We live and work in an ever more joined-up world of multiple connections between devices. The simple local area network (LAN) has been joined by the wide area network (WAN), any network can become Internet based and virtual, and the proliferating range of devices is boggling to human minds and security systems alike. We have relied traditionally on strong, layered perimeter defences that still deal with perhaps 90% and more of the issues. The big change, and the big challenge, in the Internet age is dealing with transient connections across that complex span of possible links. Mobility, teleworking, multiple portable devices and multiple protocols have all introduced new complexity. It is all the more challenging when the links and the access are by trusted categories of people such as employees, customers and business partners.
By and large, IT security historically has concentrated on protecting the computer and the network. In today's world of multiple temporary connections and proliferating devices, that emphasis has changed, or has to change in organisations which have not yet caught up. An IDG survey earlier this year on behalf of RSA, the security division of EMC, found that 87% of respondents recognised this under the useful heading 'Protect the data, not the container.' It is a good mantra, but the tasks are complicated by the fact that even with the trend towards centralisation, data is to be found in a variety of places, from virtualised copies to portable devices of many types. As the IDG report says, "the issue of protecting data becomes even murkier when companies start to move critical information into the cloud."
Hyper extension
According to Andrew Moloney, EMEA marketing director of RSA, "A typical large enterprise today is hyper-extended, with the traditional security boundaries broken down by mobile communications, social networking and other new Web 2.0 technologies, electronic collaboration and supply chains. Information is flowing in and out along all of these channels; you have mobile employees, partners, service providers and customers. It almost begins to be difficult to define where one enterprise ends and another begins. There is a whole new level of compounded risks in this extended world: think of the simple examples of the storage capacity of a USB key or a tiny data card, or the data that is often contained on a PDA or even a phone."
Laptops are of course an exit route for major data leakage when they go missing or are stolen: "Even as we perhaps struggle a bit with IT security solutions in this new web world it is worth remembering that the biggest single danger in daily business is probably not the malicious guys out there but the good guys who do dumb things," Moloney is keen to point out. "The laptop left on the train often makes headlines, but CDs of data in the ordinary post have gone missing, while accidental web publication of, or open access to, masses of data is not uncommon."
Risk spectrum
Back on the e-front, the challenge to IT security in the hyper-extended enterprise is that the risks and the range of risk are greater. Almost by definition, the ingenuity of the attackers rises to match the security measures deployed. But the enterprise is striving to be flexible and progressive, so layers of security that will have a choking effect on the business or its relationships must be avoided. "In general, enterprises are adopting new business models faster than the security systems to match them," Moloney believes.
"That means that we have to identify and apply the appropriate security controls to information rather than systems. In this new scenario we have to move to behaviour-based analysis, looking for the exceptional and the inappropriate. That's a known customer IP address and someone is just looking at the correct order summary; but that's an accounts query coming from a PC in sales or by remote access."
The point he emphasises is that it is perfectly possible to define in advance what an in-house user, or a third party such as a customer with privileged information access, is allowed to see or do. "But tight security also depends on strong authentication, perhaps more than a single and simple sign-on password or PIN. So you need to balance that extra step with the corporate importance of the data or the level of potential risk. If you make the experience difficult or tedious for customers, it will ultimately damage the relationships."
"We are now seeing more enlightened conversations around security," Moloney believes, "because risk is a common language between the technical side and the business. Priorities and levels can be agreed and set because the corporate objectives are common to all and compliance policy needs, for example, bring best practice standards that are understood on both the technical and business fronts."
Non-tech challenge
Like the other experts, Renaissance managing director Michael Conway is firmly of the view that the primary IT security risks in business are not inherently technical at all. "The biggest risks are gross incompetence and stupidity, and it has been proven time and again, sometimes very publicly. Web risks are much lower, at least in terms of the likely damage or value of stolen or compromised assets. On the other hand, there are most certainly some serious risks out there. One of the ones that we are seeing more and more frequently is the legitimate web site that has been secretly attacked so that visitors may inadvertently infect their own systems with malicious code. People generally might be cautious about areas like adult sites, for example, but in fact the compromised web sites tend to be popular and trusted, such as online shopping of various kinds including airline tickets and holidays and even in the UK a political party web site at election time."
Malicious code is almost always targeted at money in some way, Conway says. Ireland may not have very many specific targets such as banks but any type of web site through which customer credit card information might pass is a potential target. "Malware of this kind is targeted but random, as it were, attempting to spread as widely as possible in order to harvest information that can be used for criminal purposes from any unprotected systems. A tiny level of success on a global scale can amount to very significant returns for the criminals."
Although this might be seen as a risk for the individual employee or person browsing, organisations can suffer serious reputational business damage. "If you read that a certain airline site had been compromised, for example, would you even try to use it? There may also be corporate negligence issues that could find their way to the courts."
But Conway says that company information is certainly targeted and at any level of business from SME to multinational. "Everyone in business knows the types of information that would be valuable to competitors, from customer lists to pricing information to strategic plans. This type of information may be held electronically, but by far the easiest way to get it is by traditional human agency. In other words, bribe someone who has access. Given the volume of data you can get onto a USB key in seconds these days, unprotected databases can be stolen easily and with minimal likelihood of detection."
Tool kit
In daily commercial life, what all of that means, Conway advises, is a combination of standard IT security tools including firewall, antivirus/anti-malware and spam filters for e-mail. "Much of that is at appliance level these days, with Unified Threat Management (UTM) boxes that are very effective. On the business information side, access control and encryption are essential and not difficult or expensive to implement. You have to have control over who can see what information. Would you leave salary information or even company banking information open to all staff? The answer has to be the same for all business data. That also means securing the endpoints, like network and laptop logon, with PIN or other authentication. It should go without saying, but in truth needs to be shouted, that all data on mobile devices should be encrypted."
The theme of the insider threat is taken up by Darren Craig, IBM senior managing consultant, security. "It is a sad fact but in the prevailing economic climate, with redundancies and the threat of business failure, more employees are being tempted to steal information. It may be for possible value in another job, on behalf of a competitor or even for sale to criminal gangs in the case of customer credit card details. In recent years one gang successfully used insider information to generate 'valid' Laser ATM cards with ghost accounts."
Policy enforcement
From a corporate point of view there have always been formal policies about who is authorised to see information or take certain actions. "Today the challenge is to enforce these policies through smart security systems at all levels," Craig says. "The traditional network perimeter has disappeared, so we have moved on from protecting the infrastructure to controlling at a more granular and subtle level together with tagging and tracking data access. All such systems depend on a role-based model combined with strong identity management. You can authenticate that you are who you say you are, your role entitles you to access these systems and perform these actions, whatever you do will be logged and auditable."
That might mean fine distinctions, such as permission to read but not to write, not to print or not to copy, all of which can be electronically enforced. "Setting up these systems starts and ends with the business side," Craig emphasises. "The business units and data owners have to classify their information, define the roles and assign the individuals. The systems are designed and set up to match that structure and each employee has the appropriate set of permissions set up by IT and signed off by the relevant data owner."
Splitting the responsibility between IT and business is now the norm, usually in some workflow system so that line managers and data owners can accredit individuals. The organisation also has to set policies and authorise the 'key holders' who have privileged access, Craig points out. The days of 'back door' access by senior IT people are gone, so there has to be shared authority and privileged administration brings special scrutiny and the monitoring and logging of all actions, especially changes.
The internal threats are potentially the worst from a value point of view, agrees John Power, business manager, security, CA. "All sorts of business relationships now include electronic links from the heart of one company's systems to the heart of another. They are likely to be in a trading relationship, so there will be some caution about information access, but similar situations arise when businesses merge and set about sharing systems. In all cases, management's concern has to be to define the needs and policies for the application users and data owners and then to invest in the security systems to enforce the rules."
Least privilege
Role-based permissions are the basis, Power explains, with a general principle of 'least privilege' meaning that each role has a limited set of essential access rights to do what is needed for that role and no more. "Roles can be combined for specific individuals, of course, permanently or temporarily. In the famous Société Générale scandal the trader who lost the billions was enabled because his former back office privileges were never withdrawn when he moved to trading. So that is a dramatic lesson that roles and privileges should be reviewed regularly and the systems should include automatic expiry, by any change of role and by time, so that formal renewal is triggered."
'Keeping the bad guys out' was the main emphasis in IT security in the past. That is still valid, of course, but Power says the emphasis has switched strongly to controlling and monitoring the activity of authorised users, staff or third parties, and automatically enforcing security policies. "Abnormal behaviour or attempted actions will either not be permitted or trigger alarms or both. Say accounts office activity, normally nine to five weekdays, is attempted at midnight on a Saturday. You would expect that to generate an alert, even if the credentials are valid. But protection can be down to a much more micro level today. For example, security can be content aware so that if someone attempts, for example, to send a confidential document outside the organisation it will be intercepted."
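The controls Power and Craig describe above (role-based permissions built on least privilege, automatic expiry of privileges on a change of role, out-of-hours alerts on valid credentials, and content-aware interception of outbound documents) can be shown together in a small policy engine. The code below is an added illustration, not code from the article or from any of the vendors quoted; the roles, resources, hours, confidentiality markers and the `example.com` mail domain are all constructed assumptions, and the role-change scenario is a generic reconstruction of the lesson Power draws, not a record of what happened at Société Générale.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Constructed role definitions. Each role carries only the rights that job needs
# (least privilege); there is no implicit inheritance between roles.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "trader": {("trading_book", "read"), ("trading_book", "write")},
    "back_office": {
        ("trade_confirmations", "read"),
        ("trade_confirmations", "write"),
        ("trading_book", "read"),
    },
    "sales": {("orders", "read"), ("orders", "write")},
    "accounts": {("ledger", "read"), ("ledger", "write"), ("orders", "read")},
}

# Constructed "normal hours" per resource: (first hour, last hour exclusive), weekdays only.
NORMAL_HOURS: Dict[str, Tuple[int, int]] = {"ledger": (9, 17)}

# Constructed markers for the content-aware egress check, and an assumed internal mail domain.
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")
INTERNAL_DOMAIN = "example.com"


@dataclass
class RoleGrant:
    role: str
    expires: Optional[datetime] = None  # None: no expiry has been set yet


@dataclass
class User:
    name: str
    grants: List[RoleGrant] = field(default_factory=list)


def active_roles(user: User, now: datetime) -> Set[str]:
    """Roles whose grant has not expired at time `now`."""
    return {g.role for g in user.grants if g.expires is None or g.expires > now}


def change_role(user: User, new_role: str, now: datetime,
                handover: timedelta = timedelta(0)) -> None:
    """Move a user to a new role. Every existing grant is given an expiry at the
    end of the handover period instead of being left in place indefinitely."""
    for g in user.grants:
        if g.expires is None or g.expires > now + handover:
            g.expires = now + handover
    user.grants.append(RoleGrant(new_role))


@dataclass
class Decision:
    allowed: bool
    alerts: List[str] = field(default_factory=list)


def authorise(user: User, resource: str, action: str, now: datetime,
              source: str = "corporate_lan") -> Decision:
    """Permit only what an active role grants; attach alerts for unusual context."""
    roles = active_roles(user, now)
    if not any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles):
        return Decision(False, [f"DENY {user.name} {action} {resource}: no active role grants it"])
    decision = Decision(True)
    hours = NORMAL_HOURS.get(resource)
    if hours and (now.weekday() >= 5 or not hours[0] <= now.hour < hours[1]):
        decision.alerts.append(
            f"ALERT {user.name} {action} {resource} at {now:%a %H:%M}: outside normal hours")
    if source != "corporate_lan":
        decision.alerts.append(f"ALERT {user.name} {action} {resource} from {source}")
    return decision


def egress_allowed(document: str, recipient: str) -> bool:
    """Content-aware check: a document carrying a confidentiality marker may not leave the organisation."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    marked = any(m in document.upper() for m in CONFIDENTIAL_MARKERS)
    return domain == INTERNAL_DOMAIN or not marked


if __name__ == "__main__":
    t0 = datetime(2009, 6, 1, 9, 0)  # constructed date: a Monday morning
    u = User("jk", [RoleGrant("back_office")])
    change_role(u, "trader", t0)     # old privileges expire instead of lingering
    print(authorise(u, "trade_confirmations", "write", t0 + timedelta(days=1)))
    print(authorise(u, "trading_book", "write", t0 + timedelta(days=1)))
    print(authorise(User("acct", [RoleGrant("accounts")]), "ledger", "read",
                    datetime(2009, 6, 6, 0, 0)))  # Saturday midnight: valid but alerted
    print(egress_allowed("INTERNAL ONLY: pricing plan", "someone@gmail.com"))
```

The design point is that `change_role` never removes a grant silently; it sets an expiry, so the audit trail shows when and why the old privilege ended, and a handover period can be granted explicitly rather than by forgetting to revoke. Alerts are returned alongside the allow decision rather than replacing it, matching Power's "not permitted or trigger alarms or both".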
Clueless
People are the inevitable theme in security, according to Seán Reynolds, CEO of information security specialists RITS. "Most users really have no idea of security and if they are allowed they will install browser add-ons, participate in internet peer-to-peer file-sharing and so on. Some of those, like LimeWire, are potentially valuable tools for enthusiasts, perhaps, but ignorance or carelessness can lead to settings that expose the entire C: drive of a PC to the Internet, or even the company's entire network!"
Clearly, larger organisations will have control of the desktops but in an SME it can be difficult to police on the LAN while laptops are a real potential threat. "I'm constantly amazed at the numbers of people who are deceived by phishing attacks, although indeed some of the newer ones are very convincing. The dangers to the individual from disclosing personal or even credit card or bank information are obvious, hopefully. But from a company perspective the danger is that these phishing attacks lead staff to visit compromised web sites which will send trojans and other malware down to the PC or the network." Because the user has deliberately clicked on the URL, not all security systems will prevent what can pass as a deliberate download, Reynolds explains.
Similar problems of innocence or ignorance can cause problems for SMEs, Reynolds suggests. "With lower priced web hosting, security is not always featured, yet business proprietors just assume that it is part of the deal. Security at that level is just essential for any business, but it must be requested, the services defined, and paid for, because proper security protection does not come free and seldom cheap."
A customer portal on the Web site is common in business today, allowing customers to check their accounts and orders and possibly track progress. "These have become features built into packaged software such as accounts. But they are a route into your systems that needs protection, and there are known vulnerabilities whereby a little tinkering with the search codes can allow a user onto other parts of your network and data systems. Is your portal secure? How do you know?" Reynolds asks.
There are effective IT security solutions available from single PC level up to multinationals and governments. What is necessary is to think about security, plan and make decisions, invest in appropriate systems and review everything regularly. That's the view of John Stone, chief technical officer of Cisco Systems in Ireland. "There is a range of threats, from the generic Web malware and intrusion threats to targeted attacks by people who want to steal your money or your data or intellectual property, or indeed your employees' or your customers' data."
Clicking on compromised web sites, whether led by phishing or just accidentally, can open a route into corporate or personal data. "These threats have evolved and become much more intelligent. If you think of all of the tiny breadcrumbs of personal information that travel over the Internet, including some large slices on social networking sites like Facebook, of course there are clever systems that can gather them all up and combine them in strings for better targeting. There are certainly systems to gather information on, for example, individuals in particular broadly targeted industry categories like banking, police and military, government or whatever. Once the trails of crumbs lead to an individual, over time the criminals can gain passwords and PINs, logon details and so on, not to mention leads to all of that person's personal and professional contacts."
Protection against the broad range of Internet threats can be delivered by smart UTM devices, Stone says, but adds that at a serious corporate level this has to be based on real-time updating. "The days of batch updating of lists and patches are gone because dynamic response is needed to new threats that can go global in minutes." Within the enterprise, however, there is no single 'box' solution to control and monitor user behaviour or rogue software. There has to be a combination of appropriate business rules for permitted data and systems access, usually defined by role, and monitoring systems to enforce the rules and log access and actions. "That is a top level management responsibility, not simply an IT function. Defining what needs to be protected, and to what degree, and who can see what, are all business decisions. What IT security systems contribute is the means to police and enforce all of that, to an auditable standard that will satisfy any compliance authority. But like everything in IT, that may depend on investment decisions and budget priorities that must be set first."