Shelter from the storm: How secure are your systems?

The art of defence is getting tougher. For businesses trying to protect themselves, the challenge to protect the corporate network is getting harder every day.

By  Robin Duff Published  November 21, 2000


The art of defence is getting tougher. For businesses trying to protect themselves, the challenge to protect the corporate network is getting harder every day. It’s expensive, both in terms of capital and skilled labour, to secure networks, mobile workers and e-commerce operations.

Security employees are being asked to deploy a growing number of security applications, which are by their very nature complex. For many security professionals, and particularly in this region, there simply is not enough time to design and implement the processes that will ensure these protective measures live up to their potential.

The problem is that, just like bacteria in the human body, viruses are getting more and more clever at outwitting the very means that are being deployed to destroy them. The “I love you” virus, which hit the world in May, spread from computer to computer as unsuspecting users clicked on a seemingly harmless e-mail message.

The self-replicating virus fed off infected PCs, quickly clogging up company e-mail systems worldwide and sending flurries of messages to even more machines. Within a few hours, more than 100,000 systems were infected; within days, tens of millions. The need, therefore, is for Middle East businesses not just to deploy software solutions to protect themselves but, more crucially, to establish an in-depth security policy that addresses every area of risk to important data.

“There are problems in the Middle East’s IT community, especially in [Saudi], and we are fighting an uphill battle day in and day out,” said Mizra Asrar Baig, chief executive officer, Information Technology Matrix. “We have a major security hole in our IT community, and the problem is that IT is developing at a very fast pace. IT and product and service providers, as well as customers, are always trying to catch up. In terms of a policy, you have to ask questions like: is a particular data set an asset to the company? Is the data to be shared with business affiliates with a confidentiality clause?”

So what should a security policy consist of, and why is it so crucial? One of the clearest problems facing the Gulf IT market is that it is still, for the most part, reactive in its approach to security.

A virus like Chernobyl or I Love You does create a sudden shock wave of interest and brings a degree of realisation of the threats, but at the same time vendors are often seen failing to deliver solutions that deal adequately with the problem. Baig elaborates on the point by saying that customers in this region still assume that the solution to a viral problem is relatively simple, and as a result are not as ready to pay for the appropriate implementation.

“The vendor, which then feels like it is being short changed for providing extra service, is then inclined to take short cuts,” commented Baig. “The vendor then just delivers the box. The net result is that the viruses are still going into the networks. No-one is talking about this, but a lot of organisations are getting into bad situations as a result.”

A major aspect of security that has been somewhat overlooked is that, most of the time, what is being ‘stolen’ or ‘trespassed on’ is intangible to its owner. The result is that the owners do not feel any immediate effect, and therefore do not feel threatened. A security policy built around six basic, dynamic principles is seen amongst security solutions consultants as the best foundation for getting round this intransigence.

These principles would be: an administrative policy; an operating system level security policy which considers users; an anti virus solution with an appropriate policy, particularly where e-mails are concerned; a firewall with policy; intrusion detection (especially for dealing with hacking from within an organisation); and data encryption.

“You walk into an average organisation — say a 100+ user base, and 90% of the time, you will find that they do not even have administrative policies, nothing documented, even the password on the server is one that the vendor set up at the time of the installation,” said Baig. “They have never been summoned by a network security policy or an e-mail policy. There may be a few very large organisations using network security. We will mostly see them failing to maintain the dynamic aspect of security.”

Another issue facing companies here is that, if they are sufficiently secure, exactly what they have protected themselves against needs to be examined. A recent survey done in the US by Symantec illustrated the problem: despite concern about ‘cybercrime’ amongst IT professionals and consumers alike, awareness that it is necessary to go beyond the standard anti virus software protection is lacking.

The survey showed that while 87.1% of consumers and 94.7% of professionals use anti virus software to protect their computer from viruses, only 19.5% of consumers and 48.9% of professionals use a personal firewall on their PC.

This shows that, while the trend towards preventing viruses is high, usage of tools to protect against hacker attacks is a different story altogether. Of course, the incidence of ‘personal firewalls’ in the Middle East is hardly significant, but the US findings do indicate the existence of a lax attitude to the hacking element of security.

In addition to this, 84.7% of consumers polled and 70.6% of professionals indicated that they were aware of how to protect themselves from online attacks. Of these, 36.9% of consumers updated their anti-virus software at least once a month, while 68.8% of tech professionals updated virus definitions in the same timeframe.

“These findings show that concern and a feeling of vulnerability due to viruses and cyber crime exists among both average consumers and technology professionals,” said Steve Cullen, senior vice president of Symantec’s Consumer Products Division. “But, in terms of protection from today’s threats, all types of computer users, including the more technically savvy, need to go beyond basic anti-virus protection and install more robust Internet security solutions that include firewall protection.”

The Denial of Service (DoS) attacks on companies such as Yahoo and Amazon.com illustrated that anyone can be hit by such attacks, but what is most relevant about these incidents is that these two companies were victims not of their own lack of awareness, but more of the lack of security policies in smaller corporate entities.

“This instance showed how vulnerable everyone is on the Web. Also it should have highlighted the ‘dynamic’ aspect of security,” explained Baig. “Firstly, there were so many servers on the Internet without adequate security, the attack was launched from a huge number of such servers. The attacker hosted his attack application on these servers, and essentially set a time bomb. What made the attack successful was not the security of the victims, but the inadequate security of others. New security threats evolve every day: the customers have to partner with vendors who are able to provide and maintain ‘dynamism.’”

There are a number of basic principles that can be safely considered as being central to any effective policy. Formalising the process by which a company compartmentalises its mission-critical data is essential and, as Baig says, requires a company to look at data as an asset. Ensuring that access attempts and refusals are logged for all sensitive business data is important, and can be taken care of by good intrusion detection software, which will cover external as well as internal access.

Restricting contractors, consultants and temporary workers to only the information they need to do their jobs will reduce the incidence of such people leaving with sensitive information they may have acquired on the job. The standard method for dealing with this would involve such tasks as changing passwords after projects have been completed or, failing that, the signing of non-disclosure agreements. One common misinterpretation made by companies is that remote access to a business’ network from external sources by using centralised modem access.

“It depends a great deal on the organisation and the sensitivity of the data and the type of transactions going on,” says Baig. “Firstly, no sort of access should be there without any firewall. Now the access may require an organisation to let users or other servers connect over the Internet, also the cost is much lower when you do that. Even the banks now let you do that, but of course with the appropriate security in place.”

The final, and possibly the most obvious, security policy, which still seems so often to be overlooked by businesses in the region, is that of the regular backup of sensitive data on all servers and host systems. What must also be remembered is that backing up data will preserve information availability and integrity, but only if the storage facility and backup information are properly secured, and if backups are performed regularly.

“Providing strong security for the backup process and storage ensures integrity of data,” says Baig. “It also helps protect large volumes of information from being redirected during backup processes or when being copied from storage.”
