IT security becomes imperative
Electronic procurement depends on secure, dependable Internet access, whether for an entire federal department or a tiny school board. We know that access is at risk. The last major threat was the Year 2000 rollover. Now the terrorist attacks of Sept. 11, 2001 and the counterattacks in early October make the Y2K transition look like something that took place long ago in another world.
On Jan. 1, 2000, there was a collective sigh of relief and a round of self-congratulation as IT personnel all around the world looked back on a job well done. Looking ahead, administrators began to revive the projects that had been postponed for the "Millennium Bug." Some of those projects may be on hold again. In the wake of Sept. 11, security agencies like the Federal Bureau of Investigation (FBI) were warning public and private network administrators to prepare for an unprecedented wave of cyber-attacks.
Speaking shortly after the Sept. 11 attacks, Jim MacPhee, Industry Canada's director of IT Architecture, was not convinced that network security had become a priority. "People are much more conscious, much more willing to undergo physical security checks. Whether here has been a shift on the PKI front, on security issues, how it translates to the electronic world, that still remains to be seen," he said.
MacPhee had no doubt, however, that visible and verifiable security like PKI (Public Key Infrastructure) was critical to the success of end-to-end e-procurement in Canada.
"If you want to leverage a common infrastructure, so that everybody is doing things the same way - that it's secure - you do need something like a PKI infrastructure," he said. "I know that the intent of the Secure Channel project is to be able to deploy digital certificates to business, to organizations, to citizens, so that they can do business in a secure and electronic way with the Government of Canada."
Terrorists can attack computer networks with minimal resources and little risk to themselves. Unfortunately, many system administrators make the assaults easier by ignoring some simple precautions. The time for managers to insist on updated network security is now. The FBI and the SANS (System Administration, Networking, and Security) Institute have posted a list of the top 20 system vulnerabilities that show many organizations have not even started to protect themselves.
At the top of the list was "default installs of operating systems and applications." This is a convenient and easy way to install software, but it loads components that aren't used. That means system administrators not only don't patch those components to prevent security breakdowns, they may not even know they exist.
Incredibly, weak password protection is number two on the list. Hackers look for systems with default accounts, where the user name is "user" and the password is "test." Even organizations that think they do regular backups may be at risk of losing their information, because they never verify that the data can actually be restored from the tapes. "Non-existent or incomplete backups" happen because managers don't insist on seeing randomly selected files completely restored from backup.
The good news from the people who compiled the list is that checking off the items on their list is simple, inexpensive and should deter most attacks. The bad news is that they believe worse attacks are on the way.
The lesson of September 11, 2001 is clear. The unthinkable
can happen. Nobody with access to a computer can now shift the
responsibility for security to someone else. Individual users can no
longer surf the Web and send and receive email attachments, without
thinking about security. System administrators cannot sit back and wait
for somebody else's system to go under before patching up their own.
Government services and functions depend on telecommunications networks.
There are no alternatives to comprehensive and universal security