Strategy: Shopping around

What's on your security shopping list? Karl Cushing suggests a few choice items.

A lot has been written lately about the importance of management issues like raising user awareness, getting buy-in and managing access in an effective IT security strategy.

But what about the technology itself? The January sales might be long gone and Christmas a faint memory, but with IT security event Infosecurity Europe 2002 (23-25 April) just around the corner, E-Business Review takes a look at the new products that companies should be putting on their shopping lists.

Over the past year, the spotlight has been on nascent security technologies like biometrics, public key infrastructure (PKI) technology and digital certificates. However, while undeniably interesting, they have made little headway so far and for the average IT director the prospect of implementing such technologies is still a long way off.

According to Gary Hardy, a director in Andersen's technology risk consulting practice, although PKI has potential value it is caught in a Catch-22. People expect these kinds of services more or less for free, but somebody has to first invest in a global PKI infrastructure.

Hardy is also critical of IT vendors, who he says have "neglected security for years". He argues that more security measures should be built into hardware at source, likening the current situation to buying a car without wheels or an engine.

Hardy also reminds companies of the growing importance of data privacy issues and the increasing enforcement of data protection legislation. This is a good thing to bear in mind while shopping around for new security ideas.

Peter Cox, international vice president for security software firm Borderware, also argues that technologies like PKI and biometrics can be a distraction. "There's a danger in focussing on these technologies and taking your eye off the ball," says Cox, who advises companies to concentrate on the basics, like firewalls, anti-virus software and access management.

Cox says companies need to get away from a tick-box mentality whereby they buy technology because that's what they think they need. So instead of going to events like Infosecurity with a checklist, companies should spend more time thinking about how they will use and configure security technology and focus on user education.

Although Cox believes that companies are starting to take security more seriously, he stresses the need for IT directors to take a closer look at measuring the quality of the security technology they implement. "Over the coming year, you will start to see people ask some serious questions about the quality of their technology," he says.

Heart and email soul
Cox suggests companies look closely at email. "We view email as being the heart and soul of the company," he says. "From a business point of view it's a lethal application to mismanage."

As well as moving email off the firewall, which he says leaves the corporate email server very vulnerable, Cox talks of the value of undertaking an email audit and says that IT directors will be amazed by the level of non-business related email they receive.

According to Stuart Morrice, marketing director of network security consultancy Peapod, which carries out email audits, around 60% of the email traffic a company receives will be non-business related, including pornography and licentious material. This constitutes a massive cost to business and results in a greater risk from hacking and prosecution. Morrice also advises companies to conduct comprehensive security audits.

On a more general note, Morrice says companies should focus on training and using what they've got before splashing out on new technology. Like Cox he argues that companies need to go back to basics, adding, "There's a lack of depth and understanding among the tech guys in the marketplace today."

One thing Morrice does suggest, however, is putting in another firewall as a fall-over because, as he puts it: "If your firewall goes down you're stuffed."

Not everyone supports such an insular approach, however. Graham Cluley of anti-virus software firm Sophos, for example, says there are a number of things worth investigating at Infosecurity, like encryption, content management and firewalls. As well as offering a good opportunity to re-evaluate strategies, Cluley says it is a good chance to speak to the vendors and harangue them if you're unhappy about performance issues.

In view of the number of attacks on IIS servers last year, Cluley says that companies should be looking for ways of minimising risks from such attacks.

He also recommends looking for companies who offer a patch monitoring service and tell you as soon as a new patch becomes available. This is a valuable service worth considering as patching promptly is a big aspect in ensuring security. Another key area to look at is configuration.

Cluley says that "too many companies buy security solutions, put them on the shelf and expect them to emanate magic rays to protect the company". He says that events like Infosecurity offer a good opportunity to take stock, speak to peers to see how they've implemented technology and just generally keep a look out for interesting ideas and information.

Remote access
Given the growing popularity of remote working and hotdesking, Cluley says companies should also keep an eye out for products designed to bolster security by managing remote access. Key technologies here include personal firewalls, updating anti-virus software and anything that makes sure users aren't using unauthorised software, he says.

Mike Longhurst, principal security consultant for network security firm SecureWave, also stresses the importance of "keeping on your toes", pointing to the new threat posed by small, over-the-counter devices such as miniature portable storage devices (MPSDs) and digital cameras with Smartmedia and Flash Cards. "Businesses need to understand the threats that these technologies can pose to their business network and start looking at the solutions now," he says.

Longhurst believes too many companies are still focusing on the external threat and are failing to see the threat from within. He says a potential hacker - possibly a disgruntled employee, contractor or a visitor - can download free hacking tools like Back Orifice 2000 and Hacker Utility V1.5 from the Internet and install them onto portable storage devices.

Such hackers can then use the devices to mount a denial of service attack, steal or tamper with information, or even plant a Trojan by connecting them to a spare USB port on a company PC. Worse still, Longhurst says external firewalls, content filters and anti-virus software are of little use in preventing this type of attack. It is also very hard to trace, let alone prosecute, offenders.

According to Longhurst, increasing users' ability to exchange information between PCs and external devices has "inherent threats", as users can "ride roughshod" over security policies.

To control the use of these types of technologies, he says that companies can either disable the Windows USB driver on every system - not really a viable option as this will prevent the use of other useful USB devices - or use in/out device management products.

He stresses that the important thing is not to deny users access but to use these "system environment control technologies" to control executables and manage devices attached to USB ports.

He says that the functionality and level of control offered by such technologies means they are now of serious value to enterprise level users and enable them to centrally control what in/out devices can be used, by whom and when. Some can even limit the amount of files transferred to removable storage devices, even driverless ones, and take copies of them.
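As an added illustration of the device-management approach Longhurst describes (this is constructed example code, not from the article or any vendor's product), the toy policy engine below allows or denies a removable device by its class, the user's group and the hour of day, rather than disabling USB wholesale, and enforces a transfer quota with an audit copy; the rule set and user groups are assumptions.

```python
# Constructed example: in/out device policy by class, user group and time of day.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    device_class: str            # "hid" (keyboard/mouse), "storage", "camera", ...
    groups: FrozenSet[str]       # user groups allowed; "*" means everyone
    start_hour: int              # allowed window start (inclusive, 0-24)
    end_hour: int                # allowed window end (exclusive)
    byte_quota: Optional[int]    # bytes per user per session; None = unlimited
    audit_copy: bool = False     # retain a copy of files written to the device

# Assumed policy: everyone may use keyboards and mice at any hour; only
# field staff may use storage, in office hours, up to 50 MB, with copies
# retained. A class with no rule (e.g. "camera") is denied outright.
POLICY = (
    Rule("hid", frozenset({"*"}), 0, 24, None),
    Rule("storage", frozenset({"field-staff"}), 8, 18, 50_000_000, True),
)

@dataclass
class Session:
    user: str
    groups: FrozenSet[str]
    transferred: Dict[str, int] = field(default_factory=dict)  # class -> bytes

def find_rule(device_class: str) -> Optional[Rule]:
    return next((r for r in POLICY if r.device_class == device_class), None)

def check_access(session: Session, device_class: str, hour: int) -> Tuple[str, str]:
    """Decide whether this user may attach a device of this class right now."""
    rule = find_rule(device_class)
    if rule is None:
        return "deny", "no rule for device class"
    if "*" not in rule.groups and not rule.groups & session.groups:
        return "deny", "user not in an authorised group"
    if not rule.start_hour <= hour < rule.end_hour:
        return "deny", "outside permitted hours"
    return "allow", "ok"

def record_transfer(session: Session, device_class: str, nbytes: int, hour: int) -> Tuple[str, str]:
    """Account for bytes written to a removable device against the quota."""
    decision, reason = check_access(session, device_class, hour)
    if decision != "allow":
        return decision, reason
    rule = find_rule(device_class)
    used = session.transferred.get(device_class, 0)
    if rule.byte_quota is not None and used + nbytes > rule.byte_quota:
        return "deny", "transfer quota exceeded"
    session.transferred[device_class] = used + nbytes
    return "allow", ("audit copy retained" if rule.audit_copy else "ok")
```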

Longhurst also advises companies to look at intrusion prevention - as opposed to intrusion detection, which he claims will become a thing of the past - and to re-appraise their anti-virus software policies in light of what he sees as the inability of the vendors to prevent viruses.

"Organisations need to start questioning the level of investment in anti-virus software for the payback they get," he says. But for Longhurst, one of the best things to look out for at Infosec will be protective mechanisms for wireless networks.

None of the aforementioned technologies or products cost the earth, which is just as well in the current economic climate, and although they might not be as flashy as biometrics they may well be more effective in the short term. So, start preparing that speech where you remind your MD or CEO that a stitch in time saves nine, get sign off to exercise the purse strings a little and get ready to go wild in the aisles. Happy shopping!

Things to look out for at Infosec
  • Personal firewalls and VPNs, especially for remote workers
  • Access management technology
  • Consider investing in an extra firewall as a fall-over
  • Re-appraise your anti-virus software
  • Companies offering patch monitoring services
  • Consultants providing e-mail and security audits
  • Ways of shoring up - or even finding a replacement for - your IIS server
  • Protective mechanisms for wireless networks
  • Intrusion prevention, as opposed to intrusion detection, products
  • Smart cards
  • In/out device management products

Infosecurity 2002 will be held at Olympia in London from 23-25 April