The next big threat

We asked six industry leaders what, in their opinion, is the greatest threat to IT security that UK businesses may have to face in the next 12 months?

Roger Ellis, chairman, IT Director's Network

Although the Blaster and Sobig viruses were relatively mild, they caused problems for millions of users. But what would happen if a virus writer developed a really malicious virus and then released it with address book forwarding techniques?

While I am sure the virus protection firms would be able to come up with an antidote, it does not bear thinking about the damage that could be done to UK and worldwide industry. Think of major file deletions, a virus that could infect Excel spreadsheets and cause inaccurate calculations, or a virus that could detect sales files and manipulate price and customer information.

The second area that gives me cause for concern is the increase in the use of wireless communication, in the office and in Wi-Fi zones around the country. These radio waves can be intercepted and, while sophisticated algorithms to render a snooper's data meaningless no doubt exist, the hackers of the future will be devising ways to decode these signals.

Len Hynds, head of the National Hi-Tech Crime Unit

The UK Threat Assessment of Serious and Organised Crime 2003 report, by the National Criminal Intelligence Service, highlights high-tech crime as one of the top six threats to the UK.

While the UK has some of the highest levels of e-commerce activity in Europe, the fear of high-tech crime and the cost of associated security measures may discourage the wider take-up of e-commerce in the UK, particularly among smaller businesses.

Criminals are becoming increasingly technologically competent and it is, therefore, reasonable to assume that their use of high-tech methods will increase in parallel with the growing reliance of financial institutions, businesses and individuals on IT and online transactions.

There has been a significant increase in website "spoofing". This involves duplicating a genuine website and giving it a similar internet address to the original, so that users are unwittingly redirected. The spoof site seeks to dupe the would-be customer into supplying card and account details or other financial information that can then be used by fraudsters.

Every business has a duty to itself, its employees and its customers to be as security-conscious as possible. Routine application of software updates, employee education and holistic attention is fundamental. Ultimately, law enforcement, industry and the public need to work in partnership to ensure a safer digital environment.

Jonathan Mitchell, chairman, Corporate IT Forum

While much noise has been made about whether there has been "timely and responsible patching by systems administrators", the fact remains that there are time-bombs ticking away inside all our computer systems.

The central issue is neither the speed at which the systems are patched, nor the malicious intent of the hacker that writes a virus or worm program, but rather whether computer software is designed properly.

I have experience in aero-engine manufacture and pharmaceuticals, and both these sectors test each new product extensively. It is common for a new medicine to spend six years in testing and it can take two years before a new jet engine can be put on the wing of a plane.

This mature approach cannot be taking place in the software industry. It is difficult to square the concept of solid design and testing when one sees frequent, simple buffer overflow loopholes appearing. Moreover, the absurdly short product cycles in the software industry mean that a comprehensive software testing schedule is usually the first thing to be sacrificed if release dates are threatened.

The Blaster worm starkly highlighted the need for change. Only a few weeks lapsed between the discovery of a flaw in the operating system and this exploit appearing. Rapid patching, with all its risks, protected many organisations this time, but what will happen when a hacker has a worm ready to go before any patches appear? The software companies that wake up to this and start producing well-designed, solid, patch-free products with sensible upgrade cycles might just find a willing set of customers.

John Leach, consultant, Information Assurance Advisory Council

Most widespread viruses do not, as yet, carry an overtly malicious payload. It is only the minority that delete files or attempt to render a PC unworkable. Given the demonstrated capability and sophistication of malware writers today, there is no technical reason why they should not be able to add damaging payloads at will.

SQL Slammer is believed to be in the top 10 of the most damaging malware, not because it caused direct damage to infected servers, but because it spread so far and so fast and such a large number of servers had to be cleaned up afterwards.

It is well known that a patch for the vulnerability Slammer exploited had been available for about six months before the virus appeared. What is not so well known is that knowledge of the vulnerability was in the public domain for 20 days before the patch became available. It does not take 20 days to write a worm like Slammer or to add a seriously damaging payload. Just imagine the damage Slammer could have caused if it had been released during those first 20 days and before any servers could have been patched.

