There was a time when business security simply meant a bolt on a solid door, locked filing cabinets, a safe with a secure combination, burglar and fire alarms, and paying a surveillance company to put your building on its nightly rounds.
While these remain a high priority, the pervasiveness of the internet and the growth of sensitive and critical information flowing electronically around modern businesses have steadily increased exposure.
Gartner Group says this is the year of reckoning for IT security in Asia-Pacific. Its latest survey of chief information officers from more than 30 countries ranks security as the number-one technology priority for 2005. It says the serious threats to business security are now converging from professional criminals, not bored teenage hackers.
As the business world goes increasingly mobile and wireless – whether it’s cellular connectivity or Wifi, notebooks, PDAs or smart phones – the likelihood of prying eyes sniffing out sensitive information or intercepting online activities is increasing exponentially.
A piecemeal approach to security is no longer the way to go. Companies need a strategy, a whole-of-business approach, based around an audit of corporate needs and written into a security policy.
No one, for example, should be able to attach a personal laptop to the company network or load CD-ROMs or software without clearance from the IT manager and a thorough malware scan.
This policy should define how outside parties communicate electronically, what level of access they will have to computer systems and what is considered ‘normal’ behaviour, so that firewall rules can be written to exclude abnormal behaviour.
According to a 2004 survey by IDC New Zealand, only 10 percent of respondents had planned to boost security last year. However, by April it was clear hackers, crackers and those on phishing expeditions were running riot, and the release of internet nasties such as worms and viruses was nearing plague proportions.
These internet-borne threats forced users across the country to push past their conservative security plans and invest in furious last-minute fortification. As the dust cleared, IDC found that in fact 30 percent of local companies ended up bolstering security.
Rather than an afterthought, the top five dedicated security providers – Symantec, IBM, Cisco, McAfee and Microsoft – are all now top of mind when it comes to company IT buying intentions.
While the threat has abated somewhat Jenna Griffin, IDC’s market analyst for services and solutions, says it is clear that crackers and developers of viruses are becoming more sophisticated. “These threats are becoming harder to secure against and prevent, and our latest survey suggests 35.2 percent of businesses will continue to invest in security in 2005.”
Companies are now focusing on overall policies and prefer a single solution from one vendor rather than dealing with four or five vendors to get a secure infrastructure. Griffin says vendors who are partnering to provide all-in-one security solutions are well positioned to take advantage of that.
One of the core requirements for electronic security is to ensure software patches and fixes are up to date. Security advisories come out from Microsoft and other vendors on a regular basis, but if the IT department doesn’t keep on top of them the company is unnecessarily exposed.
What about passwords? Is a single static password for access into the corporate network or the desktop sufficient? No; according to the experts that’s so 1990s. Multi-layered security, including passwords that change frequently and possibly even biometric access – where fingerprint readers are used to get into the computer and network, or even into particular files – is favoured.
IDC says that while 80 to 90 percent of those surveyed in 2004 had installed a firewall, anti-virus software, a virtual private network (VPN) or a combination of the three, only 40 percent planned to invest in the security 3As. That’s administration, authorisation and authentication, including measures such as two-factor identification and one-time passwords (OTPs), which provide secure access to a network both internally and remotely.
Peter Benson and his team at Auckland-based Security-Assessment.com conduct security audits for a range of businesses to help isolate vulnerabilities in IT and internet-based systems. They’re in business to out-hack the hackers.
Benson urges companies to start from the premise that security risk is a business risk rather than a technology problem. The security strategy needs to come from the boardroom, not from the technology department, so that technology is built around business decisions and not the other way round.
From an environmental perspective, companies may need to consider contingency plans in case of fire, flood or earthquake. He says the key is maintaining ongoing availability of critical data through a business continuity and data recovery plan.
Businesses need an information protection strategy that maintains the integrity of the data and defines who can have access to it. Is it public knowledge, restricted data, commercial and confidential, or based around human resources and personnel? Each classification will have a different access profile.
The growing number of mobile workers who use uncontrolled, unsecured devices such as laptops, PDAs and smart cell phones, or who use Bluetooth connections to link to corporate machines to synchronise with Outlook or download applications or spreadsheets, often places the business at risk.
Wireless networks, voice over IP and Bluetooth all ship in a relatively insecure state and must be properly configured before use, says Benson.
And if you think it’s okay to use a Wifi hotspot at a hotel or public place, or a cyber café, for business purposes, think again. Anyone not at a trusted location is inviting trouble, says Benson. “Wifi points are typically not authenticated which means someone with malicious intent might sniff out anything you are doing.”
His view is backed up by the Internet Safety Group, which recently conducted a “random survey” across 10 sites and found most were unsafe: most computers were infected with spyware and vulnerable to hackers.
Software that logs keystrokes and can capture internet banking passwords and other personal information was present on a number of computers. IBM New Zealand security practice leader John Martin said security was totally inadequate and customers should expect a better level of service.
The problem with security, says Benson, is usually between the keyboard and the chair. “Awareness is a huge issue not only for the user of technology but in training technologists, including web developers, that security shouldn’t be sacrificed for functionality and should never be an afterthought.”
Critical data should be backed up onsite and off site, or there may be a complete hot site where, if faced with disaster, the entire environment can be rapidly restored.
Identifying information assets and giving them some tangible value can help in assessing what needs the highest level of protection. A customer database and financial records are obviously vital to the business.
While in the past the trend has been toward newer and faster technologies the focus is shifting to protecting information. The move from traditional server-based storage to storage area networks (SAN) and network attached storage (NAS) is one way of consolidating resources and optimising availability.
“You can replace a hard disk or server but you can’t replace data if you lose it, and recreating it can be very costly,” says Aaron Lamond, Hewlett Packard’s StorageWorks marketing manager.
He believes Information Lifecycle Management (ILM) methodologies can help companies keep track of key data through its useful lifecycle. “It could be an invoice which has immediate value for gaining revenue. Beyond that it has financial, audit and tax implications and there is a responsibility to store and track it.”