The weakest link
1 April 2005
We all know that computer systems are essentially stupid things that can only do what they have been programmed to do — and are irredeemably literal about interpreting their instructions. On the other hand, they are reassuringly unmotivated. So when your system gets done over — files trashed, directories wiped out, strange electronic organisms spread around that need professional cleaners and fumigators — don’t blame the technology, blame the people. As for crookery, it’s been around a very long time indeed. So lifting your customer list or business plans, or charging things to your credit card, or paying phoney suppliers have just found new avenues in this electronic age. If the back door is on the latch or the key to the safe is in your desk drawer you know, deep down, you are being stupidly human. When the password is in that same top drawer or taped to the computer you are merrily compounding that human stupidity with the dumb computer that doesn’t know it’s not you transferring those funds to Account 999, Nigeriscam Bank of Grand Cayman.
In other words, IT network security is always about preventing people from doing what you do not wish them to do. Of course that covers system viruses, vandals and similar electro-bugs as well as hackers, crackers and even accidental intruders. It most certainly covers unauthorised access to information and regardless of whether the prying is coming from outside or from within the organisation. For most businesses, in fact, protection against the generic e-baddies is relatively easy because it is almost mechanical. The threats are real and not to be minimised, but there is a plethora of ‘standard’ anti-virus and firewall solutions, although all experts warn that setting them up properly is by no means a simple plug and play operation.
But by far the greatest range of e-security concerns an organisation’s data, from information that might be of competitive advantage to others, to things of more immediate potential financial value like authorisation passwords and codes for payments, funds transfer, or the credit card details of your customers. As Noel O Dúill of Bull Information Systems points out, ‘The value of your network to the business grows with the number of connected users and the networked enterprise today is connected with partners, suppliers, employees and clients. It is now critical for any business to facilitate and enable access to and from as many channels and routes to market it can find. But just as value grows with size, so too does vulnerability. That old adage from the political world might well apply: only the paranoid survive’.
There is an urban myth out there that most of this media talk about e-security is hype, driven by anti-virus and other software publishers, security consultants and so on. The opposite is closer to the truth: security is even more of a risk in the electronic age because the perpetrators can be distant and usually cloaked by the darkness of the Internet. There is little risk and no bravery involved. In the UK, the 2002 survey conducted by PricewaterhouseCoopers on behalf of the Department of Trade and Industry established that a full 44% of British businesses had suffered at least one malicious security breach in the previous year, nearly twice the proportion found in the previous survey two years earlier. The same authoritative study also established that the average cost of such incidents to the business was Stg£30,000, with several bills topping the Stg£0.5 million mark.
If by any chance the incidence on our outer island is any lower, which is doubtful, it is probably because we are generally a tad less e-commerce enabled than our neighbours despite the schemes, policy papers, initiatives and rousing rhetoric of recent governments. An almost equally interesting statistic from that same survey is that 56% of British firms either were not covered by insurance or were not sure whether they were or not! Once again, are we all that different? I doubt it. However, a decent 73% of UK businesses believe that information security is ‘a high priority for senior management’ (up from 53% in 2000), which one would like to think is mirrored in this market. The bit that is certainly similar here is that the vast majority of businesses spend less than 1% of their total IT budget on security, although the expert consensus internationally is that between 3% and 5% is an appropriate level in this e-business age. In high-risk sectors like financial services, the figure is more like 10% on average.
Unfortunately, that very phrase ‘IT budget’ epitomises most of what is wrong with the management of security: it is regarded almost totally as an IT function because so much of it does involve technology. But as Mike Small of Computer Associates points out sagely: ‘we have become so focussed on the technology in many ways that perhaps we have forgotten why we need it in the first place. It is up to management to establish clearly what needs to be protected and what are the real risks and then to make the business decision on the level of protection required. There has to be proportionality, balancing of risk and the costs of protection, and that is clearly a management responsibility’.
But there are other forces coming into play in the market to drive recognition of the importance of security higher up the corporate ladder, such as the increasing influence of Data Protection legislation. ‘With the recent passing of the 2002 Data Protection Amendment, business will again begin to focus on compliance with the Data Protection Act, and in particular the requirements for security of personal data that a company holds,’ points out Patrick Roberts, president of the recently formed Irish Chapter of the Information Systems Security Association (ISSA), a highly regarded international professional organisation. He says that maintaining levels of control over access to data has in the past been driven mostly by the fear of theft or inappropriate disclosure: ‘but now the legal sanctions in data protection legislation have made it an imperative that organisations ensure that personal information is appropriately secured at all times. In fact our members are reporting that data protection legislation has begun to drive investment in security products, policies and procedures’.
But information security has also become a hot corporate governance issue. It would be difficult to ignore the revolution in corporate governance that has occurred worldwide as a result of difficulties at Barings Bank, Enron, Worldcom and other very big names. Developments such as the Turnbull report in the UK have led to an increased focus on information security as a core component of sound corporate governance. So although security has traditionally been a function of the IT department, its increased importance as part of internal control systems generally means that responsibility for it is increasingly moving out of IT, especially in the US.
Interestingly, that turns a focus back on an area all too often neglected in network security: the enemy within. Perhaps it is because friendly Irish managements are reluctant to question the trustworthiness of colleagues. But when you look at the security issues for any organisation, the main ways in which it can sustain damage are:
- Damage to IT systems themselves, hardware or software, temporary or permanent
- Data loss, corruption or revelation/theft
- Monetary loss, i.e. fraud of some kind
- Damaged reputation (more recently) through inappropriate or even criminal use of its IT resources, e.g. abusive or sexually harassing emails, pornography download/distribution, loss of customer information, etc.
Clearly, all of these are more easily perpetrated by someone inside. A disgruntled or dishonest employee is probably even more of a threat than ever in the IT age. Embezzlement is a crime that has kept well up with the times. If AIB Group can lose millions of dollars in currency trading, be sure any business can lose thousands of euro even more easily. Fictitious suppliers and even employees and a host of other ingenious scams continue to thrive in an electronic and online world. Somebody else’s password (not usually that hard to find out) can be a temptingly anonymous or at least disguised route to an embezzlement opportunity that the thief knows would be very hard to prove, even if discovered. In this country, employers are notoriously reluctant to pursue charges against former employees in the courts. So the risk-to-reward ratio can be seen as relatively low.
‘We are beginning to mature as far as information security is concerned — slowly,’ says Kelvin Garrahan, security architect with Hewlett Packard Global Services, ‘both on the management or client side and in the IT techie community’. Garrahan continues: ‘there are good frameworks and standards like ISO 17799 and better understanding at the top is leading to better practice. There have also been great advances in making elements like firewalls, anti-virus, access control and so on much easier to deploy and use. “Easy” is the key word because that means things actually get put into practice. That’s a fact of life, but it’s not always a good thing because the simplicity of the interface can delude general users into thinking that everything is working when in fact many controls and features may not be properly in place at all’.
Where the buck stops
He points to the example of the finance sector, where security standards are mature and good practices like assigning costs to risks are normal. ‘Every security project has an owner, a clear line of authority so that someone is specifically responsible for every step forward. In ordinary businesses the whole process of change control and approval can be seen to impede progress so it gets pushed aside. So policies get firmly set — in writing — but not necessarily followed through.’
At the end of the day, IT security like all other forms is about access: who is allowed to get at what. It has to be all-pervasive, because the specific channel does not matter. I want to protect my live, current customer database. I also want all of my sales people to be able to put orders in the system and look things up. In a modern B2B market, each customer should have access to his/her/its own account. What is often misunderstood is that to be both protected and accessible for working, the actual channel of communication hardly matters at all. It could be dial-up remote access for our own staff, either directly or over the Internet, they could be coming through a public wireless hot spot or from a laptop on a moving train — or just plugged into the LAN from the spare desk in the outer office. Virtual Private Networks (not always Internet-based) are the cost-effective way of linking locations from Bray to Balbriggan or Bogota. Of course we have to protect the ‘point of entry’ or outer perimeter. But the fundamental objective is to protect the data (e.g. a file) or the application (e.g. conducting a transaction, financial or otherwise). That is why all good security systems are multi-layered, protecting not just the perimeter of a network with entry control firewalls but also covering areas within the system — notably specific applications, databases and workgroups — and linked LANs within an overall WAN as well as dial-up direct connections such as are frequently used for branch/head office reporting or in supply chain relationships.
A ‘firewall’, incidentally, is, as the metaphor implies, the first bulwark against attack: it stops what it can and at least gives time for the alarms to be sounded. Products come more and more as ‘little black box’ appliances (Cisco has just launched a new range), but also as software or a combination. In essence, they inspect every packet and allow network (or individual PC) access only according to pre-set security rules, rejecting by default anything that no rule explicitly permits. Larger businesses will also use a ‘proxy server’: a server that sits between the internal network and the Internet, screens traffic, and conceals the true IP addresses on its own side (a reverse proxy hides the real web server from outside callers; a forward proxy hides internal PCs from the sites they visit). The firewall’s principal task is to prevent unauthorised entry of anything suspicious, much less actively hazardous. So it will check all traffic, reject or hold anything from an unknown source, and will usually be paired with anti-virus scanning at the same gateway.
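The rule-based screening just described, as an added example that is not code from this article or from any firewall vendor: a first-match, default-deny packet filter in Python. The rule table, the addresses (RFC 5737 documentation ranges) and the packets are all constructed for illustration, and the class and rule names are assumptions. It also includes a check for ‘shadowed’ rules, the common misconfiguration where a broad allow placed earlier in the table means a later, more specific deny can never fire, which is exactly the kind of control that looks to be in place but is not.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source CIDR; 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"        # destination CIDR
    proto: Optional[str] = None   # None means any protocol
    dport: Optional[int] = None   # None means any port
    name: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


def decide(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins. No match at all means deny: the 'unknown source' is rejected by default."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "implicit default deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule already covers everything they match."""
    return [later.name for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed rule table for a small office (hypothetical hosts in RFC 5737 documentation ranges).
MAIL = "192.0.2.25/32"
WEB = "192.0.2.80/32"
PARTNER = "203.0.113.0/24"

GOOD_RULES = [
    Rule("allow", src=PARTNER, dst=MAIL, proto="tcp", dport=25, name="partner-smtp"),
    Rule("allow", dst=WEB, proto="tcp", dport=80, name="public-http"),
    Rule("allow", dst=WEB, proto="tcp", dport=443, name="public-https"),
    Rule("deny", name="deny-all"),   # explicit catch-all so the drop is visible in logs
]

# The same intent with a broad allow placed first: the specific RDP block is dead on arrival.
BAD_RULES = [
    Rule("allow", dst="192.0.2.0/24", name="allow-dmz"),
    Rule("deny", dst="192.0.2.0/24", proto="tcp", dport=3389, name="block-rdp"),
]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.10", "192.0.2.25", "tcp", 25),
                Packet("198.51.100.7", "192.0.2.25", "tcp", 25),
                Packet("198.51.100.7", "192.0.2.80", "tcp", 443)):
        print(pkt, "->", decide(GOOD_RULES, pkt))
    print("RDP through BAD_RULES:", decide(BAD_RULES, Packet("198.51.100.7", "192.0.2.50", "tcp", 3389)))
    print("shadowed:", shadowed_rules(BAD_RULES))
```

The shadowing check is the kind of audit a practitioner runs over an exported rule table before trusting it: the second table passes a casual read (there is a rule blocking RDP) but never actually blocks anything.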
But most importantly, the management has to set the rules as with other kinds of security. It is no problem, for example, to reject email attachments (even the clearly innocuous) from all but a specific list of contacts. You will not want the exceptions unceremoniously bounced but re-directed to a responsible executive for a sensible human decision that computers cannot make. Alex Gogan of Web specialist Future Business Intercommunications says bluntly: ‘the number one factor in choosing firewall or other security systems is the competence of the people who are going to be responsible for it. The second is the determination of management to set policies and stick to them, and the third is probably the choice of sensible rules, appropriate to what you are securing, that will actually be adhered to. The choice of actual product or system is well down the list and there are lots of good ones in the market.’
Access control, whether to specific functions on the LAN or from somewhere outside via direct dial-in or Internet link, is increasingly important to all businesses. It’s not just reps on the road any more as teleworking becomes simply another element in the mix. ‘In that context, authentication has become a real issue,’ as Dave Keating of Data Solutions explains. ‘Passwords and PINs are all very well, but they can be lost/stolen and in any event many businesses need the reassurance that you are who you say you are. That can certainly apply even in the office as well — Treasury functions, for example, or HR.’ Users need something that gives higher security yet is simple to use. A common solution is two-factor authentication based on something you know (a password or PIN), and something you have (an authenticator) providing a much more reliable level of user authentication than just a reusable password. SecurID from specialists RSA is a clever ‘key fob’ gadget that has actually been around for over a decade. It generates a new six-digit password every minute, synchronized in advance with a server back on the LAN. Users just enter the number off the little screen, add their own PIN and you have a double layer of security with minimal effort on the users’ part. ‘Another factor here is that there is nothing on the PC to assist a potential intruder,’ adds Dave Keating, ‘and if the device itself is lost it can be de-listed in a matter of minutes’.
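The fob-plus-PIN scheme described above, as an added example that is neither code from this article nor RSA's: SecurID's own tokencode algorithm is proprietary, so this uses the open standards that do the same job, HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), rolling a six-digit code every 60 seconds from a seed shared in advance with the server. The TokenServer class, user names and seed are assumptions made for illustration. Beyond generating the code it shows what the server side must get right: PIN checked first, a small clock-drift window, refusal to accept a code twice, and revocation of a lost fob by simply dropping its seed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock, so fob and server agree without talking."""
    return hotp(secret, now // step, digits)


class TokenServer:
    """Hypothetical authentication back-end holding each user's token seed and PIN hash."""

    def __init__(self, step: int = 60, drift: int = 1) -> None:
        self.step = step
        self.drift = drift                      # tolerate this many steps of clock skew either way
        self.seeds: Dict[str, bytes] = {}       # the 'something you have' lives here, never on the user's PC
        self.pins: Dict[str, bytes] = {}        # salt || PBKDF2(PIN)
        self.last_counter: Dict[str, int] = {}  # highest counter already redeemed, to refuse replays

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)

    def enrol(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.seeds[user] = seed
        self.pins[user] = salt + self._pin_hash(pin, salt)
        self.last_counter[user] = -1

    def revoke(self, user: str) -> None:
        """'De-listing' a lost fob: without its seed, every code it will ever display is worthless."""
        self.seeds.pop(user, None)

    def verify(self, user: str, passcode: str, now: int, digits: int = 6) -> bool:
        """passcode = PIN (something you know) followed by the tokencode (something you have)."""
        seed = self.seeds.get(user)
        if seed is None or len(passcode) <= digits:
            return False                                     # unknown user, revoked fob, or no PIN supplied
        pin, code = passcode[:-digits], passcode[-digits:]
        salt, stored = self.pins[user][:16], self.pins[user][16:]
        if not hmac.compare_digest(self._pin_hash(pin, salt), stored):
            return False                                     # wrong PIN: fail closed before touching the token
        centre = now // self.step
        for counter in range(centre - self.drift, centre + self.drift + 1):
            if counter <= self.last_counter[user]:
                continue                                     # already redeemed: a sniffed code cannot be replayed
            if hmac.compare_digest(hotp(seed, counter, digits), code):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    seed = os.urandom(20)                                    # constructed seed; a real one is burned into the fob
    server = TokenServer()
    server.enrol("alice", seed, "1234")
    now = 1_100_000_000
    passcode = "1234" + totp(seed, now)
    print("first use :", server.verify("alice", passcode, now))   # True
    print("replayed  :", server.verify("alice", passcode, now))   # False, same code again
    server.revoke("alice")
    print("after loss:", server.verify("alice", "1234" + totp(seed, now + 60), now + 60))  # False
```

The replay check matters because the six digits are typed in the clear: with a one-minute code and a drift window, an attacker who shoulder-surfs a code has a short time in which to reuse it unless the server remembers what it has already accepted.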
Password management is another growing issue. ‘With so many security and access control measures, it is becoming an increasing problem to manage all the passwords,’ says Stephen Leslie of Software Security in Waterford. ‘Passwords are required for Internet banking, Revenue returns, network logon, remote access, application software and many others — with the danger that they will be written down, or simple words will be chosen allowing would-be hackers to compromise your security. But there are now management tools that allow users to store all of their access control details in a secure application or hardware device such as a smart card or USB token. A single strong password will protect access to the “container” that will allow people to use strong passwords without the need to memorise them all.’
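The ‘container’ just described, as an added example that is not code from this article or from any password-manager product: a credential store sealed under keys derived from one strong master password. It is built from the Python standard library only, so it uses PBKDF2-HMAC-SHA256 for stretching and HMAC-SHA256 both as a counter-mode keystream and as the authentication tag, an encrypt-then-MAC construction; a real product would use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted library instead of the hand-rolled keystream. The iteration count, the label strings and the sample entries are assumptions. The point it demonstrates is that a wrong master password, or any tampering with the stored blob, is detected by the tag before anything is decrypted, and that the container can hold per-site passwords nobody ever has to memorise.

```python
import hashlib
import hmac
import json
import os
import secrets
import string
from typing import Dict, Tuple

KDF_ITERATIONS = 600_000   # assumed PBKDF2 work factor; raise it as hardware gets faster
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the single master password, then split the result into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, KDF_ITERATIONS)
    k_enc = hmac.new(km, b"container-encryption", hashlib.sha256).digest()
    k_mac = hmac.new(km, b"container-authentication", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-CTR, see lead-in)."""
    blocks = [hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(master: str, entries: Dict[str, str]) -> bytes:
    """Encrypt-then-MAC the credential store; fresh salt and nonce every time it is written."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    k_enc, k_mac = derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(k_enc, nonce, len(plaintext)))
    tag = hmac.new(k_mac, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def unseal(master: str, blob: bytes) -> Dict[str, str]:
    """Check the tag first: a wrong master password or a modified blob is refused before any decryption."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    k_enc, k_mac = derive_keys(master, salt)
    expected = hmac.new(k_mac, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or container has been tampered with")
    return json.loads(_xor(ciphertext, _keystream(k_enc, nonce, len(ciphertext))))


def new_site_password(length: int = 20) -> str:
    """A random per-site password that only the container needs to remember."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries; the site names are illustrative only.
    store = {"internet-banking": new_site_password(), "revenue-online": new_site_password(24)}
    blob = seal("correct horse battery staple", store)
    print(unseal("correct horse battery staple", blob) == store)   # True
    try:
        unseal("correct horse battery stapler", blob)
    except ValueError as e:
        print("rejected:", e)
```

Because everything hangs off the one master password, the KDF work factor and the strength of that password are the whole game: the container turns many weak, reused passwords into one secret that must be genuinely strong and never written in the top drawer.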
The fundamental message about network security is clear: in cyber-business as in any shop, security does not just begin at the door with the guard or the tag detector — it begins when management gives serious thought to the risks and plans how to deal with them. There is no real problem setting up a smart security system for most normal organisations. You invest in good systems and good advice. The problems come from the human side and tend to be at management level. Laying down the information access policy for each role and rank, for example, is essential or the system could actually hinder people getting on with their work. Yet this is exactly where many worthy efforts founder. Senior managers are also inclined to evade the general rules and forgive themselves anything. Any industrial spy will tell you that it’s always best to try to drill from the top down — easier to get in and more access when you do. The head honcho’s own desk and PC is invariably a good place to start — or try the PA’s.