Caught in the web

Enterprises still lack an understanding of the various security mechanisms that need to be in place in order to ensure that their online presence does not cost them their business.

By Sathya Mithra Ashok. Published March 1, 2009

While internet usage rates are still fairly low in the region, industry experts believe it is set for rapid growth. However, enterprises still lack an understanding of the various security mechanisms that need to be in place in order to ensure that their online presence does not cost them their business.

Over the last year, internet penetration in the various countries of the Middle East grew by leaps and bounds. Currently, there are more people connected to the web and interfacing with it than ever before in the region.

In spite of this massive spread of broadband, and more potential customers coming online everyday, not many regional enterprises have willingly taken to e-commerce.


"In reality our experience is that they are not doing it as fast as other regions. There might be a number of areas where organisations in the region are using web services, but these are mostly the case when it is being dictated by global structures and IT functions as a remote entity. While the actual take-up is not as much as say Western Europe, the awareness levels remain high," says Mike Smart, senior product marketing for EMEA at McAfee.

In a region where shopping is considered a recreational activity, it is not surprising to note that not many customers are eager to turn to internet purchasing, and not many companies have ventured into the field.

Most of the work in web services in the region has been done by governments which have enabled online services, and banks and financial institutions which encourage the customers to use the web as a convenient way to manage their finances.

Apart from this, online applications in enterprises have remained in the realm of a few internal processes, and only when it is absolutely necessary, though many in the industry believe this is soon set to change.

"Yes, the whole internet adoption for commerce in the region is a bit behind the curve compared to Europe and the US, but the market is growing very quickly indeed and actually faster than anywhere else in the world," assures Ian Cochrane, marketing manager, southern emerging markets at Trend Micro.

While enterprises that adopt web services may remain in the minority, the question is whether they are putting in the right security measures to guard their online applications, and this question is likely to take on priority as more organisations adopt e-commerce applications.

"I believe this is the sad part of the story. The majority of organisations in this region are not taking care of the security aspect of their web applications. We hear lots of stories every day about organisations that got hacked or went out of service for some time.

Obviously, with the trend of running a business over the internet, this makes it a prime target for internet criminals and sophisticated hackers," points out Ala Al'Khalil, F5 team leader at network distributor SecureWay.

Getting ideal

"While security measures vary according to organisations it's important to remember that web services open up a potentially big hole to the outside world by their very nature.

So people are very much closer to sensitive data than they were when they used to have to actually visit a physical office. This has meant a re-evaluation of how sensitive data is treated and what discipline needs to be applied to it," states Nigel Ashworth, technical director, Middle East and Africa at F5 Networks.

"The rapid introduction of web services has led to a sporadic security response. We have seen organisations design well thought out security strategies around web services, however the level of implementation has been varied.

As web services provide relatively transparent interoperability between business functions, the skills required to validate web services specific security measures become more specialised," adds Mark Hammond, lead principal consultant at Symantec.

Whether an enterprise decides to build, maintain and monitor online applications internally or it chooses to outsource these activities to a service provider, it needs to ensure that the security environment is maintained as close to an ideal state as possible.

"If you are having your stuff hosted by someone else then you will need to conduct regular reviews of your provider's security and make sure that they meet your security criteria rather than their own security criteria.

When offering online apps internally, the number one duty is to make sure that you keep any of your internet facing systems patched and up to date. Many companies have been compromised due to weaknesses in their patching regimes," says Rik Ferguson, senior security advisor at Trend Micro.

"Number two is that you have to keep your stuff regularly tested and that means vulnerability scanning and penetration testing, from the internal perspective obviously, but it is also very important that you scan the service from the outside, from the internet, as well. This is probably more important than internal scanning. You also need some kind of strong authentication, like two-factor, token based systems, to validate your customers," he adds.

McAfee's Smart argues that enterprises should rely less on traditional, physical, appliance-level security, since on its own it cannot catch modern-day threats.

"The way we see this taking off in a secure way is to focus much more on the user, what the users are doing, where they are going, what types of apps they are using, and looking at doing risk assessment around those apps. Any system that is able to understand that it is not just web traffic here, but a specific app within web traffic, is really where we are able to provide more control over the users and protect them," he says.

Premchand Kurup, CEO of Paramount Computer Systems encourages organisations to consider the implementation of web application gateways, a web application vulnerability assessment, an application process security review as well as multi-factor authentication.

Judhi Prasetyo, Middle East consulting manager at Fortinet, recommends periodic testing of apps by an independent team, supported by the deployment of tools that can detect malicious activity. Beyond these considerations, the security of data in transit also needs to be kept in mind.

"All sensitive information needs to be transmitted securely via technology such as Secure Sockets Layer (SSL) encryption. Digital signature technology needs to be used to assure customers are interacting with the legitimate servers, and finally all network traffic needs to be monitored by devices such as IPS/IDS (Intrusion Prevention/Detection Systems)," points out Ahmad Kamali, director of network and information security development at ISP Etisalat.

Ferguson adds, "Encrypt all messages that go out and encrypt critical data on disk. This means that even if a hacker gets into your systems he will find only protected information.

Use coding best practices for your website and make sure you use the right techniques to avoid SQL injections, which account for a majority of attacks on sites. Also, put in place simple database security measures like providing access only on a need-to-know basis with least privileges. So if a user accesses a system for only reading a document, he cannot change it."
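The two points Ferguson makes, avoiding SQL injection through coding practice and granting database access on a least-privilege basis, can be shown side by side in a few lines. The following is an added example written for this page, not code from the article or from Trend Micro. It uses Python's built-in sqlite3 module with a constructed two-row users table; because SQLite has no per-user GRANT statements, a connection authorizer that permits only SELECT/READ stands in for a read-only database role, and the passwords are stored in plain text purely to keep the demonstration short.

```python
import sqlite3

# Constructed sample data. Real applications store salted password hashes;
# plain text is used here only so the demonstration stays short.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation, so attacker input becomes SQL.
    Kept deliberately vulnerable to show the bypass."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, name, password):
    """Hardened form: bound parameters are only ever treated as values."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def restrict_to_read_only(conn):
    """Stand-in for a read-only database role (assumption: SQLite has no
    GRANT, so an authorizer denies every action except SELECT/READ and
    the transaction bookkeeping the driver issues)."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
               sqlite3.SQLITE_TRANSACTION}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def try_change_password(conn, name, new_password):
    """Return True if the write succeeded, False if the role denied it."""
    try:
        conn.execute("UPDATE users SET password = ? WHERE name = ?",
                     (new_password, name))
        conn.commit()
        return True
    except sqlite3.DatabaseError:   # SQLITE_AUTH surfaces as DatabaseError
        conn.rollback()
        return False


def demo():
    """Run both checks and return the observations as a dict."""
    conn = make_db()
    # Classic payload: closes the string literal, then comments out the
    # password check with SQLite's "--" end-of-line comment.
    attack_name = "alice' --"
    results = {
        "vulnerable_bypassed":
            login_vulnerable(conn, attack_name, "wrong") == "alice",
        "parameterised_bypassed":
            login_parameterised(conn, attack_name, "wrong") is not None,
        "parameterised_legit": login_parameterised(conn, "alice", "s3cret"),
    }
    # Least privilege: a reader role must not be able to modify the record.
    restrict_to_read_only(conn)
    results["write_allowed_for_reader"] = try_change_password(conn, "alice", "owned")
    results["password_unchanged"] = (
        login_parameterised(conn, "alice", "s3cret") == "alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query lets `alice' --` log in as alice with any password, while the parameterised query treats the same string as a literal name and finds no row. After the connection is restricted to reads, the UPDATE is refused and alice's credentials are untouched, which is the outcome Ferguson describes for a user who only needs to read a record.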

"A dedicated web application firewall (WAF) has to be adopted as a core part of these measures, as it is a proven technology that protects against new types of threats, which any web application will face almost daily.

Recent studies show that cross-site scripting, SQL injection and information leakage constitute more than 82% of these new threats, so critical action has to be taken to prevent these threats. Organisations have to do regular reviews of their security policies to ensure they are up to date and tuned to get optimum results," says Al'Khalil.
