Computers & Security, 17 (1998) 564-574
Security Views Dr. Bill Hancock, CISSP
Windows-98, RIP and My Adrenaline Rush
As some of you are aware, I have been an avid student of the martial arts since age 4. I did rather well in competition in the 70s and 80s at very large, interna- tional tournaments. Its come in quite handy on a couple of unfortunate times, but has always been part of my life and has been there for me when I needed it most.
What does this have to do with anything? Well, I still get an adrenaline rush when I step into a tournament ring - even if I am just one of the other old fossils who judge the efforts of the younger and more agile. Of course, us old fossils have a saying:
Youth md exuberance does riot stand a clzance against age arld deceit.. .
But, martial arts tournaments give me an adrenaline rush. Probably always will.
Of course, other things do as well. One is when I come to a realization of how nasty a security problem some feature or another is in an operating system that I am fooling around with. With that, I recently had a small one that grew in scope when I put two-and-two together and came up with a much larger number.
After recently purchasing a new Pentium II with all
the bells and whistles on it, it came pre-installed with the standard, buggy release of Windows-98. As the proper geek that I am, once I was happy that every- thing was working, I parked myself on the Microsoft Windows-98 CD-ROM that came with my system and started looking into items that are optional installs such as theValuPack and other goodies that are on the CD-ROM.
Whilst browsing the CD-ROM, I discovered that an install existed for Routing Information Protocol (RIP).This was a bit of a surprise as making a desktop system a router is not always a good idea for lots of network control reasons and even more security reasons. But, being curious as to whether it worked or not, I installed it and started playing with it.
I was quite successful in getting an ISP connection via modem with PPP to route properly to an Ethernet/802.3 connection on the system itself. This meant that I could dial up an ISP and allow other nodes on my constructed testing LAN to communi- cate with the ISP and, therefore, the Internet. A little further extrapolation caused the revelation that any laptop running W98 with the optional RIP installed would allow the laptop to back door connect the laptop to the ISP on the modem side and the laptop to the corporate LAN on the Ethernet side of the connection. Hence an adrenaline rush - a secu- rity problem, and a pretty serious one, waiting to happen.
564 0167-4048/98$19.00 0 1998 Elsevier Science Ltd. All rights reserved
Computers & Security, Vol. 17, No. 7
For example, one of my customers has a site with 2000 telephone handsets on the property. They also have over 950 analogue lines. Of those 950 analogue lines, over 700 are modem connection lines for desktop systems as the users got sick and tired of getting the IS department to help them connect out to the world. Using RIP with a W98 upgrade would now allow these users to connect out to the world and also route information from the local network to the Internet and vice-versa.
Of course, using this type of network technique is not new. Products such as WinGate have allowed this
capability on W95 for some time now. Other Network Address Translation (NAT) products for W95 and MS- DOS accomplish much the same thing. But, you must purchase WinGate after the trial period for a small fee and RIP comes included in the W98 distribution kit. Further, you would also be required to do a little snooping around the Net to figure out that there was a WinGate in existence. Inclusion of RIP on the distribution CD is much easier to discover and use.
I fully expect a lot of small businesses to implement this optional component. 1 also fully expect large cor- porate laptop users to do the same. In either situation, compromise of the internal networks via unautho- rized connectivity and access will become much more commonplace. It also follows that if your company does not have policies about what is allowed to be connected to the corporate network and, importantly, how, then be prepared to have your network compro- mised by a desktop near you soon.
Stealth Probing of Internet-connected Sites
A recent series of long-term, low packet-count probing has been going on within various large network sites belonging to the military and other large sites. Low-bandwidth, or group, hacking involves numerous hackers working together from different locations. Together, they intermittently send sets of IP packets against a network to test for vulnerabilities. Because the packets come from different hosts and at varying intervals, they come in, in effect, under the
radar of most intrusion-detection applications currently on the market.
This type of attack has been rumored about for several years, but it wasnt until last month that it was documented by the Shadow project of the US Department of the Navys Surface Warfare Center. With these new low-bandwidth attacks, hackers have found a way to make the most obvious part of their attacks - probing for vulnerabilities - virtually undetectable. That frees them up to do the real damage by racing through those holes to capture data before they can be shut down. So far, there have been three distinct patterns that have emerged:
Slow scans for machines and services: Attacker inter- mittently checks for machines and services to develop a picture of the target network. Once vulnerabilities are mapped, attacker can go back through that hole.
