Security: The Neverending Story

Security is a continuum, says Brian Bigley. Anytime access is provided through new technology, that access needs to be controlled. But the scales are tipped when you add in the social engineering factor: people mess things up.

If you're doing business over the Internet, you need a solid infrastructure and the security to go along with it, because large, successful e-businesses make the juiciest targets

It's been said time and again, that if you're doing business online, then you're competing internationally - in effect, you have become a global company.

You've also become a global target.

The next person to probe your company's network might well be a hacker in Russia or the competitor down the road

Companies are realizing that e-business security is a global issue, and they have to think global as well. The next person to probe your company's network might well be a hacker in Russia or the competitor down the road - but they both want the same thing: to get in.

Strangely enough, the bulk of security breaches don't happen as a result of an external threat, but because internal security policies simply aren't secure enough.

"Only 15% of listed activity comes from outside," says Brian Bigley, senior vice-president of the eTrust Global Consulting arm of Computer Associates. "60% comes from the inside."

Bigley, who conducts "penetration studies" for clients, pointed out that it was a lot easier for a disgruntled (or bribed) employee to walk out with sensitive data, than it was to hack into a system.

According to Bigley, when pitting technology against technology in their studies, the "net penetration was zero".

But the scales were tipped when adding what Bigley calls "social engineering".

Social engineering isn't limited to the purposeful actions of employees - breaches in security can be accidental as well.

Two wrongs, is two too many

Bigley executes awareness training for clients around the world, and was recently in Singapore to share with several representatives of the banking and finance sector how easily their infrastructure could be breached.

Spoofing works especially well because of the inherent fear that most low-level employees have of authority figures.

Bigley drew a not-too-unbelievable scenario of how it was theoretically possible to hack a bank using a little ingenuity and social engineering (not to mention a crack team of computer programmers).

A critical process in the scenario was for a hacker to pose as a high-level employee. The imposter would then obtain passwords from one of the lower-level tech personnel to gain access to the network - a methodology also known as spoofing.

Spoofing works especially well because of the inherent fear that most low-level employees, such as help-desk personnel, have of authority figures. This is especially true in an Asian context, noted Bigley.

Part of the solution is for management to realize the potential for such fear to be exploited - education of both the management and its employees will help lower risks.

IBM-owned Tivoli Systems provides management solutions and consulting, and recommends that companies engaged in e-business "appoint a high-level executive with a company-wide responsibility to develop and enforce security policies consistently across an organization."

Effective security management and control means making high-level decisions to guide a security policy across an organization, says Carl Kessler, vice-president for Tivoli SecureWay.

A secure groundwork

"You're really only as strong as your weakest link," said Bigley. "Security is a process, it's not just technology."

"You also can't rely on one piece [of security], you need at least two or three countermeasures."

Create the system first, and build it from the worst case scenario

There are common misconceptions that all companies need to do e-business, is a well-configured firewall, however firewalls cannot protect the system from properly authenticated users i.e. spoofers, or brute-force hackers.

Brute-force hacking occurs when a series of words are tried until the correct password authenticates the intruder. This technique typically works on systems that make use of common words as passwords, such as names of people, company products, or permutations of the above.

Other security components include the use of anti-virus programs, virtual private networks (VPNs), content inspectors, encryption, Web access control and application access control.

Bigley notes that most e-business executives don't place security high on their list of priorities.

Executives are used to traditional closed [mainframe] architectures, whereas e-business is now an open architecture, and therefore requires more thought into its security infrastructure.

Create the system first, and build it from the worst case scenario, Bigley recommended, adding that he would spend between 4-6% of the company's revenue back in security.

Security as a continuum

As technology evolves, new devices and ways of doing business necessitate new security solutions.

Anytime you provide access with new technology, you have to control that access

Already, several vendors, including Computer Associates, have already rolled out security solutions for use with WAP devices.

"Anytime you provide access with new technology, you have to control that access," says Bigley. "Internet appliances are another 'window'."

These potential vulnerabilities need management, policy, and encryption of access, said Bigley.

Companies need to constantly re-assess their own security measurements to ensure their adequacy and that they are up-to-date, explained Bigley, referring to the process of security for companies.

But there still are certain security concerns that may not be able to resolved yet.

One such concern would be the distributed denial-of-service attack, similar to the ones that brought down sites like Yahoo! and eBay earlier this year.

"Technology is still trying to answer that one," said Bigley, adding that CA was working on developing a solution that analyzes patterns of such attacks before they happen.