ICI, which previously relied on service level agreements with web hosting companies to maintain security, signed up to the £30,000-a-year service in January, after independent security consultants managed to subtly change one of ICI’s websites during a routine penetration test.
“The day the Slammer worm came out it paid for itself,” said Paul Simmonds, ICI’s global information security director. “When I heard my phone ring on a Saturday, I was able to log on and run a manual scan on the IP range of ICI. Ten minutes later I knew we had no issues.”
Although ICI was forced to ditch one of its hosting companies when the firm refused to address 13 vulnerabilities identified in its systems, most hosting companies have been happy to deal with the problems, Simmonds said.
ICI is now planning to use a similar scanning service to analyse the company’s estimated 40,000 internal IP addresses for vulnerabilities. It is expected to put the contract out to tender at the end of the year.
Simmonds uses the Qualysguard scanning system to produce reports for ICI’s board. To date, they have shown a healthy monthly improvement in the security of the firm’s external websites.
“I regard myself as a business person first and an IT person second. My job is to go to the board and justify why they should spend money on IT security. The graph showing the trending down of the vulnerabilities justifies my existence,” he said.
The system also delivers technical reports directly to ICI’s internal IT staff and to security staff at the web hosting companies. These reports identify the vulnerabilities, rank them in order of seriousness, and give instructions on how they should be fixed.
It took only one afternoon of typing in the relevant IP address to set the system up, said Simmonds. The only hiccup was that, because of a communications breakdown, one hosting company did not realise it was being scanned by ICI and assumed it was facing a hacking attack.