We asked six industry leaders what, in their opinion, is the
greatest threat to IT security that UK businesses may have to face
in the next 12 months.
Roger Ellis, chairman, IT Director's Network
Although the Blaster and Sobig viruses were relatively mild, they
caused problems for millions of users. But what would happen if a
virus writer developed a really malicious virus and then released
it with address book forwarding techniques?
While I am sure the virus protection firms would be able to come up
with an antidote, it does not bear thinking about the damage that
could be done to UK and worldwide industry. Think of major file
deletions, a virus that could infect Excel spreadsheets and cause
inaccurate calculations, or a virus that could detect sales files
and manipulate price and customer information.
The second area that gives me cause for concern is the increase in
the use of wireless communication, in the office and in Wi-Fi zones
around the country. These radio waves can be intercepted and, while
sophisticated algorithms to render a snooper's data meaningless no
doubt exist, the hackers of the future will be devising ways to
decode these signals.
Len Hynds, head of the National Hi-Tech Crime Unit
The UK Threat Assessment of Serious and Organised Crime 2003 report, by
the National Criminal Intelligence Service, highlights high-tech
crime as one of the top six threats to the UK.
While the UK has some of the highest levels of e-commerce activity
in Europe, the fear of high-tech crime and the cost of associated
security measures may discourage the wider take-up of e-commerce in
the UK, particularly among smaller businesses.
Criminals are becoming increasingly technologically competent and
it is, therefore, reasonable to assume that their use of high-tech
methods will increase in parallel with the growing reliance of
financial institutions, businesses and individuals on IT and online
transactions.
There has been a significant increase in website "spoofing". This
involves duplicating a genuine website and giving it a similar
internet address to the original, so that users are unwittingly
redirected. The spoof site seeks to dupe the would-be customer into
supplying card and account details or other financial information
that can then be used by fraudsters.
Every business has a duty to itself, its employees and its
customers to be as security-conscious as possible. Routine
application of software updates, employee education and holistic
attention is fundamental. Ultimately, law enforcement, industry and
the public need to work in partnership to ensure a safer digital
environment.
Jonathan Mitchell, chairman, Corporate IT Forum
While much noise has been made about whether there has been "timely
and responsible patching by systems administrators", the fact
remains that there are time-bombs ticking away inside all our
computer systems.
The central issue is neither the speed at which the systems are
patched, nor the malicious intent of the hacker that writes a virus
or worm program, but rather whether computer software is designed
properly.
I have experience in aero-engine manufacture and pharmaceuticals,
and both these sectors test each new product extensively. It is
common for a new medicine to spend six years in testing and it can
take two years before a new jet engine can be put on the wing of a
plane.
This mature approach cannot be taking place in the software
industry. It is difficult to square the concept of solid design and
testing when one sees frequent, simple buffer overflow loopholes
appearing. Moreover, the absurdly short product cycles in the
software industry mean that a comprehensive software testing
schedule is usually the first thing to be sacrificed if release
dates are threatened.
The Blaster worm starkly highlighted the need for change. Only a
few weeks lapsed between the discovery of a flaw in the operating
system and this exploit appearing. Rapid patching, with all its
risks, protected many organisations this time, but what will
happen when a hacker has a worm ready to go before any patches
appear? The software companies that wake up to this and start
producing well-designed, solid, patch-free products with sensible
upgrade cycles might just find a willing set of customers.
John Leach, consultant, Information Assurance Advisory Council
Most widespread viruses do not, as yet, carry an overtly malicious
payload. It is only the minority that delete files or attempt to
render a PC unworkable. Given the demonstrated capability and
sophistication of malware writers today, there is no technical
reason why they should not be able to add damaging payloads at
will.
SQL Slammer is believed to be in the top 10 of the most damaging
malware, not because it caused direct damage to infected servers,
but because it spread so far and so fast and such a large number of
servers had to be cleaned up afterwards.
It is well known that a patch for the vulnerability Slammer
exploited had been available for about six months before the virus
appeared. What is not so well known is that knowledge of the
vulnerability was in the public domain for 20 days before the patch
became available. It does not take 20 days to write a worm like
Slammer or to add a seriously damaging payload. Just imagine the
damage Slammer could have caused if it had been released during
those first 20 days and before any servers could have been
patched.