Multisourced attack: Attacker tries to access or crash a server, also known as denial of service, from multiple points of origin.
Multisourced attacks to multiple targets: Attacker dilutes the so-called attack density, making it look like normal traffic that is converging on the same data.
So far there has been a lot of vendor posturing and assurances of product upgrades coming out to fight this new method of probing for weakness. We will see. What is already known is that this type of probing requires monitoring consisting of various database and neural network methods as well as macho computing hardware to handle the performance issues that are sure to be an issue. This type of monitoring comes at a price and its not going to be cheap to implement nor simple to solve.
Lotus Domino Security Flaws Redux Another security glitch on Lotus Developments Domino Web server may make it possible to view sensitive credit card, address, and phone data from the Web. The breach was reported last week by LOpht Heavy Industries, a group dedicated to security research.Their advisory is located on their web site at:
Security Vie ws/Dr. Bill Hancock
http://www.lOpht.com (thats a zero, not an O).This flaw could make Lotus Domino application-based payment and client data available from a Web browser. LOphtS website said it received reports regarding a vulnerability in some implementations of Domino- based applications, which result in the Internet publi- cation of sensitive information belonging to customers of Lotus/IBM and their business partners.
LOpht said Web browser users can access database information simply by navigating to the payment entry part of a Domino site, then substituting open after -.nsf database names in the URL. LOpht suggests developers use reader and author names fields to prevent unauthorized access to sensitive data. It also suggests disallowing anonymous access to names.nsf, catalog.nsf, log.nsf, domlog.nsf, and domcfg.nsf databases.
Ironically, while Lopht was posting the advisory about the security-flaw on its website, Lotus outlined details of its E-commerce and public-key infrastructure security plans at its developers conference. To address security concerns, Lotus placed its IETF PKI compli- ant implementation in the public domain last summer. Lotus officials said Microsoft, Intel, and Security Dynamics Technologies pledged to support the reference implementation. Having a single PKI imple- mentation will keep down the number of certificate authorities businesses will have to maintain for trading partners and foster greater extranet development. PKI functionality for Notes/Domino will be completed and available in the next six to 18 months.
European Companies Not Impressed With E-Commerce
A recent survey by Andersen Consulting shows that many European business executives are slow to incor- porate electronic commerce into their operations. While 82% of executives said they believe E-com- merce will have a strategic impact on their business in the future, only 39% are taking steps today to incor- porate the technology into their strategy. Only 19%, the survey found, regard E-commerce as a serious competitive threat.
Moreover, one-half of the respondents believe that consumers lack an understanding of E-commerce. A majority view privacy and security as major barriers. Eight percent cited the need for governments to work together to form a common, international E-com- merce framework. The survey, conducted between December 1997 and July 1998, involved more than 300 senior executives throughout Europe
Vendor-Supplied Security for Computers Dell Computer Corp. is working overtime to help IS managers secure the data in their users notebooks, desktops and servers. Dell recently announced DellGuard, a security initiative that features password- protected hard drives for notebooks and desktops, along with an 800-number that assists in tracking stolen PCs. In the first half of 1999, the company plans to add smartcard hardware to its notebooks and desktops that will provide a single point of user authentication.
The smartcard solution, which would require a card reader and be used during logon, would reduce the number of passwords needed and lessen the chance of an unauthorized user gaining access to data stored on a PC or network. Dells smartcard security product is expected on Latitude notebooks and OptiPlex desktops, sources said. While the company is consider- ing using third-party smartcard devices, it is also devel- oping its own reader, which could add about $100 to the price of the notebook, sources said. Dell is also evaluating biometric security technology, including a fingerprint sensor developed by Veridicom Inc., in Santa Clara, Calif., which authenticates users via their fingerprints.
The companys DellGuard initiative will focus on standards-based solutions that are compatible with Microsoft Corp.s Windows NT 5.0. Windows NT 5.0, for example, will support smartcards and include a smartcard API as well as built-in data encryption.
Dell isnt alone in its security efforts. Compaq Computer Corp. is a member of the BioAPI Consortium, a group that is working to develop APIs for biometric security. The Houston company also
Computers & &writ-v, Vol. 17, No. 7
has a fingerprint recognition device for its Deskpro PCS.
