The secrets of our success

Large or small, all businesses are open to security breaches. We examine how three companies have approached the threat from hackers and malicious viruses

It is imperative to have appropriate business security in today's online world, yet few companies have really got to grips with the appropriate management skills, processes, and technologies needed to combat the new corporate risks that internet-based activities expose them to.

One of the problems is that online security needs to evolve so rapidly that many companies find themselves blazing a trail into unknown territory. An added complication for pan-European and global e-businesses is the need to comply with complex, cross-border regulations in relation to business practices, data security and privacy.

Nevertheless, companies have to get to grips with online security if they are to make their e-businesses fly. For most, it's a case of putting a strategy in place and then tweaking it as a problem arises. Here are a number of case studies of users who have faced down security problems and won. Their experiences are by no means unique but they offer valuable lessons for others.

Case study 1: Virus protection at ICL

Like many multi-national companies, global IT services company ICL believed that its anti-virus strategy provided comprehensive protection, until a new breed of virus came on to the scene during 1999.

The company became infected with the W97M/Ethan, a macro virus which affects Word 97 documents and disables some of the options relating to anti-virus security. ICL's anti-virus software, Dr Solomon's Toolkit from Network Associates, could recognise the virus but could not actually deal with it.

While the company reacted quickly to close systems down to stop the virus spreading, there was nothing it could do to help those systems already affected, which meant that all appropriate resources were immediately diverted to the project. Network Associates also stepped in to help.

"In some cases the cure was worse than the infection because workstations had to be completely rebuilt," says John Colley, head of information security. "We lost work time and productivity from this event."

To protect against the virus in the future, ICL arranged to upgrade to the latest, more comprehensive Virus Scan software. But just as the upgrade was being installed, ICL became the victim of a second virus that struck many companies last year - Melissa.

This virus is technically known as a worm since it spreads by copying itself to e-mail addresses in the system and then mailing itself out to unsuspecting recipients. "This was a completely new way of spreading viruses and no-one in the industry knew how to deal with it," says Colley. "It had a bigger impact on us than the Ethan virus because we had to stop our mail delivery system worldwide for about eight hours while we cleaned the systems manually, to prevent infecting our external trading partners."

ICL spent hundreds of man-hours racing to implement its new anti-virus software, which could cope with Melissa.

"Because we had to implement the software very quickly across the rest of the company, this virus incident escalated to being flagged a 'corporate red alert' within ten minutes," says Colley.

"We had an advantage in that we had a quick fix partially installed, but we were still anxious that we might spread Melissa outside our company, so we put some rough-and-ready protection on our mail gateway while we were cleaning up the system."

Today, ICL has installed additional protective products at the edge of its infrastructure, and on its mail gateways, desktops and Exchange servers. Colley is confident that no known or new virus can get in or out of ICL without being spotted and dealt with quickly.

He concludes, "The overriding lesson we've learned is that no matter how well you think you know and understand the security threat environment, something new will always come along."

Case study 2: Security policy at Shell Services International

Shell Services International (SSI) is the IT services company that serves the needs of the multi-billion pound Royal Dutch/Shell Group of companies, and some external customers.

The company is spearheading a major global infrastructure project - the replacement of Shell's existing global IT infrastructure with a new strategy based on Windows 2000. Thisinvolves replacing80,000 clients,1,500 servers, and merging the two separate networks that currently serve North America and the rest of the world.

The main system vulnerabilities for Shell's new globalised business will be its networks, which is why it is overhauling its current security policy to ensure that there are no black holes in the system.

"We're slowly changing our security policy from being closed and selectively open to one that is open and selectively closed," says Nick Mansfield, principal consultant of information security services at SSI, who has more than 15 years experience in the security industry. "Cosy, closed networks are no longer sustainable, or affordable," he says.

Shell is reducing its reliance on its corporate firewalls, since the new security strategy means that not everyone will be behind one. This calls for greater accountability of the individual in an increasingly mobile and open environment.

"On an open network, you've got to pay more attention to the authentication of the remote end-user," says Mansfield. "User IDs and passwords do not give enough legal certainty that the owner is doing the deed.

"Like everyone else, we know that some of our people use poor and inadequate passwords, so we're looking at stronger authentication mechanisms - class two digital certificates. We want to use recognised and trustworthy third-party certificate authorities, such as Viacode and Identrus, that tie the person to a certain location, and you have some certainty in a legal sense of who's doing what."

But making such a strategy work will be a challenge since Shell's global infrastructure hosts traditional fat PCs, thin clients used by hot-deskers, and personal digital assistant devices with Windows CE.

To keep tabs on everyone, Shell intends to use smartcard technology. "We estimate that password resets are costing us several million US dollars a year, so from a financial perspective, smartcards will be a big saving," says Mansfield.

Shell is not taking any chances with its staff being careless with these cards. It will ensure that the cards have a personal value to staff, such as free entry to the company car park.

Mansfield says, "We learned a long time ago that you cannot change peoples' security behaviour by simple awareness campaigns and training. You have to provide what's known as something 'personal, immediate, and certain' - PIC - and embed it into the corporate culture."

Shell will test the smartcard technology this spring and begin implementation in the summer. The company's 80,000 staff worldwide should all be using smartcards on the same infrastructure by the end of 2001.

"It will mean more determined and predictable security, in that we will know with a degree of certainty what security we have, and don't have," says Mansfield. "We will know our strengths and weaknesses better."

Shell's incident response behaviour:

  • Break the attack cycle of events
  • Limit the damage
  • Contain the incident
  • Follow up to improve response
  • Deal with immediate incident
  • Create rapid response teams
  • Avoid responding overtly - stay cool
  • Identify critical processes and assess impact
  • Activate respective response plan

Steps to improve critical infrastructure security:

  • Identify the critical infrastructure and relevant business processes
  • Create platform for liaison between government and industry partners
  • Create critical infrastructure specialist groups by sector and linked to civil defence plans
  • Increase effort on intrusion detection and response - virtual teams across organisations
  • Developing fast warning and response mechanisms to alert and protect government and industry - avoid hierarchies
  • Conduct awareness campaigns across businesses - due diligence not hype
  • Collect evidence to convince business management to take precautions
  • Consider making recording and reporting incidents and near misses mandatory
  • Consider making business continuity planning mandatory for critical business processes
  • Publish best practice guides and standards aimed at protecting critical infrastructure components
  • Balance persuasion with coercion

Case study 3: E-commerce and security at W Pauley & Co

W Pauley & Co can teach large enterprises a thing or two about security. The Northants-based fresh food procurement and distribution business has only ever had a virus problem and that was detected with Norton Antivirus software, and resolved quickly.

It attributes its clean record on security incidents to its choice of IT infrastructure - Unix servers, dumb terminals, applications written in Java, and banning incoming calls while allowing dial-back access. The company also has a policy of restricting access to critical systems held on a small group of PCs to top management only.

However, over the next year or so Pauley plans to try out Web hosting and e-commerce. It knows that once the business is opened up to wider Internet access its vulnerability will increase.

Pauley, which employs 400 people and has satellite offices from London to Scotland, runs a nationwide fleet of more than 70 lorries that deliver 20,000-30,000 packages daily to 11,500 customers - mainly hotels, caterers and catering groups throughout the UK. In moving to e-commerce, the £34m plus turnover company wants to give its customers and suppliers access to core systems so that they can see if stock is available in real-time, place orders, and check their account details online. "I know it's going to give us some big security nightmares," says research and development director cum IT supremo, David Lane. "We'll have to find a way of validating that people are who they say they are and make sure that the whole system is secure."

Lane is currently looking for a suitable firewall and will probably opt for digital certificates for user authentication purposes. He is also swapping Pauley's dumb terminals, most likely for Sun's Sunray boxes because they offer the same features but with a graphics environment and inbuilt smartcard technology.

"My main security worry is that I don't want people messing around with the Web site, putting in bogus orders and being malicious," says Lane. "But we've also got to ensure that customer and supplier details are kept private, and that when they access our systems in real-time they can't let anyone else in because the security isn't right. That's an area that's got to be nailed tightly shut."

He adds, "I don't subscribe to the view of today's generation of programmers and engineers who say that a security breach is going to happen no matter what you do. I think the key to security is simplicity, just like our IT infrastructure."

Read more on Hackers and cybercrime prevention