Malware today is a very fast, sophisticated, high-precision weapon that, if used in anger, could have a hugely devastating effect on the internet community. However, it seems malware writers have so far chosen not to give their creations teeth. In the absence of any sound reason for this, we must presume we are living on borrowed time. The next time an exploitable vulnerability becomes public knowledge ahead of any patch being available, I will be very nervous.

Another concern of mine is of a different type of virus. Most viruses let you know straight away that you have been infected, but a virus that is completely stealthy and does nothing to give away its presence is another matter. It would spread across the internet, slowly but steadily and with no recognised symptoms, until it had achieved almost complete infection. This might well take several months. Once the infection had permeated, the virus would then switch itself on. It might be triggered by a time switch or a broadcast message from its creator. It could deliver its payload across the internet simultaneously and cause complete global chaos before suppliers are able to release an updated signature file.

Mike Barwise, Computer Security Awareness

The greatest IT security threat is not some new virus or hack. It is the continuing failure by businesses to proactively manage information security at a corporate strategic level. It is no longer possible to kid ourselves that we can be secure solely through deploying technologies.

The security problem and its solutions now go far beyond the boundaries of IT and its operational management. The sheer diversity of threats and the rate at which they emerge and change now necessitate a much more integrated approach. Creating and maintaining security awareness must be an intrinsic component of corporate culture, but business thinking has not yet caught up.

It must become second nature for everyone, in all disciplines and at all levels of the organisation, to "think secure" at all times. Security policies need to become more consistent, informative and sophisticated, and they in turn will require an ever-widening range of expertise in their development. Information owners, business managers, personnel departments and unions are all able to make a contribution. Risk assessment needs to become more reliable, responsive and accurate and take account of business processes and information assets. Formal methods that eliminate a variation in quality as a result of human error must be employed.

As the boundary between business demands and security vulnerabilities is blurred by web services, more board-level strategic involvement in IT is required to ensure exposure is limited. Everyone has to be involved in information security decision making. It can no longer be left exclusively to the IT department. A firm can only be secure if it knows exactly what threat it is exposed to and what it can do to protect itself.

Chris Sundt, independent security consultant

The advent of broadband; the government's drive to connect electronically with its citizens and industry; the encouragement for businesses large and small to exploit e-commerce; and the introduction of new technologies such as Wi-Fi are all creating an interconnected world where it is difficult to define boundaries.

At the same time, business is outsourcing more and more of its information processing and is relying on the managed service provider to maintain adequate information security. Information is being shared with trusted and not so trusted partners who themselves share information. No longer can a business easily draw a line around the information systems that support its business.

Security is only as good as the weakest link, and that is now the inadequately protected system or network. The lack of proper anti-virus controls is already encouraging the rapid spread of viruses such as Sobig. The Nachi worm illustrates the importance of firewalls and maintaining security patches. Surveys by the DTI show that information security is not the highest priority for smaller businesses and certainly not for the public.

The greatest threat over the coming months will be from attacks that exploit weaknesses in the soft underbelly and avoid traditional methods of protection.

Pieter Kasselman, senior research engineer, Baltimore Technologies

Security is added as an afterthought to any application. Traditionally, the focus in the IT industry is on delivering functionality. If it turns out the functionality is useful, such as e-mail, a scramble ensues to provide some acceptable level of security. Thus, current IT infrastructure and security solutions are fragmented, which can represent a serious threat for IT managers. There is no single interface for managing and monitoring security in an IT system.

This lack of a central control also makes it very difficult for IT managers to demonstrate the effectiveness of their security measures or the extent to which the security policies of an organisation are enforced. This can only be shown through lengthy and expensive audit procedures.

To address this threat, it is important that IT managers focus on a holistic, integrated security architecture and strategy, which support business objectives and day-to-day business realities. Comprehensive security policies can provide a new approach to information security and enable rights and privileges to be assigned at an individual level (ensuring, for example, that the marketing manager has access to all marketing information but not necessarily the same data as the marketing director).

This will allow for security controls to be put in place at two discrete layers - the network/device layer and the application layer. At the network/device layer only devices able to enforce these rights and privileges are allowed to sit within the network, and at the application layer the IT manager ensures the right people have access to the right information and resources.

This approach simplifies the IT manager's tasks, increases the ease with which an organisation can deploy its security policy and enables businesses to deal with any number of IT security threats.
