By: JIM ROSENBERG
no mystery at Nexpo
Safeguarding newspapers’ nervous systems
by Jim Rosenberg
Plan, protect, and maintain were the messages of the three sessions of a two-day “Demystifying Networks” workshop at Nexpo ’99 in Las Vegas earlier this month. The workshop drew on the know-how of managers and business partners of The Atlanta Journal-Constitution.
With virtually all dailies using at least some local computer networking, and most likely having access to the Web from at least one machine, the age of the Internet arrived along with hacking hazards (unauthorized system access) and contagious code (transmissible, unauthorized computer instructions). So it was no surprise that the sessions, pulled together by AJC computer services director Ed Baer, opened with an examination of systems security. The matter is of immediate concern to managers, regardless of their network plans or future needs ? topics of the next two sessions. (See the technology section in the upcoming July 31 E&P.)
Inattention to network security, says Baer, risks a newspaper’s ability to publish. Neither firewalls between internal and public networks nor protective software is enough, he contends, because security is not always a technical issue. Baer urged managers everywhere to be alert to possible vulnerabilities and to communicate with network users, educating them in the proper response to hazards.
Still at work on an employee-awareness campaign, Mike Goss, AJC security administration manager, says the paper’s human-resources department now assists network security by adding safe computing to its other musts for getting hired ? passing a drug test and a background check.
Goals for system safety, says Goss, are security against outside access, round-the-clock availability, data integrity, and privacy (need-to-know internal access).
Goss says his newsroom’s mainframe-and-terminal Atex system, in use through the early 1990s, “didn’t even allow dial-in back in the early days.” Now, he says, “that environment has completely changed.” That’s true inside and outside his or anyone else’s paper. By year-end, the Internet will have an estimated 132 million users.
The Internet or other external access amounts to the “biggest threat” to a business network, says Goss, who says he’s bothered most by hackers because of “how well they can hide.”
Outside access is possible with such products as Timbuktu and Copycat (use of which should be controlled, he says) and with hackers’ tools available on the Web.
For protection, Goss recommends:
?changing IDs and passwords often;
?controlling dial-up environments;
?using defensive software;
?allowing vendors access only via secure identification;
?routing all external communications to an isolated network “so the integrity of your production network remains;” and
?writing simple scripts that check and report if the sizes of programs change significantly or if there is a rapid succession of guest IDs applying for access.
Other dangers lurk in e-mail, where Goss cites the examples of the federal government using Microsoft e-mail to refute Bill Gates’ video testimony and Chevron settling with employees offended by others’ e-mail postings.
Protective policies can include allowing only company-sanctioned activities, recognizing no e-mail as private, allocating limited storage capacity (20 megabytes), and scheduling regular purges (every 20 days for all but critical information).
Though encryption is available, Goss points out that it works only when the creator/sender and user/receiver have the same algorithm. Its advantage is that even if a network is hacked, communications will likely remain incomprehensible to snoopers.
Malicious or merely mischievous code can make its way onto networks via e-mail attachments, vendors’ and users’ infected disks, downloaded shareware, and remote-access software.
Not only is the number of viruses and similar rogue programs growing, says Goss, but so too is their prevalence, according to AJC monthly comparisons of instances of detection. To deal with this in a quick and coordinated fashion, Goss established a virus-response team with representation from all departments.
With each new virus came another warning. So, because employees eventually began ignoring the warnings, says Goss, “we try to key on the viruses that are really dangerous.” The best protection, he says, is routine scanning for viruses on PCs. Other measures include using only licensed software copies; scanning all media before distributing it; re-evaluating antivirus software monthly; and reporting all incidents.
That danger multiplies, says Baer, because “as you move to a network world, you evolve to a single network.” Where hacking and infection were once confined to departments, a single network ? for all its possible efficiency and maintenance gains ? exposes the entire company.
Networks may be overwhelmed as easily as they are invaded. “Like anyone else,” says Goss, “spamming occurs at the AJC on a regular basis.” Last fall, one such unsolicited, inexpensive mass e-mailing (ads for pornography) began arriving on a weekend and took down its system.
Filters and e-mail upgrades able to block unwanted messages help prevent spam. Whatever does get through can be identified from an e-mail’s delivery information or by contacting www.networksolutions.com. The information, says Goss, is best sent to the paper’s Internet service provider,which can shut down the source.
Urging wariness of chain e-mails, the network security chief says staffers can recognize the often helpful-sounding messages by their alarming hook, elaboration of an imaginary threat, and request to copy the message to others.
A last threat to a network is from within. Pirating software is a federal offense punishable by imprisonment, fines, and damage awards. Goss suggests putting one person in control of original disks (or purchases receipts or documentation) and periodically auditing departments.
Goss recommends an electronic communications policy to establish access authorization and responsibility; create guidelines with defined restrictions and system-related accountability; and provide for temporary exceptions. (“You’re never going to develop a policy that all departments can comply with 100%,” he says.) The policy document should include an acknowledgement form to be signed by the network user.
Beyond management commitment, legal department approvals, and third-party cooperation, says Goss, successful implementation requires departmental buy-in.
“We advertise it on AJC-TV” and communicate the policy “through voice and e-mail messages,” says Goss.
?(Editor & Publisher Web Site:http:www.mediainfo.com) [Caption]
?(copyright: Editor & Publisher June 26, 1999) [Caption]