Features: August 15th, 2003

Security As Part Of The Strategic Gameplan

By Jon Haynes

Meeting the Modernising Government Agenda and bringing services online by 2005 will enable citizens to choose how to interact with their council. The services range from tasks as simple as booking a squash court to complex processes such as paying council tax. All methods of communication, including face-to-face, telephone, email and Internet, will be available to citizens, allowing them to select their preferred method. The benefit to the local citizen is clear.

But what about the increased security risks to Local Authorities’ computer networks? Successful E-government means that highly confidential citizen information will be accessible online at all times. In addition, regulatory requirements such as the Freedom of Information (FOI) Act and the Data Protection Act (DPA) require newly created public records to be electronically stored. All of this means increased security risks to a Local Authority’s network.

Security threat

Placing all this information online makes Local Authorities a target, just like any other commercial organisation, for security ‘hackers’ anywhere in the world. In the private sector, heightened awareness of security issues and the need to safeguard mission-critical, highly confidential data has catapulted security to the top of organisations’ agendas. Despite this, companies are suffering from more security violations than ever before. The Department of Trade and Industry (DTI) recently reported that 78 percent of businesses suffered some form of breach, such as file corruption or stolen data, in 2002, compared to just 24 percent in 2000. Likewise, the public sector needs to recognise that it is just as vulnerable and that there is a need to put security measures in place to prevent security violations occurring.

Security options

Many private sector companies, faced with similar issues, have chosen to hire management consultants to take an external look at their organisation and assess where they are going wrong. For a Local Authority, with neither the budget nor the inclination to turn to a consultant, it is not so easy. Although the threat of potential security violations is clearly recognised, many Local Authorities have no idea where to begin. A casual glance across security options available will identify numerous security fixes for vulnerable networks. Detailed technology information, although useful for the knowledgeable user, tends to cloud the issue for many.

Putting security plans in place does not have to be a complicated or lengthy process. It does, however, require some forethought by Local Authorities and must be followed through in terms of a strategic security programme. For Local Authorities adopting a tick-in-the-box approach, there is a preconception that procurement of an IT security kit is enough. Unfortunately, this is not the case.

There are a number of options for Local Authorities looking to implement a successful and effective security strategy, depending upon their budget and expertise. A good, cost-effective solution is to sign up to an advisory service such as the Computer Emergency Response Team (CERT), a non-profit-making organisation set up by the US government and run by the Carnegie Mellon University. Organisations such as CERT supply information on how to protect an organisation’s system against potential problems and advise on what to do if a security breach occurs. This involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems and developing information and training to help improve security at a Local Authority’s site.

The advisory service takes the form of a free email, which is issued to anybody who wants to subscribe. However, although these services are a good source of information, they are just that. They do not give advice about how a violation will affect a Local Authority’s individual requirements or the business impact of a security breach.

Some Local Authorities may choose to employ a specific security administrator, responsible for updating their computer systems to respond to any threat. This is perhaps the most costly solution of all, but certainly an essential resource in today’s E-Government age.

Local Authorities can also employ an external third party to conduct vulnerability scans and penetration tests of their network on a regular basis. A vulnerability scan is an automatic process undertaken by a remote server with a library of known vulnerabilities, testing a network against each. These scans are usually carried out on each IP address and can take place daily, weekly, monthly or as often as the Local Authority chooses. These scans produce an automated report that can be used to close the system vulnerabilities down. The cost of these services is relatively low, due to their automated nature.

A penetration test will involve a person actually physically trying to hack into a Local Authority’s network using known hacking tools. Although this is a far more costly exercise, the tester will also use social engineering to break into the network. This can include calling up the Local Authority and finding out people’s names and trying to hack using common passwords (it is surprising to note how many people use “password” as their own password). At the end of this period, a Local Authority can expect a very detailed report, not just into the system’s vulnerabilities, but also the Authority as a whole.

Certain types of vulnerabilities are most common. If a Local Authority does not have a firewall, designed to prevent unauthorised access to private resources, it is most likely to be hacked within a matter of days. Hackers will scan entire IP address ranges and an unprotected network stands out like an elephant at a mouse convention. Hackers can take over servers or desktop machines and either access the servers at the root level and copy or delete all their data, or install malicious programs that will take over their machines and attack other networks.

For Local Authorities that have firewalls, these too can be exploited if they are not properly set up and monitored. Hackers can exploit known vulnerabilities and get the network to break its own firewall. Devices most commonly affected include the web server, email server, file and print servers.

When choosing an Internet Service Provider (ISP), Local Authorities need to have confidence that a service provider is protecting itself. If not, catastrophes can happen which can affect the Local Authority that partners with the provider. For example, public service bodies, such as the Police, often share links to a Local Authority’s website. In the event of a security breach at the ISP, both the Local Authority’s and its partner organisations’ networks could be affected. Local Authorities need to ensure that their provider fully explains its security procedures and its policies towards denial of service (DOS) attacks and unauthorised hacking. The provider will need to demonstrate that it has its own security administrator and is regularly auditing its own network.

Need for accountability

In summary, a Local Authority ideally needs to employ a security administrator if possible or, at the very least, somebody who is responsible for security of the network. This individual should have knowledge of all the Authority’s systems and all versions of software it operates, carry out regular network scans and change passwords frequently. Security alerts and patch announcements can be monitored through advisory services such as CERT, which are usually the best form of alerts, as well as through the vendor’s own advisory service. Third-party vulnerability checks can also provide invaluable insight into an unprotected network.

A final point to note is that a successful security programme is most effective if it has the full endorsement of the Chief Executive Officer (CEO) of a Local Authority. In addition, the person responsible for security needs to have an avenue to communicate with the CEO. Perhaps most importantly, a security policy needs to be enforced throughout the Local Authority. Each individual within the Local Authority has a role to play in maintaining a secure computer network. Numerous security technologies can be installed but if there is no uniform security policy across the Local Authority that everyone buys into and adheres to, a Local Authority will always be vulnerable.

Jon Haynes is Hosting and Security Product Manager at GX Networks UK Limited