Subscribe
About

Cyber-baddies make hay as CIOs snooze

Old-style firewalls and anti-virus solutions are woefully inadequate for the new generation of security threats.
By Peter van der Merwe
Johannesburg, 07 May 2007

Late last year, technology research company Gartner dropped a bombshell in its annual Top 10 predictions: by the end of 2007, it said, fully 75% of enterprises would be infected with undetected, financially motivated and carefully targeted malware that had evaded their traditional information security systems.

The response from business was underwhelming, to say the least. In the 2007 Gartner CIO survey, information security dropped from its ranking as the number one priority in 2005 and number two in 2006 to number six in terms of planned investment in technology.

That is a little bizarre in an environment where phishing has become a multibillion-dollar industry and draft data loss protection legislation is about to be signed into law by South Africa's Parliament. Right now, it seems, SA's captains of industry are more worried about uptime and availability than genuine security in a rapidly changing environment - and it could cost them dearly indeed, according to the panellists at a recent roundtable on IT security held at ITWeb.

Quite simply, the threat landscape has changed, says Andrew Ochse, a senior product manager at SecureData. These are not the bad old days of the mid-1990s, where spotty teenagers hacked systems for the sheer glee of it. Today the threat is far more syndicated: highly organised gangs of criminals are targeting selected organisations for specific purposes to find holes and exploit them as quietly as possible for as much money as they can lay their hands on.

Spyware has already edged out hacking, viruses, worms and spam as the single largest threat to the integrity of corporate networks and data. Forget about pop-up advertisements and spam and virus attacks. Today, spyware is a powerful tool that criminals use for information theft and banking fraud, snaring passwords, usernames and logon codes for financial gain and corporate data theft.

To make matters worse, malware is being sold by criminal syndicates as drag-and-drop development kits, giving relatively unskilled criminals powerful tools that morph constantly, adapting on the fly to fool scanners. Add to this booby-trapped memory keys, viruses on smart phones or compromised Instant Messenger sessions, and it's no wonder IT security managers are looking haggard.

This changing threat means businesses will have to spend more time and energy making sure that data is not just secure, but also tracking which users are accessing and manipulating information stored in corporate databases.

Me, hacked? Never!

What's truly disturbing is that most companies have no clear idea of how to go about protecting themselves. Samresh Ramjith, a security consultant at Dimension Data, is constantly amazed at the number of large companies that have no coherent security strategy. They haphazardly pop in intrusion detection systems and firewalls to tick off boxes on their compliance checklist, and end up with a mishmash of solutions and no way of measuring their effectiveness.

<B>Putting a price on information security</B>

Faced with the reality of tight IT budgets and increased spending scrutiny, IT executives are battling to justify the costs of security spending.

IT executives are faced with the view by boards that security is a cost centre, an additional but unavoidable overhead, an unwanted and unnecessary tax imposed on the business.

But any company that suggests that it cannot afford IT security gets short shrift from SecureData's Andrew Ochse, who says companies should ask themselves what their information is worth.

"The question is not whether you can afford security. Rather, it's can you afford NOT to have security? If you're a small manufacturing company, someone can walk out with your company's most valuable drawings and processes on a memory stick. It could close you down. What's the cost of that?" asks Ochse.

To build coherent security architectures and programs to support them, CIOs must assess their firms' security risks and develop proper strategies, says MB Technologies' Guy Whitcroft.

"Once they've done those things, security chiefs can ask for budget in terms that boards will understand."

To justify the need for increased security, CIOs must be able to outline how time-consuming and costly it is to recover from a security breach, he says. "The aftermath of a security breach or virus attack is far more costly than implementing proper security measures."

"Forget about ROI. CIOs should take a look at RON (return on negligence)," says CA's Karel Rode.

"What's the cost of not doing anything? What is the cost of the status quo? Can we do things better, with tighter security and with lower operational costs? Then we can move forward."

"We are way past the days of grudge spending on security. There is a huge disconnect between what the business needs and what IT is putting in," says Ramjith.

"There is no idea how to translate compliance codes into doing something tangible. Even the big companies are not properly protecting themselves."

Some companies simply install an integrated security suite at the corporate gateway, imagining that it protects them from most of the major threats that they face, says Daniel Mothersdale, regional marketing director at Webroot Software, a company that focuses on providing anti-spyware solutions.

