Security blanket

A new Age of Insecurity veined with nasty-looking trends confronts managers of information technology in private and public companies.

Society's critical information networks - power, water, health, finance - are tempting targets for cyber attacks by terrorists looking for destabilising supplements to their physical atrocities.

Another clear and present danger is the appearance of newer versions of super-worms - like Nimda and Code Red - capable of infecting servers around the globe in less than an hour.

The spread of wireless networks is opening fresh windows of opportunity for detection-free intrusions.

Then there is the trend towards legislation beefing up government electronic surveillance and monitoring powers. And let's not forget the Privacy Act amendments, which raise the bar for protection of customer information. Factor in the recessionary chill which the shadow of September 11 has cast over corporate budgets and it adds up to interesting times in the IT security space.

Counter-intuitively, vendors hoping to see a rush of orders to kick off the new Age of Insecurity have had expectations dashed.

Far from splashing out on new security initiatives, business is reacting by battening down the hatches on their corporate exchequers.

Prevailing attitudes are dominated by caution, pragmatism and a renewed focus on ROI, says Glen Miller, managing director of Australian IT security solutions distributor Janteknology.

A straw poll of several dozen Australian IT managers and CIOs showed corporate Australia has adopted a business as usual attitude towards security in the wake of September 11.

They are continuing to do their regular disaster recovery, vulnerability testing and network security reviews but aren't welding on any fresh armour plating.

George Weston Foods CIO Frank Coogan said his company had a security initiative under way. It was part of the company's continuous scrutiny of security matters and not prompted by concerns related to the New York terror attack, he said.

Cashcard Australia was double-checking its disaster recovery and continuous availability procedures "to make sure they are current", said CIO Geoff Lord.

Epworth Hospital has been reviewing IT security for several months, according to IT manager Peter Dickason.

"I don't think September 11 caused us to review things any more than we normally would. The Nimda virus probably hastened along a project we already had in operation but we don't run Microsoft servers and it didn't get into our networks in any malicious way."

US-owned companies are sending directives to their Australian subsidiaries to ensure their disaster recovery and business continuity plans are up to date and tested, says PricewaterhouseCoopers technology risk specialist partner Jan Schreuder.

However, organisations in Australia are generally putting their primary emphasis on physical security, not on IT security, Schreuder said.

Nimda has had far more effect on data security plans in Australia than the New York atrocity, he said.

"Nimda has been extremely hard to stop and not many organisations have escaped it totally.

"Even now it is popping up all over the place, often because somebody took a laptop home, connected it to his ISP and then reintroduced the infection when he went back to the office."

The most significant impact of Nimda was not necessarily in downtime but in overtime shifts worked by IT departments on weekends and overnight to clean the worm out of their servers, he said.

"Nimda has been a real frustration and it has increased the business focus on security at senior management levels."

The thorniest IT security issue for management at the moment is the struggle to keep up with the continuous flood of patches provided by software vendors, Schreuder said.

"The administration costs around all this are enormous and if you tried to apply every single patch that was made available, it would become a full-time job."

A method of prioritising or categorising patches in terms of importance and more streamlined distribution systems by vendors are badly needed, Schreuder said.

Getting physical

Physical rather than IT security has dominated the thinking of Australia's political elites since the New York attack.

Post-September 11 Australian efforts to lift cybersecurity to new levels have been much lower key than in the US - at least publicly.

Where the US has appointed a Presidential adviser for cyberspace security to coordinate efforts to safeguard critical information infrastructures, "very disappointingly", the Australian Government has created no similar post, says Janteknology's Miller.

The US is also fostering a dialogue between the FBI and more than 27,000 corporate security officers at companies owning and operating systems such as telecomms, banking and finance, railroads, water supply, transport, and electric power facilities.

"Australia is equally at risk of cyber attacks, but there have been no statements here about hardening critical networks against attack here," Miller says. "I hope they are doing something. It would be silly for them not to be."

The destabilising potential of cyber attacks as morale-harming adjuncts to physical terror attacks is too obvious to ignore, he suggests.

Especially after Nimda, which showed how unprepared most of the critical infrastructures are.

Janteknology's server logs showed 30,000 attacks in an eight-hour period, of which a number were vectored from telcos and power companies.

"You would naturally expect those organisations to have bulletproof security, but it was their infected IIS servers that were attacking us."

Miller excludes banking systems from his criticism. "I would say that generally speaking, banks have created the most hardened IT targets, notwithstanding the military."

Miller says it doesn't take much imagination to foresee payloads of worms like Nimda and Code Red being manipulated into something really destructive.

If the small- to medium-size enterprise, large corporate and government worlds ignore such warnings and adopt the ostrich syndrome, "the computer security industry may only have itself to blame because we are seen as hype meisters and there is an element of the boy who cried wolf in this."

The National Office for the Information Economy declined to comment on the issue of what, if any, steps are being taken to harden the national information infrastructure.

For corporates, any reaction to fears of cyber warfare will largely consist of strengthening traditional mechanisms, says Meta Group program director, global networking strategies, Mark Bouchard.

That takes in antivirus updates, Web site integrity measures, firewall protection and intrusion detection.

Australia's amended Privacy Act, due to take effect on December 21, will mean extra business costs, Bouchard says.

But the increases will not be overly burdensome and in the long run compliance with the legislation will work to the benefit of business, he argues.

Organisations have to add strategies for database encryption, install privacy training programs and modify policies to demonstrate they are promoting a culture of privacy.

"But these are costs that corporate Australia should embrace," Bouchard says. "We need this base level of security in place before we can install the national and international trust frameworks that pave the way for a true digital economy."

Meanwhile, increased government antiterrorism surveillance of corporate e-mail and Internet traffic will translate into eavesdropping on sensitive corporate communications.

Corporate fears on that account would lead to heightened use of encryption, but so far, there has been no post-September 11 spike in Australian sales of encryption products. A proposal to expand police powers to tap the Internet, e-mail and phones has been introduced in Parliament. It carries the jaw-cracking title: Telecommunications Interception Legislation Amendment Bill 2001.

Says PWC's Schreuder: "It is fair to say there is generally a concern about government's ability and right to monitor that traffic.

"But people also realise that if it is in the interests of national security, it might be required."

In any event, that battle will be fought at the political level by civil libertarian groups rather than by corporate IT security officers.

One existing government electronic intelligence gathering system, Echelon, has been branded by the European Parliament as a system aimed at picking up commercially useful data.

Australia, along with the US, Canada, the UK and New Zealand, is an Echelon partner although the Government refuses to discuss it.

As far as corporate Australia is concerned, "Echelon has been discussed informally but there is no consensus", Schreuder says.

"Informed CIOs and security officers are aware of it, but they are in a wait and see mode."
