Internet security must be taken seriously

Security is not being taken seriously by a great many UK companies that trade on the web. This could be an expensive mistake, says Martin Butler

Although business was quick to recognise the advantages to be gained from improving connections to the outside world, a corresponding awareness of the unique vulnerabilities of such enhanced connectivity has been far slower to develop.

The results of this lack of understanding can be seen in the waves of virus infections sweeping across corporate networks, increasing attempts to access privileged data, and the ease with which distributed denial of service attacks can bring commercial Web sites to their knees.

However, an important issue is that many network managers focus on these external points as if they are the only concerns that need to be monitored in order to guarantee corporate security, and this is not the case. Internal concerns, such as personnel issues, are just as vital to the security of the enterprise, and yet these can often be overlooked in the haste to deploy a solution.

Security has become an issue that reaches into every part of the Web-enabled company. An Internet connection greatly empowers the business and its employees, offering the ability to reach out and carry out activities at almost any point in the world. However, the downside to this ability is that other people are equally capable of reaching back into the company in the same way.

It is generally the case that a firewall will be deployed between the enterprise and the outside Web to prevent unauthorised intrusions, but, unfortunately, this does not solve all the problems. There are ways to compromise security, such as obtaining private passwords through social engineering or other such manipulation of personnel, who can unwittingly circumvent otherwise robust security solutions.

A good example of this was seen in the recent wave of Web sites being defaced in connection with the UK petrol demonstrations. Many of the sites successfully cracked seem to have still been using default passwords installed with the solution, in spite of recommendations that these be changed following installation. This highlights the point that people using technology are simply not thinking in security-conscious terms.

E-mail is a particularly important issue in this regard, as it is both a preferred means of spreading viruses and a potential source of embarrassment - and even legal action - for the company. The rapid nature of e-mail exchanges seems to almost stun many users into a state of complacency in its use, making them prone to misuse of the medium.

Security warnings about opening attachments go unheeded, allowing viruses to be opened within the corporate defences, and poorly considered messages are sent out on what amounts to corporate "paper". The issue of responsibility for material being dispatched using corporate resources is one that is already concerning a significant percentage of network administrators, and this number will certainly rise in the near future.

But why has corporate security become such a problem to maintain, in such a relatively short amount of time?

The answer lies in the ability of the Internet to make real-time connections between like-minded individuals - the same strength that promotes business itself. Successful hacking tools, whether developed to highlight security concerns or to wreak havoc, are freely available. A classic example of the use of such tools could be seen in the attack on Yahoo. This was achieved through use of freely available scripts, the users of which are known as "script kiddies".

The ability of otherwise unskilled individuals to make use of destructive tools has dramatically raised the level of hostile activity directed against corporate networks, and is an important factor in the need for more robust security. While a network manager is firefighting against script kiddies, the vital strategic elements and decisions that the enterprise depends upon are being neglected, and this could prove costly.

The real problem with security is that people mistakenly persist in acting as though it is a problem that can be solved by the adoption of a solution. In spite of the quality of many available solutions, this is simply wrong thinking.

Security is best addressed through a policy based on the understanding that things will go wrong, and that damage control measures must be in place to deal with failures when they occur.

Embedding damage control processes into the business, such as disaster recovery measures, introduces automatic responses that minimise firefighting. Coupled with constantly evolving security solutions, this approach of managing risk proactively creates flexible business processes capable of withstanding far greater levels of threat.

This is such a vital need for the Web-enabled enterprise that the question is no longer whether risk management should be implemented, but when it will be up and running.