Readers comment on security SunWorld Online respondents say the biggest threat is from within By Mark Cappel

August  1996

Mail this article to a friend

The comments are reproduced as received; only some minor spelling and punctuation errors have been corrected. -- Editors

Date: Mon Jul 1 06:40:49 PDT 1996

Keeping systems *usable* and *secure*. Pick one.

Date: Mon Jul 1 07:59:46 PDT 1996

Getting users to understand the risks is the hardest thing to overcome Most think that because they switch THEIR machine off theres no way anyone can get into their information, few realise the significance of servers, passwords, or the time their machine is actually switched. Perhaps more difficult still is convincing the 'dumb users', usually at management level, that there is a finite limit to the accessibility of a machine, and the level of security you can enforce. For example, I constnatly have to explain why a non TCP/IP capable machine is completely secure from an Internet connection...

Date: Tue Jul 2 04:21:39 PDT 1996

Synchronizing the Novell identity base with UNIX/NIS. Whether the average Internet wanderer can spew packets onto my wires. Wintel Wintel Wintel. Viruses present a larger threat to PC operations than real intruders.

Date: Tue Jul 2 05:15:09 PDT 1996

Competitors trying to crack us, installing security patches ASAP, keeping up with sendmail versions. I don't really worry about most race conditions, because most of the crackers out there just use a little toolkit and really don't understand the way the holes really work.

Date: Tue Jul 2 06:10:12 PDT 1996

Internet connections.

Date: Tue Jul 2 06:30:36 PDT 1996

Remembering Passwords...(grin)

Date: Tue Jul 2 06:58:55 PDT 1996

Providing customers access to real-time data without compromising our information system Privacy of E-mail, orders, proposals and other business sensitive data sent/received over the net.

Date: Tue Jul 2 07:55:58 PDT 1996

Changing the mindset of staff.... those that use the systems and those that ok the money to spend on improving the security.

Date: Tue Jul 2 09:10:29 PDT 1996

People trying to use my ftp site for illegal distribution of commerical software or "warez" on my linux box.

Date: Tue Jul 2 12:23:43 PDT 1996

Upper management doesn't have a clue. They either over react when the latest hacker of the week story shows up in the media or they do nothing because they can't grasp the basic concepts of the internet and how it works.

Date: Tue Jul 2 13:43:32 PDT 1996

Running X though the firewall and across the net for "direct" product tests at customer sites. Enabling access to our internal e-mail for mobile users.

Date: Tue Jul 2 16:38:56 PDT 1996

Insiders trying to gain access as `jokes' re-writing/customizing ALL daemons/services/etc keeping up w/ CERT Security advisories and the like

Date: Tue Jul 2 17:44:30 PDT 1996

Repeated security patches to SunOS.

Date: Tue Jul 2 20:57:27 PDT 1996

Having reasonably tight security to prevent unauthorized access to servers, especially client (bank) data, while still allowing free access to authorized users, including telecommuting. It becomes a real pain to have to drive to the office just to test how a program you've worked on for two nights runs on the Cray or SPARCcenter 2000E with client data.

Date: Wed Jul 3 09:22:36 PDT 1996

(Unix-)Operating systems generally have wery low profile on security. The newer the system, the more security has had to say in the overal desing of the system. It is a nightmare to run a SunOS 4 based system today, too many flaws and too many ready-to-use breaking tools floating around in the net. Even with all security patches installed, the system can be breaked in less than 10 minutes.

Date: Fri Jul 5 05:43:53 PDT 1996

Managment in "lightswitch" mode. The company I reported on above assigned security issues to the accounting department worldwide. In most cases, they are unwilling to even release corporate security manuals. If an error occurs, however... it's somewhat different.

Date: Fri Jul 5 12:19:19 PDT 1996

At my site I am the sys admin and the security person of several "secure" sys's but must go with the flow as it were with the overall plan. This is the major issuse that I face as the rest of the system is just about unprotected. While I do have crypto to help secure the sys's that I worke on I know there are to many ways into the general LAN/WAN for me to feel protected. With all of the "bug's" in any OS all one can do is weave a pach of fixes and tools to attempt to stop someone from the outside with our without help form the inside from getting in.

Date: Fri Jul 5 14:02:53 PDT 1996

Maintaining access in a user friendly manner for authorized users while still maintaining an adequate and appropriate level of security and confidentiality for our clients.

