Fraud and internal threats, unofficial WLANs and web services were top of the list of dangers flagged up at Check Point's User Experience event in Dublin, 22 May. IT managers at the event added that they fear the difficulties of end-user education, and the weaknesses created by policy conflicts between human resources, IT and security managers. Others are worrying about the social and legal implications of the spread of "Orwellian" surveillance techniques.
Everyone agreed on the importance of security, however. "Security may be a smaller market than storage, but it is $5 billion this year and will double next year and the year after," said analyst Aaron Goldberg of Ziff Davis Market Experts.
However, the temptation to overstate risks is strong: "I think every single user at home gets 200 attacks every day," said Gil Schwed, Check Point's chief executive, in his keynote, but everyone else at the event disagreed with him.
The "200 attacks" remark was based on the numerous alerts users see when they install a firewall or intrusion detection system. If all these were malicious attacks, it would require a hacker community much larger than is believed to exist, running multiple port scanners, delegates pointed out. In reality, many of these alerts are sites scanning for cookies rather than attacks -- a privacy issue but not one to panic over, said Goldberg.
While security technology focuses on the external threat, the industry is waking up to the fact that internal dangers -- from incompetence, accident or malicious intent -- are often more important. "The Great Wall of China was breached because someone opened the door," said Goldberg. "No security product can prevent someone with clearance from breaking the system." However, measures like cutting off someone's access as soon as they leave the company can help.
WLANs and web services
The danger of wireless LANs is well known, but not every IT manager knows they are in the company. "Anyone can put them in for $500, in order to take their laptop to the conference room. They don't understand the security hole, and it is hard to detect. I believe most large companies have some sort of wireless LAN in place, but in surveys only 20% say they have."
Simon Churcher, infrastructure architect at financial analyst Standard and Poor's, is not so worried, however: "We have WLANs, and encourage people not to hide them. We think we know every one there is, and we insist on IPsec encryption."
"We don't have them yet," said David Whelan, security architect for insurance company Eagle Star in Ireland. "Thank God," he added.
Web services are dangerous because they expose corporate networks to outsiders, and can rely on modules from the web. "It's terrifying," said Goldberg. The users we spoke to agreed that it was worrying. "What we picked up on our IDS is enough to make anyone scared," said Whelan. "You have to be in a state of worry at all times. Web services would increase that, but it hasn't affected us yet."
The fact that security now has to be embedded in everything means that security companies have to deliver more than ever on making their products work together. Although it is under the control of one company, Check Point's Opsec standard is a good one, says Goldberg. "Someone should control those APIs, otherwise you have chaos. The industry has to trust someone, and Opsec is market driven."
The trickiest thing is the people and policy issue. Education is important but the subject is complex, said several people. "We tell them computer security war stories, and users are stunned," said Churcher. But even if users understand security, it must be invisible to them, he said: "If they can turn it off, they will."
And even when people understand, their agendas may differ. "Sometimes IT puts in solutions, but human resources policy doesn't marry up," said Mark Smith, a solicitor specialising in IT law at Morgan Cole. Alternatively, HR may drive through a policy encouraging home-working without consulting IT people or getting it secure first.
"At some level security can prevent you or your customers from doing things," said Goldberg. But the limitations of security are perhaps to do with how much users can take. Make things too hard and users rebel. A rule of thumb suggested by one delegate is to tighten things up until a significant percentage complain, then take it back a bit.
How many hacks?
The one thing everyone agrees on is that security breaches are widespread. "About half of UK businesses have at least one security breach in a year," said John Ryan, sales director at Entropy.
Another hearsay indication is the number of people disciplined. "We deal with one case of web or email abuse per month already," said Smith. "Most are settled out of court, with a compromise agreement which prevents publicity."
It is obvious that security is never going to be "solved", but it is encouraging to see end users and suppliers agree on the issues.