IBM will also introduce a smartcard encryption prod- uct for its ThinkPad notebooks.The company is devel- oping a reader that will tit into the notebooks PC Card readers. The smartcard product, which has not yet been priced, will be available first as an option, sources said.
Hewlett-Packard Co., a longtime smartcard backer, recently announced ProtectTools, a program to inte- grate smartcard readers into its Vectra VL desktops, Kayak workstations and OmniBook notebooks. The Palo Alto, Calif., company is working withveridicoms sensors for inclusion in future desktops and note- books.
While all of these initiatives are useful and beacon the user to thinking more about being secure and less about the overall problem (its the I have a lock on the door and am therefore secure syndrome), they are all based on different methods, technologies, tech- niques, etc. Until we can get all the vendors together in a single mode of security, all this does is exacerbate the differentiation of security products for the same technical problem and, as usually happens, the users turn the security features off in defiance of IS person- nel due to their operational needs (i.e. they dont want to mess with the solution as it is intrusive and annoying).
Network Associates Introduces a New Firewall Concept: Adaptive Proxies
Network Associates, Inc., recently announced a new method to protect networks via firewall technology that promises to remove the longstanding tradeoff between security and speed when choosing a tirewall. The new patent-pending tirewall technology features Adaptive Proxies which maintain the tight security standards of proxy firewalls, but can dynamically adapt packet flows on the fly to achieve substantial performance improvements. The new Adaptive Proxy technology is the result of years of research at NAI Labs, the security research division of Network
Associates.The new technology will debut this month in Gauntlet Firewall 3.0 for Windows NT, and will be widely available on all Unix and NT versions of Gauntlet later in 1998.
Historically companies have faced a tradeoff between the speed of stateful packet inspection firewalls and the tight security of application proxy firewalls. The new adaptive proxy model eliminates that tradeoff by dynamically applying the appropriate degree of secu- rity as it is needed.
Application proxy firewalls like Gauntlet have tradi- tionally been viewed as better than average security due to specific architectural features that help secure ancillary information when a connection is in progress. Because all data passing through the firewall is examined at the application layer, the highest level of the protocol stack, application proxy tirewalls have full knowledge of exactly what is occurring in each attempted connection. Proxy firewalls are also consid- ered to be superior to stateful packet inspection firewalls because they act as a proxy for all authorized connections, never allowing direct contact between the trusted and untrusted networks. Although these methods offer significantly tighter security, the addi- tional security measures sometimes require more time to process.
In contrast, stateful packet inspection firewalls to simulate the approach of an application proxy tirewall by examining data through a proprietary inspection module at a much lower level of the protocol stack. Once a connection has been established, stateful pack- et inspection tirewalls also allow direct connections (if NAT facilities are not enabled) between endpoints through the firewall, potentially exposing internal systems to compromise from sophisticated attackers if the firewall is incorrectly set up.
The new patent-pending Adaptive Proxy technology supposedly gives users the best of both previous fire- wall technologies. Adaptive Proxy firewalls dynamical- ly adapt packet flow on-the-fly based on user-defined security rules. This allows users to customize firewall policies to their specific needs without sacrificing speed or security. When security requirements are
Security Vie ws/Dr. Bill Hancock
high, the initial security examination still occurs at the application layer, assuring the maximum security of a traditional proxy firewall. Once all the details of that session have been cleared by the proxy, however, subsequent data packets can proceed directly through the much faster network layer. Initial vendor bench- mark tests of the new Adaptive Proxy technology have demonstrated tenfold or greater performance improvements with zero security compromise (of course, these are vendor provided and still need to be verified).
Gauntlets new Adaptive Proxy technology will also enable more flexible integration between individual security products such as security vulnerability scanners, virus security scanners, and intrusion protec- tion sensors. As part of its Active Security initiative, Network Associates is enabling properly authenticated devices to automatically adapt firewall security levels according to a firewall administrators pre-established security policies whenever security sensors and scanners detect an important threat to the network. Next!
Aussies Outsource their Equivalent of the US National Security Agency
The partial handover of Australias most secretive intelligence network to a foreign company was a threat to national security, the main opposition Labour Party said Tuesday.
