File under "S"

Computer Weekly asked four exhibitors who will be at the Infosecurity Europe 2002 show in London next week to give us their...

Computer Weekly asked four exhibitors who will be at the Infosecurity Europe 2002 show in London next week to give us their security tips. Martin Couzins reports.

Infosecurity Europe is one of the most highly regarded security exhibitions in the world. With more than 150 stands and scores of seminars, it offers a one-stop shop for IT professionals looking to get up to speed on the latest security concerns and solutions.

The event is a showcase for all aspects of IT security and an opportunity for IT managers to find out about technical advances in IT security as well as gleaning top tips to keep the business safe and secure. It also provides IT managers with a chance to learn from others and to see how other businesses manage security.

The seminars are proof of the range of issues to be discussed. Topics include forensics in computer security, securing competitive advantage and a look at security breaches through the eyes of a hacker. But this is not all. There is also a panel session on digital identity credentials and electronic service provider environments. This will explore the challenges facing corporations, electronic service providers and governments in dealing with the complex problem of paper, people and policies.

In addition to this there is a seminar run by representatives from which will look at the human element of security.

To whet you appetite, we asked four companies that are exhibiting at Infosecurity Europe to provide some tips on the most important security issues.

Set an e-mail policy
Our recent national "e-mail ethics" survey found that 36% of employees in London and Manchester admitted sending racist, sexist and pornographic e-mails while at work and the rest of the UK fared little better.

So it is clear that UK companies still do not fully grasp the damage that an inappropriate e-mail can inflict on the corporate reputation, either through negative publicity or in the worst case scenario, legal action. This means that more than one in four UK companies are running the e-moral gauntlet every day.

Whilst this type of behaviour is endemic within the workplace, there are straightforward measures that organisations can take to educate and protect itself and its employees against the threat of unmanaged e-mail activity.

Primarily, it starts with policy making. Before any e-mail filtering software can be applied, the first step is to create an "acceptable use of e-mail policy". This document outlines to staff what is and what is not considered appropriate use of business e-mail. The HR department needs to work with staff to strike a happy medium in defining e-mail use. It is crucial that "top down" policy making is avoided.

Setting limits on personal e-mail use is an emotional issue and we advise companies that are serious about defining a policy to involve every part of the business: senior management, IT, business unit managers, human resources and interested user groups. Before implementation, any policy should be checked over by an employment law specialist.

The next step is education. Once the policy is finalised, it is imperative that staff understand why it is in place and the best practice e-mail habits to adopt. Employees need to be educated - in line with the policy - on how to use e-mail in the workplace. The golden rule is that if you are not willing to type a message on company-headed paper, the message should not be committed to an e-mail. Practically speaking, e-mail carries the same weight - in both corporate reputation and legal terms - as a company letter.

Once the policy has been communicated to all staff, it is necessary to have the means to enforce it. E-mail filtering software is one solution. It has the ability to manage e-mail traffic through either filtering, monitoring and where necessary, blocking messages sent and received within the organisation. The software offers the business a practical means of protection from e-mail deemed to be inappropriate within the "acceptable use of e-mail policy".

Before embarking on an e-mail content management strategy there is one final piece of advice. Without filtering technology the policy will suffer from the "toothless guard dog" syndrome with businesses unable to enforce its content. Conversely, without a policy in place, companies will be severely limited in what action can be pursued even in clear cases of employee e-mail abuse. Therefore, businesses need a policy linked to a security-conscious employee culture that receives continuous training and which is backed up by technology.

By striking the right balance and approach to addressing these measures, businesses and their staff will receive thorough protection against the worst elements prevalent in today's e-mail culture without becoming yet another e-moral casualty.

Know your legal liabilities
In the months following 11 September 2001, the motivation and drive in the US to combat terrorism was at its highest. As much of the terrorist communications take place via the Internet, the Patriot Act was passed on 26 October 2001, giving the US government unprecedented access to computer communications.

But the Act also had the effect of seriously eroding the civil liberties not only of US individuals and companies, but also that of UK citizens and businesses. Following on the Regulation of Investigatory Powers (RIP) Act in the UK which had legalised the type of surveillance regime only dreamt of by extremist dictators, the Patriot Act is yet one more nail in the coffin of corporate liberty.

These laws affect all businesses whatever their size and also create major legal liabilities for individuals. In addition, they support commercial surveillance by the government.

The RIP Act of October 2000 heralded a fundamental change in UK law. It gave the UK Government the right to intercept Internet communications and to demand and seize encryption keys used to protect these communications.

Should you or an employee of your company fail to provide a decryption key, or hand over the data in an intelligible format, for information held on a server in the UK, there is an automatic assumption of guilt with penalties of imprisonment. There is now a corporate requirement to hold and retain keys for encrypted data on servers in the UK with criminal penalties if you fail to do so.

This means that organisations holding encrypted data on UK-based servers need to determine who is responsible for retaining and managing encryption keys and where the data is held. If you are involved in international trade, you cannot afford to ignore the implications of this law.

In the US, the Patriot Act allows the government to go even further. The law gives the US government the authority to browse information, including medical, financial and educational records, without proof of crime and without a court order. The government doesn't need legal sanction to do so and the Act overrides existing state and federal privacy laws.

