By Wendy Maxfield
Few in the IT industry would deny that a Lotus Notes and Domino installation is a very secure place to start. And yet during the last six months even the seemingly secure Lotus has had to scramble to downplay the buzz created over two recently discovered security vulnerabilities that have given even its tight-knit IT community something of a jolt.
To be sure, Lotus' name rarely crops up in the daily vulnerability briefings published at SecurityFocus.com, but if you've been sitting smugly behind your desk for some time, it may be time to ask whether your company's security is up to snuff.
Just asking yourself that question is a step in the right direction, according to Wouter Aukema, computer security consultant with Trust Factory, the security consultancy based in The Hague, the Netherlands. "As soon as a CIO looks at security," Aukema emphasizes, "then he or she is doing a good job. Otherwise, it's management by surprise." What happens more often than not, according to Aukema, is that "they just don't look."
Where to start looking immediately is at two recently reported security vulnerabilities.
In January SecurityFocus reported a lapse that lies within the Lotus Domino Web Server. The "Domino Server Directory Traversal Vulnerability" makes it possible for someone who knows a path and file name to access files from a Domino server running the HTTP task.
And, at last July's DefCon-8 conference, Trust Factory consultants along with Security Design International spotlighted several Notes/Domino vulnerabilities and demonstrated weaknesses in the hashing algorithms for Internet passwords.
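The directory traversal lapse described above is a general class of web-server weakness: a request path containing ".." segments (plain or URL-encoded) is resolved against the document root and ends up naming a file outside it. The following is an added example, not code from the article, from Lotus, or from Trust Factory, showing the two defensive checks an admin would want: a resolver that maps a request path onto a document root and refuses anything that escapes it, and a detector that flags such requests in an access log so they can be reviewed. The document root, the log lines and the file names are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed document root; nothing needs to exist on disk for the checks below.
DOC_ROOT = "/srv/www/htdocs"


def fully_decode(s, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .) up to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_request_path(doc_root, request_path):
    """Map a URL path onto doc_root, returning the filesystem path or None.

    Safety comes from comparing the normalised result with the root, not from
    pattern-matching the request: '..' segments that stay inside the root are
    allowed, anything that lands outside the root is refused.
    """
    decoded = unquote(request_path)                  # servers decode once
    decoded = decoded.split("?", 1)[0]               # drop query string
    decoded = decoded.replace("\\", "/")             # Windows hosts treat '\' as '/'
    root = os.path.abspath(doc_root)
    # os.path.abspath collapses '.' and '..'; os.path.realpath would also follow
    # symlinks, which a production check should do once the files exist.
    candidate = os.path.abspath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Common Log Format line: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A '..' path segment, once the request has been decoded and separators normalised.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

# Constructed access-log sample; the second, third and fifth lines carry '..' segments.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2001:10:01:22 +0100] "GET /docs/index.html HTTP/1.0" 200 512
10.0.0.9 - - [12/Jan/2001:10:02:41 +0100] "GET /cgi-bin/../../secret/data.txt HTTP/1.0" 200 3041
10.0.0.9 - - [12/Jan/2001:10:02:55 +0100] "GET /%2e%2e/%2e%2e/config.txt HTTP/1.0" 404 177
10.0.0.7 - - [12/Jan/2001:10:03:10 +0100] "GET /docs/guide.html?print=1 HTTP/1.0" 200 9120
10.0.0.9 - - [12/Jan/2001:10:03:30 +0100] "GET /%252e%252e/config.txt HTTP/1.0" 403 141
"""


def find_traversal_attempts(log_text):
    """Return (ip, raw path, status) for each request whose decoded path contains '..'.

    The status code matters for triage: a 200 on such a request means the
    server handed out a file and deserves immediate attention; 403/404 show
    the server refused but someone is probing.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip malformed lines
        path = fully_decode(m["path"]).replace("\\", "/").split("?", 1)[0]
        if TRAVERSAL_RE.search(path):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for req in ("/docs/index.html", "/docs/../index.html", "/cgi-bin/../../secret/data.txt"):
        print(f"{req!r:45} -> {resolve_request_path(DOC_ROOT, req)}")
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (status {status})")
```

The resolver deliberately does not reject on the presence of ".." alone: "/docs/../index.html" stays inside the root and is served, while "/cgi-bin/../../secret/data.txt" resolves above the root and is refused. The detector works the other way round, decoding repeatedly so that double-encoded requests are not missed, because a log review wants to see every probe, including the ones the server already turned away.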
If your admin or network manager hasn't gone to Lotus' IT Central Security Zone to get the skinny on these two already then have him or her head there immediately. Here, Lotus posts responses or fixes to all known vulnerabilities. The Security Zone also has a wealth of other security-related data including recommendations, tips, tools, and third-party solutions.
What is it that makes security such a tough nut to crack for admins and network managers? For one thing, according to Rob Axelrod, Lotus Practice director with United Messaging, an enterprise-messaging solutions provider based in West Chester, PA, and a slated forum speaker at The View's upcoming ADMIN 2001 conference in March, an adequate security infrastructure is a continuum that never really ends.
"Every additional unit added [to your infrastructure] will add a unit of hassle in overhead. Every convenience you add takes away from security," he says. The important thing is for a company to strike a balance between its security and a risk level that it is comfortable with. "You can't increase security and increase convenience at the same time," Axelrod notes.
Trust Factory's Aukema concurs. "Security is a balance between risks and the damage resulting from those risks. Can you be totally secure? What is the optimum level of security that you wish to gain?"
To get a grip on your comfort level, Axelrod suggests asking these basic questions:
-- What am I protecting?
-- What are the consequences of it being compromised?
-- What is the likelihood of someone wanting to compromise my system?
Don't let yourself be lulled into a false sense of security by thinking your company is too small to be worth the effort. Trust Factory's security consultant Kevin McPeake, author of the "Red Hat Linux Installation and Configuration Handbook" (Que Publishers), points out that "Script-Kiddies are taking down small companies because they're easy targets." Sometimes, McPeake emphasizes, small companies are even more vulnerable, "because [Script-Kiddies] can practice their skill set without much trouble."
Enough of the doom and gloom. Where does one start? In a buzzword: Best Practices.
Axelrod reels off the basic questions to which any person responsible for company security should be able to answer "yes."
-- Are there formalized architecture documents and policies for which each employee is responsible?
-- Are there policies in place about how to set up each server in terms of security? For instance: all databases would have the following access; all servers would have these allow/deny lists; etc.
-- If a server has Internet access or another remote-entry point, which of these types of databases may reside on which types of servers?
If, Axelrod cautions, formal policies such as those above aren't in place at your company then you need to ask:
-- Is there a lot of turnover in the IT department?
-- Have we made recent changes to our architecture?
-- Are there any new points of entry into the network?
If you answered "yes" to any of these questions, Axelrod says, then it may be worthwhile to consider whether a security audit -- either an internal one or one you outsource -- is something to put on the front burner. In a nutshell, he says, "if you haven't outlined and documented Best Practices internally, then it's time to get them." Many times in mid-sized organizations -- from 300 to 1,500 clients -- Axelrod feels that "if admins are not constrained by procedures, then they are going to lean with what makes their life easier." And, he stresses, "what is easier to execute is almost always the less secure way."
Can any system be totally secure? McPeake jokes that there's a saying in the computer world that goes: "no computer is secure until you bury it 6 feet underground." Unfortunately, that's probably true. What's also true is that if you keep your head buried in the sand regarding security then you'll probably get burned sooner or later. Is that a risk you're willing to take?
SECURITY LINKS TO CHECK OUT
Security experts warn of holes in Lotus Domino
This article outlines the basics of the DefCon 8 presentation by Trust Factory and SDI and offers some solid advice on how to protect your Notes database.
Falling Dominos FAQ 1.0
Trust Factory's own guide to the security vulnerabilities presented at DefCon-8. Also available in PDF.
CIOs claim networks are secure
This January Computerworld article states that most CIOs believe their companies are secure while also giving credence to the opinions of many computer security consultants who believe otherwise.
CERT Coordination Center
This Internet security site, located at the Software Engineering Institute operated by Carnegie Mellon University, studies Internet security vulnerabilities, provides incident response services to victimized sites and publishes a variety of security alerts.
It's Usually an Inside Job
This Sept. 2000 article from Group Computing gives a good overview of in-house security problems and the steps to take to make them less likely at your company.
Information Security Magazine and the Security Portal
Two nice sites -- updated daily -- for those charged with making sure their systems are locked up tight.
Is Your Small/Midsize Enterprise at Risk?
This October 2000 article at the Advisor's Security zone takes a look at the Gartner Group's warnings and advice for organizations that may be potentially vulnerable.
Openhack III: Close calls, but no cracks
eWeek's third challenge to anyone wanting to compromise its systems provides insight into the lengths hackers will go to.
All the news, tools, analysis and discussion that you need about security.
Lotus Security Zone
Next week we'll take a look at specific Notes and Domino security practices and setups that managers should keep an eye on.
Wendy Maxfield is a searchDomino.com contributing editor based in Littleton, Mass.