"The reality is that these solutions are simply not up to dealing with the complex threat that spyware poses."

Some system owners, after being contacted, had no idea that their system is compromised. In other cases, when asked about network security issues, many CIOs say their companies' networks have never been hacked.

"Ignorance is bliss, I guess," says Amir Lubashevsky, MD of IT integrator Magix. "These people have been hacked. They just don't know it."

Enterprises need to re-examine their whole thinking around security, says Martin May, regional director for Enterasys Networks in Africa.

"The enemy is not beating at the gates: it has already slipped in through a hundred tiny cracks."

Many attacks can be prevented by applying best practices and common sense. Guy Whitcroft, chief technology executive at MB Technologies and a 30-year veteran of the IT industry, says the first thing information officers should do is get their policies and procedures right.

"Staff education is the first step. Only then do you build the technology," he says.

Many security chiefs continue to miss the boat by focusing on the perimeter, instead of risk management: that is, knowing what their information assets are and how they are going to be protected. This is the very essence of the Jericho Forum, an industry initiative that says traditional approaches to security are obsolete, and the focus should be on controlling access to the data, not the infrastructure.

For a start, this means security needs to pervade the organisation. Albie Bester, a senior executive at Microsoft SA, says the focus needs to be more on people, rather than devices, than ever before.

"Giving people certain rights to use certain resources is the basis of the Jericho Forum approach," says Bester. "This needs to be integrated across all devices in the company."

Secure the data, stupid

Indeed, data loss is one of the biggest threats facing corporate SA, says McAfee consultant Chris van Niekerk. Companies need sound strategies to cover data loss prevention, whether that be a bank keeping its client details secure or a company ensuring sensitive information on an employee's laptop is not sent by e-mail or copied onto a flash drive.

"Host-based data loss protection is critical, whether a device is connected to the network or not," says Van Niekerk.

"Our strong belief is that the solution must reside where the data is. The solution must focus on preventing data loss at the server, desktop and laptop."

Of course, this implies knowing what it is that companies want to protect in the first place. Business Connexion consultant Eric McGee says many companies don't know how to secure their e-mail, which is a critical business application, but is frequently left unsecured.

Symantec country manager Premlan Padayachi says mobile phones are another gaping security risk that should be at the top of every CIO's security checklist.

"We access our e-mail and carry sensitive information on our mobiles, but there's no control. When employees leave, nobody bothers to clean their phones. Who knows with what information they are walking out of the door?" says Padayachi.

The enemy is not beating at the gates: it has already slipped in through a hundred tiny cracks.

Martin May, regional director, Enterasys Networks Africa

The situation is not hopeless, however. A few simple recommendations, along with a substantial shift in how organisations plan their security, can make a massive difference - without costing a fortune. Martin Walshaw, systems engineer at Cisco, says these involve policy shifts that reflect the changing environment, coupled with technologies to monitor and restrict the spread of the network.

"But remember: if you want to be secure, you have to accept that anyone and everyone on your network is your responsibility," he says.

This means, for example, that there must be top management support for information security. Information security control measures should be selected and implemented on the basis of risk: that is, information security controls, including policies, should be commensurate with the level of risk to which the organisation is exposed.

"Information security is a state. Information assurance is a process. There is a huge difference," says Karel Rode, a strategist at security solutions provider CA.

"Information security is reactive. Information assurance is strategic and proactive. If we can do one thing of significance, it is to get C-level executives to realise the importance of information to their companies."

An implication is that an information security policy shouldn't be developed unless there is a need, and information security policies must be designed to address a specific set of issues. Another implication is that threats, vulnerabilities and security performance must be continually assessed to ensure that the level of security is appropriate.

Wanted: a few good scapegoats

Part of the problem is a boardroom mindset that puts compliance first and security second, says Charl Louw, a senior consultant at Accenture South Africa.

<B>Confronting the enemy within</B>

Part of the problem facing the modern information executive is that there's no clear perimeter anymore. Who's us? Who's them? Nobody knows.

So many attacks come from inside rather than outside that building ever-stronger perimeter walls simply doesn't help.