Date: Fri Jul 5 22:49:19 PDT 1996

Physical security

Date: Sun Jul 7 07:39:44 PDT 1996

Integration of two networks: one of a traditionally very paranoid organizition, one developed with a somewhat more relaxed attitude.

Date: Sun Jul 7 15:34:03 PDT 1996

loss or damage to data base, resulting in exreme time and cost to rebuild engineering data. please note that even with data backups losses in some area's might not be discovered for months or maybe years. sincearly, peterb

Date: Mon Jul 8 08:12:12 PDT 1996

Inadequate time and resources to deal with the problem.

Date: Mon Jul 8 12:52:54 PDT 1996

• Worldwide encryption issues
• acceptable commercial security products
• enterprise-wide deployment
• multi-company wide area network security

Date: Tue Jul 9 06:59:09 PDT 1996

Too much concern with peripheral issues, ie, credit card transmission, external exploitation of security holes, etc, and not enough concern with good basic practices including password selection, securing unattended workstations, backups, preparing to recover from user error, etc.

Date: Wed Jul 10 10:08:46 PDT 1996

password decoding file access permisions packet catching

Date: Thu Jul 11 17:51:39 PDT 1996

Keeping up with the rapid number of changes and amount of security-related information.... Especially as it is seen as a "side task"

Date: Fri Jul 12 05:23:22 PDT 1996

If someone breaks into our site, I would worry less about the loss of data and more about the length of time it would take to restore all our computers after an damaging attack.

Date: Sun Jul 14 21:34:23 PDT 1996

not much on a professional level. we aren't too concerned by outside attacks in my company. i am concerned about electronic privacy and authenticity.

Date: Thu Jul 18 10:29:13 PDT 1996

developing a comprehensive security plan acceptable to business units.

Date: Thu Jul 18 14:55:13 PDT 1996

Mainly human problems

Date: Fri Jul 19 08:53:33 PDT 1996

I can't believe that you are asking people the OS and the type of security measures that they have instituted over the internet!

Date: Fri Jul 19 09:11:00 PDT 1996

LAN in separate building which requires access to main building classified data.

Date: Fri Jul 19 16:29:20 PDT 1996

void Bitching() { You failed to include Linux among other Unices when asked what OS one uses in his/her organization. Please do this otherwise I'll post about it on 5 Linux-mailing lists and in appropriate newsgroups. I hope you fix the bug in question #15 soon. I do not face too many issues. If there's a security bug, I fix it immediately because unlike commercial Unixes, I do not have to pay for updates/upgrades/fixes, and a word of mouth is a very fast communication method in Linux community. BTW, there are more Linux machines on the Net than those lame NT boxes. Just make a search using any search engine for `NT' and `Linux'; you'll get many more docs where `Linux''s mentioned. }

Date: Mon Jul 22 13:42:56 PDT 1996

We often send software engineers to field sites, where they need access to our source code repository, but we do not want to give access to the PPP/SLIP lines, and customer networks connected to the internet. Building a security system that is flexible enough and secure enough has not been simple, nor have we really finished the problem. We could be vulnerable to password snooping over the network, or to port probing tools recognizing certain services. We are also in the process of building a problem database front-ended by a web server. We would like to allow access to all company personnel, including remote sites; this is why we choose to use a web server for the front end. Secure access to pages on a publicly accessible web server is a worrisome prospect; this database will certainly contain information we do not want competitors or customers to see without restriction. As our distributed computing systems grow, our security problems grow. Organizations must carefully balance access with their own security needs. We seem to have struck a fairly good balance for now, although I could argue for more security in a few areas. Disallowing services is not truly a solution, users need these services in order to keep up with their responsibilities.

Date: Wed Jul 24 13:23:20 PDT 1996

Establishing an easy-to-use firewall that only allows connections to my site from authorized outside sites

Date: Thu Jul 25 04:03:29 PDT 1996

• Invasive client-side data
• Phreaking
• Commercial security

Date: Mon Jul 29 13:29:02 PDT 1996

Outside attacks from other Internet sites, keeping all known security holes patched, keeping systems monitored.

SunWorld Online is published by Web Publishing Inc., an IDG Communications company, independently of Sun Microsystems Inc., which is not responsible for its contents. The opinions expressed in SunWorld Online are those of the authors or the publisher, WPI/IDG, and do not necessarily reflect the opinions of its advertisers, or of Sun Microsystems, Inc. or its affiliates.

If you have problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-08-1996/swol-08-security.comments.html
Last update: 1 August 1996

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-08-1996/swol-08-security.comments.html
Last modified: