Security expert makes point by breaking in
That’s exactly what Todd Clark did the other day to an agency he declined to name. It took him about one hour.
"I didn’t even need a password to get in," he said. "I had ‘back door’ access."
Clark wasn’t out to destroy files. He was proving a point to a potential customer about how vulnerable most networks are. Clark, owner of a newly formed company called Denalitek, Inc., is drumming up business by offering a free evaluation of any company’s network security -- and then charging a fee to make the network safe and keep it safe.
Clark specializes in Microsoft products, with knowledge of both the company’s operating systems and its software. He said that gives him a competitive advantage, since most attacks consist of small programs custom written to go after vulnerabilities in the operating system.
Clark’s software credentials include writing a program called Autopilot, which automatically created a custom menu for each user of a network based on what files they were allowed to see. He said he sold the pre-Windows software for royalties.
In 1988, Clark was hired by Network Business Systems of Anchorage, where he stayed for 12 years, rising to the level of vice president. In early June, he left the company to devote his energies full-time to Denalitek.
The new company provides network management for companies that are too small to afford their own information technology staff. While Clark acknowledges that there are many other firms offering such a service in Anchorage, he says he differentiates his service by providing unique task tracking software for his customers.
The software, called AdminPoint, is accessible via a Web browser. It allows clients to leave requests for repairs or changes for their service technician. The technician, who typically visits the company once per week, can log into the same area and see those requests, along with other regular maintenance tasks.
Those tasks, says Clark, include installing "patches," which are software changes provided by Microsoft that are designed to block newly found vulnerabilities. Clark said failure to keep up with the frequently released patches can leave networks very vulnerable to attack. So can improper installation of the network in the first place, he said. It’s those kinds of oversights that Clark can find with his security audits.
Clark said protecting the information on computer networks is becoming increasingly important because two federal laws now require it. One is aimed at protecting the privacy of medical records, which affects the entire health care industry.
Another federal law requires financial services companies to take steps to protect their customers’ privacy -- and to tell their customers what those steps are. Clark said people should have been receiving notices from their mortgage and credit card companies in recent weeks because the disclosures were required by July 1.
In addition, Clark said VISA is requiring any merchant accepting so-called "card not present" purchases over the phone or the Internet to have a full array of security features installed on their systems to guard against fraud.
Clark said that in addition to keeping up with software upgrades, businesses wishing to beef up their security can install a "firewall," a mix of software and hardware that keeps most attackers at bay by limiting the kinds of traffic allowed into the network.
Clark said firewalls can range from software on an individual PC to a separate box that plugs in between a corporate network and the Internet. In an era with "always on" cable modem or digital subscriber line connections, he said such protection is highly recommended.
Without it, Clark said, intruders can remotely install software that records every keystroke on a PC -- including passwords to Internet banking and other sensitive sites.
"This is why people should be concerned," he said. "It’s like asking people to stand and watch over your shoulder while you use an ATM machine."