The Defense Signals Directorate (the Australian equivalent of the US National Security Agency), which is so secretive its annual budget isnt even made public, has handed over some of its foreign intelligence gathering to private companies, one of which is British Aerospace Australia. The handover was made public when British Aerospace advertised for 40 peo- ple with expertise in languages of the Asia-Pacific region to work in Australia.
Labour defence spokesman Arch Bevis said handing such sensitive work to a foreign-owned company was madness and clearly not in Australias interests.
Not even Margaret Thatcher or Ronald Reagan went this far with privatization, Bevis said. Giving British Aerospace Australia a contract to advertise for and employ language and communications intercept experts has enormous implications for Australias national security.
In a conflict situation, the information they would be gathering could affect the lives of thousands of military personnel. Bevis called on Prime Minister John Howards government to make public any plans for the sell-off of other aspects of Australias defence systems.
What I find truly interesting about this is that the task is over and done with, the politicians are going crazy over it and there is a high probability that the situation has existed for years. In my years working in spook shops, it was not uncommon at all to have a great many commercial contractors working with us side- by-side. It would never appear on the books of any contractor as to what, exactly, they were doing - but they were there doing it nonetheless. Sorry, guys - nothing really earthshattering here. Been happening for years. I sometimes wonder what will be outsourced next. Upon reflection, I probably dont want to know.
New E-mail Newsletter on Electronic Identify Fraud
John Ellingson, principal of e-Dent&cation LLC announced the start of publication of a free E-mail newsletter called Electronic Identity Fraud. Publication is devoted to the newly created problems of electronic commerce and electronic data inter- change (EDI) wherein people in remote locations do business through electronic means and lose the valuable opportunity for personal face to face evalua- tion of each other.
Much attention has been devoted to the security of the message, using encryption and passwords and fire- walls. But the important question of the identity and honesty of the sender of the message has been ignored. The newsletter is available on request to ZRZZ32A@PRODIGY.COM. Please say Identity Fraud as subject of request.
Computers & Security, Vol. 17, No. 7
John Ellingson is chairman of NBIB Inc. which devel- oped an identity detection system now used by 17 000 banks.The new system is designed specifically for non bank companies engaged in electronic commerce. He is at Johne@37179.aol.com.
Worlds Smallest Combination Lock is Created
A team of US scientists have developed a minuscule mechanical device they describe as the worlds small- est combination lock, promising to build a virtually impenetrable computer firewall.
Sandia National Laboratories said in a news release that the Recodable Locking Device is a series of tiny notched gears that move to the unlocked position only when the right code is entered.Using the micro- electromechanical system (MEMS) so small that it takes a microscope to see it, Sandia said, the device is the first known mechanical hardware designed to keep unwanted guests from breaking codes and illegally entering computer and other secure systems.
The Recodable Locking Device is hardware. With it in place, a user would only have one opportunity to enter the correct password - and a one in one million chances of guessing it, compared with a one in 10 000 chances in most passwords used in software firewalls. The system shuts down if the password is incorrect and can only be reset by the owner. The entire device is about the size of a button on a dress shirt and could be built into a small chip that would be incorporated into any computer, computer network or security system.
It consists of a series of six code wheels, each less than 300 microns in diameter, driven by electrostatic comb drives that turn electrical impulses into mechanical motion.To unlock the device, a user must enter a code that identically matches the code stored mechanically in the six code wheels. If the user makes even one wrong entry, the device mechanically locks up and does not allow any further tries until the owner resets it. Sandia said that the device has a powerful potential besides being a deterrent to hackers. They expect to
see the device used in commercial applications within the next two years.
Getting Bitten by Year 2000 Problems in Places You Never Thought of.. .
Oddly enough I get a lot of E-mail questions about security and the Year 2000 problem. While some of you readers will refer to this section as I already knew that, and you may be correct, it strikes me that there are many out there in cyberspace who really dont understand the Y2K problem to the depth that it extends. If nothing else, use this section of this months column to educate your management.
Everyplace you read you hear about the Year 2000 problem, especially when computer systems and software is involved. Is it real? Yeah, unfortunately, it most certainly is. Is your company at risk due to it! Yes, it is and thats a question we can explore in detail later, but first we need to understand what the Year 2000 (also known asY2K) problem is.
