Security is not being taken seriously by a great many UK companies
that trade on the web. This could be an expensive mistake, says
Martin Butler
Although business was quick to recognise the advantages to be
gained from improving connections to the outside world, a
corresponding awareness of the unique vulnerabilities of such
enhanced connectivity has been far slower to develop.
The results of this lack of understanding can be seen in the
waves of virus infections sweeping across corporate networks, in
the increasing attempts to access privileged data, and in the ease
with which distributed denial of service attacks can bring
commercial Web sites to their knees.
However, an important issue is that many network managers focus
on these external points as if they are the only concerns that need
to be monitored in order to guarantee corporate security, and this
is not the case. Internal concerns, such as personnel issues, are
just as vital to the security of the enterprise, and yet these can
often be overlooked in the haste to deploy a solution.
Security has become an issue that reaches into every part of the
Web-enabled company. An Internet connection greatly empowers the
business and its employees, offering the ability to reach out and
carry out activities at almost any point in the world. However, the
downside to this ability is that other people are equally capable
of reaching back into the company in the same way.
It is generally the case that a firewall will be deployed
between the enterprise and the outside Web to prevent unauthorised
intrusions, but, unfortunately, this does not solve all the
problems. There are ways to compromise security, such as obtaining
private passwords through social engineering or other such
manipulation of personnel, who can unwittingly circumvent otherwise
robust security solutions.
A good example of this was seen in the recent wave of Web sites
being defaced in connection with the UK petrol demonstrations. Many
of the sites successfully cracked seem to have still been using the
default passwords shipped with the software, in spite of vendor
recommendations that these be changed immediately after
installation. This highlights the point that people using
technology are simply not thinking in security-conscious terms.
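The default-password failure described above can be caught before an attacker finds it. The following is an added example, not code from the original article: an offline audit that takes a salted password store and checks each account against a list of vendor defaults by recomputing the hash. The account store, the default list and the PBKDF2 parameters are all constructed assumptions for the illustration; a real audit would read the deployed system's own credential store and the vendor's documented defaults.

```python
import hashlib
import hmac
import os

# Constructed list of vendor-default credentials (assumption: illustrative only,
# not any real product's defaults). Keyed by username.
KNOWN_DEFAULTS = {
    "admin": ["admin", "password", "changeme"],
    "root": ["root", "toor"],
    "webmaster": ["webmaster"],
}

# Assumed hashing scheme for the stored passwords: salted PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt, rounds=PBKDF2_ROUNDS):
    """Derive the stored hash for a password under a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_account(username, password):
    """Build a credential-store entry with a fresh random salt (constructed data)."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def find_default_credentials(accounts, defaults=KNOWN_DEFAULTS):
    """Return (username, default_password) for every account still on a vendor default.

    Each candidate default is hashed with the account's own salt and compared in
    constant time against the stored hash, so the plaintext is never needed.
    """
    flagged = []
    for acct in accounts:
        for candidate in defaults.get(acct["user"], []):
            if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["hash"]):
                flagged.append((acct["user"], candidate))
                break  # one match is enough to flag the account
    return flagged


# Constructed credential store: two accounts left on defaults, one properly changed.
SAMPLE_ACCOUNTS = [
    make_account("admin", "admin"),
    make_account("root", "correct horse battery staple"),
    make_account("webmaster", "webmaster"),
]

if __name__ == "__main__":
    for user, pwd in find_default_credentials(SAMPLE_ACCOUNTS):
        print(f"{user}: still using vendor default '{pwd}'")
```

Run as a scheduled job against every newly deployed system, this turns a post-installation checklist item that people forget into an automatic finding.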
E-mail is a particularly important issue in this regard, as it
is both a preferred means of spreading viruses and a potential
source of embarrassment - and even legal action - for the company.
The speed and informality of e-mail exchanges seem to lull many
users into complacency, making them prone to misuse of the medium.
Security warnings about opening attachments go unheeded,
allowing viruses to be opened within the corporate defences, and
poorly considered messages are sent out on what amounts to
corporate "paper". The issue of responsibility for material being
dispatched using corporate resources is one that is already
concerning a significant percentage of network administrators, and
this number will certainly rise in the near future.
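Warnings about attachments go unheeded partly because the user cannot see the danger. A gateway can. The following is an added example, not code from the original article: a parser that reads a raw message, walks its attachments and flags the naming tricks that mass-mailing viruses of the period relied on, namely plain executable extensions, a harmless-looking decoy extension in front of the real one (such as `.txt.vbs`), and filenames padded with spaces so the real extension scrolls out of view in the mail client. The extension lists and the sample message are constructed assumptions for the illustration.

```python
import email
import re
from email import policy

# Constructed list of extensions that execute when double-clicked on a typical
# Windows desktop (assumption: illustrative, not a vendor's official list).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "reg", "lnk", "shs",
}

# Extensions users regard as harmless, used as decoys in front of a real one.
DECOY_EXTENSIONS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html", "xls"}


def classify_filename(name):
    """Return a reason string if an attachment name is suspicious, else None."""
    # A long run of spaces pushes the true extension past the visible column.
    if re.search(r"\s{10,}", name):
        return "padded filename hides real extension"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            return f"double extension .{parts[-2]}.{ext}"
        return f"executable extension .{ext}"
    return None


def scan_message(raw):
    """Parse a raw RFC 822 message; return (filename, reason) for each flagged attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample message: one disguised script, one genuine document.
SAMPLE_MESSAGE = """\
From: someone@example.com
To: staff@example.com
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached invoice.
--sep
Content-Type: application/octet-stream; name="invoice.txt.vbs"
Content-Disposition: attachment; filename="invoice.txt.vbs"
Content-Transfer-Encoding: base64

ZGVtbw==
--sep
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQ=
--sep--
"""

if __name__ == "__main__":
    for name, reason in scan_message(SAMPLE_MESSAGE):
        print(f"quarantine {name!r}: {reason}")
```

Name-based checks are cheap and catch the social-engineering trick rather than any particular virus, which is why they belong at the gateway alongside signature scanning rather than instead of it; a determined sender can still rename a file, so the check reduces exposure without replacing the warning to users.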
But why has corporate security become such a problem to
maintain, in such a relatively short amount of time?
The answer lies in the ability of the Internet to make real-time
connections between like-minded individuals - the same strength
that promotes business itself. Effective hacking tools, whether
developed to highlight security concerns or to wreak havoc, are
freely available. A classic example of the use of such tools could
be seen in the attack on Yahoo, which was carried out with freely
available scripts by the sort of users known as "script kiddies".
The ability of otherwise unskilled individuals to make use of
destructive tools has dramatically raised the level of hostile
activity directed against corporate networks, and is an important
factor in the need for more robust security. While a network
manager is firefighting against script kiddies, the vital strategic
elements and decisions that the enterprise depends upon are being
neglected, and this could prove costly.
The real problem with security is that people mistakenly persist
in acting as though it is a problem that can be solved by the
adoption of a solution. In spite of the quality of many available
solutions, this is simply wrong thinking.
Security is best addressed through a policy based on the
understanding that things will go wrong, and that damage control
measures must be in place to deal with failures when they
occur.
Embedding damage control processes into the business, such as
disaster recovery measures, introduces automatic responses that
minimise firefighting. Coupled with constantly evolving security
solutions, this approach of managing risk proactively creates
flexible business processes capable of withstanding far greater
levels of threat.
This is such a vital need for the Web-enabled enterprise that
the question is no longer whether risk management should be
implemented, but when it will be up and running.