The government can effectively examine e-mail within the US and e-mail coming into and going out of the country. So anything your company sends to the US or receives from there can be intercepted theoretically.

This is obviously open to abuse. Commercially sensitive information to and from the UK is open to interception and can be used to the disadvantage of
non US-based companies. While interception and use for US commercial advantage has been going on for many years, this is a further clarification and justification for the activity.

What is more, you could be asked to prove you are not a terrorist. The Act will treat anyone sending viruses or carrying out actions which could interfere with the operation of US computer systems as a terrorist - whether they acted deliberately or unknowingly. It will be incumbent on you to prove your innocence.

What can you do about it? As far as the RIP Act goes, you should make staff aware of the need to protect and encrypt business critical secrets. Also, take steps to hold and retain keys for encrypted data held on UK servers.

With regard to the Patriot Act, encrypt everything going to the US and get anyone sending you regular mail to encrypt as well. It won't necessarily stop the authorities being able to read your e-mail, but it will slow them down considerably and make it less likely that your communications will be routinely read, as they won't be picked up on key word trawls.

Make the most of your security budget
In an industry where trust is imperative, many security suppliers are taking advantage of their unquestioning clients by advising them to spend more money on security than is necessary.

Over the past 12 months an average of 200 sites were breached each day in the UK with the average breach estimated to cost companies about £16,000. Figures like these would shock even the most cautious finance director into believing they need to spend thousands of pounds to secure their business assets.

But there are cost saving measures that should be considered before over spending on a mixture of technologies that may not be suitable. For example:
  • Have an audit, or penetration test carried out by an independent company to find any security holes before buying technology tools

  • Understand what your business must achieve before trying to secure it. For example, an e-commerce site has different security needs to an information-based site

  • Use a third-party supplier which will concentrate on recommending tools and services to secure your mission critical/high business impact security issues

  • Consider network reconfiguration before buying tools that you may not need. For example, a bad supplier would recommend a separate firewall for each connection, whereas an honest supplier will suggest methods that will save money, such as rationalising the number of Internet connections and directing all traffic through one point of entry, using one, properly-configured firewall

  • Write a bespoke security policy and use products configured in line with that policy to enforce it. This will save you from making costly last-minute panic purchases

  • Look to centralise your security support and management via experienced managed service providers. Managed services have been proven to lower security costs of some companies by up to 96%

  • If you have the in-house expertise to manage your own devices, look for a modular security solution that suits your business and buy it all from the same supplier - bundle prices are often available and in most cases there will only be one support contract involved. Remember that products are not designed especially for your network, so ensure that the solution is properly configured for your business

  • Standardise on platform security devices such as Nokia, rather than NT, which is not a security platform. Start with a solid platform or you will find yourself constantly spending budget on trying to secure it

  • Maintain the integrity of your infrastructure via constant reviews, patches, virus and vulnerability signature updates. By making use of all updates you will keep your technology tools working at optimum efficiency, thus giving them a longer shelf life and higher odds of keeping ahead of the hackers

  • Do not use BS7799/ISO7799 as a "must apply manual", it should act as a guideline but is too vague and not specific enough to individual companies. Attempting to achieve this status is time consuming and extremely costly.

Secure working culture
Security has always been important in all walks of life, but it has taken the Internet to bring the issue to people's attention in terms of how computers and networks are used, abused and the need to protect them.

Privacy issues have caused a few heated debates recently. British Gas customers, for example, did not like their invoice details being visible to other British Gas customers. The privacy issue has presented a host of Internet security product suppliers with a springboard to stake their claim on a potentially massive but mostly gullible market. Many Internet users are still novices and are seduced by the trend-setting and dynamism of the Internet, but do not understand how to use it and the issues that surround it.

Even business owners and stakeholders who carry the can for "security" - whether they realise it or not - often do not understand what is needed. To know what to do, the risks have to be understood. In computer terms, this requires some degree of knowledge about the technology being used. Law firms, accountants and financial institutions have carefully - and probably expensively - worded, legally correct and compliant disclaimers on their e-mails and sometimes even the acknowledgements they send automatically.

I find it amazing, but people who send e-mails are often not held accountable when it comes to the information they can send, the content they can use and the recipients of the information that they send to. Surely this is a case of damage limitation instead of damage prevention?

Financial loss and fraud is a far more serious issue than that of privacy - even if only from a commercial point of view. Privacy is generally a fashionable issue for the do-gooders in Brussels.

The most significant threats in the context of computer network security are inside an organisation's firewall. Trusted employees in general, can't be. Everyone should be held accountable, whoever they are and whatever they do.

Auditors now expect organisations to be able to track who has been on the network, when they were on, what they did, when they did it, where they did it.
The pressure is on IT security officers - do you know who yours is? - to be able to comply with their company's security policy and meet their auditor's requirements.

Infosecurity Europe 2002 is the largest exhibition of its kind in Europe. The show takes place from 23 to 25 April at the Olympia Exhibition Centre, London. The event incorporates a free high-powered keynote conference and 55 seminars on a range of topical issues. The Computer Weekly Infosecurity User Group will hold its inaugural meeting at the show. Places are limited, e-mail [email protected] for details. For free tickets to the exhibition and further information visit or telephone 0870-429 4406.

Read more on IT risk management