When programmers write programs, which are on every computer in every location, they have to create program code sequences that involve the use of dates and times. When defining any type of date many times, programmers must specify rules for the format- ting of year of the date. For instance, specifying only 19 for a year as the first two digits is going to cause big problems when the year 2000 hits and it starts with 20. Programs cannot do anything other than what they were programmed to do and those who are expecting 19 for the first two year digits are going to freak out in a major way when something hands a 20 to them instead. At a minimum, things stop working. At a maximum, systems crash and incorrect date information is saved. This can have some pretty far- reaching and catastrophic effects for a lot of things like databases and real-time programs which use dates and times for serious work like nuclear reactor failsafe programs.
Even worse are where programs have algorithms where date computations are made based upon only the last two digits of the year. Lets say you wanted to
Security Views/O=. Bill Hancock
know how many months had transpired from the first of January of the year 1900 until the last day of December of the year 1999. If the computation were made such that only the last two digits were used, then this task done before the year 2000 would result in a computation of 99 times 12 or 1188 months. But, what if the same question were modified to the number of months from the first day ofJanuary of the year 1900 until last day of December of the year 2000? The answer would come back as 12, not 1200 as the correct answer would be.This simplistic example can be expanded to problems like invoicing for time spent on jobs (typical timesheet applications), time manage- ment software, calendar tracking applications, etc., which affect everyday user routines. It can also affect railroad scheduling, flight scheduling, reservations for practically anything, industrial control systems, finan- cial and accounting systems and, basically, anything run by a computer.
So, the problem is quite serious. And, without updat- ing systems, it is not going away. In fact, the two examples above are simplistic ones that are easily understood.There are a rash of them that are consid- erably more complex and difficult to understand and correct. Another problem are the nay-sayers that claim that Y2K is over-hyped and that very few things will be affected.There have been some articles written by non-technophiles to this effect and they couldnt be more wrong if they tried. There are extremists that claim all will come to a halt and those who claim nothing is wrong. The truth is in the middle, leaning more towards the all will come to a halt than nothing is wrong.
Some companies are taking the Y2K problem very seriously. Consider the expenditures of the following banks to address the Y2K problem (sources are Chicago Tribune and Grains Chicago Business):
Chase Manhattan Corp $250 million Citibank 50-70% of staff dedicated
to the problem BankAmerica Corp $250 million First Chicago NBD Corp $100 million LaSalle National Bank $30 million
If you examine the locations where computers are being used, you can begin to see how problems with something as simple as a date can cause personal and professional problems.
I have an intercom system in my home. It has a digi- tal calendar in it and was manufactured about two years before I bought my home in 1987. Just for fun, I moved it up to January 3, 2000, and it displayed January 3, 1900. It does not even have the year 2000 capability to display the number in the unit. So, I called the company that makes the unit and they told me that to fix the problem would require replacement of the main unit with a new unit for a cost of about $700. Needless to say, I am really unhappy about this and am now tracking down the programmer for my intercom unit to do him/her bodily harm.
Another personal experience is my microwave oven in my kitchen. Installed at the same time, it has a timer, date and day display. Guess what happens when you set it to January 3,2000? It beeps at you and displays a fault code and then reverts to 1900. I called the manufacturer and they said that a $50 upgrade will fix it. Gee, how happy am I again? I am up to $750 in personal out-of-pocket upgrades and I have not even gotten to the house security system, car calendars, sprinkler system,VCR clock/calendars (yes, campers, they are affected as well), refrigerator (yes, it is calen- dar-challenged), stereo system, digital wrist watches, electronic alarm clocks, etc. All of this has nothing to do with my office, but all of it is up-close and person- al. And, a lot of it is going to break in the year 2000. Sigh.
What does this have to do with security? Plenty. Remember that most computer-based security tech- nologies use programmable date information to keep logs and audit trails. Lets examine some very simpli- tied example areas of risk and security issues where the Y2K problem, not fixed, will cause problems:
Perimeter facility access security products. These products, typically used to secure a building or grounds area, use computers to control access to the facilities. Dates are extremely important for enforce- ment ofTime of Day (TOD) operations when people
Computers & Security, Vol. 17, No. 7
are allowed in or out of a facility. TOD also causes problems for people with access which expires on specific dates at specific times. If the date modules of the programs controlling perimeter access cant deal with Y2K, the entire security system may be in jeop- ardy and will either lock everything down or lock up
nothing at all.
