Defending your data
There is nothing mystical about information technology security. Nor should it be seen as something sinister or a "big magic black hole", according to Doug Jenkins, senior consultant in information security at e-enterprise integrator Kanbay Australia. It all comes back to risk management, he says, and each company's risks differ.
However, there is still the issue of whether companies are aware of just how great the risks are. A study released earlier this year by information security consultant Deloitte Touche Tohmatsu and the Information Systems Audit and Control Association (ISACA) looked at the status of e-commerce security around the world. The E-Commerce Security: A Global Status Report assessed whether the companies surveyed were managing the risks associated with the adoption of e-commerce.
It found that while most company executives involved in e-commerce were satisfied with the state of their organisation's e-commerce security, company auditors and computer security managers had considerably less confidence.
Dean Kingsley, partner, enterprise risk services, at Deloitte Touche Tohmatsu, says the survey interviewed 150 companies worldwide, including 10 in Australia.
The findings showed that in the Asia-Pacific region only 20 per cent of organisations had formal security strategies and policies in place, compared to 35 per cent globally.
Those surveyed perceived the primary e-commerce security risk to be unauthorised access, and many of the organisations interviewed cited the lack of globally accepted standards and guidelines for e-commerce as a concern. The major security measures cited as being in place were virus scanning (90 per cent), firewalls (85 per cent), password authentication (75 per cent), intrusion detection (60 per cent) and SSL encryption (55 per cent).
Quantifying the risk
Martyn Bartlett, regional director Asia-Pacific, at enterprise software vendor Tumbleweed Communications, describes the IT dangers as "quite significant". He says problems with intrusion are often not publicised because companies already have to conquer customers' fears on issues such as privacy and the submission of credit card details. "If you're going to try to [promote] consumer confidence, the last thing you want to do is publicise the fact that a Web site has been hacked."
It should also be remembered that the risks to IT security can come from within as well as outside, and may not always be intentional security breaches either. Jenkins uses the example of simply sending an e-mail with confidential information to the wrong person or (worse) distribution list.
Changing staff attitudes to new security systems may not always be easy either. Peter Sandilands, Check Point Software Technologies' regional manager Australia/NZ, advises selling security on its business benefits, such as the necessity of controlling the flow of information in the organisation. "It's as if you've had free rein to roam the building as much as you like and somebody new comes in to the operation and locks all the office doors so you can only go into areas where you're allowed."
Deloitte Touche Tohmatsu's Kingsley suggests one-on-one contact is still the best way for IT managers to educate users about security and how to use the systems. At the same time, he sees many companies opening systems up to staff even more, under the concept of the knowledge worker. "This actually makes internal hacking a much bigger risk than it's ever been," he says. "The vast majority of security incidents - people stealing data, shutting systems down - happen internally.
"What's been interesting about the security phenomenon is that there's been a lot of talk and energy going into protecting ourselves from the bad guys outside, but it's probably led to an actual reduction in focus on the bad guys inside." (See "Security starts from within" in this issue.) Kingsley emphasised this point, adding that most companies, when they consider security, think of firewalls, intrusion detection and other outside risks. "Most people aren't thinking about internal firewalls, internal intrusion detection, policies and procedures, training, awareness."
Setting the standards
Ross Wraight, chief executive at standards organisation Standards Australia International, says the organisation is trying to ensure products and systems connect internationally "to have this sort of borderless world where any system or any application anywhere can communicate to another one".
In March, Standards Australia launched a standard aimed at helping organisations improve the way they managed information security, which it saw as an increasingly critical issue for companies that rely on electronic commerce, e-mail and the Internet to do business.
There are two parts to the new standard. Part 1 (a revised AS/NZS 4444.1:1999, Information security management - Code of practice for information security management) gives detailed guidance on how to develop an information security management system. Part 2 (AS/NZS 4444.2:2000, Information security management - Specification for information security management systems) is designed to be used as the basis for independent certification. Both parts are Australian/New Zealand adoptions of the British BS 7799 standard. (Visit Standards Australia at www.standards.com.au; see also www.ecommercestandards.com.) The standard examines such questions as:
- how does a company protect its electronic mail from viruses or interception?
- how safe is it to give a credit card number over the Internet?
- how can teleworkers remotely access their company networks without a lapse in security?
- how can digital signatures be protected?
- how do companies protect client information?
- when it's given personal information, how does a company create trust that it will handle the information confidentially?
Standards Australia is also developing a scheme to certify companies that meet the new standard, which it expects to complete early in the new year. The certification scheme will be voluntary and Wraight envisages, once operational, it will give companies a way of demonstrating to customers and business partners that they can be trusted to manage the risks associated with their information systems.
What about business partners?
Outsourcing and partnering are increasingly used by businesses, and Kanbay's Jenkins says it is common for IT departments to exchange information on their level of security.
According to Ann Knight, national security manager at systems integrator Com Tech Communications, partners generally agree between themselves what level of security will be required. For it to work successfully, though, Knight says the security measures usually have to be equal at both ends - strong authentication or non-repudiation, for example.
"As we move towards more payment over the Internet, [it's] very important to make sure the person who is doing that transaction is in fact the person they say they are."
Wraight uses the example of the issues facing Standards Australia, an independent business, totally reliant on information technology. Selling a large number of publications over the Net, its risks are huge if it doesn't manage its IT assets.
"We need to make sure we've got systems in place that give us maximum protection to treat all of the information risks to give us confidence and to ensure we can deliver our products and services to our customers all the time," he says, adding that it was also an important issue for its customers. "If we have an IT failure, we can't deliver to our customers. That then flows on to their businesses."
Stories of e-mail viruses, Web sites being defaced and denial-of-service attacks do surface, but generally companies are hesitant to talk about their IT security being breached.
As Com Tech's Knight asks, how many times do you see a company coming out and saying they were hacked or lost money as the result of an attack? However, just because the information is not made public does not mean it's not an issue.
"It does happen, and it happens quite regularly, but nobody is going to be prepared to actually publish that information," she adds.
According to Check Point's Sandilands, people are reluctant to talk about attacks, particularly successful ones. However, he estimates there is probably about the same level of attack here as in the US.
Kanbay's Jenkins says tools are available for people to crack passwords, but in fact the most common way to get into systems is to utilise known vulnerabilities. "Every bit of computer hardware and software has some flaws in it," he asserts, using the example of a firewall where (when you are installing it) you don't change the default password which comes with the system. He says most hacker packages go through all of the known, well-publicised vulnerabilities first.
Standards Australia comes across about 100 viruses a week, Wraight says. "Our antivirus technology protects us from them, but they're just constant. I don't think anybody realises just how prevalent this is."
He says the organisation has very good protection systems, but every now and then one like the Love Bug gets through. According to Wraight, the big problem with the Love Bug was that although the organisation knew a virus had got through its security screen, it found it didn't have a simple way of informing all staff quickly.
Since then it has developed a management system designed to help organisations think through how to deal with information risks such as virus attacks.
Utilising the tools
Kingsley says the survey revealed a lack of understanding of often complex security issues such as strong authentication and non-repudiation in the form of digital certificates and digital signatures, quite apart from legislation that varies between countries.
Knight says security comes in layers, and it's a matter of looking at the level of security a particular organisation requires: some organisations may opt for internal firewalls to segment the network, rather than relying on a single firewall at the perimeter.
As for virtual private networks (VPNs), Jenkins sees them as a good solution for businesses that want to set up a secure connection over the Internet. He says a VPN is a simple, cost-effective way for a company to implement the equivalent of what used to be an expensive leased line.
Organisations are making substantial investments in network security, Bartlett believes, such as protecting networks with firewalls, but should also be considering security measures for the content of online communication. He estimates that at least 25 per cent of e-mails coming into most organisations for staff are non-work related.
He also highlights the risks of employees downloading or circulating inappropriate material. Bartlett says a spate of law suits in the US encouraged companies there to implement content filtering systems, such as Tumbleweed's Messaging Management System (MMS). Bartlett says MMS scans all incoming and outgoing e-mails to detect unacceptable or potentially offensive material, and can also be configured to search for key words to make sure outgoing e-mails don't contain confidential information, intellectual property or inappropriate recommendations which could jeopardise a company's statutory position. "Basic risk management dictates that companies provide some means of controlling the messaging stream that enters and leaves the workplace.
This covers not just content but other countermeasures such as viral protection, archiving, compliance monitoring, automatic encryption and access."
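As an added illustration of the outgoing-mail check Bartlett describes (example code written for this edit, not Tumbleweed's MMS or any product's code), the following Go program parses a message, lets mail that stays inside the company's own domain through untouched, and quarantines mail to an outside recipient whose subject or body carries a confidentiality marker. The domain, the marker list and both sample messages are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Policy is the gateway's configuration. The domain and markers are
// constructed for this example, not taken from any real product or organisation.
type Policy struct {
	InternalDomain string   // recipients in this domain never trigger a quarantine
	Markers        []string // phrases that mark content as confidential
}

// Verdict is the decision recorded for one message.
type Verdict struct {
	Action  string   // "deliver" or "quarantine"
	Reasons []string // the markers that matched, for the audit trail
}

var DefaultPolicy = Policy{
	InternalDomain: "example.com.au",
	Markers:        []string{"confidential", "internal use only", "price list"},
}

// Constructed sample messages: one leaving the organisation, one staying inside it.
const OutboundToPartner = "From: alice@example.com.au\r\n" +
	"To: bob@partner.example\r\n" +
	"Subject: Q3 pricing\r\n" +
	"\r\n" +
	"Attached is the CONFIDENTIAL price list. Do not forward.\r\n"

const InternalOnly = "From: alice@example.com.au\r\n" +
	"To: carol@example.com.au\r\n" +
	"Cc: dave@Example.com.au\r\n" +
	"Subject: Q3 pricing\r\n" +
	"\r\n" +
	"Same CONFIDENTIAL price list, internal discussion.\r\n"

// externalRecipients returns the To/Cc addresses outside the internal domain.
// Domain comparison is case-insensitive, so "dave@Example.com.au" stays internal.
func externalRecipients(h mail.Header, domain string) ([]string, error) {
	var ext []string
	suffix := "@" + strings.ToLower(domain)
	for _, field := range []string{"To", "Cc"} {
		if h.Get(field) == "" {
			continue // header absent; AddressList would report an error
		}
		addrs, err := h.AddressList(field)
		if err != nil {
			return nil, fmt.Errorf("%s header: %w", field, err)
		}
		for _, a := range addrs {
			if !strings.HasSuffix(strings.ToLower(a.Address), suffix) {
				ext = append(ext, a.Address)
			}
		}
	}
	return ext, nil
}

// Inspect parses one raw RFC 822 message and applies the policy to it.
func Inspect(raw string, p Policy) (Verdict, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{}, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return Verdict{}, err
	}
	ext, err := externalRecipients(msg.Header, p.InternalDomain)
	if err != nil {
		return Verdict{}, err
	}
	if len(ext) == 0 {
		return Verdict{Action: "deliver"}, nil // nothing leaves the organisation
	}
	// Case-insensitive match over subject and body. A real gateway would also
	// decode MIME parts and attachments, which this example does not.
	text := strings.ToLower(msg.Header.Get("Subject") + "\n" + string(body))
	var hits []string
	for _, m := range p.Markers {
		if strings.Contains(text, strings.ToLower(m)) {
			hits = append(hits, m)
		}
	}
	if len(hits) > 0 {
		return Verdict{Action: "quarantine", Reasons: hits}, nil
	}
	return Verdict{Action: "deliver"}, nil
}

func main() {
	for name, raw := range map[string]string{"to partner": OutboundToPartner, "internal": InternalOnly} {
		v, err := Inspect(raw, DefaultPolicy)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-10s %-10s %v\n", name, v.Action, v.Reasons)
	}
}
```

Keyword matching of this kind is easy to evade (misspellings, encoded or zipped attachments, screenshots), so a filter like this catches accidental leaks of the sort Jenkins mentions, not a determined insider. Logging the matched markers, as the verdict does, matters more than the block itself: it is the evidence an audit or a dispute will need.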
Kingsley cites public key infrastructure (PKI) and digital certificates as security tools companies may consider. He says PKI raises complex issues: it is one thing to have an infrastructure and certificates and to know who people are, but if the applications you run cannot use the certificates, it becomes irrelevant what they could prove. Some off-the-shelf applications aren't built to use digital certificates, so it becomes a matter of re-engineering the applications.
The second issue is cost justification, such as that involved with public key infrastructures. "The answer is, if you're involved in B2B and multimillion-dollar transactions and you have just one of them that can't be legally enforced because you can't prove someone did it, your PKI just paid for itself."
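The property Kingsley is paying for is that a signature can be checked by someone who could not have produced it. The Go program below is an added example (not Deloitte's or any vendor's code) of that check on a B2B order: the buyer signs a canonical rendering of the order with a P-256 key, and the seller, an auditor or a court verifies it with the public key alone, so a changed amount or a signature made under another party's key is rejected. The order fields and values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Order is the B2B transaction the two parties are agreeing. The fields and
// sample values are constructed for this example.
type Order struct {
	Buyer  string
	Seller string
	Amount string // kept as a decimal string so both sides hash identical bytes
	Ref    string
}

// canonical serialises the order in a fixed field order. Any difference in
// what the two sides hash, down to whitespace, makes verification fail.
func (o Order) canonical() []byte {
	return []byte(fmt.Sprintf("buyer=%s\nseller=%s\namount=%s\nref=%s\n",
		o.Buyer, o.Seller, o.Amount, o.Ref))
}

// NewKeyPair generates the buyer's P-256 key. In a PKI the public half would be
// bound to the buyer's identity by a certificate; the private half never leaves them.
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is run by the buyer. Only the holder of the private key can produce this value.
func Sign(priv *ecdsa.PrivateKey, o Order) ([]byte, error) {
	digest := sha256.Sum256(o.canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is run by the seller, an auditor or a court, using only the public key.
// Because the verifier never holds the private key, a valid signature cannot have
// been forged by the verifier; a shared password or HMAC key cannot give you that.
func Verify(pub *ecdsa.PublicKey, o Order, sig []byte) bool {
	digest := sha256.Sum256(o.canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	order := Order{Buyer: "Buyer Pty Ltd", Seller: "Seller Pty Ltd", Amount: "2500000.00", Ref: "PO-2000-0417"}
	sig, err := Sign(priv, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("original order verifies:", Verify(&priv.PublicKey, order, sig))

	// The seller later claims a larger amount: the stored signature no longer matches.
	altered := order
	altered.Amount = "3500000.00"
	fmt.Println("altered order verifies: ", Verify(&priv.PublicKey, altered, sig))
}
```

The cryptography is the easy part. What makes the signature enforceable in the sense Kingsley means is everything around it: a certificate that binds the public key to the buyer, a private key kept where the buyer cannot plausibly claim it was stolen (a smart card, as in the Triton Secure product described below), revocation checking, and a trusted timestamp so the order can be shown to have been signed while the certificate was valid. Those pieces are the "complex issues" and the cost he refers to.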
David Heath, technical manager at positive authentication provider Triton Secure, advises against relying on passwords, seeing them as no longer effectively protecting information. Heath believes the more complicated IT managers make password rules, the less staff honour them.
Among Triton Secure's products is the SAFLINK SAF2000, an enterprise server-based solution which integrates multiple biometrics with smart cards and PKI. It can be used with network infrastructures such as Microsoft Windows NT, Novell NetWare, and Computer Associates Unicenter TNG. The product uses fingerprint, face, voice or iris to authenticate users at log-on and allows administrators to control which areas users can access.
What about WAP?
There's been a lot of hype surrounding what wireless application protocol (WAP) can do, but not as much over the security associated with using or working with it, according to Sandilands.
And because it's still relatively new, Kingsley says there isn't enough of a threat profile yet. However, he believes WAP is close enough to HTML and normal Web technologies that it's not too hard to take the threats and vulnerabilities of the Web world and create WAP equivalents: WAP viruses and trojans, exploitable vulnerabilities and denial-of-service attacks.
Likewise, Knight believes it's still early days for WAP. She envisages most of the security on WAP will need to be voice-oriented, using tools such as voice recognition, which she says provides strong authentication because of the unique speech pattern each person has.
Looking ahead, the consensus among industry pundits is that security will keep developing.
Knight sees services as a growth area. Rather than every organisation having to build a team of security people, she thinks they'll have a core group and use out-of-house managed services.
The systems approach and interdependence are the two areas Wraight sees becoming the big issues globally. He believes we have been sidetracked by e-commerce transactions. "It doesn't matter if you're new economy or old economy - every significant organisation, even SMEs, are really reliant on information technology."
Heath envisages a future for security products where they are "faster, more discreet, more reliable".
He cites fingerprint scanners costing $3000-10,000 three years ago, compared to the current sub-$500 price tags.
Kingsley adds that for a long time the concentration has been on perimeter security, but in the last six to 12 months many have accepted that "people will always get access to things you don't want them to".
He believes areas such as intelligent intrusion detection will become increasingly popular, enabling an adaptive response like shutting down the offending connection or altering the firewall to stop the intrusion, real-time patching of whatever vulnerability is being exploited.
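The adaptive response Kingsley describes, reduced to its simplest form, is a detector that counts failed logins per source and emits a firewall change once a threshold is crossed. The Go program below is an added example (not part of the article or any vendor's product) of that loop run over a handful of constructed log lines; the log format, the threshold, the rule syntax and the list of protected hosts are all assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleLog is constructed for this example; it is not the syslog output of any
// particular firewall or operating system.
var SampleLog = []string{
	"2000-11-02T02:14:07 auth src=203.0.113.7 user=admin result=FAIL",
	"2000-11-02T02:14:09 auth src=203.0.113.7 user=root result=FAIL",
	"2000-11-02T02:14:11 auth src=203.0.113.7 user=guest result=FAIL",
	"2000-11-02T02:14:12 auth src=198.51.100.20 user=jsmith result=FAIL",
	"2000-11-02T02:14:20 auth src=198.51.100.20 user=jsmith result=OK",
	"2000-11-02T02:14:30 auth src=192.0.2.5 user=admin result=FAIL",
	"2000-11-02T02:14:31 auth src=192.0.2.5 user=admin result=FAIL",
	"2000-11-02T02:14:32 auth src=192.0.2.5 user=admin result=FAIL",
	"2000-11-02T02:14:33 auth src=192.0.2.5 user=admin result=FAIL",
	"malformed line with no fields",
}

// Event is one parsed login attempt.
type Event struct {
	Src    string
	Result string // "FAIL" or "OK"
}

// parseLine extracts src= and result= from a key=value log line; lines
// missing either field are skipped rather than guessed at.
func parseLine(line string) (Event, bool) {
	var e Event
	for _, f := range strings.Fields(line) {
		switch {
		case strings.HasPrefix(f, "src="):
			e.Src = strings.TrimPrefix(f, "src=")
		case strings.HasPrefix(f, "result="):
			e.Result = strings.TrimPrefix(f, "result=")
		}
	}
	return e, e.Src != "" && e.Result != ""
}

// Responder turns a stream of failures into firewall changes.
type Responder struct {
	Threshold int             // failures from one source before it is blocked
	Protected map[string]bool // management hosts that must never be auto-blocked
}

// DefaultResponder treats 192.0.2.5 as the administrators' own jump host.
var DefaultResponder = Responder{Threshold: 3, Protected: map[string]bool{"192.0.2.5": true}}

// Decide counts failed logins per source and returns the sources to block,
// the rules to push to the firewall (illustrative syntax only) and the
// protected sources that crossed the threshold but were only alerted on.
func (r Responder) Decide(log []string) (blocked, rules, skipped []string) {
	fails := map[string]int{}
	var order []string // first-seen order keeps the output deterministic
	for _, line := range log {
		e, ok := parseLine(line)
		if !ok || e.Result != "FAIL" {
			continue
		}
		if fails[e.Src] == 0 {
			order = append(order, e.Src)
		}
		fails[e.Src]++
	}
	for _, src := range order {
		if fails[src] < r.Threshold {
			continue
		}
		if r.Protected[src] {
			skipped = append(skipped, src) // alert instead; never lock out the admins
			continue
		}
		blocked = append(blocked, src)
		rules = append(rules, fmt.Sprintf("deny in from %s to any  # auto-block, %d failures", src, fails[src]))
	}
	return blocked, rules, skipped
}

func main() {
	blocked, rules, skipped := DefaultResponder.Decide(SampleLog)
	fmt.Println("blocked:", blocked)
	fmt.Println("alert only (protected):", skipped)
	for _, r := range rules {
		fmt.Println(r)
	}
}
```

The protected list is not an optional nicety. Anything that rewrites firewall rules on its own can be turned against you: an attacker who can make failures appear to come from your partner's gateway, your monitoring host or your own administrators' network gets the denial-of-service Kingsley mentions without breaking in at all. In practice blocks should also expire after a set interval rather than accumulate indefinitely.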
And he offers a word of warning about the increasingly organised nature of threats: "There are certainly incidents of highly structured and deliberate external attacks. Hackers, in their spare time at 2am, wandering around Web sites seeing what they can do, will always be a threat. But now the biggest danger is someone who's doing it deliberately and really knows how."