Enterprise on guard

The best security policies are layered like an onion. If a threat gets past one layer, then there is a chance that it will be stopped at the next one. In this feature, NME peels the onion to show the many different facets of security, from physical access to combating viruses to disaster recovery, that can be used to protect the enterprise.

By Simon Duddy. Published August 29, 2004

[Image: Emirates Group’s Laserian Kelly uses the concept of defence in depth and has gateway level solutions as well as others inside the perimeter.]

Security is one of the few issues sure to keep network managers and CIOs awake at night, and it is imperative that all interested parties have a thorough understanding of security weak spots and what can be done to plug the gaps.

Physical security has traditionally been outside the remit of the IT and network manager, but with the discipline increasingly reliant on technology, this is not guaranteed to continue. A good example of physical security becoming integral to the IT manager’s agenda is the use of biometrics to control access to areas ranging from airport departure lounges to storage facilities. Many businesses in the Middle East are now utilising biometrics in their suite of security solutions. “We plan to use biometrics to limit access in certain areas,” says Amro Fakahani, IT manager of Saudi import company, Banaja. “For example, in parts of warehouses where we store pharmaceutical goods we will only allow authorised people to enter,” he adds.

Not only is physical access control becoming a more technology-centric field, it is also increasingly being integrated with information security. This is borne out by the attitude of enterprises in the region. “We are looking at identity management, the products are maturing to the point where you can look at integrating building access with [IT] system access,” says Laserian Kelly, manager information security, Emirates Group. However, market commentators warn that security organisations wishing to drive integration between the two disciplines must carefully focus their efforts, because physical and IT security each pursue a broad set of goals.
“We believe that organisations must first examine a linkage of processes, such as user life-cycle management, monitoring, auditing and forensics before deploying integrated technology,” says Tom Scholtz, analyst, Meta Group. This will undoubtedly create more complexity in a security world that is already a complicated business. But as the perception grows that integrating these processes makes business sense, network managers will do well to prepare themselves for the task.

A related issue is access control within the enterprise. This is particularly important in large organisations with thousands of employees. When an employee leaves a company, making sure that the ex-employee is excluded from both the premises and the IT systems can present a problem. “Having an integrated solution makes this easier,” says Alain Kallas, chief security officer (CSO) for Front Defense. “One press of a button and someone is frozen out, rather than having different people in charge of different systems who all have to be informed and have to react,” he explains.

Although the convergence of access and physical security is increasingly common, it isn’t likely to keep network managers awake at night just yet. That dubious honour must go to viruses, which remain the greatest threat to the enterprise, according to most commentators. “The antivirus business is good, it’s inflation proof and has become a key component in providing business continuity,” says Justin Doo, managing director, Trend Micro Middle East and Africa. “There is limited growth left in some areas, but the investment by companies in antivirus and firewall solutions is ongoing,” he adds.

A few years ago the antivirus market was dominated by the big three of Symantec, McAfee and Trend Micro. While this is still largely true, there is increasing competition in the segment, with companies like Sophos giving the Middle East increasing focus.
That said, the established players are moving beyond their antivirus strongholds, with McAfee looking to move into intrusion prevention systems (IPS), for example. “Antivirus is important but it has become a commodity,” says Peter Kwisthout, territory manager, McAfee. “Antivirus vendors are coming to the end of the tunnel. McAfee’s IPS sales represent 10% of revenue at the moment and in the next two quarters we expect this to jump to 60%,” he adds. Trend Micro is increasingly providing on-site consultancy and training for customers, as well as its traditional products. “Solutions rather than products make up 60-70% of our sales. System integrators and value added resellers are key to growing the business,” says Doo.

The vendor landscape is evolving fast, but outstripping it by far is the development of the threats themselves. Blended threats, which combine hacker techniques for finding software vulnerabilities with virus-like behaviour to spread further, are a major concern. “We got hit in June 2003 by a Blaster variant,” says Jawad Abu Farha, IT director, Juma Al Majid. “It generated a lot of traffic within the network. We ran diagnostics for 48 hours, scanning the network and downloading the latest patterns without turning up anything. Then we sent sample files to the Trend Micro labs for analysis and got a pattern file and could clean up the virus. We were one of the first companies to report the virus,” he adds.

This means that a virus writer no longer needs a gullible employee to open an infected e-mail. Some viruses, such as Netsky-V, exploit security loopholes in Microsoft software that mean users can be hit just by reading an e-mail. Viruses have also developed to the extent that they don’t necessarily need to be e-mail borne. Sasser is a good example of this kind of worm. It spreads using a buffer overrun vulnerability in Windows operating systems. Anyone connected to the internet, including corporate networks, is potentially at risk.
“Viruses these days are often low level exploits,” says Ivor Rankin, technical sales & SE manager, Middle East & Africa, Symantec. “Most antivirus programs run in user mode and can’t see the core operating system (OS), where the exploits are situated. You can have two responses to this, patch effectively or integrate client security — firewall, intrusion detection and antivirus — to monitor both the user mode and core OS,” he adds.

While these new threats have enterprises on the defensive, one of the best methods of protecting a company is as old as the hills. Keeping software, from the operating system to antivirus, updated is one of the best ways to ensure that a company does not get hit. “63.1% of the small businesses we surveyed were not updating their antivirus software often enough to protect against the fastest spreading threats. Antivirus software is no use if you don’t keep it updated,” says Graham Cluley, senior technology consultant, Sophos.

An effective patch management programme is key if enterprises are to be resilient. This is less a decision about products, as all antivirus programs will come up with signatures to counter specific viruses, and more a question of process. “The problem is not about technology but about strategy. Lots of customers don’t have a strategy. Speeding up patch distribution is key, as is training customers and heightening awareness,” says Haider Salloum, marketing manager, Microsoft South Gulf. Microsoft has also made a big push in terms of tightening up security on its software. “There were four security vulnerabilities in the first 150 days following the release of Windows Server 2003. This compares with 17 security vulnerabilities in the first 150 days after the release of Windows Server 2000,” says Salloum. Completely tightening up code is impossible, however. As with any business endeavour there is a trade-off between cost and security. This means that the imperative to patch will not go away anytime soon.
Making the issue more serious is that hackers are paying close attention to patches as well. Their motives for this interest are, unsurprisingly, not benign. Skilled hackers can take a patch and reverse engineer an exploit from it, sometimes within days. This brings enterprises closer to the dreaded ‘zero day’ attack, and means that companies will have to install patches on the day of release to ensure they are covered. “The security environment is changing fast, there are blended threats and the window [from when a vulnerability is announced to when an exploit is released] is narrowing,” says Kelly. “It’s very important to keep patching. We have a team that works on alerts, prioritising these according to threat, before making a decision. The patches are then pushed out automatically around the organisation,” he adds.

Where antivirus software falls down is that it is a reactive force. With the speed at which virus writers are unleashing attacks increasing, users are looking to proactive measures to provide an answer. The firewall is the best established proactive solution that can work in conjunction with antivirus software. Firewalls are particularly important in the era of worms such as Blaster. “Blaster exploited a Windows vulnerability, but firewalls protected systems that weren’t patched,” says Symantec’s Rankin. Managing a firewall can be difficult, as they are porous, with traffic moving back and forth through different ports. The key to the effectiveness of a firewall is knowing which ports to open in order to keep applications flowing and making sure that the rest are closed.

A further proactive measure for the enterprise to deploy is IPS, which relies not just on signatures to detect attacks but also looks out for abnormal behaviour in the network.
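The point about opening only the ports applications need and keeping the rest closed can be checked mechanically, and the check also catches the most common ordering mistake. The Python below is an added example, not code from the article or from any vendor it names: it assumes a simplified first-match ruleset (a hypothetical `Rule` type, not any real firewall's syntax) and a constructed set of required ports, and it shows how an allow-all rule placed before a deny leaves that deny dead, so a port such as TCP 135 (the RPC port the Blaster worm attacked) stays reachable even though a rule appears to close it.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class Rule:
    """Hypothetical first-match firewall rule (not any real vendor's syntax)."""
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches every port

def first_match(rules: List[Rule], proto: str, port: int, default: str = "deny") -> str:
    """Return the action of the first rule matching proto/port, else the default policy."""
    for rule in rules:
        proto_ok = rule.proto in ("any", proto)
        port_ok = rule.port is None or rule.port == port
        if proto_ok and port_ok:
            return rule.action
    return default

def effectively_open(rules: List[Rule], proto: str = "tcp", default: str = "deny",
                     ports=range(1, 1024)) -> Set[int]:
    """Ports a packet would actually reach once the ruleset is evaluated in order."""
    return {p for p in ports if first_match(rules, proto, p, default) == "allow"}

def audit(rules: List[Rule], required: Set[int], proto: str = "tcp",
          default: str = "deny") -> dict:
    """Compare what is really open against what the applications need."""
    open_ports = effectively_open(rules, proto, default)
    return {
        "unexpected_open": sorted(open_ports - required),   # should be empty
        "required_closed": sorted(required - open_ports),   # applications that would break
        "default_policy": default,
    }

# Constructed sample rulesets: the weak one is the ordering mistake, the hardened one
# allows only the required ports and ends with an explicit default deny.
REQUIRED_TCP = {25, 80, 443}
WEAK_RULES = [
    Rule("allow", "any", None),   # allow-all first: every later deny is dead
    Rule("deny", "tcp", 135),     # meant to block RPC (Blaster's port), never reached
]
HARDENED_RULES = [
    Rule("allow", "tcp", 25),
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("deny", "any", None),    # explicit default deny
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        report = audit(rules, REQUIRED_TCP)
        print(f"{name}: {len(report['unexpected_open'])} unexpected open port(s), "
              f"required but closed: {report['required_closed']}")
```

Running the audit against the weak ruleset reports 1020 unexpectedly open ports in the 1-1023 range, including 135, because the first rule matches everything; the hardened ruleset reports nothing open beyond the three required ports and nothing required that is closed.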
A good example is that if an e-mail account is sending out thousands of e-mails per hour, there is a good chance it has been taken over by hackers and is being used as a spamming engine. But IPS is not a magic bullet and is only effective if the technology can accurately define the huge and ever-changing world of threats. Its automated nature also causes problems for some businesses, and it must be deployed carefully. “IPS doesn’t need manual input because it takes an action automatically but with this you increase the chances of false positive and false negative results,” says Tobias Christen, chief technology officer (CTO), Stonesoft. “For many companies with mission critical information flowing [in and out of the business] this is as important an issue as security,” he adds. Many companies cannot afford to lose an important e-mail because the IPS thought it was a threat and blocked it. IPS needs to be tuned to be effective. In the smaller business this is usually not possible, so it is harder to utilise in this space. That said, IPS is moving into the small business sector, with some client side IPS solutions, such as eEye Digital Security’s Blink. Sygate is also blending IPS, antivirus and firewall technology in one client-side solution.

Worry over blended and zero day threats has also prompted companies to extend firewall-like technology into network devices. A prime example of this is Cisco’s Network Admission Control (NAC) policy, which is designed to prevent notebooks connecting to the corporate network if they don’t have the correct security policies in place. This is largely in response to a large number of corporations being attacked through secondary infections when remote workers log into the network unaware that their notebook has been compromised. Cisco is also building more security features into routers and switches in a bid to beef up network resilience.
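The spamming-engine heuristic above (an account sending thousands of messages an hour) is simple enough to state as detection logic, and the tuning that the false-positive discussion calls for can be shown next to it. The Python below is an added example, not code from the article or from any IPS product it mentions. It assumes a constructed outbound mail log format, `<ISO timestamp> sender=<account> rcpt=<recipient>`, generated inline rather than taken from a real server, and a per-hour threshold and sender allowlist chosen for illustration; the allowlist is the tuning step that keeps a legitimate bulk mailer from being blocked.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Assumed log line shape (constructed for this example, not a real server's format).
LINE_RE = re.compile(r"^(?P<ts>\S+) sender=(?P<sender>\S+) rcpt=(?P<rcpt>\S+)$")

def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, sender) for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("sender").lower()

def hourly_counts(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count messages per (sender, calendar hour); malformed lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender = parsed
        counts[(sender, ts.strftime("%Y-%m-%dT%H"))] += 1
    return dict(counts)

def find_spam_engines(lines: Iterable[str], threshold: int = 1000,
                      allowlist: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, int]]:
    """Accounts that exceed the per-hour threshold and are not tuned out via the allowlist."""
    alerts = []
    for (sender, hour), n in hourly_counts(lines).items():
        if n > threshold and sender not in allowlist:
            alerts.append((sender, hour, n))
    return sorted(alerts)

def build_sample_log() -> List[str]:
    """Constructed sample: one normal user, one legitimate bulk mailer, one hijacked account."""
    base = datetime(2004, 8, 29, 9, 0, 0)
    lines = []
    for i in range(12):                      # alice: a message every five minutes
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} sender=alice@example.com rcpt=user{i}@example.org")
    for i in range(1200):                    # newsletter: legitimate bulk send, 1200 in the hour
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} sender=newsletter@example.com rcpt=sub{i}@example.org")
    for i in range(1500):                    # mallory: compromised account, 1500 in the hour
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} sender=mallory@example.com rcpt=victim{i}@example.net")
    lines.append("noise line that does not match the expected fields")
    return lines

if __name__ == "__main__":
    log = build_sample_log()
    print("untuned:", find_spam_engines(log))
    print("tuned:  ", find_spam_engines(log, allowlist=frozenset({"newsletter@example.com"})))
```

Without tuning, both the newsletter sender and the hijacked account trip the threshold, which is exactly the false positive the article warns about; with the bulk mailer on the allowlist, only the hijacked account is reported.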
“Routers and switches are a major component of the security solution in an enterprise and are potentially the hacker’s best friend. That’s why it is important to build security in routers and switches,” says Tarek Houballah, network security specialist, Cisco. Features that Cisco is including are the ability to lock down traffic, control user access and automatically generate an access list that allows the user to block off applications and ports that are not used.

In fact, the cabling chosen by the enterprise can also have an impact on security. Transmission of information is more secure over fibre optics than over copper Ethernet cabling because it is difficult to tap into the line. This makes fibre attractive for financial and security applications. Fibre is also unaffected by electromagnetic interference from radio signals, car ignition systems and lightning. Intelligent cabling solutions, such as Ortronics iTRACS-ready products, can also help, as they give alerts when a cable fails and can distinguish between authorised and unauthorised MACs.

No matter what technology, or blend of technologies, users choose to deploy in their business, a sound corporate policy will be the key to its success. “The Middle East is a very technology focused environment,” says Kelly. “So it’s important to set, communicate and enforce policy, before you look at the technology,” he adds. This includes having the correct security emphasis. For many companies, it is important to establish where the greatest threat lies. Many make the mistake of thinking of security only in terms of external threat, when in fact a significant proportion of attacks originate within the enterprise. “We are seeing an M&M problem in security, it’s hard on the outside but soft on the inside,” says Tarek Ghoul, country manager Gulf & Levant, 3Com.

Many companies, however, are making moves to ensure they have a holistic approach. “We use the concept of defence in depth.
We have several gateway level solutions and as there are other ways into the enterprise, such as users plugging in an infected USB drive, we have other security solutions inside the perimeter,” says Kelly. The company uses McAfee solutions inside the perimeter and solutions from other vendors at the gateway. “Let’s face it, no one particular vendor is any better than the competition,” states Dean Bell, regional director, BorderWare. “One vendor finds the virus first, one fixes it first, it’s simply a game of chance and having a number of vendors protecting your network at different levels is the only way to achieve anywhere near 100% protection,” he adds.

As well as developing a layered approach to security, companies need to make sure that appropriate processes are in place. These need to be tightly defined and rigorously enforced if technology is going to reach its full potential. “Developing a security policy is not easy, however it is much harder to maintain one flawlessly and ensure that it is adhered to by all concerned,” says Bell.

As part of working out the appropriate security processes for a company, a decision must be made on who is best placed to manage it. In an ideal world, virtually all companies would take care of security in-house. However, not all companies have the resources to adequately manage security on their own, so handing over security responsibility to a third party, usually a security vendor, can be attractive for a small company. “There are lots of different relationships that fall into the catch-all term of managed security, from consultancy, to company managed but vendor monitored, to full vendor outsourced. The key here is process and finding what is appropriate for the business in question,” says Symantec’s Rankin. Symantec has recently appointed Information Management Technologies (IMT) as its first managed security services partner (MSSP) in Saudi Arabia.
Although managed security is growing in appeal to some businesses, many dispute its benefits. “There is no future in managed security,” says Filip Keunen, marketing director, Scanit. “It’s a good in-between solution and there are some very good IPS/IDS solutions but we don’t recommend it,” he adds. Handing over the reins of your security solutions can present problems and prove more costly than taking control in-house. “Often consultants come and fix a problem, but when the situation changes the company has to re-hire the consultant to change the technology, which is expensive. In-house security is key,” says Keunen.

Integral to any security plan is knowing what to do if you do get hit, whether as a result of a catastrophic virus attack, fire, flood or bomb attack. Disaster recovery is therefore a central plank of any solution. In fact, disaster recovery has evolved into business continuity management, where the key thing is not just to recover from a disaster but to avoid downtime in the face of one. The simplest way to ensure business continuity is to replicate data and store it at another location. “Some companies are looking at long range disaster recovery, with the back-up site in some cases thousands of kilometres away,” says John Hickman, business continuity manager, EMEA, Hitachi Data Systems. “While this means that the same disaster that happens to the first site is unlikely to also happen to the back-up site, it poses other problems, such as the high cost of links. A lot of bandwidth is needed to transfer data quickly over this distance,” he adds.

As well as backing up data remotely, some companies are out-sourcing the entire back-up operation. The main reason for this is cost. It makes sense for some operations to out-source back-up so they can concentrate on their core business.
Whether you back up data on-site or off, and within the company or without, the main debate in business continuity is how to put an appropriate value on data. “Technology is the smaller part of the solution,” says Bjarne Rasmussen, vice president, technology services, Computer Associates. “Rules and process are more important and we are working with companies to make this easier,” he adds. It can be a difficult task to decide which processes are crucial to the business and which are important but not critical. It is also difficult to get different departments within the enterprise to agree on what is most important. “In the business analysis some divisions in a company are more equal than others while IT tends to see all departments as equal,” says Ali Khan, IT solutions architect, HP. Enterprises are moving towards putting responsibility for these decisions in the hands of the business focused decision makers rather than leaving it to the technical team. “The security department has to manage risk,” says Emirates Group’s Kelly. “But the business comes first and you have to make sure that the business is moving forward,” he adds.

Taking a holistic approach to security means taking into account the fundamental elements that safeguard business continuity. One area is electricity, which is not as reliable as many people think. Not taking the necessary steps to ensure continuous power supply can have a damaging effect on companies, both in terms of loss of data and downtime. “Uninterrupted power supply (UPS) is as critical to power driven devices as a proper diet is to an Olympian athlete,” says Vipin Sharma, director business development, Tripp Lite EMEA. UPS devices are developing fast and today occupy much less space than they have traditionally. They are also becoming more intelligent and can remotely shut down applications that freeze computers or kiosk machines, thereby reducing network administration costs.
“What we are seeing is a tendency towards more intelligent and complete UPS systems in the data centre,” says Erik Vossebelt, business development manager, APC. “UPS devices are able to be controlled over the net and we are offering management of devices, cable management and precision cooling as well as UPS in the same range of solutions,” he adds. APC has implemented UPS devices at Saudi Aramco, with devices at over 1400 locations. Using web access, the devices can be centrally controlled from Aramco headquarters. This creates a security problem: if the headquarters were compromised, the whole network could be taken down. “To counter this, the UPS is controlled on a dedicated network with stringent access control policies,” says Vossebelt.

Despite the worries that securing the enterprise presents, it is a job that must be tackled head on. Despite its complexity, the enterprise that has a thorough understanding of its workings and needs stands the best chance of thriving. “Common sense is often the best support against threat,” says Hein Vandermerwe, senior data centre architect, Sun Microsystems. “A company that knows its user base, requirements, data processing environment and what can be done without being disruptive is more likely to be successful,” he says.