Gartner reports that 84% of high-cost security incidents occur when insiders send confidential information outside the company. It's easy to see why. Hacks have to figure out how to break into the network, then locate, obtain and distribute the target data, all without being detected by increasingly sophisticated security systems. People within the firm have authorised access to data and access to the Internet, a deadly combination from a security standpoint.

The Computer Security Institute/FBI 2003 Computer Crime and Security Survey found that of 488 companies surveyed, 77% suspected a disgruntled employee as the source of a security breach. It is estimated that one out of every 500 outbound e-mails contains confidential data.

"The thieves live inside your company - and it is too easy for hackers to socially engineer them. You don't have to hack from Moscow if you can get people inside the company to get around the safeguards for you," says Magix Integration MD Amir Lubashevsky.

If you can't patch all the holes, he argues, you try to catch the thief instead. That's why Lubashevsky says the only workable preventative solution is to implement invisible employee monitoring technology to guard against specific information anomalies in real-time. This will enable businesses to catch malicious activity before any damage is inflicted.

"Security and compliance challenges around information protection and the insider threat have evolved over the past 24 months," says Forrester Research in a December report.

"Organisations are increasingly interested in their employees' computer activity and are often more concerned about sensitive information leaving their premises than about people getting viruses through e-mail or using the Internet inappropriately."

Activity management is a key recommendation, examining what is being done on the network, by whom, on which servers. This makes it easier to spot anomalous activity. This needs to be combined with device control to stop large amounts of potentially critical business information walking out the door on a large capacity memory stick, as well as filtering software on e-mail servers to look for messages containing confidential information.

"This suggests that IT security specialists are still failing to convince the board of the business benefits of security investments, and that a pervasive focus on compliance is diverting funds away from real strategic priorities," says Louw.

Microsoft's Bester is not convinced that companies take compliance seriously enough. He says there are no consequences for a lack of compliance in SA.

"If 50% of your company's software is pirated, there is a clear consequence. But if a security audit is done, and 50% of your data is unsecured, there are no consequences at all. That needs to change."

"We don't have a scary enough regulator," says Magix's Lubashevsky. "There are no black vans parked in your driveway if you mess up. The regulator doesn't have enough teeth."

MB Technologies' Whitcroft believes security should be an integral part of corporate governance: "Imagine if a company were to have trading in its shares suspended for not complying with security audit rules. That would change people's perceptions about the importance of security fairly quickly!"

Lawtrust director Maeson Maherry believes SA has good legislation in place, but it is not being applied. A case in point is the standard disclaimer to be found at the bottom of most e-mails, which, legally, is simply not enough. According to the Companies Act, any business communication must have the company directors and identification in place.

"Security is a business imperative that we have to get people to understand," says Maherry.

"We have a data protection law on the way that will make it mandatory for you to publicly disclose the fact that you have lost someone's information. This could have significant effects on your business - but nobody seems to think it can happen to them."

The value-add of security

Microsoft SA's Bester wants to move security out of the IT domain and into the business domain, where it can be sold as a strategic competitive advantage. According to Accenture research, higher performing companies tend to place security not under the CIO, but rather under the CEO, thereby reflecting its true importance. This gives security issues a higher ranking on the board agenda, with sponsorship from the top and a solid platform from which IT can argue the case for investment.

A major challenge is to stop security from being seen as primarily a technology issue, but rather an area where processes, people and other organisational factors are every bit as important. More importantly, though, it's about changing perceptions that security is about blocking access and protecting assets rather than generating a return for the business.

SecureData's Ochse is passionate about the ways in which IT security can become a business enabler - like the benefits of a mobile workforce, for example.

"Security is widely perceived as a cost of doing business, but it can be a very powerful way of creating value," says Ochse. "That's the way security chiefs and vendors have to be positioning themselves going forward."

Ignorance is bliss. These people have been hacked. They just don't know it.

Amir Lubashevsky, MD, Magix Integration<B><U></U></B>

So what's the bottom line? Rather than dwell upon network security threats and the havoc they can wreak on global enterprises, progressive security leaders today are talking about the new business opportunities that can be explored once you've secured your network. Even though it's a scarier than ever out there, security leaders are pushing a new agenda: it's no longer about the threat, it's about the possibilities.

Now that's a thought that could change the face of IT security for good.

Share