The Business Forum, Inc.

"It is impossible for ideas to compete in the marketplace if no forum
for their presentation is provided or available" - Thomas Mann, 1896


Security Considerations for Y2K

Contributed by Dr. Charles Williams, Chief Scientist

Sponsored by Cylink Corporation


Introduction

Years ago, or even months ago, most of us thought of Y2K as a simple "roll over" problem. The year will roll from 1999 to 2000 and confuse applications that were hard coded to 19_ _. As we get closer to January 1, 2000, we are realizing that the Y2K phenomenon is more than a simple application problem. Many prudent business managers are making plans for the side-effects of Y2K, which include:

  • personnel issues

  • disruption of critical infrastructure, e.g. electrical

  • failure of embedded micro controllers

  • disruption of supply chains

This paper addresses another Y2K side-effect: information security.

Information Security

You might ask: "What does information security have to do with Y2K?" The answer is similar to the answer to the question: "What do looting and arson have to do with earthquakes?" Both situations provide the chaos that is conducive to illegal activities. In the case of natural disasters, the police are busy, power is out, travel is disrupted, and properties are unattended. In the case of Y2K, network administrators are busy remediating failures, the network and applications are disrupted, and network security devices are unpredictable. The similarities between a natural disaster and a Y2K disruption are striking. We can expect unscrupulous people to take advantage of Y2K to "hack" into information systems.

This Y2K security window actually gives the network administrator, the application owners, and the information security officers the luxury of knowing the timing of the attacks. This allows us to prepare for Y2K attacks through the following activities:

  1. Begin now to assess your information security needs and apply appropriate solutions to protect your information and the systems and networks that are supporting the critical information.

  2. Begin planning for specific actions for protecting your information and systems around the Y2K time frame. For example, a draconian plan might demand that all systems be shut down the first week of January.

  3. Begin making contingency plans for detecting and reacting to information attacks during potential Y2K disruptions. Make sure that the network and system administrators fully understand their role and responsibilities during this time frame. Also make sure that the executive team understands the threat and the consequences of protective actions: e.g. the systems or network might be isolated and hence unable to support business functions.

  4. Begin educating the business managers on the possibilities of Y2K attack and the actions planned to thwart those attacks. This education process is a great vehicle to get the business managers to participate in information security assessments.

All four of these activities are important and interrelated -- you really can't do one without the others. So, let's look at each of these in turn.

Assessment and Solutions

Y2K provided many organizations with a specific reason to modernize their business systems. By replacing systems developed in the 1960s and '70s with modern systems, these businesses not only avoided the Y2K bug, but they also gained the efficiencies of modern systems. Recently the US Federal Reserve Board suggested that more efficient use of information technology is a major factor in the productivity increases and the sustained economic growth in the US.

We should look at the impending Y2K security threats in a similar vein. Most of us realize that our information and systems are not as secure as they should be. We are willing to accept the risk because we do not have a compelling reason to change -- yesterday's risk is acceptable tomorrow. The security threats associated with Y2K break this cycle. In planning for January 1, 2000, we should assess our information and systems and provide protection as necessary.

Similar to Y2K planning for applications, the assessment begins with an inventory of the information that is used in your business. For each piece of information you should assess its vulnerability to the following:

Denial of Use: What are the consequences if the information is not available? Denial of use assessment is very important because denial of use attacks against servers are among the easiest attacks to mount.

Piracy: What are the consequences if an unauthorized party gains access to the information? Examples of sensitive information include:

  • personnel records

  • information handled on behalf of clients

  • customer base

  • proposals

  • product plans

Since sensitive information is distributed throughout a modern organization, it is possible for attackers to access this information and use it themselves or sell it to others.

Unauthorized modification: What are the consequences if an unauthorized party modifies the information? This is the worst nightmare of an information security administrator. A corrupted database is not necessarily detectable, yet might result in millions of dollars of damage to the business.

A complete assessment of information security needs is a daunting task for most organizations. However, don't let this put you off. Fortunately, a common sense approach should lead the business managers very quickly to the critical information assets, and these can be assessed very quickly.

After the assessment is complete, the next step is to identify and implement security solutions that protect the information according to the information's value and exposure. The solutions are more than likely combinations of education, procedures, and products as discussed below:

Education: Make sure that the people assessing the information understand the importance of security and that they follow the procedures. Most information is lost through the action of trusted employees.

Procedures: Make sure that the information is handled in such a manner as to make it available to those who need it, yet keep the information protected. Unfortunately, many planners treat this as a balancing act: level of security versus convenience of access. Fortunately, newer security products provide high levels of security with ease of use.

Products: Deploy products that secure the information and systems without disrupting flow of information through the business processes. Information security should make the information more useful, not less accessible. Products based on cryptographic technology provide high levels of security with low cost of ownership. These products support one or more of the following security functions:

  • identification, authentication, and authorization of individuals and systems hosting or accessing the information to prevent unauthorized access to the information

  • privacy through encryption to prevent piracy

  • integrity to ensure that the information has not been adulterated

  • non-repudiation to enforce "digital signatures" on electronic contracts

Security products can be added to the application, system, or network. Network security tends to be easier to deploy and protects the infrastructure (network and computers) as well as the information.
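As an added illustration (not code from the original paper or from Cylink's products) of the integrity function listed above and of the "corrupted database is not necessarily detectable" problem raised under Unauthorized modification: a keyed MAC (HMAC-SHA256) stored alongside each record lets an administrator detect silent changes, inserted records and deleted records, because an attacker who can write the data cannot recompute the tags without the key. The key and the payroll table are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed example key; in practice it lives in a key store or HSM, never in source.
INTEGRITY_KEY = b"example-key-not-for-production"


def seal_record(key: bytes, record: dict) -> str:
    """Return an HMAC-SHA256 tag over a canonical (sorted, compact) JSON form of one record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal_table(key: bytes, table: dict) -> dict:
    """Seal every record; the returned {record_id: tag} map is kept apart from the data."""
    return {rid: seal_record(key, rec) for rid, rec in table.items()}


def verify_table(key: bytes, table: dict, tags: dict) -> list:
    """Return sorted ids of records that were modified, inserted (no tag) or deleted (no record)."""
    suspect = []
    for rid in sorted(set(table) | set(tags)):
        if rid not in table or rid not in tags:
            suspect.append(rid)          # deleted or inserted record
        elif not hmac.compare_digest(seal_record(key, table[rid]), tags[rid]):
            suspect.append(rid)          # content no longer matches its tag
    return suspect


# Constructed sample data: a tiny payroll table.
PAYROLL = {
    "1001": {"name": "A. Example", "salary": 52000},
    "1002": {"name": "B. Example", "salary": 61000},
}


def demo() -> list:
    """Seal the table, simulate an unauthorized modification and an insertion, then verify."""
    tags = seal_table(INTEGRITY_KEY, PAYROLL)
    tampered = json.loads(json.dumps(PAYROLL))               # deep copy of the live data
    tampered["1002"]["salary"] = 610000                      # silent change to one field
    tampered["1003"] = {"name": "C. Ghost", "salary": 99000}  # record with no matching tag
    return verify_table(INTEGRITY_KEY, tampered, tags)


if __name__ == "__main__":
    print(demo())  # ['1002', '1003']
```

The tag store must itself be protected (kept on a separate, more tightly controlled host, or signed), since an attacker with write access to both data and tags could only be stopped by the key remaining secret.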

Proactive Planning

It is unlikely that an organization starting now will fully secure its network, servers, and applications in time for Y2K. Therefore, proactive planning is necessary to further protect the network during the hours, days, or weeks when Y2K disruptions make information more vulnerable to attack.

Unlike the assessment and solution phase, the actions produced through proactive planning are Y2K specific and tend to disrupt normal business practices. Examples of proactive planning might be:

  • shutdown of the systems supporting critical information

  • isolation of some systems from the rest of the network

  • isolation of the corporate network from the Internet

  • disabling remote access

Reaction Planning

It is unlikely that your proactive planning will shut down all systems -- the cost of such a step to the business is far too high. Therefore, we can expect most systems and most information to be active during the Y2K period. The networks, computers, and applications must be monitored carefully during this time to detect and counter attacks.

The most important component of this planning is the action plan: what steps should be taken in the event that an attack is detected or suspected. The administrators of the networks, servers, and applications must have clear instructions since the response to attacks must be effective and swift. Furthermore, it is highly likely that the responses will disrupt the normal business flow, so there must be prior agreement between the business managers and the administrators that even draconian actions (e.g. shutting down a server) are acceptable during certain scenarios.

Education

It is time to begin the education of the senior management concerning information security and Y2K. Unfortunately most managers are unaware of the security implications of Y2K. Many managers are under the assumption that their applications and systems are Y2K compliant (after the expenditure of large amounts of money) so there is nothing to worry about. It is far more effective to educate these managers before a Y2K security problem than during one.

Summary

In summary, there are many components to Y2K -- it's not just about year roll over. Information security is an important, but generally overlooked Y2K issue. Fortunately, there is time to address information security before Y2K and the resulting solutions will provide your business a secure and efficient information infrastructure for years to come.
