The threat to corporate IT systems from viruses, crackers and
dim-witted users continues to grow. The trouble is, there is no
such thing as a "one size fits all" solution. Cath Everett
reports.
No matter how many millions of words get written about IT security,
or how many millions of euros, dollars and pounds get lost as a
result of policy failures, no one seems to be getting any better at
making it work.
And we still don't really know the full extent of the problem.
"Small companies tend to get hit more often than big companies,"
says Bill Hancock, chief security officer at Exodus, Cable &
Wireless' Internet outsourcing arm. "But they don't tend to report
it to the police."
The most common external threat that organisations face is
viruses, followed by denial of service attacks. The third most
frequent problem is hackers attempting to penetrate companies' Web
sites. Matt Tomlinson, business development director at security
consultancy MIS, estimates that between five and 10 new viruses
appear every four weeks or so, and that hackers come up with up to
20 new exploits - new ways of breaking into a network - every
month.
The external threats are the ones that grab the headlines. A bigger
danger is the internal threat, however. Robin Dahlberg, managing
director of Internet Security Systems (ISS), a company that sells
intrusion detection software, says about 60% of security breaches
are staff-related, albeit generally through ignorance rather than
malicious intent.
This tells us, yet again, that companies need to devise a sensible
company-wide security policy and ensure that staff are aware of it.
"You would be amazed how many technical people still use Star Trek
names as their passwords. All hackers know this, so it is the first
thing they go for," says Dahlberg.
But adopting a coherent security strategy costs money. In the past,
this has not been forthcoming. But the rise in Web usage and
increased interest in collaborative commerce means purse strings
are starting to loosen.
Analyst firm Meta Group expects security budgets as a percentage of
IT budgets to increase from their current 1% to 2% level to between
5% and 7% over the next five years. Research from IDC predicts the
total European market for IT security products is set to explode
from $1.8bn (£1.25bn) in 2000 to $6.2bn in 2005. If security
services are added to the mix, the total size of the market will
increase to almost $10bn within three years.
Thomas Raschke, programme manager for IDC's European Internet
security research, believes that services - and in particular
managed services (see page 20) - will become increasingly
important. "A lot of customers just don't have the in-house
expertise or money to tackle the issue. More companies will start
outsourcing security, especially small to medium-sized firms that
tend to have less resources," he says.
But not everyone wants to outsource. Is there a product solution? A
bundle or suite that IT managers can install on their network to
solve their security problems and then simply update regularly?
Suppliers say yes. Symantec and Computer Associates (CA) are among
the companies that are working towards integrating security
products into their wider portfolios.
CA, for example, will launch its eTrust Portal at its CA World user
conference this month. The move is an attempt by the company to
make its security product family more coherent and easy to
administer by bringing it together under one management interface.
The portal will also support third-party offerings.
Suites suit some, but other IT managers feel more secure with
best-of-breed mix and matches. "There is no such thing as 'one size
fits all' in security," says Tomlinson. "Two solutions are never
the same because of the different concerns that users have. The
security you build on top of a network protects only that network:
no two networks are ever the same."
While Dahlberg believes that a properly configured firewall and
up-to-date anti-virus software can handle 98% of attacks on a
network, he acknowledges that IT managers always have to look at
their own specific business requirements.
"Security should be appropriate to what you are trying to protect,"
he says. "It is like buying a burglar alarm. You wouldn't spend
thousands on a system to protect a rabbit hutch, but you would if
you are running a trading system that you cannot afford to be
disrupted even for a few minutes."
This sentiment is seconded by Hancock. He believes that the issue
of what technology to buy boils down to operational security or the
minimum level of security that an organisation needs to get its
goods or services out of the door. "You need to ask yourself: what
are my assets? What am I trying to protect? And what technology
will enable me to protect them? You need enough to do that, and any
more is just a waste of money."
So a good starting point for building or revising a security policy
is to assess what assets the business has and what it would mean in
terms of lost revenue, market share, or damage to reputation if
security were breached.
The second stage is to assess what potential threats may occur, who
or what they might be, and how they can be dealt with.
The third stage is to establish what technology is likely to
provide adequate protection. Tarken Maner, Computer Associates'
vice-president of marketing, has come up with a six-point checklist
for those implementing a security strategy:
- Create a policy: Come up with a corporate security policy before
buying anything. It is vital to establish who is accessing your
systems and for what reason, who is using which IDs and passwords,
and who is authorised to do what and when. It is also important to
define acceptable procedures. "Each policy has a birth, life and
death and so it has to be flexible to enable change," Maner
explains. "Security is there to enable the business to work
successfully, and so it has to complement an enterprise's business
model."
- Define an architecture: Define a security architecture and
establish what kind of IT is needed to do the job. "Policy defines
architecture, although most companies make the mistake of putting
architecture first, which is why line-of-business folk need to be
involved from early on," says Maner.
- Inform users: Staff and any external people who access the
corporate network have to be made aware of security procedures and
what is or is not acceptable behaviour. Providing training may be
necessary at this stage.
- Evaluate suppliers: Shortlist and evaluate products and suppliers
to see which fit your requirements most closely.
- Audit: Undertake an audit of your policy, architecture,
processes, procedures and products.
- Validation: The sixth and final stage is to check that your
processes are working and ensure that any changes are included in
your policy document.
These steps should be common sense to any IT manager used to
implementing new systems, but when it comes to security you have a
smaller margin for error. "You can never make your business 100%
secure, unless you had one PC with one Internet connection in a
room with eight-inch walls and a steel door," says Tomlinson. "But
you can achieve a balance: security good enough to ensure your
commercial needs are met."
Security technology
- Security 3A software is used to administer security on computer
systems. It includes the processes of defining, creating, changing,
deleting and auditing users.
- Authentication software verifies users' identities to ensure
that repudiation does not take place.
- Authorisation software is used in conjunction with business
policy to determine what resources users have access to.
- Administration software covers Internet access control, e-mail
scanning, intrusion detection, vulnerability assessment and
security management.
- Firewall software identifies and blocks access to certain
applications and data.
- Anti-virus software identifies and/or eliminates harmful
software and macros.
- Encryption software uses cryptographic mathematical
algorithms to protect the confidentiality of data, applications and
users' identities.
- Firewall appliances comprise a single-board computer with a
hardened operating system and a limited applications set, which can
include a virtual private network, URL filtering or security
management software.
- Biometrics technology measures and analyses human body
characteristics such as fingerprints or voice and facial patterns
to authenticate users' identities. Suppliers include Visionics
(facial scanning), Communication Intelligence (signature
verification) and Iridian (eye scanning).
- Tokens are used to authenticate users' identities and either
have a one-time-use password encrypted onto them or are
synchronised with an authentication server that they communicate
with in a challenge-and-reply format.
- Smartcards are cards that are carried by users to authenticate
their identity. They include a microprocessor and software to store
user data.
Web addresses
- www.securityfocus.com
- www.securityportal.com
- www.infosecuritymag.com
- www.attrition.org
- www.icsalabs.com