Card control access systems. In a recent test at a customer site, we put the clock ahead to test a card control system. Everything worked great except the elevator card key facilities. Turns out that the system was upgraded properly, but the elevators were not and it was expensive to do so. Therefore, it was cut from the budget. Since the card keys did not cooperate in the elevator card reader PROMS after Jan. 1,2000, the elevators would not allow us to go anywhere a card was required to reach a specific floor. I am sure that other embedded logic card control systems will have similar problems as I have seen them on several already.
Fax machines. Many of them have built-in electronic day and date display and transmittal facilities.We took a relatively new unit (about 3 years old) and moved the date up just for fun. It wouldnt let us and beeped at us every time we tried. Really frustrating. In many companies, the date-time-group (DTG) provided on transmitted .fax documents is a crucial business requirement, especially where negotiations are going on or where there are date restrictions on actions by company management. If a fax machine cannot trans- mit an effective date, this is bad science for all involved.
PBX systems are particularly sensitive to calendar date events. Discussions with some industry experts tell me that many PBX switches that are over 10 years old will have problems withY2K. A customer of mine running a very large switch with over 10 000 users has a switch that is effectively 20 years old. Needless to say, aY2K test was a disaster and upgrading the switch will be expensive and time consuming.
Manufacturing systems. Companies that engage in manufacturing products actually have three threats to their business: embedded systems, the supply chain to
the business (and all associated systems) and internal, third-party packages. There are a lot of 1970s tech- nologies in embedded systems that will not work properly in 2000 and there is a great deal of microcode and other specialized applications that may be difhcuit if not impossible to debug and fix. In fact, one well known pharmaceutical firm I know of is discontinu- ing a version of a major diabetic therapy product due to the expense of converting the system to work in Y2K: its cheaper to get rid of the system and move customers to a newer product than to upgrade the system which makes the pharmacological components to work properly later on. Supply chain vendors who have problems shipping raw materials will impact arrival and scheduling of manufactured components and cause total chaos in the manufacturing and deliv- ery of product. Internal packages configured for Just In Time (JIT) inventory systems may suffer due to the standardY2K problem but also may not be equipped to deal with the issues of scheduling and manufactur- ing problems imposed by materials problems with the supply chain issues. It becomes a mess rather quickly when just a few things start to go badly.
Retail systems. Solely dependent upon supply chains, the problems of supply chain system failure to the retail channel will have far reaching and major effects to retail systems which depend on rapid delivery of sellable items where inventory is tight and rapid change in spending patterns occur. Supply chain components may not notify the retail consumer until it is much too late to do anything reasonable about the problem.
Utility systems.What happens if a nuclear power plant failsafe system, which may not be date-dependent, is told by a date-dependent system to scram the reactor. At that point, massive logging of events is required and needed. What if the logging system fails? The plant may be left in an Unanalyzed Condition (which is very bad - all safety issues that happen at a nuclear plant must be completely analyzed and resolved before a restart can occur) and the plant must be shut down until the safety issues are identified and corrected. Nothing has caused melt down and probably wont. The problem is that it cannot be started back up. Lights out.
Security Vie ws/Dr. Bill Hancock
Health care. Hospitals and other medical organizations depend on diagnostic systems which have their own embedded systems within them. A lot of these systems stop when maintenance intervals are reached. Computing the wrong date may cause that to happen a lot quicker than expected.These organizations have a lot of the same problems as the retail sectors problem with supply chain Y2K problems, but here peoples health and, indeed, their lives may be at stake.
The list of opportunities to fail goes on and on.The point is clear: Y2K is serious, ubiquitous and some- thing that a lot of companies are simply not paying attention to solving.This is especially the case in small and medium sized companies where expenditure to fix the problems is not part of the overall corporate goal of survival.
