What's on your security shopping list? Karl Cushing suggests a few
choice items.
A lot has been written lately about the importance of management
issues like raising user awareness, getting buy-in and managing
access in an effective IT security strategy.
But what about the technology itself? The January sales might be
long gone and Christmas a faint memory, but with IT security event
Infosecurity Europe 2002 (23-25 April) just around the corner,
E-Business Review takes a look at the new products that companies
should be putting on their shopping lists.
Over the past year, the spotlight has been on nascent security
technologies like biometrics, public key infrastructure (PKI)
technology and digital certificates. However, while undeniably
interesting, they have made little headway so far and for the
average IT director the prospect of implementing such technologies
is still a long way off.
According to Gary Hardy, a director in Andersen's technology risk
consulting practice, although PKI has potential value it is caught
in a Catch-22: people expect these kinds of services more or less
for free, but somebody has to invest first in a global PKI
infrastructure.
Hardy is also critical of IT vendors, who he says have "neglected
security for years". He argues that more security measures should
be built into hardware at source, likening the current situation to
buying a car without wheels or an engine.
Hardy also reminds companies of the growing importance of data
privacy issues and the increasing enforcement of data protection
legislation. This is a good thing to bear in mind while shopping
around for new security ideas.
Peter Cox, international vice president for security software firm
Borderware, also argues that technologies like PKI and biometrics
can be a distraction. "There's a danger in focussing on these
technologies and taking your eye off the ball," says Cox, who
advises companies to concentrate on the basics, like firewalls,
anti-virus software and access management.
Cox says companies need to get away from a tick-box mentality
whereby they buy technology because that's what they think they
need. So instead of going to events like Infosecurity with a
checklist, companies should spend more time thinking about how they
will use and configure security technology and focus on user
education.
Although Cox believes that companies are starting to take security
more seriously, he stresses the need for IT directors to take a
closer look at measuring the quality of the security technology
they implement. "Over the coming year, you will start to see people
ask some serious questions about the quality of their technology,"
he says.
Heart and email soul
Cox suggests companies look
closely at email. "We view email as being the heart and soul of the
company," he says. "From a business point of view it's a lethal
application to mismanage."
As well as moving email off the firewall, which he says leaves the
corporate email server very vulnerable, Cox talks of the value of
undertaking an email audit and says that IT directors will be
amazed by the level of non-business related email they
receive.
According to Stuart Morrice, marketing director of network security
consultancy Peapod, which carries out email audits, around 60% of
the email traffic a company receives will be non-business related,
including pornography and licentious material. This constitutes a
massive cost to business and results in a greater risk from hacking
and prosecution. Morrice also advises companies to conduct
comprehensive security audits.
On a more general note, Morrice says companies should focus on
training and using what they've got before splashing out on new
technology. Like Cox he argues that companies need to go back to
basics, adding, "There's a lack of depth and understanding among
the tech guys in the marketplace today."
One thing Morrice does suggest, however, is putting in another
firewall as a fall-over because, as he puts it: "If your firewall
goes down you're stuffed."
Not everyone supports such an insular approach, however. Graham
Cluley of anti-virus software firm Sophos, for example, says there
are a number of things worth investigating at Infosecurity, like
encryption, content management and firewalls. As well as offering a
good opportunity to re-evaluate strategies, Cluley says it is a
good chance to speak to the vendors and harangue them if you're
unhappy about performance issues.
In view of the number of attacks on IIS servers last year, Cluley
says that companies should be looking for ways of minimising risks
from such attacks.
He also recommends looking for companies who offer a patch
monitoring service and tell you as soon as a new patch becomes
available. This is a service worth considering, as prompt patching
is a major part of keeping systems secure. Another key area to
look at is configuration.
Cluley says that "too many companies buy security solutions, put
them on the shelf and expect them to emanate magic rays to protect
the company". He says that events like Infosecurity offer a good
opportunity to take stock, speak to peers to see how they've
implemented technology and just generally keep a look out for
interesting ideas and information.
Remote access
Given the growing popularity of remote working and hotdesking,
Cluley says companies should also keep an eye out for products
designed to bolster security by managing remote access. Key
technologies here include personal firewalls, up-to-date anti-virus
software and anything that makes sure users aren't running
unauthorised software, he says.
Mike Longhurst, principal security consultant for network security
firm SecureWave, also stresses the importance of "keeping on your
toes", pointing to the new threat posed by small, over-the-counter
devices such as miniature portable storage devices (MPSDs) and
digital cameras with Smartmedia and Flash Cards. "Businesses need
to understand the threats that these technologies can pose to their
business network and start looking at the solutions now," he
says.
Longhurst believes too many companies are still focusing on the
external threat and are failing to see the threat from within. He
says a potential hacker - possibly a disgruntled employee,
contractor or a visitor - can download free hacking tools like Back
Orifice 2000 and Hacker Utility V1.5 from the Internet and install
them onto portable storage devices.
Such hackers can then use the devices to mount a denial of service
attack, steal or tamper with information, or even plant a Trojan by
connecting them to a spare USB port on a company PC. Worse still,
Longhurst says external firewalls, content filters and anti-virus
software are of little use in preventing this type of attack. It is
also very hard to trace, let alone prosecute, offenders.
According to Longhurst, increasing users' ability to exchange
information between PCs and external devices has "inherent
threats", as users can "ride roughshod" over security policies.
To control the use of these types of technologies, he says that
companies can either disable the Windows USB driver on every system
- not really a viable option as this will prevent the use of other
useful USB devices - or use in/out device management products.
He stresses that the important thing is not to deny users access
but to use these "system environment control technologies" to
control executables and manage devices attached to USB ports.
He says that the functionality and level of control offered by such
technologies means they are now of serious value to enterprise-level
users and enable them to centrally control which in/out devices can
be used, by whom and when. Some can even limit the number of files
transferred to removable storage devices, even driverless ones, and
take copies of them.
Longhurst also advises companies to look at intrusion prevention -
as opposed to intrusion detection, which he claims will become a
thing of the past - and to re-appraise their anti-virus software
policies in light of what he sees as the inability of the vendors
to prevent viruses.
"Organisations need to start questioning the level of investment in
anti-virus software for the payback they get," he says. For
Longhurst, however, one of the best things to look out for at
Infosec will be protective mechanisms for wireless networks.
None of the aforementioned technologies or products cost the
earth, which is just as well in the current economic climate, and
although they might not be as flashy as biometrics they may well be
more effective in the short term. So, start preparing that speech
where you remind your MD or CEO that a stitch in time saves nine,
get sign-off to loosen the purse strings a little and get ready
to go wild in the aisles. Happy shopping!
www.infosec.co.uk
Things to look out for at Infosec
- Personal firewalls and VPNs, especially for remote workers
- Access management technology
- Consider investing in an extra firewall as a fall over
- Re-appraise your anti-virus software
- Companies offering patch monitoring services
- Consultants providing email and security audits
- Ways of shoring up - or even finding a replacement for - your IIS server
- Protective mechanisms for wireless networks
- Intrusion prevention, as opposed to intrusion detection, products
- Smart cards
- In/out device management products
Infosecurity 2002 will be held at Olympia in London from 23 to 25
April.