SINGAPORE (04/11/2000) - While the continued growth of the Internet and mobile access has created many business opportunities, it has also created a wild, wild world of Web and wireless insecurity, where companies must now look more closely at guarding their networks against an increasing number of hack attacks.
Today, wireless Internet requires too many intervening players to conduct end-to-end transactions, which therefore, adds to the complexity of the picture, according to Pierre Noel, chief executive officer of security consortium ICSA.net Asia-Pacific.
The growth of wireless services will also introduce a new category of users, who are perhaps even less aware of the security implications in their daily transactions, Noel said.
Wireless Internet and WAP (wireless application protocol) are also highly attractive for the rapid deployment on new e-commerce sites in view of the emerging customer demands, he said.
"Time pressures leaves little room for security consideration, and we might expect these services to come with their load of security holes," Noel warned.
"All these concur to a significant increase of the security risks."
"Today's security on top of WAP is far from absolute, the concept is still very immature, so is its security framework," he said. "Unless special techniques are used, information over WAP cannot be confidentially transmitted end-to-end, and is therefore subjected to middleman interception."
"I would remain very cautious on the overall protection for financial transactions conducted over wireless Internet. We have to let the technology mature a little before we can see what makes sense as a proper security solution."
Noel is currently working with the Hong Kong government on establishing a wireless public key infrastructure.
And while the Internet brings with it tremendous opportunity, it is also shrouded by serious security challenges, creating an environment where enterprises are rushing to keep pace with the e-business imperative, and integrating suppliers and customers over public network infrastructures, said Simon Naylor, Asia-Pacific vice president, RSA Security.
Protecting valuable corporate assets while opening up these e-business opportunities raises serious security concerns in companies expecting to manage a substantial portion of their business over intranets and extranets, Naylor said.
"Organizations are concerned about the direct economic risks of compromised security. They also fear severe loss of business through compromised Web presence. The stakes are high," he added.
The Internet is by nature, public, distributed, connected, and very dynamic, and it has seen phenomenal growth in infrastructure, the number of people online, and the types of applications running across it, said Stephen Tan, business continuity and recovery services, IBM Global Services, Singapore. This multi-dimensional growth is enabling tremendous business rewards, especially for those who stake their claims first, but at the same time, this growth is engendering risks, Tan said.
Security is one of the critical issues any organization faces when they expand and extend their business to the electronic world, and there are some key security issues that must be considered, he added, and named security policies and posture, theft of proprietary information, and denial of services as examples.
Viruses are still the number one threat and concern, said Leigh Costin, international product manager, enterprise solutions division, Symantec Asia-Pacific, who noted that the number of hacking incidents in the last six months of last year, was higher than that figure over the previous two and half years.
There is concern also over what employees are downloading from the Internet, Costin said, noting that a lot of that is tied up with mobile-code issues. Web sites with multimedia or graphic displays typically use either Java or ActiveX code, which can increase the sites' vulnerability to virus attacks. And because ActiveX runs outside the engine of Web browsers, viruses can still lurk even after the user has logged out from the browser.
Ensuring that the network is "Internet-ready" will depend on the organization's business use of the Internet, said Charles Williams, chief scientist at Cylink.
For example, if the Internet is used for posting general information to the open public, the concerns are limited to assuring access to the site, and ensuring that hackers cannot modify the site, Williams explained.
But if the business application is supply chain management, the considerations are quite different, he noted. The focus is then on ensuring "fine-grain" access control to systems and data, encryption to protect sensitive information flowing across the Internet, he said.
All systems attached to the Internet must be continuously monitored for security breaches, Williams advised, where it is critical that businesses should not rely on one tool, "especially automatic tools", to monitor their systems on the Internet.
It is crucial also to have a plan that outlines actions that should be taken in response to the event where the system is being hacked, he said.
"This plan must be unambiguous and easy to execute," he added. "Proper planning and network architecture are key to making the plan easy to execute."
"It must also be reviewed and approved by all business managers, so they understand what will happen to their systems and processes after an attack.
This approval is important since the response to an attack might further disrupt business process, for example, the shutting down of the system or even network."
When companies look at ways to secure their network, they should consider several factors such as implementing proactive verification of Internet/intranet security, and embedding tools that help prevent and detect unauthorised activities, Tan advised.
Businesses should also hire skilled resources in terms of knowledge and experience, and equip them with the right set of tools to respond to emergency situations, he added. These people should be vigilant in securing their Internet/intranet 24 hours a day, 7 days a week, and have access to experts to discuss security implementation and issues, he said.