Then, there are the legal problemsYes, legal problems. In any area where liability is produced, there is always the human and corporate tendency to find someone else upon which to shift the blame and, therefore, the risk. For instance, in a public company, failure to disclose Y2K potential problems subjects the directors and officers of a company to a rash of lawsuits, The liability is that these individuals have a fiduciary responsibility to act in the best interests of the corpo- ration. While corporate standards of care vary from state to state, they exist to protect the company and stockholders. What is particularly important, especial- ly for public companies, is the risk to the company of shareholder lawsuits and enforcement actions by state or federal authorities based upon a companys lack of official or sufficient disclosure of Y2K issues in required public filings with the Securities and Exchange Commission (SEC), or with state securities regulators. The SEC issued guidance in 1997 (Staff legal Bulletin No. 5 onYear 2000 Disclosures) which advises companies of their year 2000 disclosure obligations. While a guidance by the SEC is not a law, you dont ever ignore it lest your company trigger an SEC enforcement action or class action lawsuit by stockholders. The SEC requires specific and mean- ingfulinformation aboutY2K issues and also specifies minimum informational requirements (which can be extensive in some situations). By keeping a consistent
and exhaustive chronology of events that the compa- ny undertakes to properly address the problems, these opportunities are minimized. Lack of doing anything can open up the company to a variety of problems including business failure.
Ok, now that your consciousness has been properly raised, lets examine what you can do about the prob- lem and what steps are necessary to avoid the Y2K pitfalls that are sure to come along.
There are four overall steps that have to happen to properly address and fixY2K problems:
1. Inventory and assessment of your exposures toY2K in software and systems .
2. Analyze and find your year 2000 risks and legal requirements.
3. Fix your programs and applications.
4. Test your changes.
Before you get too carried away and start the steps, there is that legal liability exposure-thing that you have to be concerned about - whether you are a public or private firm. One sure help in a courtroom is a great deal of documentation about all the steps and work that was done to ensure that your systems were being corrected for Y2K compliance. That starts first and now: document everything that goes on, regard- less of how trivial it might seem, to ensure that your company has proper paper-trail compliance efforts in the case of a legal action against the company as a whole or specific officers and directors.
While the following statement might seem a little brain-damaged and normally filed in the common sense file, its crucial: upgrade and fix mission critical systems first! A quick assessment will yield information about what systems and software are critical to keep- ing the business rumling or what supply chain facili- ties are critical to keeping materials flowing. These areas obviously must be the first addressed regardless of
Computers & Security, Vol. 17, No. 7
their complexity as they are considered to be business critical to keeping the company afloat as a profit gen- erating machine.
(1) Inventory and assessment of your expo- sures to Y2K
This step has two components: business issues and technical issues. Business issues require the concerns over compliance with Y2K by vendors, business part- ners, suppliers, subsidiaries, embedded systems, end products, retail products or provision and industry- specific business, legal issues and regulatory require- ments. The technical issues include: an inventory of software products in-use; vendor statements verifying either no issues or what issues are to be solved inY2K compliance (you will need to contact each one); in- house software analysis to discover what was home grown and will cause problems; embedded systems that you may be using that have older software in them and may fail or not operate correctly; etc.
(2) Analyze and find your year 2000 risks and legal requirements
Now that you have a rough idea of what the scope of software and business problems are to be solved, the problem of analyzing any in-house code and process- es for Y2K conversion efforts needs to be done. This can be an especially painstaking effort and is essential to ensure that you know exactly how much work and what types of efforts will be required to properly con- vert systems to Y2K compliance. Testing of date changes and effects of failure of one system vs. what happens to another is just a small piece of what has to happen. Other tasks include how your company affects supply chains, your requirements onY2K legal- ly and to your customer base and many other related issues.
(3) Fix your programs and applications
This sounds easy, but its not. A lot of programs that are home-grown or are used in systems no longer sup- ported by a vendor may be extremely difficult, if not impossible, to fix. This may entail entire replacement of selected systems or subsystems that are in use to
ensure that they can properly function when year 2000 comes around.You will most likely need to find source code for affected programs or get the upgrad- ed ones from vendors if they exist. Consultants who are familiar with your systems and problems will most likely need to be retained and an overall project and plan for correction will need to be designed and implemented.Tools and other facilities that will facil- itate the conversion of code or products will also need to be tested. certified and used for the conversion.
(4) Test your changes
This is often one of the most painful stages and often takes as long as it takes (or more) than it does to make code changes. Testing involves the use of automated testing tools., conditional testing, interrelationships with other programs and how the changes affect other code components and many other issues. If you are in the supply chain as a vendor, the pain can increase seriously when you consider that you may need to create a parallel system environment to test changes and updates. Interactive systems can be a real challenge as user interfaces, reports, database interfaces and all manner of interactive methods must be tested to ensure that everything works as required. Of course, there is user training, documentation and many other steps to ensure that everything gets done correctly and functions in accordance with plans.
