Enemy at the gates

Firms are having to think smart to deal with new security threats to their corporate IT networks, and facing up to threats from the inside as well as outside the company.

By Peter Branton. Published September 25, 2005

[Image: Companies have shifted focus in security concerns from deploying anti-virus applications, just three or four years ago, to integrating security and centralising management.]

Two months ago Mashreq Bank’s IT department detected a large number of failed login attempts to its systems from unconventional IP addresses — and whoever was trying to get in wanted to access accounts for fund transfers. Right there and then, it immediately became clear to the bank’s IT team that it was no ordinary computer glitch, but something far more sinister, and had it been successful, would have cost the bank thousands, or perhaps millions, of dollars. Warning bells started ringing as the bank realised that it was being hacked. Fortunately for the bank, it was able to implement emergency security measures before its core systems were breached.

What happened to Mashreq Bank, however, was not an isolated case. In fact, other banks, including the National Bank of Dubai, have reported similar attempts to their systems (see IT Weekly 16-29 July 2005). And while they were able to successfully thwart the break-ins, the incidents served as a reminder for everyone that the Middle East is no longer as safe as everyone thought it would be. People in the region are now beginning to realise the full implication of security threats. The attitude in the past of complacency, of believing that ‘it can happen elsewhere, but not here’, is now being replaced by a sense of caution, a realisation that when it comes to security breaches, the Middle East is as susceptible as other parts of the world. Consequently, the security landscape in the region has changed.
Just three or four years ago, addressing security concerns in the region meant putting anti-virus software in place. Then as network security emerged as an issue, firewalls were put in place. Recently, focus has shifted to integrating security applications and centralising management. Now, companies are looking at what applications they have and what they need. “At least the large companies are doing some sort of security audit or gap analysis,” says Abdul Karim Riyaz, business technologist, Computer Associates (CA), Arab Countries and Pakistan. “Most of them have multiple solutions bought from multiple vendors,” he adds. According to Riyaz, many small-to-medium-sized businesses (SMBs) are still in the phase of putting some sort of network security in place. Most of these SMBs had limited security with little more than anti-virus applications installed. But they need to do more. There are newer, more dangerous threats that enterprises must contend with. Spyware is being unleashed to steal information — such as credit card numbers — that can lead to financial fraud. Unlike viruses that cripple web sites and PCs, spyware sits quietly in systems collecting information with serious potential for misuse. Most of the time users are not even aware of its existence. It is estimated that one out of every three machines has a Trojan sitting in it.

Cyber criminals

[Image: The move towards cyber crime has raised awareness of spyware, says David Emm.]

The objective of this type of hacker is not just to pull down a website or cause temporary damage to a large number of PCs around the world. Such acts seek to make a point – which very often is that large companies make insecure software. Spyware has no such political objectives. Those proliferating such malware are financial criminals seeking monetary gain. “We are moving from vandalism to cyber crime,” says David Emm, senior technology consultant, Kaspersky Lab.
Suddenly, everyone is talking about adware and spyware. That is because the security environment has changed. “It is no longer about updating anti-virus software or intrusion detection,” says Emm. “It has to include spyware. Much of it — Trojans, backdoors — has been around as long as the spyware issue has been around too, but you hear the buzz only now,” he adds. But, could it be just another vendor-led technology hype? Emm thinks the threat is real. “People are looking for umbrella terms because the threat has become much more significant,” he says. The impact of spyware in the region was minimal, as companies were less dependent on the internet to run their business. But with e-business taking off in a big way, customers, suppliers and employees all use the web on a daily basis. “Now, you are running mission-critical operations over the internet. So the threat has much greater impact,” adds Emm. Riyaz agrees: “The biggest new threat is spyware. It gives unauthorised access to outsiders. It’s a bit like having no security at the doors of your corporate headquarters.” “Anyone can walk in and look through your files,” he adds.

Spy awareness

[Image: There is a slow uptake of identity management in the region, admits Justin Doo of Trend Micro.]

