Washington Post ARTICLE Today::The Guardians Of Computer Security
Three Companies Probe For Weak Spots in Clients' Systems and Tell How To Prevent Break-Ins
By Rajiv Chandrasekaran
Washington Post Staff Writer
Monday, March 16, 1998; Page F12
Locked in a small room on the fourth floor of a Washington area office building, Denis Hein starts his invasion. Computer printouts stacked around his chair, he begins tapping away on two gray Toshiba Tecra laptops as tiny white text scrolls across the screens. The messages that say "Login Incorrect" don't faze him. He stretches his neck and tries a new set of commands, this time coming up with slightly more encouraging results. Fifteen minutes later, he throws a smirk at a colleague. He's in.
Hein's target is a file "server" computer named Moscow stashed in a file room somewhere else in the building. An employee of Trusted Information Systems Inc., a Glenwood, Md.-based computer-security firm, his job is to find the weak links in a client's data network, the way a security guard jiggles doors and windows to make sure they're locked. More often than not, the 27-year-old "professional hacker" finds a way in. Sometimes he can pry open almost every entrance.
The takedown of Moscow took place earlier this month at a Trusted Information client that can only be identified as a large engineering company inside the Beltway. Hein and a co-worker had been given the task of determining how vulnerable the company's 24 servers are. Those servers are home to sensitive files and schematic drawings that unscrupulous competitors would love to see.
All Hein and his colleague were given by the company was an office with a phone jack that connected into its data network, the same sort of access a janitor could have at night. With nothing fancier than his two laptops, Hein fired up a variety of programs that are commonly used by hackers. The programs generated reams of numerical data indicating which "ports" -- or windows -- on a server appeared ajar.
The Moscow server seemed like a particularly ripe target. Not only did it house a trove of data, including electronic-mail messages, but it looked relatively unguarded.
Once Hein was inside the server, the real action began. He dug around through various directories looking for the system administrator's password file, but when he found it, the data was scrambled. No matter. Another file he found indicated what type of data-scrambling system the server used. Emboldened, he configured his computer to search for the password by scrambling every word from Webster's Dictionary, the dialogue of all three "Star Wars" movies, each "Star Trek" episode and every J.R.R. Tolkien novel -- all favorites of the techie class.
A little more than two hours later, Hein became "root" on Moscow, allowing him to access every single file on the machine and giving him the ability to delete any or all of them. "On that server," he remembers, "I was God."
Trusted Information was hired by a middle manager at the engineering firm who wanted to show his superiors that despite a raft of basic protections, the company's network was far from secure. Hein expects the company to spend "several million dollars" upgrading its systems after it receives a detailed accounting of his exploits.
That's where Trusted -- and two other fast-growing Washington area companies -- really come into the picture. Among other products, Trusted makes "firewalls," which act like doors to parts of a network, only admitting authorized users. Firewalls are commonly used to prevent visitors to a company's World Wide Web site from gaining access to the organization's internal network.
Joining Trusted in the local computer-security business are Axent Technologies Inc. of Rockville and V-One Corp. of Germantown. Axent's flagship product helps system administrators manage security across their network while V-One specializes in "virtual private network" technology, which provides secure data transmission over the Internet.
All three -- particularly Trusted and Axent -- have seen demand for their products surge over the last two years, as corporations have decided to connect more of their computers to local area networks and the Internet. Over the past year, for example, Axent's revenue jumped 89 percent and Trusted's rose 54 percent. That success has spurred major business deals recently for both companies.
In early February, Axent acquired Raptor Systems Inc., a Waltham, Mass., firewall maker, for about $245 million in stock. The purchase helps round out Axent's product line and makes the company the nation's third-largest computer-security firm, according to analysts.
Late last month, Network Associates Inc., a fast-growing security company based in Santa Clara, Calif., said it would spend $307 million to buy Trusted. The deal, which has not yet closed, would make Network Associates the biggest player in the security market, filling a strategic hole in its firewall business. Trusted will continue its operations in the Washington area after the acquisition.
Executives and industry analysts say the deals largely were driven by a need to offer one-stop shopping to corporate customers, who have begun to view security products not as disparate utilities that can be picked up from various vendors but as a central component of their computing strategy that they want to buy from a large firm.
"If there's an intrusion in the network, system administrators don't want to have to deal with 12 different companies. They want to make one phone call," said Steven Foote, a vice president for research strategies at the Hurwitz Group Inc., a consulting firm in Framingham, Mass.
The consolidation comes as the network-security business has started to surge. It's a market that's projected to grow from a little more than $2 billion last year to almost $7 billion by 2000, according to securities firm Volpe Brown Whelan & Co.
Analysts expect about half the revenue in the market to come from two basic products: firewalls and anti-virus software.
Viruses are generally small files, passed along when people swap disks or download material from the Internet, that can erase data, freeze up machines or crash an entire network. Although viruses have been around for years, newer strains have become more pernicious, forcing businesses and consumers to regularly update their scanning software.
Likewise, analysts predict that the demand for firewalls will continue to increase as more businesses set up Web sites with different levels of access to employees, suppliers, customers and ordinary people.
But the big growth in the security market is expected to occur in two other areas -- places where Axent, Trusted and V-One are widely viewed as industry leaders.
The first is virtual private networks, or VPNs. Today, businesses that want to send sensitive information from one office to another typically shell out thousands of dollars a month to lease private data lines from phone companies because they believe the Internet isn't safe enough. VPN technology, projected to grow into a $4 billion business by 2000, scrambles data so it can be sent across the Internet without worry about snooping.
"It takes the fear out of putting your secrets on the Internet," said David Dawson, the chief executive of V-One, whose SmartGate VPN technology is aimed at mobile workers who want to connect to the office networks over the Internet instead of making a long-distance phone call.
The other set of growing technologies involves foiling inside-the-building intruders. Security experts long have focused on erecting virtual fences, moats and minefields around their networks, but if somebody's on the inside, going from the file room to the president's office or the research division often is much easier. Now, firms such as Axent and Trusted are pushing products that try to detect intruders and monitor activity inside the network.
"We're telling people it's not enough to put deadbolts on the door," said Stephen T. Walker, Trusted's chief executive. "You've got to install the motion detectors too."
Insider attacks have become an increasingly important concern for corporate information security managers. According to an informal survey of 520 security professionals conducted by the Computer Security Institute for the FBI's International Computer Crime Squad, 64 percent reported at least one unauthorized entry into their computer systems last year. Of those, 70 percent reported at least one network attack committed by their own employees.
Trusted and Axent have developed "intrusion detection" software that sounds an alarm for security managers when people venture into unauthorized areas. It's a market that's still getting off the ground, but both firms contend the proliferation of insider attacks will generate a new wave of demand for their products.
"In the old mainframe days, all you had to do was lock up your computer in a room," said John C. Becker, Axent's chief executive. "As you network machines, though, everyone has access to sensitive material -- secretaries, janitors at night, people in the mailroom."
That's something that Walker never imagined when he founded Trusted in 1983 with his $30,000 government retirement package. A former National Security Agency and Defense Department researcher, he started the company as a consulting shop, advising firms such as International Business Machines Corp. and MCI Communications Corp. on ways to secure their mainframes. By the early 1990s, Walker's small company, working under a contract for the Defense Advanced Research Projects Agency, had developed an early firewall.
"Back then, nobody knew what a firewall was," Walker said. So he gave the software away over the Internet.
"As soon as we did that, we started getting all these calls," he said. "They said, 'I don't want it for free. I want you to come in and install it.' "
Today, Walker's 20 percent stake in Trusted is worth about $60 million. Trusted sells its Gauntlet firewalls for $5,000 to $17,000 a pop, depending on the installation required, and the company continues to offer a free version over the Internet.
It's a business, however, that hasn't escaped the notice of computer industry giants, including IBM, software giant Microsoft Corp. and networking powerhouse Cisco Systems Inc., all of which are integrating more firewall technology into their software and hardware products. Such moves lead some analysts to take a dim view of independent security firms.
"If these big companies weave more security functions into their products, it's going to be tough to be viable as a stand-alone player," said Fred McClimans, president of Current Analysis, a Sterling-based market research firm.
