Product vs. Service: The Business of e-Security
D-I-Y
As IT manager, the direction, efficiency and fate of your organisation's security management rests in your hands. In addition to developing best practices – those that identify and define an organisation’s IT strategy, including ongoing maintenance and emergency response plans – identifying pitfalls, defining priorities and planning for the future can go a long way towards reducing the threat of online attacks against your organisation.
Security – or lack of it – impacts an organisation’s entire IT environment. There are many e-security products on the market, including anti-virus software, Firewalls, Intrusion Detection Systems (IDSs) and Virtual Private Networking (VPN). While some IT departments turn to over-the-counter remedies for their system solutions, company security cannot be bought off-the-shelf with the hope that it will function as promised in the marketing collateral and user manual.
Relying on software not specific to your needs is what IT folks call 'play-and-pray': install a fix and keep your fingers crossed that it works. Purchasing solutions from high-pressure vendors and salespeople may mean that a customer leaves the store with not only an inappropriate solution for their purpose, but inadequate support for the installation and subsequent security checks that ensure the installation was successful. Adding to the risk mix at a higher level, installations left to inadequately trained IT personnel, or implementations made with overall programme shortsightedness, can mean that solutions are installed without consideration of the loopholes or backdoors left open (intentionally or unintentionally) within the products themselves.
More often than not, the amount of money spent on a fix or upgrade is directly proportional to the degree of security achieved. That's not to say that all store-bought security software is ineffectual, but the old adage of 'you get what you pay for' is usually true. With millions of dollars at stake, security management requires more than Band-aide solutions and marketing rhetoric to ensure its effectiveness.
Managing to Keep It Simple
No doubt you've heard of IBM 'Tivoli', Computer Associates 'Unicenter' and Hewlett-Packard 'OpenView'. Each of these products notes that they are designed for network management, enterprise management or infrastructure management – but not security management. Network management and e-security management are commonly and erroneously confused by many industry players.
From a network management perspective, the oft-referenced philosophy of C.I.A. – Confidentiality, Integrity, and Authenticity – is not applicable in an e-security setting. Simple Network Management Protocol Version 1 (SNMPv1), or 'Security is Not My Problem', is the primary protocol used in network management, and, as the name implies, it's simple.
This mode of transmission runs in clear text for passwords and contents and is a user datagram protocol (UDP) – a 'fire-and-forget' way of doing things. It is not as effective as the store-and-forward SMTP (Simple Mail Transport Protocol), and the transmission may come from and go to any machine on the network. Add in SNMPv2 (Simple Network Management Protocol) and SNMPv3 and RMON (Remote Monitoring) standards with enhanced PKI (Public Key Infrastructure) and encryption and the process becomes even more convoluted. From a security perspective, oft-applied 'quick fix' solutions only mask weaknesses and leave the organisation open to intrusion. In addition, complicating basic protocol with layers of added features or encryption overloads the transmission payload, resulting in delays. It also diminishes the real-timeliness of security management. For best results, don't clutter the process by breaching the 'keep-it-simple-and-sweet' approach to security.
Network management focuses on managing the network uptime, performance and resources. Conversely, security management is aimed at ongoing commitment to best practices, not stopgap measures. Its simplicity rests in an overarching approach, one that speaks to an organisation's long-term needs, its network configuration, its customer requirements, and the availability and ability of support staff to continuously monitor and manage the network.
Decoding Cryptography
During the last world war, deciphering German encryption used for radio communication was one of the pivotal factors to the American win in Europe. Many lives were lost and great pains taken to gain control of the key to German encryption coding, the Enigma Cipher. As true now as it was then, knowing your enemy is half the battle won. Companies must recognise and defend against enemies whose ability to obtain the key to their cryptographic processes render attempts at disguising code limited or, even worse, useless.
What is cryptography? In layman’s terms, it’s the use of mathematical algorithms to provide encryption and decryption functions on clear messages so that unwanted parties outside the two-way communication are unable to understand the message content. Despite the promise of protection, cryptography has its limitations: all cryptographic algorithms are breakable. Thus, cryptography should never be a single criterion on an information security blueprint.
With the advent of the Internet came limitless possibilities for data transfer and an almost inconceivable mass of online traffic, the most common of which is still e-mail. Notoriously simple to intercept, e-mail hasn't been popular with people who want to send highly confidential messages. Then came PGP, ‘Pretty Good Privacy’, a cryptography solution authored by Phil Zimmermann that keeps e-mail messages safe from prying eyes outside the organisation. PGP is, according to many sources, unbreakable (though even Zimmermann himself says that his code is breakable if enough supercomputers work at it for long enough).
Law enforcement officials fear that in the wrong hands this technology could be a serious weapon. The U.S. Federal Bureau of Investigation (FBI) claims that the law has fallen so far behind technology that police authorities in North America are being seriously restricted in monitoring criminal elements that have access to cryptography software. Complicating issues, U.S. citizens cannot export cryptography from the U.S. without proper licensing, but using unbreakable cryptography within the country isn't breaking, or even bending, the law.
The Last Word
With the potential for loss being so great, companies cannot afford to overlook the critical importance of guarding valuable intellectual and material property. In light of the many pitfalls of DIY solutions, the confusion between the fundamentals of network management vs. e-security management, and the trials and tribulations of encryption, organisations must remain ever vigilant in their approach to e-security.
As we've pointed out, no one solution is going to provide the level of e-security coverage your organisation requires. The safest bet is to build e-security into all of your practices from the start, beginning with the design of a comprehensive network infrastructure, identification and fortification of potential weaknesses, selection of tools and solutions most appropriate for your network and e-business applications, and drafting of company-wide e-security policies and procedures based on best practices.
Lastly, because e-security is a living process, continual maintenance, evaluation and upgrades are necessary to ensure that the solutions you've put in place remain efficient and effective. With hackers and virus developers working 24 hours a day to crack encryption and blast through Firewalls, proactive 24x7 monitoring of your network and internal and external traffic is key in defending your organisation against the always present threat of assault.
Albert Lim is Chief Technology Officer and co-founder of e-Cop.net, an Internet Security Services provider headquartered in Singapore, with offices and Global Command Centres (GCCs) in Singapore, Hong Kong, Kuala Lumpur and Tokyo.