Malware today is a very fast, sophisticated, high-precision weapon
that, if used in anger, could have a hugely devastating effect on
the internet community. However, it seems malware writers have so
far chosen not to give their creations teeth. In the absence of any
sound reason for this, we must presume we are living on borrowed
time. The next time an exploitable vulnerability becomes public
knowledge ahead of any patch being available, I will be very
nervous.
Another concern of mine is of a different type of virus. Most
viruses let you know straight away that you have been infected, but
a virus that is completely stealthy and does nothing to give away
its presence is another matter. It would spread across the
internet, slowly but steadily and with no recognised symptoms,
until it had achieved almost complete infection. This might well
take several months. Once the infection had permeated, the virus
would then switch itself on. It might be triggered by a time switch
or a broadcast message from its creator. It could deliver its
payload across the internet simultaneously and cause complete
global chaos before suppliers are able to release an updated
signature file.
Mike Barwise, Computer Security Awareness
The greatest IT security threat is not some new virus or hack. It
is the continuing failure by businesses to proactively manage
information security at a corporate strategic level. It is no
longer possible to kid ourselves that we can be secure solely
through deploying technologies.
The security problem and its solutions now go far beyond the
boundaries of IT and its operational management. The sheer
diversity of threats and the rate at which they emerge and change
now necessitate a much more integrated approach. Creating and
maintaining security awareness must be an intrinsic component of
corporate culture, but business thinking has not yet caught
up.
It must become second nature for everyone, in all disciplines and
at all levels of the organisation, to "think secure" at all times.
Security policies need to become more consistent, informative and
sophisticated, and they in turn will require an ever-widening range
of expertise in their development. Information owners, business
managers, personnel departments and unions are all able to make a
contribution. Risk assessment needs to become more reliable,
responsive and accurate and take account of business processes and
information assets. Formal methods that eliminate a variation in
quality as a result of human error must be employed.
As the boundary between business demands and security
vulnerabilities is blurred by web services, more board-level
strategic involvement in IT is required to ensure exposure is
limited. Everyone has to be involved in information security
decision making. It can no longer be left exclusively to the IT
department. A firm can only be secure if it knows exactly what
threat it is exposed to and what it can do to protect itself.
Chris Sundt, independent security consultant
The advent of broadband; the government's drive to connect
electronically with its citizens and industry; the encouragement
for businesses large and small to exploit e-commerce; and the
introduction of new technologies such as Wi-Fi are all creating an
interconnected world where it is difficult to define boundaries.
At the same time, business is outsourcing more and more of its
information processing and is relying on the managed service
provider to maintain adequate information security. Information is
being shared with trusted and not so trusted partners who
themselves share information. No longer can a business easily draw
a line around the information systems that support its
business.
Security is only as good as the weakest link, and that is now the
inadequately protected system or network. The lack of proper
anti-virus controls is already encouraging the rapid spread of
viruses such as Sobig. The Nachi worm illustrates the importance of
firewalls and maintaining security patches. Surveys by the DTI show
that information security is not the highest priority for smaller
businesses and certainly not for the public.
The greatest threat over the coming months will be from attacks
that exploit weaknesses in the soft underbelly and avoid
traditional methods of protection.
Pieter Kasselman, senior research engineer, Baltimore Technologies
Security is added as an afterthought to any application.
Traditionally, the focus in the IT industry is on delivering
functionality. If it turns out the functionality is useful, such as
e-mail, a scramble ensues to provide some acceptable level of
security. Thus, current IT infrastructure and security solutions
are fragmented, which can represent a serious threat for IT
managers. There is no single interface for managing and monitoring
security in an IT system.
This lack of a central control also makes it very difficult for IT
managers to demonstrate the effectiveness of their security
measures or the extent to which the security policies of an
organisation are enforced. This can only be shown through lengthy
and expensive audit procedures.
To address this threat, it is important that IT managers focus on a
holistic, integrated security architecture and strategy, which
support business objectives and day-to-day business realities.
Comprehensive security policies can provide a new approach to
information security and enable rights and privileges to be
assigned at an individual level (ensuring, for example, that the
marketing manager has access to all marketing information but not
necessarily the same data as the marketing director).
This will allow for security controls to be put in place at two
discrete layers - the network/device layer and the application
layer. At the network/device layer only devices able to enforce
these rights and privileges are allowed to sit within the network,
and at the application layer the IT manager ensures the right
people have access to the right information and resources.
This approach simplifies the IT manager's tasks, increases the ease
with which an organisation can deploy its security policy and
enables businesses to deal with any number of IT security threats.