Sep 15, 2000

We've Been Hacked


Hire a Hacker
At Para-Protect Services, Chuck Downs was surprised but not shocked that McNeal was able to break into MBA Management's systems in just two hours. Doing what Mugnolo did -- relying on his ISP to configure his connection to the Net -- meant by definition that it was an open connection, Downs says.

But if Downs wasn't appalled, Mugnolo certainly was. His business's competitive edge -- the reason companies go to him rather than to other headhunters -- is his deep compilation of information on thousands of potential employees. Included in that data is sensitive information on job openings, including postings that haven't been made public -- perhaps because an employee doesn't yet know that he or she is on the way out. Companies can unwittingly reveal a lot about their strategic plans, for example, by listing the specific skills required for various jobs. "The last thing in the world the client wants is for that information to get back to his staff or to a competitor," says Denne.

In particular, a company that's developing a new product doesn't want anyone to know the nature of its work. "A breach in a program could spell the end of the whole market for their idea," Denne adds.

Still, it's not surprising that few people spend a lot of time worrying about Internet security. As the user looks out onto the superhighway of the Web, it's easy to see it as a one-way street. But in fact, when you open a Web page or do virtually anything on the Internet, you send a request to the faraway computer on which that Web page is stored, and that computer sends you back information, which is opened by your browser or other software. A computer that answers such requests -- a company's server, or any workstation running a network service -- has to sit listening for connections from the outside. A listening port that nothing filters is exactly where vulnerability lies.

For a fee of about $10,000, Para-Protect restricted the openness of MBA Management's systems in two ways. First, the company installed a simple firewall from Prism Servers Inc., in Allison Park, Pa., at a cost of less than $3,000. The firewall was configured according to a simple rule, Downs says: "Anything coming from the Internet that is not requested from the inside is denied." It does that with a stateful packet filter running on Unix, which distinguishes between information -- like a Web page -- that is coming in at a user's request and any unknown traffic that arrives unbidden. When someone inside the network requests something from outside the firewall, the firewall records the connection (the source and destination addresses and port numbers) in a table. If incoming data packets don't match an entry in that table, the firewall won't let them in.

There are two big exceptions. One is E-mail, which arrives unrequested, so the firewall must be told to accept inbound connections on the mail port. Downs put MBA Management's E-mail system onto a separate server, which receives incoming mail and scans it for viruses before users can access it. The other exception is the company's own Web site, which anyone from the outside should be able to access. MBA Management disconnected the site from its corporate network and arranged to have it hosted off-site.

Second, Downs made sure that each computer went on an internal network that is invisible to outsiders. In a normal office network with Internet access, each workstation has a unique, publicly routable Internet Protocol (IP) address. It was those addresses that McNeal was able to identify and attack in the penetration test. Downs changed each workstation's IP address to a nonroutable address -- one of the private ranges (such as 192.168.x.x) that Internet routers will not carry -- so that the firewall translates addresses on the way out and outsiders can only see the address of the firewall. The result: nobody from outside can discover the IP address of an internal computer and use it as a way into the network -- a common hacking procedure. Downs says that the firewall's logs reveal that hackers have frequently scanned MBA Management's system looking for open ports since Downs put the firewall in place.
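The three pieces described above -- the "deny anything not requested from inside" rule, the explicit exception for the mail server, and the nonroutable internal addresses hidden behind the firewall's single public address -- are easiest to see in a small simulation. The following is an added illustration, not code from Para-Protect, Prism Servers or MBA Management; the addresses (203.0.113.10 for the firewall, 192.168.1.x inside, 198.51.100.x for remote hosts) and the packets are constructed for the example, and the connection table uses a fresh public port per outbound connection as the "tag" the firewall matches replies against.

```python
"""Toy stateful NAT firewall: outbound connections are recorded and their
replies let back in; anything else from the Internet is dropped and logged,
except for services deliberately exposed (here, the mail server on port 25).
Added example, not the firewall product's own code."""

from dataclasses import dataclass

FIREWALL_PUBLIC_IP = "203.0.113.10"   # assumed; the only address outsiders see
INTERNAL_NET = "192.168.1."           # assumed RFC 1918 private range
MAIL_SERVER = "192.168.1.25"          # assumed address of the separate mail host


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNatFirewall:
    def __init__(self, inbound_allow=None):
        # Deliberately exposed services: public port -> internal host (the article's "exceptions")
        self.inbound_allow = inbound_allow or {}
        # Connection table: public port -> (internal_ip, internal_port, remote_ip, remote_port)
        self.table = {}
        self.next_port = 40000
        self.log = []

    def outbound(self, pkt):
        """Internal host -> Internet: record the connection, rewrite the source to
        the firewall's public address and a per-connection public port."""
        if not pkt.src_ip.startswith(INTERNAL_NET):
            raise ValueError("outbound traffic must originate on the internal network")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:          # existing connection: reuse its public port
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(FIREWALL_PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> firewall: return the packet translated to the internal host,
        or None if it is dropped. Only replies to recorded connections (matching
        remote address and port, not just the public port) or explicitly allowed
        services get through."""
        if pkt.dst_ip != FIREWALL_PUBLIC_IP:
            # Private addresses are never reachable from outside; nothing routes here.
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} (not our address)")
            return None
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2] == pkt.src_ip and entry[3] == pkt.src_port:
            int_ip, int_port, _, _ = entry
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        if pkt.dst_port in self.inbound_allow:
            return Packet(pkt.src_ip, pkt.src_port, self.inbound_allow[pkt.dst_port], pkt.dst_port)
        self.log.append(f"DROP unsolicited {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}")
        return None


def demo():
    """Run the scenarios from the article through the toy firewall."""
    fw = StatefulNatFirewall(inbound_allow={25: MAIL_SERVER})
    # 1. A workstation fetches a Web page; the reply matches the table and is translated back.
    out = fw.outbound(Packet("192.168.1.7", 51234, "198.51.100.5", 80))
    reply = fw.inbound(Packet("198.51.100.5", 80, FIREWALL_PUBLIC_IP, out.src_port))
    # 2. A different host sending to the same public port is not a reply: dropped.
    spoof = fw.inbound(Packet("198.51.100.66", 80, FIREWALL_PUBLIC_IP, out.src_port))
    # 3. Mail arrives unrequested, but port 25 is an explicit exception.
    mail = fw.inbound(Packet("198.51.100.9", 33000, FIREWALL_PUBLIC_IP, 25))
    # 4. A port scan of the public address finds nothing else listening.
    scan = [fw.inbound(Packet("198.51.100.66", 44444, FIREWALL_PUBLIC_IP, p)) for p in (21, 23, 139, 445)]
    # 5. Aiming straight at a private address never reaches the network at all.
    direct = fw.inbound(Packet("198.51.100.66", 44445, "192.168.1.7", 139))
    return out, reply, spoof, mail, scan, direct, fw.log


if __name__ == "__main__":
    for line in demo()[-1]:
        print(line)
```

The check that matters is in `inbound`: a packet is treated as a reply only when the remote address and port also match the recorded entry, not merely the public port, which is what stops an outsider from guessing the "tag". Everything the firewall refuses goes to `log`, which is the record Downs describes reviewing for scans.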

Although $3,000 is low-end for a commercial firewall, Downs says, it's all that a small company needs. "The only thing you limit is the number of people you can service," he says, since the small firewall has limited throughput. The Prism product, he says, can easily handle 200 users. That should cover the short-term needs of MBA Management, which plans to double its number of networked users within a year. As the company has grown, it has periodically added servers behind the main firewall and is now running six of them.

Now that Downs feels the company is secure from outside intruders, the next move is to provide greater internal security for the databases. Currently, MBA Management uses a proprietary database running on Windows NT servers. It is about to split the database into several parts using software called Adapt, which will allow the company to use the operating system's own access controls to carefully control which users can reach which levels of data.

Since installing the firewall, Para-Protect has conducted monthly tests as part of a routine security checkup. That is not to say that MBA Management's security is 100% foolproof. But the company has put a pretty solid defense in place -- solid enough to send hackers on to easier targets. And that's a big part of what Internet security is about: making sure yours is not the easiest lock to pick.

Virtual Privacy
You could say that a kindergarten play cost entrepreneur Dana Dodds $120,000 a year, and you wouldn't be that far off.

One afternoon in 1996, Dodds, CEO of San Diego auto insurer Reliant General Insurance Services Inc., left work to watch his daughter perform in a school play. He was immediately struck by guilt. "I had a customer-service rep whose daughter was in that class, too, but she couldn't be there, and it bugged me," Dodds says.


A virtual private network lets Dana Dodds's employees work from home without sacrificing security.


Soon, about 15 of Reliant General's employees were working from home, with no time clock -- just quotas for the number of applications they processed and standards for the quality of the work they did. Back then, the workers connected to the corporate network directly through a dial-in 800 number. The phone bills for those lines ran about $120,000 a year.
