policy, which is a high-level plan for the agency's operation of its computer system and how it makes its information secure, is needed.
The security policy includes:
A definition of what is acceptable use of the Internet for users within the agency.
Guidelines for system administrators on how to manage the agency's systems.
Risk analysis that identifies an agency's assets, the threats that exist against those assets and the cost of asset loss.
And finally, guidelines for reacting to a system compromise.
Many organizations overlook numerous security exposures by limiting their security policies to the use of systems within the agency office. They need to realize that anyone working from home or using a mobile unit needs to fall within these guidelines.
Agents should realize that hackers are not looking to break into their industry. Hackers are looking to break into their systems or hardware.
Their purpose may be to steal the information within the agency's system or to use the system to launch a denial of service attack. A denial of service hijacks the agency's computer and launches an attack, let's say the sending of a massive number of pings, to another computer system. This is meant to clog up the other computer system's access so no one else can access it.
In the end, the damage a hacker might inflict upon an agency's system might range from a simple nuisance to the loss of data, defacement of the agency's Web site or a denial of service attack.
This answer was supplied by Steven Finch, vice president of Computers By Design Inc., based in Tampa, Fla.
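An added example, not part of the original column or supplied by its author: a Python check for the point above about exposing only necessary ports, listing services that listen on a non-loopback address outside an allowlist. The `ss -H -tln` sample and the allowlist are constructed; each finding is a port the firewall should block or a service to turn off.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (Linux); not taken from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 192.168.1.10:3389 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 *:8080 *:*
"""

# Hypothetical policy: the only ports this agency needs reachable from outside.
ALLOWED_PORTS = {443}


def split_local(field):
    """Split the local-address column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)


def is_loopback(addr):
    """True only for addresses that cannot be reached from another machine."""
    if addr == "*":  # wildcard: listening on every interface
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output, allowed_ports):
    """Return (address, port) pairs, sorted by port, that listen on a
    non-loopback address and whose port is not in the allowlist."""
    findings = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip blank or non-listening rows
        addr, port = split_local(cols[3])
        if not is_loopback(addr) and port not in allowed_ports:
            findings.add((addr, port))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT, ALLOWED_PORTS):
        print(f"review: port {port} is listening on {addr}")
```

A listener found this way is only a candidate for exposure; whether it is reachable from the Internet depends on the firewall in front of the machine.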
Got an agency tech question? E-mail Ara Trembly (atrembly@nuco.com) or Mark Ruquet (mruquet@nuco.com).
Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, December 5, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.