Small & Home Office
The Bad News: Desktops and Laptops May Now Be Vulnerable to Security Threats
The good news: relatively simple steps can dramatically reduce your risk.
By Eric Steele and Thomas Scharbach
UNTIL RECENTLY, few small to mid-size firms or home-based lawyers needed to worry about computer security beyond protection against viruses and e-mail interception. Networks were "local" and used relatively safe dial-up connections. Internet hackers focused on large enterprises and Internet servers.
But the picture has changed. Desktop and notebook computers connected to the Internet now are at risk. The new danger arises from a combination of factors:
- The availability of high-speed "always on" Internet connections means that desktop and notebook computers are exposed to risk for longer periods of time.
- Computers often are linked to local networks at work and at home, and networked configurations open additional windows for hackers to exploit.
- A variety of new and sophisticated tools allow hackers to explore large numbers of computers for security weaknesses in a short period of time.
The good news: Relatively simple steps can dramatically reduce risk.
Dial-up connections are relatively safe when compared to high-speed connections. Dial-up Internet sessions are typically short, and most dial-up connections randomly assign a new Internet address to a computer each time the user signs on, frustrating hackers who use "robots" to identify Internet addresses worth exploring, and then return to those Internet addresses at a later time to hack. Less time online means less exposure to hacking.
By contrast, cable modems, ISDN/ADSL lines, and in-building fiber optic networks are connected to the Internet 24/7, and typically use fixed Internet addresses, ensuring that the computer will be at that address when the hacker returns.
Hackers are opportunists who look for valuable information that is easy to get. Law firm computers typically contain files that fit hacker profiles: files with "confidential" headers; client social security numbers and tax identification numbers; tax data, etc. Most of this information is not encrypted. The nature of the information contained on law firm computers lights up the radar on hackers' automated scanners; automated scanners can scan millions of computers.
Most academic, corporate and military servers use operating systems that are designed to protect sensitive information from outside intrusion, and also are protected by sophisticated monitoring software and firewalls. Not so with desktop and notebook computers, because the Microsoft Windows 95/98 and Windows NT Workstation default network configurations were optimized for ease of use and sharing information among computers on local networks. As a result, security protections are relatively weak unless special precautions are taken to protect the computers. (Note: The new Windows 2000 operating system includes new security functions).
Vulnerability arises, for the most part, from: (1) insecure Microsoft networking configurations that enable the computer to operate on both the Internet and a local network without building a wall between the two, and (2) applications that open "doors" into the computer independent of network configuration -- applications like personal Web servers, Internet Relay Chat, Telnet, Web browsers, file transfer protocols, e-mail, remote access and so on.
Insecure network configuration presents the greatest risk because network configuration errors are so common that hackers typically set automated scanners to probe that single vulnerability efficiently. Scanning for doors opened by applications is less common, although security holes in Microsoft Web Server and Microsoft Outlook are targeted with enough frequency to be a realistic concern. Other doors are less common and harder to open.
The vulnerability is greatest when two conditions are met: the computer is configured to connect to both the Internet and a local network using Client for Microsoft Networks; and file and printer sharing is enabled.
Computers using Windows 95/98 and Windows NT Workstation default to an open network configuration. The reasons for the open network configuration are sound -- default configurations were designed for ease of use and easy local networking for smaller businesses and SOHO/home users. They were designed to reduce the need for technical knowledge when installing/maintaining the computers and networks rather than for tight security.
Windows networking default settings bind all active components on each layer to all active services on the other layers. The default settings bind the active Network Services Layer to the Internet's TCP/IP Transport Layer Protocol, opening the individual desktop and notebook computers connected to the Internet (and by extension, every other desktop and notebook computer on the local network with that computer) to hacking from the Internet.
A computer configured in "bind everything" mode is vulnerable whenever it is connected to the Internet, even when not attached to a local network. For example, a lawyer who takes a notebook computer home from the office and logs on to the 'Net to check e-mail is vulnerable if the notebook is not properly configured. Because the vulnerability is in the computer itself, law firms and law departments cannot depend solely on network firewalls at work for protection -- any computer that connects to the Internet when outside the network is open to hacking.
The key to safeguarding desktop and notebook computers using Microsoft networking under Windows 95/98/NT Workstation is to (1) configure Windows to "unbind" the components needed for the local network from the components needed for Internet access, if feasible, and (2) if that is not possible, use a "personal firewall" on the computer.
Key #1: Configure Windows to Reduce Risk
The first alternative, while not always possible, is the simplest and most effective way to achieve a reasonable level of security. The core idea is to use TCP/IP for Internet connections, and either NetBEUI or IPX/SPX for local network connections, and to keep the two functions separate. This removes Microsoft's default bindings between TCP/IP and the services and adapters needed to operate the local network, and removes Microsoft's default bindings between the NetBEUI protocol and the adapters used for Internet connection.
The methods by which this can be accomplished will vary, depending on the network operating system and many other factors. A caution: unilaterally unbinding the layers on a desktop or notebook computer without taking the firm's network configuration as a whole into consideration will most likely result in disaster, knocking you off your firm's network.
Key #2: Use a "Personal Firewall" to Reduce Risk
Separating the two networks is feasible only when the local network can be configured to use NetBEUI or IPX/SPX as the local network transport protocol. In some cases, NetBEUI or IPX/SPX is not a workable alternative, because TCP/IP is or must be used as the transport protocol (e.g. UNIX local networks, ISDN (digital phone lines) Internet connections, and virtual private networks).
In addition, some applications (e.g. Microsoft Personal Web Server and remote access programs) open the computer to access from the Internet, regardless of the transport protocol used for the local network, rendering Internet/local network separation inadequate to protect a notebook or desktop computer. In all of these cases, a personal firewall is needed to protect notebook and desktop computers.
Properly designed personal firewalls create a security zone around the individual computers -- effectively protecting against intrusion originating anywhere outside the computer, whether from the Internet, from other users of an office local network or from curious neighbors poking around a virtual network created by some kinds of high-speed Internet connections.
When a computer is attached to a local network protected by a network firewall, the personal firewall adds a layer of protection -- providing a second barrier to hacking from the Internet and protecting the desktop or notebook computer from unauthorized access by co-workers. When the computer is outside the office -- at home or on the road -- the personal firewall provides primary protection for the computer from the Internet, from other computers on a home network and from other users connected to a virtual network using certain types of high-speed Internet connections.
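The two safeguards above can be expressed as a small configuration audit. The following is an added example, not part of the original article: it uses a simplified model in which each protocol-on-adapter entry carries its own set of bound services, and the adapter names and sample configurations are constructed for illustration.

```python
# Added illustration: simplified model of Windows 95/98 network bindings.
# Adapter names and sample configurations below are constructed.
SHARING = {"Client for Microsoft Networks", "File and printer sharing"}

def default_bindings(adapters, protocols):
    """'Bind everything': each protocol on each adapter carries every service."""
    return {(a, p): set(SHARING) for a in adapters for p in protocols}

def separated_bindings(internet_adapter, lan_adapter):
    """Key #1: TCP/IP alone toward the Internet, NetBEUI plus sharing on the LAN."""
    return {(internet_adapter, "TCP/IP"): set(),
            (lan_adapter, "NetBEUI"): set(SHARING)}

def audit(bindings, internet_adapters):
    """List (adapter, protocol, service) paths that expose sharing over TCP/IP."""
    findings = []
    for (adapter, protocol), services in sorted(bindings.items()):
        if adapter in internet_adapters and protocol == "TCP/IP":
            findings += [(adapter, protocol, s) for s in sorted(services & SHARING)]
    return findings

def recommend(bindings, internet_adapters, lan_requires_tcpip):
    """Map audit results onto the article's two safeguards."""
    if not audit(bindings, internet_adapters):
        return "ok: no sharing service reachable over TCP/IP from the Internet"
    if lan_requires_tcpip:
        return "Key #2: separation not feasible, use a personal firewall"
    return "Key #1: unbind sharing from TCP/IP, run the LAN on NetBEUI or IPX/SPX"

if __name__ == "__main__":
    adapters = ["Dial-Up Adapter", "Ethernet NIC"]
    cases = {
        "default": (default_bindings(adapters, ["TCP/IP", "NetBEUI"]), {"Dial-Up Adapter"}, False),
        "separated": (separated_bindings("Dial-Up Adapter", "Ethernet NIC"), {"Dial-Up Adapter"}, False),
        "tcp/ip lan": ({("Ethernet NIC", "TCP/IP"): set(SHARING)}, {"Ethernet NIC"}, True),
    }
    for name, (b, inet, needs) in cases.items():
        print(name, "->", recommend(b, inet, needs), audit(b, inet))
```

The third case models a single adapter that carries both the local network and the Internet connection over TCP/IP, which is the situation where the article turns to a personal firewall.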
How secure is secure? Nothing -- absolutely nothing at all -- will render a desktop or notebook computer 100 percent secure. Security is an ongoing exercise, a series of technological skirmishes between security experts and hackers, flanking and maneuvering for advantage. What works today may not work three months down the road.
At present, these safeguards -- Internet/local network separation and personal firewalls -- will provide reasonable levels of protection against hacking.
Thomas Scharbach and Eric Steele are principals of Steele Scharbach Associates L.L.C., a Chicago-based consulting firm.