Network Security's No Mystery at Nexpo: Safeguarding Newspapers' Nervous Systems by Jim Rosenberg
Rosenberg, Jim, Editor & Publisher
Plan, protect, and maintain were the messages of the three sessions of a two-day "Demystifying Networks" workshop at Nexpo '99 in Las Vegas earlier this month. The workshop drew on the know-how of managers and business partners of The Atlanta Journal-Constitution.
With virtually all dailies using at least some local computer networking, and most likely having access to the Web from at least one machine, the age of the Internet arrived along with hacking hazards (unauthorized system access) and contagious code (transmissible, unauthorized computer instructions). So it was no surprise that the sessions, pulled together by AJC computer services director Ed Baer, opened with an examination of systems security. The matter is of immediate concern to managers, regardless of their network plans or future needs -- topics of the next two sessions. (See the technology section in the upcoming July 31 E&P.)
Inattention to network security, says Baer, risks a newspaper's ability to publish. Neither firewalls between internal and public networks nor protective software is enough, he contends, because security is not always a technical issue. Baer urged managers everywhere to be alert to possible vulnerabilities and to communicate with network users, educating them in the proper response to hazards.
Still at work on an employee-awareness campaign, Mike Goss, AJC security administration manager, says the paper's human-resources department now assists network security by adding safe computing to its other musts for getting hired -- passing a drug test and a background check.
Goals for system safety, says Goss, are security against outside access, round-the-clock availability, data integrity, and privacy (need-to-know internal access).
Goss says his newsroom's mainframe-and-terminal Atex system, in use through the early 1990s, "didn't even allow dial-in back in the early days." Now, he says, "that environment has completely changed." That's true inside and outside his or anyone else's paper. By year-end, the Internet will have an estimated 132 million users.
The Internet or other external access amounts to the "biggest threat" to a business network, says Goss, who adds that he's bothered most by hackers because of "how well they can hide."
Outside access is possible with such products as Timbuktu and Copycat (use of which should be controlled, he says) and with hackers' tools available on the Web.
For protection, Goss recommends:
* changing IDs and passwords often;
* controlling dial-up environments;
* using defensive software;
* allowing vendors access only via secure identification;
* routing all external communications to an isolated network "so the integrity of your production network remains;" and
* writing simple scripts that check and report if the sizes of programs change significantly or if there is a rapid succession of guest IDs applying for access.
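The last recommendation, sketched as an added example (not code from the article or from the AJC). The file paths, the log line format, the "guest" ID prefix, and the thresholds are all assumptions chosen for illustration.

```python
import os
from collections import deque
from datetime import datetime, timedelta

def snapshot(paths):
    """Record the current size in bytes of each program file (None if missing)."""
    return {p: os.path.getsize(p) if os.path.isfile(p) else None for p in paths}

def size_changes(baseline, current, threshold=0.10):
    """Report files that grew/shrank by >= threshold (fraction) or appeared/vanished."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            if old != new:
                report.append((path, old, new))
        elif abs(new - old) >= threshold * max(old, 1):
            report.append((path, old, new))
    return report

def guest_bursts(log_lines, window=timedelta(seconds=60), limit=4):
    """Return (first_seen, last_seen, ids) when `limit` or more distinct guest IDs
    request access within `window`. Assumed format: 'DATE TIME ACCESS-REQUEST <id>'."""
    recent, alerts = deque(), []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "ACCESS-REQUEST" or not parts[3].startswith("guest"):
            continue  # ignore malformed lines and non-guest accounts
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        recent.append((ts, parts[3]))
        while ts - recent[0][0] > window:
            recent.popleft()  # drop requests that fell out of the time window
        ids = sorted({uid for _, uid in recent})
        if len(ids) >= limit:
            alerts.append((recent[0][0], ts, ids))
            recent.clear()  # start a fresh window so one burst is reported once
    return alerts

# Constructed sample data, not taken from the article.
BASELINE = {"/usr/local/bin/pagesend": 48200, "/usr/local/bin/wirefeed": 120000}
CURRENT = {"/usr/local/bin/pagesend": 48350, "/usr/local/bin/wirefeed": 171500}
SAMPLE_LOG = [
    "1999-06-21 02:14:03 ACCESS-REQUEST guest01",
    "1999-06-21 02:14:09 ACCESS-REQUEST guest02",
    "1999-06-21 02:14:15 ACCESS-REQUEST guest03",
    "1999-06-21 02:14:21 ACCESS-REQUEST guest04",
    "1999-06-21 09:30:00 ACCESS-REQUEST guest05",
]
```

In use, `snapshot()` would be run once to store a baseline and again on a schedule, with `size_changes()` comparing the two; `guest_bursts()` would be fed the access log for the same period.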
Other dangers lurk in e-mail, where Goss cites the examples of the federal government using Microsoft e-mail to refute Bill Gates' video testimony and Chevron settling with employees offended by others' e-mail postings.
Protective policies can include allowing only company-sanctioned activities, recognizing no e-mail as private, allocating limited storage capacity (20 megabytes), and scheduling regular purges (every 20 days for all but critical information). …