NRNews Central

Main Course
Site of the Week

Comings & Goings
Executive Suite
Top Story of the Week
News Briefs
QSR Links
QSR Newsletter
Top Story
News Briefs
On-Site Extra
E-Biz Top Story
E-Biz Briefs
E-Biz Extra
Top Story
News Briefs

  Services The ClassifiedsOnline BookstoreProducts DirectorySearch NRN ArchivesSite MapSubscribe to NRNFeedback

On-Site News


Network security: Awareness, attention to basics is a good start

By Evan Schuman

May 20, 2000

LIKE THE HOMEOWNER who believes he is living in a low-crime area and thus leaves his doors unlocked, industries that are the most vulnerable to computer network attacks often are the ones that

hacker photo
Dennis Moran was investigated in the Internet denial-of-service attacks that crippled several popular U.S. Web sites earlier this year.

believe they are unlikely targets. And the restaurant industry, which has been relatively slow to adopt wide-scale computerization and networking, is a prime example.

"One of my problems here has been raising the level of security awareness," said Corey Eubanks, who, at the time he made that remark, was senior security engineer with Chick-fil-A in Atlanta. Eubanks left the foodservice company to join a security firm.

"Just because we merely sell chicken doesn't mean we're immune to attacks," Eubanks continued. "In the restaurant industry there's this general sentiment that says, 'What do we have to fear? Why would someone attack McDonald's or KFC or Chick-fil-A? What intellectual property do we have that anyone would want?' "

As Eubanks knows better than most, the answer is "Plenty."

Along with the same types of sensitive payroll and financial data stored by any large national or multinational corporation, major foodservice players have the brand name awareness and publicity-generating potential prized by hackers. Hacking into a McDonald's site might be considered more prestigious within some hacker circles than maneuvering into an Allied-Signal or Boeing site, security insiders contend.

Operator indifference to network security is in keeping with "the nature of our business," Eubanks said. "If we were a bank, it would be a different story."

Eubanks comes by his professional nervousness honestly, having previously served as an analyst for the U.S. government's National Security Agency. "Since I'm a paranoid NSA-type person, I argue that the more security protection you have, the better off you'll be in the end."

Although security has been a top IT concern for decades, the Internet, with its attractive business opportunities, has


Experts from both the Information technology and consulting communities agree that when it comes to securing a computer network, it is best to start with the basics. Among their hints:
  • Secure against viruses by using at least two different anti-virus applications. Update definitions regularly.
  • Be fanatical about backups and keep one current set of backups at least 20 miles away from your main building.
  • Change passwords frequently. Prohibit easily-guessed passwords and delete all default passwords that ship with servers.
  • Consider outsourcing security functions.
  • Limit dial-up access by employee, what can be done remotely and by time of day.
  • Issue swipecards with employee pictures.
  • Have systems go to blank screen after two minutes of inactivity and then require logging in.
  • Train employees on security protocols, including low-tech issues such as locking doors and not discussing confidential company data on the phone.
pushed the issue to the forefront for many companies. One of the most attractive characteristics of the Internet, its interactivity, requires users to do some very nonsecure things.

To cut payroll costs, some restaurants are forming password-protected intranets to computerize the reporting of hours and automate direct deposits to bank accounts. To achieve those efficiencies, those foodservice companies are permitting external systems to connect though usually indirectly with one of their most sensitive databases: payroll.

Other foodservice chains are salivating over the potential savings represented by extranets, where suppliers and buyers can exchange business data to reduce paperwork automatically, accelerate order processing and slash inventory. Such systems require companies to open internal records with change privileges to nonemployees.

And many, if not most, foodservice companies have, or are, preparing public Web sites to build brand awareness, market logo products and, in some cases, take reservations. Such ventures not only permit interaction along the network but also encourage it. If online reservations capabilities are part of the package, then masses of Web-surfing restaurant users have even greater access to corporate crown jewels.

"If a restaurant chain operator is going to expose their business to the Web, they're exposing their backside, too," pointed out Ross Greenberg, a New Kingston, N.Y., security consultant.

Firewalls hardware and software are a popular form of network protection. They permit a user company to access resources on open networks, such as the Internet, but protect the user's private network from intrusion by others. Complications can arise in firewall strategies, however, when a firewall user grants access to the private network to outsiders, such as Internet or extranet users.

"A firewall does a wonderful job of protecting you from the unknown character coming in," Greenberg said, "but once you allow access to the legitimate customer, how does the firewall know who the nonlegitimate customer is?"

The recent high-profile disruption of popular Web sites, including Yahoo and Ebay, by so-called denial-of-service attacks illustrated the challenge faced by network security professionals. During such an attack the targeted Web server is rendered useless by a well-orchestrated and unrelenting bombardment of requests for information or action launched simultaneously from a number of different computers.

"How do you stop someone from sending 10 gigabytes of [data] packets to your site at the same time?" Eubanks asked rhetorically. Security experts agree that the answer is, "You can't," but they indicate that companies using publicly accessible networks can discourage troublemakers.

"If you want to keep out the 'bad guys,' you need to inconvenience the 'good guys,'" Greenberg said.

From an IT manager's desk, though, it is not always easy to distinguish the good guys from the bad guys. Many people still think of the bad guys as outside intruders, but security specialists suggest that damage is more likely to come from employees, either through inadvertent errors or angry acts of vengeance.

The high employee turnover and young workforce of the restaurant industry makes the need for protecting against unhappy employees triply essential.

"How many times have I replaced a POS machine because someone punched it out?" asked Charles Gray, chief information officer for Xando Cosi Inc. of New York City. "Or we'll have someone leave and erase a bunch of spreadsheets. With the turnover factor, you don't have stability."

But Gray sees those issues as part of a larger, much more frightening security trend: overreliance on younger computer-savvy employees by technology-frightened senior managers. Gray said he has seen plenty of wait staffers logging in as their manager because they can perform computer functions more efficiently.

Many security problems can be effectively addressed for very little money by simply adhering to security basics, Gray maintained. Among the most obvious, he indicated, are the routine changing of passwords and requirements that computer users log out before leaving their desks.

Recently, Gray said, he was walking down the hall in his corporate headquarters and saw an unattended, logged-on terminal. He went to the machine, set a screensaver, assigned it a passcode and walked away. Eventually, the careless party called the help desk and was promptly lectured, he said.

Gray also referenced an incident during which he was discussing a security issue with another executive. The executive wanted protection for a particular database. "Why?" Gray asked. "What could anyone do with that data?"

"They could find out a restaurant's sales particulars," was the answer. Gray then picked up his phone and called one of the chain's restaurants. Without identifying himself, but saying he was a friend of someone who worked there, he spoke with the manager, who revealed confidential sales figures.

Observed Gray: The other executive was worried about locking down Internet access when he should have been focused on training his people. He indicated that his colleague had more to fear from corporate spies working the phone than from hackers working the Web.

However, it is not just the mind-set of IT outsiders that needs to change when it comes to network security, Gray opined. "Some of my peers," he said, "need to stop looking at [security] toys and go back to the basics like deleting people [from log-on rolls] after they leave."

Evan Schuman is a freelance technology journalist from Whippany, N.J.

    To Top