The weakest link

Companies in the Middle East are increasingly waking up to the need for IT security. However, in their rush to buy antivirus software and firewalls, many organisations forget to draw up the policies needed to support them.

By Neil Denslow, published July 29, 2002

When a company thinks about IT security, it tends to think about firewalls, antivirus software and passwords. However, these are of little use unless they are backed up and organised by security policies and procedures.

“Policies and procedures are a critical part of any IT strategy,” says Ivor Rankin, technical sales manager, Middle East, Symantec.

“The technology we or anyone else delivers is simply an enabler and it enables policies that [companies] have defined,” he explains.

Traditionally, the Middle East has had a poor record on security in general and security policies in particular, with few companies taking security seriously and being prepared to spend money on implementing solutions.

“Top management cannot understand why they need to allocate a budget, when they have very intangible returns,” complains Assad Haddad, marketing director, Comsec.
However, the region is now waking up to the issue following September 11th, which made people generally more aware of the need for security, as well as the publicised spread of worms and viruses.

“If you compare what was happening a couple of years ago to what is happening today, you see there has been a big change. It has yet to reach the optimal level, but we are getting there,” says Abdul Karim Riyaz, marketing manager, Middle East operations, Computer Associates (CA).

“[However,] only a few companies have [a security policy] and most of them have put them in a safe locker and not really looked at it in two to three years,” he adds.
Ian Williams, e-security analyst, Datamonitor, describes procedures as the most cost-effective way for a company to improve IT security. Proper procedures will ensure that a company is making the best use of its existing applications, and also show where additional resources need to be deployed. “Tighten things up without spending and then spend to cover the holes that remain,” he explains.

For instance, Graham Cluley, senior technology consultant, Sophos, highlights how an organisation can easily reduce its chances of being infected by a virus by blocking all executable code at the gateway. Viruses are often hidden in screensaver (.scr) or Visual Basic (.vbf) files, and as these files are rarely business critical, most organisations can just put a blanket ban on them. Similarly, he recommends blocking files with double extension names. “It’s amazing how many of the new worms you will stop that way,” he notes.
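The gateway rule described above, as an added illustration that is not part of the original article nor any vendor's product: a small filter that parses a raw e-mail message and flags attachments whose name either carries a blanket-blocked extension or uses a double extension such as photo.jpg.scr. The blocklist is a constructed policy for this example (the article names .scr and Visual Basic files; .vbs is assumed here as the script extension), and the sample message is constructed inline.

```python
import os
import re
from email import policy
from email.parser import BytesParser

# Constructed policy for this example, not the article's or any product's:
# extensions that are rarely business critical and can be blanket-blocked at
# the gateway. ".vbs" is assumed as the Visual Basic script extension.
BLOCKED_EXTENSIONS = {".scr", ".vbs", ".exe", ".pif", ".bat", ".com"}

# A double-extension name such as photo.jpg.scr: a non-empty base name followed
# by two or more dot-separated extensions of 1-4 alphanumerics each. "\s*" lets
# the check survive whitespace padding inserted between the two extensions.
DOUBLE_EXT = re.compile(r"^.+\.[a-z0-9]{1,4}(\s*\.[a-z0-9]{1,4})+$", re.IGNORECASE)


def classify_attachment(filename):
    """Return None if the attachment name is allowed by the policy, otherwise a
    short reason string explaining why the gateway would block it."""
    name = " ".join(filename.split())  # collapse runs of padding whitespace
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "blocked extension " + ext
    if DOUBLE_EXT.match(name):
        return "double extension"
    return None


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, reason)] for every
    attachment the policy would block; an empty list means the mail passes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:  # body text and multipart containers carry no filename
            continue
        reason = classify_attachment(fname)
        if reason:
            hits.append((fname, reason))
    return hits


# Constructed sample message: one disguised screensaver, one ordinary PDF.
SAMPLE_MESSAGE = b"""\
From: sender@example.test
To: staff@example.test
Subject: Holiday photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/octet-stream; name="photos.jpg.scr"
Content-Disposition: attachment; filename="photos.jpg.scr"
Content-Transfer-Encoding: base64

AAAA
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

if __name__ == "__main__":
    for fname, reason in scan_message(SAMPLE_MESSAGE):
        print(f"BLOCK {fname}: {reason}")
```

The double-extension rule is deliberately blunt, which is the article's point: it will also stop legitimate names such as archive.tar.gz, so a gateway policy built on it needs a documented exception path rather than a quiet allowlist.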

Configuring antivirus software properly, and downloading patches, is just a small part of proper security procedures. Daniel Nufer, marketing director, Comguard, recommends that they embrace all aspects of the IT infrastructure as well as human actions across the entire organisation.

For instance, staff need to be trained not to reveal their password to other people as this undermines even the best security system.

“It doesn’t make sense to have just an advanced security application, as humans are the weakest point,” he observes.

Similarly, security policies also need to consider physical security issues, such as access to server rooms. “If you have physical access to a server then 95% of them can be accessed,” notes Theodore Kouyoumdjian, area manager MENA, Stonesoft.

Because of the all-encompassing nature of a good security policy, Ayman Esmat, regional director of strategic services, Internet Security Services Middle East (ISS), says it is vital that the process of drawing up security procedures is sponsored by top-level management.

“Especially in our region, the CEO has to be part of the process and the owner of the security policy, as his involvement will empower the committee to create the policy and enforce it,” he explains.

The first step in writing procedures is to identify what the company wants to protect. This will involve a risk assessment and the grading of data into categories, such as high, medium and low risk. Many companies will assume that this is a task for the IT department because it involves computers. However, Vineet Chhatwal, senior manager, PricewaterhouseCoopers Consulting, advises that the IT department should have no more than a co-ordinating role, with the risk assessment actually being done by the business users, as they, not the IT department, own the information.

Premchand Kurup, CEO, Paramount Computers, also suggests that the company tries to give a monetary value to each piece of information. This will then let the company see whether it is using its security in the most cost effective way, and also help the IT side justify the expense.

“If a direct valuation [of the data] has been done, then it’s very simple for the customer to determine whether it is worthwhile spending the money or not,” he explains.
After the risk assessment has been performed the company can define security policies to protect its data.

Nazeem Sharma, product specialist, Haris Al Falak, says the security policies “should include your procedures, your access controls, your password policies, software policies, and administrative policies for servers and machines. Basically, what is and what isn’t allowed.”

Clearly, this can be a mammoth and complex task given the wide variety of systems and users many companies have. Williams recommends using a standard model, such as BS7799, as a starting point.

He describes BS7799 as essentially a checklist of things that a company should consider.
“It’s something that companies that don’t know much about IT security can use to reach a certain minimum level,” he says.

Mirza Asrar Baig, CEO, IT Matrix, agrees that it provides a valuable framework, but notes that it needs to be adapted to a company’s individual requirements.

“That’s where you need an understanding of the culture and the habits of the organisation, how it works at the moment,” he explains.

BS7799 recommends regular external security audits, as often as every six months for critical systems. The vendors, which perform the audits, agree it is important to get an outside opinion of the policies in place.

“You need to have an external eye to see that everything is above board,” says ISS’s Esmat.

“It’s like a separate section that comes from outside and says there is a problem. The internal audit is a must because they check that everybody is complying with the policy. But I believe there should be an external audit as well,” he explains.

Aside from trying to prevent an incident happening, the security procedures must also be reactive to security issues. This should include both reacting to stop an attack in progress and also the steps to follow after a major incident. However, CA’s Riyaz feels that companies in the region have been slow to act in this area.

“I have not yet come across anybody who has come up and said ‘we have a definite disaster recovery plan’,” he notes.

“What happens in many organisations when [there is an incident] is that there are five different people asking people to do five different things. If there is a single point of contact within the company, and he is someone quite senior, then he can take charge, and everybody knows what his role is, if and when this happens,” he adds.

Cluley also sees this as good policy for dealing with virus attacks, as a knee-jerk panic reaction can make a problem worse. For instance, he notes that there are some viruses that are not e-mail aware, so there is no point shutting down the e-mail system if an organisation is infected by one.

Once the procedures, including the incident response plans, are written up, they should be widely published, preferably on the company intranet using a knowledge management tool, so that all end users know exactly what they can and can’t do.

Publishing the policy, however, does not mean companies can consider the security process to be complete.

Riyaz says this is a common mistake within the region, as companies “look at security assessment as a one-time thing. We emphasise that it has to be a continuous assessment on a day-in, day-out basis. If you do it today and then six months later, there are probably hundreds of things that will have come up,” he says.

Chhatwal also recommends that a security review becomes “part of change management… If they are planning to introduce a new product, maybe there will be no impact on security, but it should be formally recognised as a possibility.”
Given this need for regular reviews, as well as daily steps such as checking for the release of software patches, it is clear that to properly implement IT and physical security requires a large investment, not just in money but also in time and attention. For this reason, some companies are beginning to lift this burden off the CIO by creating a new role, the chief security officer (CSO).

James Buckett, Tivoli Presales manager, software group, Central Europe, Middle East & Africa, believes that this is an important role for ensuring that policies are properly implemented, otherwise security can be forgotten about by the IT department.

“If you want to have accountability you have got to centralise it and make one person accountable for it,” he observes.

This, however, is proving difficult as few people have the skills necessary to oversee security across the entire organisation. A recent People3 survey revealed that security manager was the hardest IT position for a company to fill, with the average search taking over three months. Comsec’s Haddad believes that the local picture reflects this.

“It is the biggest [security] head-ache that organisations have — finding people who understand security, both the physical and technical side, properly… It’s not like you are looking for a Cisco engineer, when you can find many people with good qualifications,” he notes.

The 24x7 nature of most IT operations further stretches the demand for IT security staff. Most IT departments operate on a 9 to 5 schedule, so when a hacker in America tries to break into a Middle Eastern company’s system, it is highly likely that the IT manager is asleep in bed.

Farooq Hasan, marketing manager, Comtrust, therefore believes that companies need to wake up to security and implement proper round the clock procedures.

“There is a mindset here that nothing is going to happen to my system. [People say] ‘there are very few hacks in this part of the World, so I have very little probability of an attack.’ This mindset is stupid [though]… because the bottom line is it can happen to you,” he argues.
