Internet 'Back Door' Security
by Chris Smith

IT Security has now reached the state of importance and priority it has always deserved, with most organisations having dedicated security personnel or defined IT Security policies to protect them from both internal and external attack.

It has long been said that a Security Policy is only as effective as the weakest link. The trouble is that many organisations would need to employ the services of a certain Anne Robinson to determine exactly where the weakest link is.

Internal attack is obviously related to employees, or ex-employees, who engage in either damaging or destructive activities. The actual incidence of internal theft via the IT infrastructure is relatively small, although still unquantified.

External attack is much more difficult to guard against, especially as most Organisations are welcoming access to their websites, drawing people to them as a sales and marketing tool, and actively promoting remote access. Significant investment in Firewalls, IDS, and VPNs has gone a long way to protect this interface to the World. Significant emphasis and investment have been placed on securing this 'Front Door', because everyone from the CEO down has visibility of it and understands the risks.

However, how many PSTN lines does your Organisation have with a modem connected to it?

How many console ports of Routers, Firewalls, IDS, or even PABXs exist in your organisation? How many of these are accessed by a Managed Service Provider, Manufacturer, or maintenance Company? Research shows that in most cases the answer from the IT Department would be 'Don't know'. Why is this? Since the first PABX was installed, they have been managed remotely for diagnostic or upgrade purposes. It may be old technology, but it is cost effective and quick. Who is responsible for ensuring this 'Back Door' is secure?

A recent Security Audit of a major Investment Bank in the City revealed it had no fewer than 34 console ports with modems attached, accessed by Service Providers or product vendors, with merely username/password protection and some with nothing at all.

Who is responsible for securing the 'Back Door'? If you are a Managed Service Provider, say, providing managed routers to a large corporation, where ownership and responsibility remain with you, are you liable for any proven security breaches? What is contained within your contract regarding Consequential Loss as a result of a security breach?

The reality is that remote access to console ports is not sexy; it is about as dull as a wet Wednesday in Wednesbury. It does not appear to be important to the success of the business in the way a website is. Essentially, console ports are considered a maintenance necessity, or worse, not considered at all.

The message is clear. We all lock up our houses at night before retiring to bed. It would be inconceivable to put the latch down, slide across the top and bottom bolts and click the security chain in place on the front door, where we traditionally welcome invited guests, yet just push closed the back door, the route by which most unwanted guests get in. A simple analogy, true, but one that is very appropriate when looking at an organisation's IT security practices. It all comes down to one of the opening statements: where is the weakest link? Not what is the highest profile, or where do we get most hits, or where have we invested most money.

There are solutions that are easy to implement, provide good management, and robust security. But first it requires every IT Department to recognise the risk and commit to locking that 'Back Door'.