A final comment about consultants. Be careful who you select to do your work, ensure they have the prop- er credentials and get some specific information about what they can and cannot do for you in the conver- sion effort. As in any service sector industry, there are some very reputable individuals and some that are less than what they seem. Remember that all the work is being done by people, not machines, and the selection of those people with the right qualifications are what makes or breaks a conversion. Also, the customer has the absolute right to know what they are getting and why and also be intimately involved in the process. Failure to get thoroughly engaged in the process leads to miscommunications, overcharges and runaway pro- jects. Get involved and stay that way.
When starting your conversion efforts, ensure that
Security Vie ws/Dr. Bill Hancock
your team has the proper systems, tools and facilities that are necessary for the job. Some larger consultan- ties have developed their ownY2K conversion pack- ages. Mainframe vendors, such as IBM, have entire Web sites and conversion suites that are used for conversion help. Project management tools, Gantt chart progress tracking, source control systems, formu- la and strategies for date management and upgrades and a whole host of other technical tools and facilities are necessary to properly plan and upgrade systems and code forY2K compliance. All of this costs money and does not come for free. These are expenditures over and above the actual code conversion and, with- out them, the effort will take much longer and have a less overall chance for success.
Y2K is non-trivial. In some systems, the effort may involve as little as upgrading a system to a new version of the product. In most cases, especially if there is home-grown software involved, the effort must be carefully planned and progress controlled to ensure success. Even if your in-house systems are not affect- ed, if you are a manufacturer, retail supplier or other middleware type of business, you may be affected by otherY2K problems at other companies and vendors. Take some time and analyze your exposures and know what alternatives you have before real problems creep up on you and its too late to do anything about them. Insist on vendor compliance and remember to work with your vendors and suppliers to minimize the impact of systems that have not been converted. Develop a disaster plan of action in case there are supply-side problems that you have no control over but affect your ability to pursue your business. And, remember that there are a great deal of legal issues that you must deal with to ensure that the companys liabilities are properly dealt with.
The Year 2000 Software Crisis Ian S. Hayes, William M. Ulrich Yourdon Press Computing Series ISBN O-13-9601 54-6
Practical Methods for Your Year 2000 Problem Robert B. Chapman Manning Publications Co. ISBN O-884777-52-X
The Year 2000 Computing Crisis Jerome T. Murray, Marylyn J. Murray McGraw-Hill ISBN o-07-912945-5
Dr. Bill Hancock, Executive Vice President and Chief Technolog Officer of Network-l Software and Technology, Inc., is a well known computer and network consultant, designer and engineer with thousands of network desqqx to his credit. In the business for over 25 years, he has drslgxd and rr-engineered networks (over 4000) for many of the Fortune 1000 as well as many international companies and governments with system counts from two to over 1.5 million rystrms. He has held full-time technical and management positions at various Fortune 100 companies including Standard Oil of Ohio, I>igital Equipment Corporation, Texas Instruments and US governmental organizations such as the Naval Security Group Command. A prolific network architect and designer, he has desiqed networks for a wide variety of organizations such as the Capitol of the United States of America. 17 power companies, NASA research networks, aircraft control systems such as components of Boeing aircraft and the F-16 and F-22, manufacturmg networks, K&II networks, telephone companies, banks and financial institutions, distributed control systems, various governmental networks and components of the worldwide network known as the Internet. A network and system security expert, Bill has designed and developed commercial dial-up security, encryption, network firewall, authentication, digital signature and other products.As a consultant, Bill is often sought to provide guidance on security policies, procedures, trchnolo+s, strategies and actual hacker prosecutions and trackdowns. Bill often works with law enforcement professionals worldwide to identify, stop and prosecute computer criminals and offenders. Bill is an often sought speaker for keynotes at InterOR Comdex, CEBIT, NT World, NrtworksExpo, Compsrc, Internet World, Mactivity and is well known for his detailed knowledge of networking and security as well a\ his humorous style of speaking. Uill has written 20 books on computer networking and security and has wrlttrn art&s for Datn C(~rwrrr~rnirati[l,r~s Mqaziue, DEC hf&ionnl, D@fa/ I\%~Lx, ?+lru 34/3X, Tl~e Wall Street J~umnl, 7%~ D&s .IL&ri