"Creating a secure posture for e-business is not a single event, it is a process," he stressed. "It takes time and must be constantly improved and fine-tuned, and should become an integral part of standard business operations." Tan added that security approaches that take a holistic view of hardware, software, services, and networks have the best chance of succeeding.
He suggested that businesses should begin with three fundamental guidelines for managing guidelines to manage Internet security: understand your dependencies on the Internet, maintain constant awareness of the status of those dependencies, and be able to react in a pre-planned manner to changes in the environment.
Although new security gaps will continue to emerge, organizations can mitigate risks by exercising due diligence, and by implementing processes for preventing and reacting to security incidents, he said. Awareness and effective management of security risks are distinguishing characteristics of successful online businesses, he added.
Organizations also need to have a reference defining the appropriate security conducts to adopt, and this security policy needs to be simple and adapted to their business environment, said Noel.
In the vast majority of the cases, Internet-related hacking could have been easily avoided by keeping the "exposed systems" such as Web server, mail server, and firewall, current with latest patches and anti-virus signatures, he said. Companies should also establish a trusted information security feed to enable their security personnel to prioritize, and make proper decisions when protecting against new threats, he added.
"The real security comes with the team, rather than the technologies around it," he said. "Proper Internet security requires daily focus and quick reaction to the possibility of new threats. This can only be achieved with an educated security team with access to trusted support."
"What really makes you vulnerable is not the lack of technology, but the lack of follow-up by your security administrators," Noel said. "These people are typically the network administrator, the IT administrator so they don't have time to fully focus on being a security administrator. That's the problem."
"The technology is fine, it's just that these administrators don't have the time or are not aware or educated about these security patches."
Inside attacks Hack attacks from within the network are much more difficult to defend against, detect, and respond, Williams said, but suggested however, that companies could make it customary to know who their employees are.
"Background checks are very important before the employees are hired," he explained. "Use good management techniques to prevent or identify and treat disgruntled employees. Make sure that all employees understand the importance of security. Use good business planning and risk-management techniques to prevent unnecessary access to sensitive information."
"Ensure that employees have the tools and system to effectively perform their jobs. Don't make honest employees circumvent security in order to complete their jobs. An inside hack has many of the features of a natural disaster. Make sure effective disaster recovery methods are in place."
But a lot of the attacks that originate from within the company happen purely by accident, rather than out of malice, Noel said.
More often than not, employees are unaware that they may be putting their companies at risk by bringing a virus-infected floppy disk from home to the office, he said, adding that a lot of this can be eliminated by education.
Malicious or not, security policing is one way of curbing attacks from the inside, and this policy has to fit the philosophy of the company, he explained.
For example, it is not realistic to ask employees to change their password everyday.
"Set the rules, and educate the employees. And write down a small time plan or easy-to-understand rules over the company's intranet, so that everyone can read, understand and appreciate these rules," he suggested.
Companies should then put in place some form of mechanism to control or show that they are capable of controlling the system, he said, adding that security policing not only helps increase awareness, it also double-up as a deterrent to discourage employees from even contemplating committing a breach.
"Show that you know what your users are doing. One way is to ask security consultants to come to the office, and look at the way people do things, so people will notice and know that something is being done, and be more aware of security," Noel said.
Security is a company-wide issue, where establishing policies and identifying vulnerabilities and counter-measures, must be done in the context of corporate security as a whole, so that cost effective solutions can be identified, Naylor said.
A vulnerable system means it is exposed to exploitation, where this weakness may arise by accident or may be the result of a decision made to achieve valid business objectives, he said, noting that it is critical then to identify specific handicaps that arise as a result of business decisions.
Effective security starts with a strategy that is based on an understanding of what needs to be protected and from whom, he said, adding that this strategy should be implemented through a consistent centralized policy that is understood by everyone in the company and that encompasses all aspects of security. Because threats induced by the Internet are of an "ever-evolving" nature, security should not be reduced to simply buying a couple of firewalls, and assuming the network is sufficiently protected, Noel said.
"As organizations place more and more of their business on the Internet, the need for effective Internet security procedures, and the means to enforce adherence to them are clear," Tan said. "What is also clear is the need to review and update these procedures for dealing with intrusions on a regular basis, responding to the continual changes in Internet technology and network infrastructures."
"Forensic analysis" must sit at the top of this list, where companies should quickly identify how and where the hacker was able to penetrate the system, and shut the loophole, Noel added. The next step is then to reactivate a backup system to take over the operations, he said, noting that a sound disaster-ready site is especially critical if the company's entire business depends on e-commerce.