
REPORT ON SOFTWARE
Network intruders nabbed by detection software
GRANT BUCKLER
Special to The Globe and Mail
The alarm went off, but the intruder didn't realize
he'd given himself away until security staff nabbed him red-handed.
No, it wasn't a robbery. It was a break-in on the
computer network of Saskatchewan Environment and Resource Management (SERM). And intrusion
detection software had found someone poking around in the network who shouldn't have been
there. Information-systems staff were able to pinpoint his location in minutes and called
the company where he was located.
It isn't always that simple, acknowledges Ian Bishop,
manager of systems for the province's Environment Ministry's northern region in Prince
Albert. Still, SessionWall, the intrusion detection software from Computer
Associates International Inc. of Islandia, N.Y., that spotted the
intruder, has alerted SERM to several others who otherwise might have gone undetected.
As companies get into electronic commerce, they must
link their internal networks to the outside world, making intrusion more of a concern.
High-profile hacker attacks
have helped draw attention to the issue.
Sales of intrusion detection products grew to $100-million (U.S.)
last year from $40-million in 1997, largely because of the growing incidence of
computer-security breaches, according to ICSA Inc., an affiliate of New York research firm
Gartner Group Inc.
An intrusion detection package alerts you to
suspicious activity on your network. "The way the Internet and networking in general
works," Mr. Bishop notes, "someone could be attacking you or attempting to
attack you and you really wouldn't know it until they've accomplished their
objectives."
Increasingly, intrusion detection packages are able
to create a record that will stand up in court, so that if you track down the intruder and
want to take legal action, you have useful evidence.
Kurt Ziegler, senior vice-president and general
manager of security software for Computer Associates, says this reflects changing
attitudes about how hacking can be fought. Although businesses used to believe they could
build intrusion-proof systems, he says, they now realize that sometimes the only recourse
is legal action after a break-in has occurred.
Prices for the detection products vary.
Network Flight Recorder Inc. of Washington sells a package by the
same name for $3,500. RealSecure, from Internet Security Systems Inc.
of Atlanta, costs $8,995 for the network component, plus $495 for components to monitor
individual computer servers.
At its most basic, an intrusion detection tool spots
something suspicious happening on the network and sounds an alarm -- by flashing a message
on a network manager's screen or possibly sending a page or dialling a phone number to
alert the right person. The software looks for sequences of data bits that indicate a
questionable action, such as an attempt to change a particular user's privileges or to
read a database of passwords.
This technique does have its weaknesses. For one
thing, it will not recognize a normally acceptable action taking place at a suspicious
time, says Patrick Taylor, vice-president of strategic marketing at Internet Security
Systems. For example, it may be reasonable for a certain person to retrieve financial data
when budgets are due, but software would not find it suspicious when the same person did
so at another time.
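
The weakness described above can be shown with a short added example (not from the article or any of the products it names): a signature pass over a constructed access log, followed by a context pass that checks when an otherwise acceptable finance read took place. The log format, the SETPRIV action name, the user names and the budget window are all assumptions made for illustration.

```python
import re
from datetime import datetime, date

# Signature rules: patterns treated as suspicious whenever they appear.
# SETPRIV is a hypothetical action name standing in for a privilege change.
SIGNATURES = {
    "password-db-read": re.compile(r"\bREAD\s+/etc/(passwd|shadow)\b"),
    "privilege-change": re.compile(r"\bSETPRIV\b"),
}

# Context baseline (assumed): when each user normally reads finance data.
BUDGET_WINDOWS = {"jsmith": [(date(1999, 3, 1), date(1999, 3, 15))]}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59

# Constructed sample log: timestamp, user, action, resource.
SAMPLE_LOG = """\
1999-03-02T14:05:00 jsmith READ /finance/budget.xls
1999-03-03T09:12:00 guest READ /etc/passwd
1999-06-20T02:41:00 jsmith READ /finance/budget.xls
1999-03-04T10:00:00 guest SETPRIV guest=admin
1999-03-05T23:30:00 jsmith READ /finance/budget.xls
"""

def signature_alerts(line):
    """Names of the signatures whose pattern occurs in the log line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]

def context_alerts(line):
    """Flag finance reads that fall outside the user's normal window or hours."""
    ts, user, action, resource = line.split(maxsplit=3)
    if action != "READ" or not resource.startswith("/finance/"):
        return []
    when = datetime.fromisoformat(ts)
    alerts = []
    windows = BUDGET_WINDOWS.get(user, [])
    if not any(start <= when.date() <= end for start, end in windows):
        alerts.append("finance-read-outside-budget-window")
    if when.hour not in BUSINESS_HOURS:
        alerts.append("finance-read-outside-business-hours")
    return alerts

def analyze(log_text):
    """Return (line, signature alerts, context alerts) for each log line."""
    return [(ln, signature_alerts(ln), context_alerts(ln))
            for ln in log_text.splitlines() if ln.strip()]

if __name__ == "__main__":
    for line, sig, ctx in analyze(SAMPLE_LOG):
        print(f"{line}\n  signature: {sig or '-'}  context: {ctx or '-'}")
```

The three finance reads are identical as far as the signature pass is concerned, so it raises nothing for any of them; only the context pass separates the read made during the budget window from the two made at unusual times.
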
Marcus Ranum, chief executive officer at Network
Flight Recorder, says some products simply analyze the individual packets in which data
travel over most networks. Although this will catch simple attempts at intrusion, there
are relatively simple ways to fool such systems, he says -- such as by sending extra
characters that disguise the pattern for which the software is looking.
More flexible packages let you tell them what to look
for. This gives you more leeway to try to outwit intruders and, Mr. Bishop says, also lets
you stop false alarms that such packages can generate when they see patterns that look
like illicit activity but in fact are simply something legitimate but unfamiliar.
This flexibility also means the software is not
limited to watching for outside intruders. It also can spot improper behaviour by
employees -- which, Mr. Bishop says, is really a larger problem.
Intrusion detection is just part of the puzzle
because it can only warn when security is breached, not stop intruders. It should be
coupled with network "firewalls" that stop unauthorized traffic from passing
between internal and public networks, and with passwords to control access to computers
and data. This is why International Business Machines Corp. of
Armonk, N.Y., plans to incorporate the CrossSite For Security intrusion detection software
from its Tivoli Systems unit into a suite of security tools called SecureWay FirstSecure,
says Bob Kalka, product-line manager for security products in IBM's software group.
The most important warning about intrusion detection
software is that it is no substitute for doing all you can to make your systems hard to
penetrate. Mr. Taylor likens it to a home burglar alarm: "Even though I turn on the
alarm," he says, "I still go check the doors every night to see if they're
locked. . . . You should think the same way about your network."