But Walker contends that security functions that are bundled with other products won't be current or powerful enough for many large businesses. "We don't see this market going away any time soon," he said.
He points to that engineering firm.
On Friday, Hein and Jody Patilla, Trusted's director of network analysis and testing services, set about compiling their report for the client. The findings weren't going to make people happy. Hein, who spent nine days at the client's office, invaded all 24 servers he was asked to attack. On seven of them, he achieved the godlike root status. On others, he was able to copy e-mail messages and view reams of research data.
Getting into Moscow, said Patilla, opened many other doors. "All it takes is one hole and you can burrow inside," she said. "Once you cross the outer shell you can get anywhere, and it shouldn't be like that."
Starting today, however, Hein and his fellow Trusted hackers will get a little competition from the local rival. Axent plans to release a piece of software called NetRecon that tests the vulnerability of a network -- automatically. The software will attempt to break in using a host of common hacking methods.
"The hacking community already has this tool," said Robert Clyde, an Axent vice president. "This allows [security managers] to anticipate what could happen to them."
The Trusted hacking team expects an intrusion test -- either human or automatic -- at almost any company to have results similar to that at the engineering firm. It was "pretty weak," Patilla said. "But it's par for the course."
Keeping a Business Secure
While the world of network security may seem hopelessly complex, the measures it takes are very comparable to the locks, metal detectors and motion sensors that more traditional security systems use to keep out intruders. If you imagine a computer network as a building, here are some of the systems used to keep it free of intruders.
INTERNET TRAFFIC
Off-site network
Like a branch office, it needs its own door that only admits authorized users.
Firewalls
Like a fence or a locked door, a firewall blocks parts of a network to people who don't have the proper authorization. Firewalls are commonly used to prevent visitors to a company's World Wide Web site from gaining access to the organization's internal network.
Virtual Private Networks
Like a locked briefcase that lets employees carry sensitive material when walking on a public sidewalk, virtual private network technology allows companies to send scrambled data across the Internet without fear of snooping.
THE BUSINESS
Network management
Like a video-monitor-laden security control center, management software allows system administrators to keep tabs on activity throughout the network. Such software also helps administrators determine the employees who should have access to certain areas and whether their passwords need to be changed, then implements modifications on firewalls and authentication servers.
Digital certificates
Like an identification badge, digital-certificate technology identifies employees within the network, enabling them to enter some electronic filing cabinets, but not others.
Intrusion detection
Like security cameras and motion-sensing burglar alarms, intrusion-detection software monitors various parts of the network, looking for people who either have slipped into sensitive areas or are misbehaving in public areas.
Authentication
Like the magnetic badge reader outside a locked door, authentication software determines whether a user is authorized to enter through a firewall. The software relies on a password, usually in conjunction with another form of verification.
Virus detection
Like metal detectors and bomb scanners at building entrances, virus detection software examines the data files employees transfer onto the network. Viruses are generally small files that can cause big problems, such as erasing data, freezing up machines or crashing the entire network. The detection software alerts system administrators and prevents the entry of virus-infected files.
Reconnaissance
Like the guard who jiggles the doors and windows looking for ones that are unlocked, reconnaissance software lets system administrators pretend they have a hacker trying to enter their network. The software identifies systems that could be vulnerable to an attack.
Security Companies in Profile
TRUSTED INFORMATION SYSTEMS INC.
Headquarters: Glenwood, Md.
Ticker symbol: TISX on Nasdaq
Chief executive: Stephen T. Walker
Number of employees: 235
1997 revenue: $42.2 million
1997 loss: $8.6 million
V-ONE CORP.
Headquarters: Germantown
Ticker symbol: VONE on Nasdaq
Chief executive: David Dawson
Number of employees: 79
1997 revenue: $9.4 million
1997 loss: $9.2 million
AXENT TECHNOLOGIES INC.
Headquarters: Rockville
Ticker symbol: AXNT on Nasdaq
Chief executive: John C. Becker
Number of employees: 157
1997 revenue: $41.7 million
1997 loss: $19.4 million
c Copyright 1998 The Washington Post Company
|
