From reactive to proactive security

Another week, another virus. This time, a whole series of variants of Zotob, and as usual, a few headaches for affected companies.


The attacks reminded me of a recent IDC report, which suggested that most organisations in Western Europe have a lacklustre approach to IT security, hoping that if they ignore the problem it will pass them by. As a result, the majority still have relatively weak security protection mechanisms in place.

The good news is that IDC sees companies making major efforts to improve their existing ecosystem. The bad news is that it might take five years to achieve.

"Securing digital assets presents significant challenges to most European organisations, many of which are now realising that a holistic approach to security is paramount and an integral part of any successful business strategy," said Thomas Raschke, programme manager of IDC's European Security Products and Strategies research.

"Successful companies can move from reactive security to a comprehensive, integrated, and forward-looking approach to IT security," he added.

The latest virus attacks have once again provided a wake-up call for the corporate world.

Security monitoring remains IT’s responsibility, but is still largely a bolt-on extra. Eventually, however, it will be integrated into the infrastructure. Five years ago, antivirus software was largely an add-on, but has now become integrated into many enterprise applications.

The integration is important because having an array of unintegrated, point solutions means problems can occur ‘between the gaps’, leaving holes for attackers to target.

Richard Archdeacon, director of technical services at Symantec has a few ideas on how the future might develop.

He believes three elements need to be present in a security structure:

• information
• integration, and
• education

Taking information first, you need to know what’s going on and what’s being done about it. That means you have to have good information sources, so you can see where the trends are.

“The scenario should be like a dealing environment in financial services,” says Archdeacon. “Like a dealing floor, you need to know what the attack trends are and make a decision in terms of types of threat, and how to deal with them. 18 months ago, we started to see more attacks being made on confidential data, rather than big attacks hitting lots of people. But recently, the focus has been on stealth attacks and extricating confidential information for financial gain.”

Archdeacon believes organisations need to know what is happening strategically, and they can then do risk assessments in terms of what are new threats, which ones are confirmed, and which ones are ongoing.

“These latest attacks are being made on Windows 2000, a more dated technology. So there is a need for organisations to ask themselves what their risk assessment is for older technologies. Where does the organisation have them? Will Scada – Supervisory Control and Data Acquisition – systems be affected, such as process control and pumping stations, because they are often based on Windows 2000 technology?” asks Archdeacon.

Archdeacon believes the companies that succeed at security will be those best able to integrate the reporting of their disparate security technologies, and to take strategic, analytical and tactical decisions that benefit the organisation.

For example, if there are seven threatening versions of Zotob out there, which one should you tackle first? Which one carries the greatest risk? By adopting threat management concepts and doing effective risk assessment, you can put into practice measures that minimise risk to critical areas. Having made these assessments, you can then decide the best way to commit corporate resources.

There is little doubt that the ‘flash to bang’ cycle – the time between a vulnerability being spotted and its being exploited – has been shrinking rapidly. It used to be weeks; now it’s days. With the Zotob outbreak, the window was three days, making it the fastest exploit announcement to worm outbreak to date. This emphasises the absolute necessity of having technology in place that can protect against ‘zero-day’ threats without delay.

The trouble is that even when antivirus definitions have been created to cope with a threat, there may still be a window of anything from 24, 48 or even 72 hours before all machines on the corporate network have been updated and protected. One of the simplest problems is companies’ ‘moving population’: staff using laptops ‘on the road’. Typically, these are the systems that may not have had their definitions updated. And making sure staff are not complacent is an ongoing education process.
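The two preceding points, ranking the variants of one threat by the risk each poses and spotting the roaming laptops whose definitions have not caught up, can be turned into a small triage routine. The following is an added illustration, not code from the article or from Symantec or IDC: it assumes a constructed host inventory with a last-definition-update timestamp per machine, constructed threat variants with placeholder names and analyst-assigned severities, and an assumed criticality weighting per host role (Scada highest, per Archdeacon's comment).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    role: str                    # "scada", "server" or "workstation"
    mobile: bool                 # laptop that roams off the corporate network
    last_definition_update: datetime


@dataclass(frozen=True)
class ThreatVariant:
    name: str
    targets_os: frozenset        # platforms the variant is known to exploit
    severity: int                # analyst-assigned, 1 (low) .. 5 (high)


# Assumed weighting: process-control systems outrank servers and desktops.
ROLE_CRITICALITY = {"scada": 5, "server": 3, "workstation": 1}

# Definitions older than this are treated as not yet protecting the host
# (the 72-hour upper bound mentioned in the article).
MAX_DEFINITION_AGE = timedelta(hours=72)


def definitions_stale(host: Host, now: datetime) -> bool:
    """True when the host's antivirus definitions are older than the allowed window."""
    return now - host.last_definition_update > MAX_DEFINITION_AGE


def exposed_hosts(variant: ThreatVariant, hosts, now: datetime):
    """Hosts running a platform the variant targets and not yet carrying current definitions."""
    return [h for h in hosts if h.os in variant.targets_os and definitions_stale(h, now)]


def risk_score(variant: ThreatVariant, hosts, now: datetime) -> int:
    """Severity multiplied by the summed criticality of the hosts still exposed to it."""
    exposure = sum(ROLE_CRITICALITY.get(h.role, 1) for h in exposed_hosts(variant, hosts, now))
    return variant.severity * exposure


def prioritise(variants, hosts, now: datetime):
    """Order variants so the one putting the most critical unprotected assets at risk comes first."""
    return sorted(variants, key=lambda v: risk_score(v, hosts, now), reverse=True)


def stale_mobile_hosts(hosts, now: datetime):
    """The 'moving population': roaming laptops whose definitions have not been refreshed."""
    return [h for h in hosts if h.mobile and definitions_stale(h, now)]


# Constructed sample data; names, dates and severities are illustrative only.
NOW = datetime(2005, 8, 22, 12, 0)
HOSTS = [
    Host("pumping-station-1", "Windows 2000", "scada", False, NOW - timedelta(days=5)),
    Host("fileserver-1", "Windows 2000", "server", False, NOW - timedelta(hours=1)),
    Host("laptop-1", "Windows XP", "workstation", True, NOW - timedelta(days=10)),
    Host("desktop-1", "Windows XP", "workstation", False, NOW - timedelta(hours=2)),
]
VARIANTS = [
    ThreatVariant("Variant-A", frozenset({"Windows 2000"}), severity=4),
    ThreatVariant("Variant-B", frozenset({"Windows 2000", "Windows XP"}), severity=2),
    ThreatVariant("Variant-C", frozenset({"Windows XP"}), severity=5),
]

if __name__ == "__main__":
    for v in prioritise(VARIANTS, HOSTS, NOW):
        names = [h.name for h in exposed_hosts(v, HOSTS, NOW)]
        print(f"{v.name}: risk {risk_score(v, HOSTS, NOW)}, exposed {names}")
    print("stale roaming laptops:", [h.name for h in stale_mobile_hosts(HOSTS, NOW)])
```

With this data the variant that ends up on top is not the one with the highest severity: Variant-C scores highest on paper but only threatens one stale laptop, whereas Variant-A reaches the unpatched Windows 2000 pumping station, so the scoring puts Variant-A first. The same inventory walk also lists the roaming laptop as the machine to chase for a definition update.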

One area to consider is outsourcing. Although the words security and outsourcing don’t easily fit together, areas such as firewall monitoring, which involves huge overheads for an organisation trying to do monitoring 24 x 7 with 5 people, can be outsourced more cost-effectively.
