DCOM Explained
by Rosemary Rock-Evans
Digital Press
ISBN: 1555582168   Pub Date: 09/01/98

One of the ways this is done is by “spoofing.” Spoofing is the alteration of a packet to make it appear that it originated from a different part of the network. This method has been used to steal credit card numbers. The criminal changes the packet’s source IP address to make it appear as though the request came from within the organization’s network.
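
The standard defence against the spoofing described above is to check each packet against the interface it arrived on, not against the source address it claims. The following is an added example and not code from the book; the interface names, address prefixes and sample packets are constructed for illustration.

```python
"""Ingress/egress anti-spoofing filter.

Added example, not code from the book. A packet arriving from the Internet
side must not claim a source address inside the organisation's own network,
and a packet leaving from the inside must not claim a foreign one. The
interface names, prefixes and sample packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed: the organisation's internal address space.
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXTERNAL_IFACE = "ext0"   # constructed name for the Internet-facing interface


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on (known to the router)
    src: str     # source address as written in the IP header (sender-controlled)
    dst: str


def is_internal(addr: str) -> bool:
    """True if addr lies inside one of our own prefixes."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_decision(pkt: Packet) -> str:
    """Return 'drop' or 'accept'.

    The source field cannot be trusted, but the arrival interface can: an
    internal source on the external interface is an inbound spoof, and a
    non-internal source leaving the inside is an outbound spoof (egress
    filtering, which stops our own hosts impersonating someone else's).
    """
    src_internal = is_internal(pkt.src)
    if pkt.iface == EXTERNAL_IFACE and src_internal:
        return "drop"
    if pkt.iface != EXTERNAL_IFACE and not src_internal:
        return "drop"
    return "accept"


def audit(packets: List[Packet]) -> Tuple[int, int]:
    """Apply the filter to a batch; return (accepted, dropped) counts."""
    decisions = [filter_decision(p) for p in packets]
    return decisions.count("accept"), decisions.count("drop")


# Constructed sample traffic: a genuine inbound request, an inbound packet
# forged to look like it came from an inside host, and a genuine outbound reply.
SAMPLE = [
    Packet("ext0", "203.0.113.7", "10.0.0.5"),
    Packet("ext0", "10.0.0.9", "10.0.0.5"),
    Packet("int0", "10.0.0.5", "203.0.113.7"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.iface, p.src, "->", p.dst, filter_decision(p))
    print("accepted/dropped:", audit(SAMPLE))
```

The filter only catches addresses that could not legitimately appear on that interface. A packet from outside that forges some other outside address passes it unchanged, which is why address checks alone are no substitute for the policy and authentication mechanisms the chapter goes on to discuss.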

The Internet makes us that much more vulnerable because it was designed to be an open system from the very start—it has absolutely no security built into it. This wouldn’t be a problem if the Internet was a nice, closed network separated from us by a huge barrier, but it isn’t. The Internet has provided a handy little open door for anyone anywhere in the world with a modem, a PC, and a telephone line to come strolling around our networks and machines, as if they owned them. They can do it in the time it has taken me to type this—crime or malicious damage is far, far easier—no traveling, no security guards, no locked doors, no safes.

So it is worth making a fuss because there is a lot at stake here.

And are the risks real?

It is in the nature of human beings that they are absurdly optimistic. In the first place, most people assume it isn’t going to happen. When it does happen it is treated as an isolated incident. Only when it happens over and over again is action taken. By this time, of course, the company could be on its knees financially or a dead duck.

Take it from me, all the risks I’ve identified are happening—a lot.

Since 1988, there has been an increase in the USA of 2000% in the number of Internet security-related attacks alone. In recent surveys, over 47% of the companies asked have been attacked—again over the Internet. Three quarters of these companies suffered financial loss; the rest suffered malicious damage.

There have been reports of large numbers of credit card numbers being downloaded from computers, for example, and in one case handled by the FBI in 1995, the cards were used to purchase $50 million of goods. So we need to take these things seriously.

Policy Setting

We have seen what risks there are and how serious those risks can be. How, then, does a company decide what needs to be protected? The answer is that it must task a security administrator to define the company policy. All companies need to have a security policy. The aim of the policy is to list a set of rules that precisely defines:

  which users or groups of users (who)
  are allowed access to which applications and data (what)
  together with the dates, times, days, and so on when they are allowed to access them (when)
  where they are allowed that access (from where and to where)
  as well as how they are allowed to do it (equipment, lines, and so on)

For example:

  All users are allowed to access the Web Server XXX to look at pages A, B, C, D, E, F, G, at any time, from any location.
  John Smith is allowed access to Web Server XXX to amend pages A, B, C, D, from 9 to 5, Monday to Friday, from Machine XXXX in Building SSS.
  Alan Jones is allowed to use Payroll Function “Enter Bonus Payments” to access Manchester’s Payroll data, Monday to Friday from 8.00 a.m. to 6.00 p.m., from terminal CCCCC in Payroll Room AQSRT.
  Annie Oakley is allowed to use DBMS ZZZ administrator’s utility TTTT to reconfigure, reorganize, and repair Manchester Payroll database, Ealing Payroll Database, Boston Payroll Database, and Chicago payroll database at any time, from Machines X, Y, Z, in Building DBA1.
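
A policy written in the who/what/when/where/how form above is only useful if it can be checked mechanically. The following evaluator is an added example, not code from the book: it encodes the four illustrative rules exactly as the book states them (the placeholder names such as Web Server XXX, Machine XXXX and terminal CCCCC are kept as given), treats “how” (equipment, lines) as part of the machine set in the “where” constraint for simplicity, and denies any request that no rule explicitly permits.

```python
"""Evaluator for a who / what / when / where / how access policy.

Added example, not code from the book. POLICY encodes the book's four
illustrative rules with the book's placeholder names; "how" (equipment,
lines) is folded into the machine set of the "where" constraint. Requests
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Iterable, Optional

ANY = None                        # wildcard: the rule leaves this axis open
WEEKDAYS = frozenset(range(5))    # datetime.weekday(): 0 = Monday ... 4 = Friday
EVERY_DAY = frozenset(range(7))


@dataclass(frozen=True)
class Rule:
    who: Optional[str]                       # a named user, or ANY for all users
    what: FrozenSet[str]                     # applications / data items covered
    actions: FrozenSet[str]                  # operations permitted on them
    days: FrozenSet[int] = EVERY_DAY         # when: days of the week
    start: time = time.min                   # when: start of daily window
    end: time = time.max                     # when: end of daily window (inclusive)
    where: Optional[FrozenSet[str]] = ANY    # machines / terminals, or ANY


@dataclass(frozen=True)
class Request:
    user: str
    item: str
    action: str
    at: datetime
    machine: str


def rule_permits(rule: Rule, req: Request) -> bool:
    """A rule matches only if every axis it constrains is satisfied."""
    return (
        (rule.who is ANY or rule.who == req.user)
        and req.item in rule.what
        and req.action in rule.actions
        and req.at.weekday() in rule.days
        and rule.start <= req.at.time() <= rule.end
        and (rule.where is ANY or req.machine in rule.where)
    )


def is_allowed(policy: Iterable[Rule], req: Request) -> bool:
    """Default deny: the request succeeds only if some rule permits it."""
    return any(rule_permits(r, req) for r in policy)


def pages(letters: str) -> FrozenSet[str]:
    return frozenset(f"Web Server XXX page {c}" for c in letters)


POLICY = [
    # All users may look at pages A-G, at any time, from any location.
    Rule(ANY, pages("ABCDEFG"), frozenset({"look at"})),
    # John Smith may amend pages A-D, 9 to 5, Monday to Friday, from Machine XXXX.
    Rule("John Smith", pages("ABCD"), frozenset({"amend"}), WEEKDAYS,
         time(9, 0), time(17, 0), frozenset({"Machine XXXX in Building SSS"})),
    # Alan Jones may Enter Bonus Payments on Manchester's payroll data,
    # Monday to Friday, 8.00 a.m. to 6.00 p.m., from terminal CCCCC.
    Rule("Alan Jones", frozenset({"Manchester Payroll data"}),
         frozenset({"Enter Bonus Payments"}), WEEKDAYS, time(8, 0), time(18, 0),
         frozenset({"terminal CCCCC in Payroll Room AQSRT"})),
    # Annie Oakley may run utility TTTT on the four payroll databases,
    # at any time, from Machines X, Y, Z in Building DBA1.
    Rule("Annie Oakley",
         frozenset({"Manchester Payroll database", "Ealing Payroll Database",
                    "Boston Payroll Database", "Chicago payroll database"}),
         frozenset({"reconfigure", "reorganize", "repair"}),
         where=frozenset({f"Machine {m} in Building DBA1" for m in "XYZ"})),
]


def check(user: str, item: str, action: str, when: str, machine: str) -> bool:
    """Convenience wrapper; `when` is an ISO 8601 string such as '2024-03-05T10:30'."""
    req = Request(user, item, action, datetime.fromisoformat(when), machine)
    return is_allowed(POLICY, req)


if __name__ == "__main__":
    # Tuesday 10:30 from the permitted machine: allowed.
    print(check("John Smith", "Web Server XXX page B", "amend",
                "2024-03-05T10:30", "Machine XXXX in Building SSS"))
    # Same request at 18:00: outside the 9-to-5 window, denied.
    print(check("John Smith", "Web Server XXX page B", "amend",
                "2024-03-05T18:00", "Machine XXXX in Building SSS"))
```

Two design points matter. The evaluator is default deny, so a user with no matching rule gets nothing rather than everything. And the “where” axis is only as trustworthy as the way the machine identity reaches the evaluator: if it is taken from a network address that can be spoofed, as described earlier in the chapter, the rule is not really enforced, which is one reason the later mechanisms in this chapter are needed.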

It is only by having a policy that you can decide when to employ safeguards and which safeguards to employ. The combination of policy and risk provides us with the means of starting to define the mechanisms of protection. What, therefore, are the main mechanisms we can use to protect ourselves against these risks?