However, awareness about it in the region is low. “Even at the IT department level in many large companies in the region, people are not aware of the gravity of threat spyware poses,” says Justin Doo, managing director, Trend Micro, Middle East and Africa. “Naturally, it’s harder to get the message across to SMBs,” he adds. Of course, a few companies might be exceptions. In some smaller enterprises, advanced solutions are getting implemented by proxy. Local partners of global firms like Starbucks or Hilton are, by default, getting exposed to the latest, more comprehensive solutions. So where is the security market headed?
“If you look at anti-virus solutions today, they are far more comprehensive than what they were when I joined the industry in 1993. But no one can make them foolproof,” admits Doo. But customers expect their business to be running no matter what. Doo says the challenge is to keep areas of the network running even during an attack. For instance, if somebody has an online ticketing business, he cannot afford to have the site go down. Business continuity is a must. SMBs now can choose easy-to-implement suites. Vendors offer integrated suites comprising everything from anti-virus to anti-spyware to firewall in a single solution. The advantage of such a solution is that it comes with a full list of features and is easy to use. “As I see it, it is ideal for small businesses that do not have a large IT set-up. Larger companies would still go for best-of-breed solutions from different vendors,” says Patrick Hayati, regional director, Network Associates, Middle East. Bundles will always be there. But they are more useful for SMBs. Large organisations will evaluate different products. They will have multiple solutions at multiple points. “There is an integration of different products and that makes sense for desktops,” says Emm. Globally, companies are asking their partners to share the responsibility. Telecom vendors are being asked to take responsibility for what passes through their networks. Besides, the way companies look at security is changing. They are taking a more holistic view of things. One approach that seems to be emerging goes by the name of ‘end-to-end application security’. There appears to be some confusion amongst vendors about what it really means. However, Forrester Research pitches it as the next big thing in security. The underlying idea is simple. So far firms have largely focused on external threats only. Virus protection, intrusion detection and now spyware have hogged the limelight. 
But threats could come from within as well — what if employees steal the database or indulge in some sort of vandalism? Therefore, proponents of end-to-end application security suggest that companies should look at the security challenge from the perspective of applications rather than the type of threat. Companies can then figure out everything about how the application can be protected from both external threats as well as internal abuse (the wrong people getting access to the application or database).

Security rethink

[Image: Abdul Karim Riyaz of Computer Associates says many firms are now undertaking various forms of security audit.]

That means focusing on end-to-end application security, including the people, processes, and procedures involved, as well as the technology, including access controls. “Companies have started to rethink the way they look at security – the focus has started shifting from merely shielding, to the value and nature of the information or data that they are protecting,” says Vikram Suri, country manager, Symantec, Gulf and Levant. This is more of an approach than a technology. There is a slight twist to this however. There are those — CA for example — who suggest there is more to securing applications than some consultancy-driven framework. The answer has to come from making applications more secure. Traditionally, security has been thought of as something independent of the application itself. So you add security software on top of an application. “That concept needs to change. There are security considerations you can embed in an application itself,” says Riyaz. Developers are not security experts. However, CA claims it has created tools that developers can add while writing the application without having to spend time reinventing the wheel. “An increasing amount of attention has been focused on vendor responsibility to develop safe code,” says Suri.
“There is also attention to the security vendors’ ability to develop integrated solutions to protect companies against increasingly complex threats designed to circumvent traditional security measures,” he adds. Forrester sees this as a good thing. Even though it may be some time before applications are ready to take care of themselves, the attention being paid to developing secure code is already forcing developers to factor in security considerations while writing code. Linked to applications are databases. While the former are common to hundreds of enterprises, databases contain information unique — and indeed critical from a competitive point of view — to an enterprise. And yet, while network security gets all the attention, the issue of database security has largely gone unattended. Experts predict that is about to change. In 2005, “database security will continue to gain importance across the industry, especially for those storing private data, primarily driven by increased intrusions and growing regulatory requirements,” according to a Forrester Research report. Because of the Ford-Experian incident, some security experts believe that putting consolidated customer information in one central database is too risky. They suggest companies fragment information — such as name, address and account details — and store them in smaller databases. After all, it’s much easier to break into a large centralised database than small separate databases. And those determined to find their way around security walls are likely to cut through the defences, sooner or later. And the culprits need not be outsiders. “The enemy could be within the gates,” as Emm puts it. Employees who have left the organisation, but have retained access privileges to intranets, could pose a serious threat. In a recent incident, three executives have been found guilty of stealing information from their former employer. 
They joined a competitor but continued to access their former company’s information. How is that possible? Often, such accounts are not disabled. Similarly, when the work profile of an employee changes, the data he should have access to needs to be altered too. Again, this usually does not happen promptly enough. According to IDC estimates, expired user accounts may be upwards of 60% of all accounts in corporate systems.

