Internet security provider
13 November 2000
Internet and security are two words that do not sit comfortably together and the perilous notion of safety in cyberspace was further undermined by the recent electronic break-in at Microsoft. If a company of that stature can fall victim to hackers, is anyone safe?
There is more than a whiff of media panic about much of the coverage of online security lapses, but the latest breach might have given the City firms that have spent the year falling over themselves to launch virtual dealrooms something to think about.
Firms are quick to dismiss online scare stories as software industry hype. But IT security consultant Peter Wood has had some sobering experiences. He has just hacked his way into one company's extranet within 45 minutes, recovering a spreadsheet containing the names, addresses and financial details of 10,000 people.
Many law firms are sitting ducks, says Wood, who works as a 'white hat', or ethical hacker, testing the security of networks. He is a senior partner at internet security consultancy First Base, whose clients include City law firms, large corporates and the Bank of England.
The company in question was not a legal practice but he has advised many law firms with near-zero protection.
Wood says that the biggest danger is not the expert hacker, but the growing legions of "script kiddies". He says that to access a system you no longer have to be a "whizz-bang programmer". Instead, all you need to do is download information from the internet. High-profile security breaches - such as the Filipino love bug in May and the Microsoft hack - are not the work of sophisticated techies. "They are messy, scruffy bits of programming done by people who have more emotion than skill," he says.
So what is at stake for the lawyers? Credibility for a start, says legal IT expert Charles Christian. He says that if a major City firm were hit it would be a disaster, not least because it may be advising on internet security and data protection.
There have been plenty of high-profile blunders this year that have shaken the online business community. Barclays Bank was forced to shut down its service after customers were left staring at the financial details of complete strangers. And electricity company Powergen was heavily criticised when someone inadvertently stumbled upon the names, addresses and financial details of 7,000 customers.
Michael Chissick, head of e-commerce at Field Fisher Waterhouse, sums up the firm's position on e-security as "not particularly paranoid", but concerned about security issues generally. He says: "We're conscious of the fact that the internet is not a secure environment and we expect people to think about whether they send their documents over the net." Documents are password-protected on certain matters and digital signature technology is used when required. But Chissick says that there has not been a great demand for that technology.
There are two ways for firms to hook up to the internet - a dial-up account via an ISDN line or a modem, or for most large firms, a permanent connection to the web. If a firm has a permanent connection it advertises itself, George Gardiner, the partner at City firm Tarlo Lyons who has responsibility for IT security issues, says. "People know you're out there and if anyone wants to hack into you they know where they can find you, and they can keep on hacking away until they break through your e-security."
Connecting to the World Wide Web through an internet service provider (ISP) - such as AOL or Freeserve - means that the ISPs provide the first line of defence with their own anti-virus software.
But Christian says that if firms are running their own network they need their own "firewall" - the hardware that sits between them and the public internet. "All the data goes in there and is filtered before it goes out to the internal network and lands on the desktop," he says. Other software can be added to the firewall, such as access control or monitoring programmes, as well as anti-virus programmes on the individual users' desktop.
Gardiner says that the firm has spent an enormous amount of money on its firewall. The software acts as the security guard at the door, he says. He compares electronic data to more traditional correspondence, where the internet protocol corresponds to the envelope and the data is the letter. He says: "The firewall looks at every envelope - who it's for and who it has come from and what part of the system it is going to."
But a big IT budget is not enough. Gardiner says firms have to persuade employees to buy into the system. "There are stories in every firm about how somebody faxed the wrong document to the wrong person because they misread the fax number or pressed the wrong button." He says that the same problems arise with the internet but that "it's just harder to prove and establish what has gone wrong".
According to Gardiner, it is good practice, and now almost a requirement, for firms to have an internet policy. But he adds: "It's a defensive measure and what you have to do is stop the problems arising in the first place."
According to Wood, most businesses have a "silver bullet mentality". He says: "They think if they've bought a product the problem goes away - but almost the reverse is true." In fact, almost all successful attacks start with insider knowledge of the technology. The extranet which Christian had just cracked featured a firewall but the highly commercially sensitive information was placed outside of it.
During the past 12 months, four of the five magic circle firms have launched extranets which allow them to manage high-value transactions over the internet. Clifford Chance was first off the mark with Fruit Net (which remains a working title) in January, closely followed by Allen & Overy's newchange.com, Clients@Linklaters went live last month and Freshfields Bruckhaus Deringer also has transaction extranets.
None of the firms are prepared to give away too many details about security issues. "The whole point of good security is not to tell people about it," says Brian Collins, international IT director at Clifford Chance. "If I told you precisely the shape of my front door key and said I have good security - as soon as I told you that level of detail, it isn't good security."
David Hamilton, IT director at Freshfields, is also careful about what he says. "We don't wish to labour the [security] point. There are loads of people buzzing around the City on motorbikes and bicycles to whom lawyers from all firms are quite happy to give documents. They send faxes all over the world and yet because the internet is a hot topic they query the security," he says.
Paul Rogers, a network security analyst at MIS Corporate Defence Solutions, advises a number of large law firms and manages a virtual private network (VPN), or secure extranet, for a global group of law firms. A VPN uses the internet but creates "virtual tunnels" from site to site where everything within the tunnels is encrypted.
But Rogers warns that the network is only as secure as the two common points. If one office is hackable then it is far easier to attack it and watch the information come in and out rather than break the VPN itself.
Marcus Lambert, an application developer who worked on Allen & Overy's newchange.com, says that its network relies upon the security and encryption standards used in the banking industry. In particular, the encryption deployed is 128-bit secure sockets layer (SSL) technology, which is the maximum available strength.
Lambert says that every time the system is changed new penetration tests are conducted. "We have to be secure in our own minds that it is safe because we expect our clients to use it," he says. It is the same encryption standard that Clifford Chance uses, but Brian Collins stresses that it is only one facet of security. He says: "We are using state of the art technological measures, presumably the same as Microsoft, but our expectation is that we will not suffer what they have suffered."