Manning the breaches

Most companies do not employ staff with information security qualifications and yet they are confident they can cope with any attempted system breaches. Jane Dudman reports

Measuring the potential threat of attacks on the network is so difficult that most people just do not do it. "It is hard to be clear about the value of security procedures," says John Wheeler, head of services at financial information provider Telekurs. "The only way we know our system is doing something is to change things ourselves, internally. Then we can see it is there, blocking things. The purpose of this is to protect us from things we do not even know about."

The 2004 Department of Trade & Industry Survey of Information Breaches says the cost to UK business is "significant". It puts the average cost of the most serious security incident at about £10,000, but this can rise to £120,000 in larger companies. The biggest impact is on availability. Some organisations have suffered disruption to business operations for more than a month.

As well as spelling out the cost of security breaches, the survey reveals another facet of the problem: three-quarters of the UK businesses questioned are confident their technical security processes are good enough to prevent or detect all large security breaches. But only one in 10 companies actually has staff with formal information security qualifications and most businesses spend less than 1% of their IT budget on security.

There are ways to quantify the risks. The non-profit Information Security Forum (ISF), which has more than 250 members, has developed several methods of analysing risk.

"We measure incidents in very detailed ways," says Andrew Wilson, ISF project manager. The main finding of the survey ISF carries out among its members every other year is that most IT security incidents are not malicious. "Most incidents are caused by accident or user error and most affect availability rather than involve the theft of information. Malicious threat is almost tiny as a problem."

Wilson believes the threat of malicious damage to networks is overstated for a very good reason. "You are not going to get money out of the board by saying the network is down because of a cock-up. It is the malicious threat that gets the attention."

Assessing potential loss involves more than the theft of information. "If you talk to people responsible for IT security in large banks, the actual losses from security breaches are minuscule, but the potential impact on the banks' reputation is huge," says Wilson.

It is hard to quantify the potential cost of network breaches and to assess accurately the likelihood of a malicious attack, but it is even harder for IT managers to assess whether the problem is escalating. Wilson believes the situation is manageable. "There are more threats, but not crazily so. In general, there is not much increase, although that may be because of improved security."

Paul Jacka, IT security manager at the Royal Cornwall Hospitals Trust, agrees that the main impact on his network comes not from malicious external attacks but from internal problems, such as non-business or non-essential use of the internet during working hours. But he has also seen the amount of spam grow dramatically. To counter these problems, the trust has installed a web and e-mail filter from SurfControl.

"We have 12,000 users and the system receives 800 spams a day," says Jacka. "We do have signs of people attempting to get into the network, but it is pretty well tied down."

The trust is particularly strict with remote users. It is trying out a number of systems to limit the options for remote users, with the main aim of preventing anyone logging into the trust network and then using it to leapfrog on to other internet sites. "We have a system that tells users where they can go and if there is any doubt, it will bundle them off the work system," Jacka says.

Although some experts think things are not getting worse, others disagree. Security specialist Symantec says there has been an annual 64% growth in generic attacks, and Computer Associates estimates that on average, there were 79 new vulnerabilities every week in the first half of 2004.

Figures like these are not reassuring for IT directors, who have to remain on constant alert to existing and emerging threats.

"Anything that stops us flying planes is a threat," says Paul Williams, head of architecture at Virgin Atlantic, which has recently set up an information security team to help protect its 4,000 users and has implemented an anti-spam system from supplier Ironport.

"We look at security from the process side, rather than as a technical issue, but the biggest headache is where does this stuff start and where does it end? It takes quite a bit to understand," he says.

Whether or not the threats are growing worse, the dilemma of how to protect networks is certainly growing, at a time when there is increasing mobile and remote access to core systems by both internal staff and external partners.

One body of UK users taking a different approach is the Jericho Forum. Set up in January and comprising many large UK companies and organisations, including Royal Mail and ICI, the Jericho Forum is working on developing open standards that will help make information flows across organisations more secure, rather than simply trying to strengthen a notional perimeter around an organisation. The forum calls this deperimeterisation, or boundaryless information flow.

The nature of new threats means a new approach is needed, says Ian Dobson, security director of the Open Group consortium, which is a member of the Jericho Forum. "These threats included blended threats that combine hacking, denial of service and worm-like propagation that can rapidly compromise millions of machines," he says.

"The Jericho Forum accepts that the present combinations of information security products will not scale to meet rapidly increasing volumes of transactions and massive increases in future. Deperimeterisation is the key. This is where the firewall's traditional role disappears. Meanwhile, all users need to use the tools we have now and take personal responsibility for safeguarding their systems."

Wilson agrees: "It is virtually impossible to throw a perimeter of security around your IT network, so you need to know how to protect individual pieces of technology that may not even be within your castle."

One of the biggest challenges for IT directors, he adds, is the sheer rate of business change, which makes it a real challenge to keep track of components within the IT infrastructure. "It is so frenetic that in some cases it is almost out of control," he says.

Increasing use of wireless networking is not helping. "People are blasting holes in the firewall to let in legitimate traffic without realising their potential vulnerability," he says.

Some users are more optimistic, however. "We know what has to be done," says Didier Verstichel, director of worldwide networks at Swift, which provides messaging for more than 7,500 financial institutions. "It is a scientific approach. We need an algorithm long enough and which renews the key fast enough to stay under the breaking time and mankind always invents ways to do that."

He also believes things are not getting significantly worse. "We have moved away from an X.25 network and in the past, that has been attacked," he points out. "The internet is very good at propagating news and vulnerabilities, so that knowledge is more widely reported."

Verstichel says security must be designed in at every level of the IT infrastructure and must be seen as an integral part of IT design. "It cannot be added in afterwards," he says.

Case study: Royal Society of Medicine opts for managed service

The 18,500-member Royal Society of Medicine promotes the exchange of information and ideas about medicine. It provides a broad range of educational services for doctors, dentists and veterinary surgeons via events and its medical library, which is one of the largest in the world.

Tansy Cook, head of IT at the RSM, says the internet presents risks as well as huge benefits. "Our doctors and researchers need constant access to the internet," she says.

"They need access to anything and everything. But we were getting more and more Trojans on our network and, although we had an anti-virus product, it was taking more time to keep up to date, particularly as we run a virtual Lan so our fellows can bring in their own laptops and plug them in."

Cook and her team have opted for a managed security service. "We could do this on-site, but we are only a small IT team. We wanted to have our security managed by a third party. It makes it very easy."

She says that since implementing the new service, provided by security firm ScanSafe, she has seen a real difference. "At the last count the system had stopped 500 incidents," she says.

"Each and every one of those could have been a risk. We could add up the potential cost of those incidents, but the important thing is to have as few outages as possible."

Weighing the risk of worm infection against the cost of securing systems

Dick Bussiere, chief technology officer at network supplier Enterasys, has calculated the potential cost of security breaches and of protecting against them.

He posits a scenario of a business with an £11m turnover and 100 staff, whose time is costed at £16.64 an hour. He assumes there is an 80% chance of a worm occurring in a year and that it could make 90% of the computer systems unusable, with three days' recovery time.

According to Bussiere, this will result in losing labour worth £31,048 and lost business of £86,950, making the total cost of the incident £117,998, not taking any loss of reputation into account. Factoring in the likelihood of the incident and the extent of the damage gives an annualised loss expectancy of £84,970.

To protect the system, Bussiere assumes an installation cost of £13,879, with annual maintenance costs of £2,778. If the system lasts five years and reduces the spread of malicious code by 85%, he calculates that implementing the system will reduce the annualised loss expectancy to £12,760. By spending £5,554 a year on the system, the company can make a total saving of £66,733.

This looks clear but Bussiere warns that anyone looking at security systems should analyse supplier claims carefully, and all systems must be properly installed and maintained to achieve the maximum benefit.
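As an added illustration (not Bussiere's own spreadsheet, which the article does not reproduce), the calculation below carries the worm scenario through in Python using the article's inputs; the way the likelihood and damage factors combine is inferred from the figures quoted, and it reproduces them to within about £100 of rounding. It also adds one figure the article does not give: the break-even reduction in spread at which the system just pays for itself.

```python
"""Annualised loss expectancy (ALE) model for the worm scenario above (added illustration)."""
from dataclasses import dataclass

@dataclass
class WormScenario:
    single_loss: float         # cost of one incident: lost labour + lost business (GBP)
    annual_probability: float  # chance of a worm incident in a given year
    damage_extent: float       # fraction of systems the worm makes unusable

@dataclass
class Control:
    install_cost: float        # one-off installation cost (GBP)
    annual_maintenance: float  # yearly maintenance cost (GBP)
    lifetime_years: int        # years the system is expected to last
    spread_reduction: float    # fraction of malicious-code spread it prevents

# Inputs taken from the article: £31,048 lost labour + £86,950 lost business per incident.
SCENARIO = WormScenario(single_loss=31_048 + 86_950,
                        annual_probability=0.80, damage_extent=0.90)
CONTROL = Control(install_cost=13_879, annual_maintenance=2_778,
                  lifetime_years=5, spread_reduction=0.85)

def annualised_loss(s: WormScenario) -> float:
    """ALE = single-incident loss x yearly likelihood x extent of damage (as inferred from the article)."""
    return s.single_loss * s.annual_probability * s.damage_extent

def annual_control_cost(c: Control) -> float:
    """Installation cost spread over the system's lifetime, plus yearly maintenance."""
    return (c.install_cost + c.annual_maintenance * c.lifetime_years) / c.lifetime_years

def residual_loss(s: WormScenario, c: Control) -> float:
    """ALE that remains once the control blocks its share of the spread."""
    return annualised_loss(s) * (1.0 - c.spread_reduction)

def annual_saving(s: WormScenario, c: Control) -> float:
    """Net yearly benefit: loss avoided minus what the control costs to run."""
    return annualised_loss(s) - residual_loss(s, c) - annual_control_cost(c)

def breakeven_reduction(s: WormScenario, c: Control) -> float:
    """Smallest spread reduction at which the control covers its own annual cost (not in the article)."""
    return annual_control_cost(c) / annualised_loss(s)

if __name__ == "__main__":
    for label, value in [("ALE without control", annualised_loss(SCENARIO)),
                         ("ALE with control", residual_loss(SCENARIO, CONTROL)),
                         ("annual cost of control", annual_control_cost(CONTROL)),
                         ("net annual saving", annual_saving(SCENARIO, CONTROL))]:
        print(f"{label:24s} £{value:,.0f}")
    print(f"break-even spread reduction {breakeven_reduction(SCENARIO, CONTROL):.1%}")
```

Changing the assumed probability or spread reduction and re-running shows how sensitive the saving is to supplier claims, which is the point of Bussiere's warning.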

This article is part of Computer Weekly's Special Report on network security produced in association with Microsoft


Read more on IT architecture