Old identities

[Image: Most of the time users are not aware that spyware has infected their PCs.]

That is putting the spotlight on ‘identity management’ – a piece of software that makes it easy for system administrators to activate or deactivate employee accounts, access rights policies, cards and other privileges. By automating this process, the software allows simultaneous activation or deactivation of a user account across multiple points within a consolidated interface. This reduces the cost and effort in managing employee churn. Or that’s the idea. Putting such a system in place has turned out to be tougher than most companies imagined. There are no standards yet for identity records and authentication processes. As a result, there is no single format for either the old applications or the new ones. Integration is time consuming, as the process is largely manual. Things should get better in the near future. Security Assertion Markup Language (SAML), an XML framework, is gaining momentum in standards organisations such as Oasis and the Liberty Alliance. There was a setback earlier with two software giants, Microsoft and IBM, shirking the alliance. However, customer pressure has brought IBM back to the table. The idea itself is evolving – from being enterprise-centric to incorporating partners outside the boundary of the enterprise. Identity federation, says Forrester, is the future. Several firms that do business with each other will be able to authenticate users across the network with a single sign in.
The other thing in favour of identity management projects is the emergence of virtual directories that make it easy to seamlessly integrate authentication and applications. And there are those who suggest access control can be defined more easily by roles rather than a unique identity. Privileges are granted based on the role, rather than a unique identity. Such an approach can ease day-to-day identity administration. However, it is early days for identity management technologies in the Middle East. “The uptake is beginning to happen. But still awareness is low,” says Doo. He concedes such solutions are relevant only if the number of users is large. In many cases, security is lax because companies do not have internal expertise. Their IT departments have evolved from a pool of system and network administrators. Therefore, they are more tuned to managing software or at best handling network security. Therefore, it might make sense for enterprises to outsource their security. Globally, managed security services is a hot topic. It has emerged as an ideal solution for companies that have limited IT resources or do not want to invest heavily in hardware and software. However, there is often a sense of loss of control while handing over security to a third-party service provider. “Trust is an issue here, particularly in this region,” says Doo. Vendors of such services realise that customers need to know, on an ongoing basis, what is being done about their security. They need to have a sense of control. To ensure transparency, vendors in the West provide real-time reports, if a customer’s network is under attack. Customers demand information that keeps them aware of the nature of threats they face and what is being done about it. Symantec, for instance, updated its Symantec Managed Security Services Secure Internet Interface recently. This interface provides a consolidated view of the threat environment to Symantec’s customers. 
The emergence of managed security services is also leading to a bundling of solutions. Hardware, software and security vendors have come together to deliver complete solutions. McAfee and Checkpoint have also joined forces to offer managed security for the small business market, delivering a firewall and anti-virus managed solution. But for the concept to work, pricing will need to be attractive. “Cost is an entry barrier in the region. Labour costs here are very low. So if the work is outsourced — and done in the US or Europe — then the economics becomes unfavourable,” says Doo. Symantec has recently launched the service for enterprises in the region in tandem with a partner. Given the fact that around 65% of business in the region falls in the SMB category, it may not be a bad idea for such companies to explore managed security services as an option. As Riyaz says, they have to understand that the threat is real, and credible. Global security management trends reflect the response to the evolving threat scenario. And while other aspects of business such as marketing need to factor in local nuances, companies in the region would be wise to take the global scenario seriously. For the threat they face is no less grave.
