Two of the nation’s top computer security specialists have grim news for any company that relies on computers and has a link to the Internet: You will be attacked.

"There are two kinds of organizations: those that have been hit and those that will be hit," said Gary Sullivan, president of Galaxy Computer Services Inc. of Manassas, Va. "Expect to be hit, and plan to survive."

Sullivan made the comments during a morning-long conference Feb. 14 at the Egan Civic & Convention Center in Anchorage. The conference was sponsored by the Alaska Hi-Tech Business Council.

Sullivan’s credentials include 20 years of management and security experience for large defense contractors like General Electric and Lockheed Martin.

He was joined at the conference by Galaxy’s founder and chief technology officer, Lara Baker. Baker has been involved with top-level government security, including work at Los Alamos National Laboratory and as an adviser to the Central Intelligence Agency.

Galaxy provides a variety of computer security consulting services. The company has more than 50 employees, most with federal government security clearances. Besides the government, the company advises corporate clients, specializing in the financial and health care industries.

At the Feb. 14 conference, Sullivan explained how businesses can protect their information from attackers, alternating with Baker, who provided a series of computer security horror stories and detailed information on how intruders find security flaws and exploit them.

Sullivan began the morning by pointing out that information is a business asset like any other.

"Businesses must take measures to protect that asset just as they would a more tangible asset," he said.

He said protecting the integrity, accuracy and availability of information, what he calls information security, is more than safeguarding computers and networks.
"If I get it out of your dumpster, information is information."

But these days, most information doesn’t exist on paper, Sullivan said. So protecting computers and networks has become the way to protect information.

To make the point, Baker urged managers to walk around and look at every computer for which they are responsible.

"You should ask what happens if the data on that computer goes away; what happens if the computer goes away; and what happens if the person running the computer and the computer go away," he said.

Sullivan quoted a recent FBI report that found that 80 percent of organizations can improve their security, and that 20 percent of organizations have "significant security issues," meaning they can be crippled for days or longer. The study also found that most organizations do not have an electronic security professional on staff, relying instead on third-party vendors.

Sullivan said that the Internet, and especially electronic commerce, has changed the rules of security and vastly increased the risks facing companies that rely on computers to conduct business.

"Pre-Internet, the role of security was to keep everybody out," he said. "Post-Internet, it’s let everyone in, but minimize the malicious effects."

He said e-commerce adds to the risk because transactions have no delay time and there’s no direct control over the end users.

"You don’t really know who’s on the line, filling out a loan form," he said.

Sullivan said another problem is the rate of technology change, where companies are often forced by vendors to upgrade to the latest version of software without time to assess any new vulnerabilities.

"There has to be a structure in the organization to manage change," he said.

Sullivan and Baker were particularly critical of Microsoft Corp., whose operating systems suffer from numerous security flaws.
They said it’s why 80 percent of all Web servers, the computers that actually store and serve information to visiting surfers, do not use Microsoft software.

Sullivan quoted a 2001 survey of 40 community banks whose networks were scanned for vulnerabilities. He said the survey found that 28 were using Microsoft software and that of those, nine were susceptible to a virtually undetectable exploit that would allow retrieval and modification of account data.

Microsoft routinely issues software "patches" that fix vulnerabilities once they’ve been discovered. But, Sullivan said, many companies fail to install them, leaving their systems open to attack.

"Security is not a one-time thing," Sullivan said. "It can’t be done once. It must be done daily as a business process."

Building a secure network

Safeguarding a company’s information assets includes hardware and software, but it also must take into account the people in an organization, because, as both Sullivan and Baker pointed out, some of the worst computer attacks have been carried out by disgruntled employees.

Sullivan said the main way to protect a network is to control who gets to see different types of information, with access defined by job function. The primary method of authentication is the password, which Sullivan said should be at least eight characters long, should never spell a word, and should include numbers and special characters. It should also be changed regularly.

Sullivan said the most difficult part of using passwords is that if they get to be too long, or are changed too often, people start writing them down, thus defeating their purpose.

"The goal is security that is appropriate for the organization," he said.

"Passwords are like your toothbrush," he said.
"Use them regularly; change them often; and don’t share them."

As for protecting a network from outside intruders, the most common defense is a firewall, usually a combination of software and hardware that defines what parts of a company’s network are visible to the rest of the world. Unfortunately, many companies install a firewall and forget it. That’s dangerous, Sullivan said, because firewall software needs to be properly configured and regularly maintained.

"No firewall can protect against that which it is programmed to allow," Sullivan pointed out. "Your firewall rules are your external security policy."

Other security measures include:

Virus scanning software: Again, Sullivan stressed the importance of regularly updating the software as new defenses are devised against the latest computer virus.

Virtual private networks: These are highly encrypted links between different corporate locations. Sullivan said companies should use a single vendor for both ends of the link because not all systems work well together.

Intruder detection software: Sullivan said this sophisticated approach, which evaluates patterns of traffic in a network, is difficult to configure and must be trained, or fine-tuned, so it doesn’t constantly sound an alarm.

Sullivan said a new challenge for security is wireless networking, since it works by broadcasting a network to anyone with the right receiver. That has led to what he called "drive-by hacking," which involves people driving up to a building and tapping into a corporate network from their car.

He said the security of such systems is weak but is rapidly improving, especially in the health care industry, which makes extensive use of wireless technology within hospitals.

Sullivan concluded by reminding the audience that hardware and software are only part of what’s needed to protect a company’s information assets.
The others are: physical control of access to data; disaster protection and recovery; user education; and a security information plan.

The security information plan

Helping companies plan for computer attacks is what Sullivan and Baker do for a living. Their approach is comprehensive, beginning with an audit of what information assets a company has, which are the most vital to its survival, and the current state of the firm’s security.

They then define what steps should be taken to protect the company’s information and how to do it.

The next step is to put in place systems that detect attacks, ideally before a company’s information has been compromised.

Then, the company must decide how to react to an attack. Baker said an organization can either fix the problem or go after the attacker. But, he warned, pursuing and prosecuting require a great deal of preparation. That includes making sure that the servers on a network save a record of everything that happens on the network, a feature Baker said many companies turn off to save on disk space.

"Are you collecting evidence on an ongoing basis?" he said. "You need to collect it to have forensics success."

Baker said the plan should also define specific steps to take once an attack has occurred. They include notifying the appropriate law enforcement authorities and service providers; stopping or containing the attack; assessing the damage; eradicating any viruses; and recovery.

The final phase of any plan should include a reflection phase: a post-mortem where the organization figures out what worked and what did not. Then, Baker said, "Go out and make the changes. Don’t just talk about it."