No one with a network is safe from digital attack. Smaller organisations and those out of the limelight can no longer hide behind their obscurity: these are the training grounds for up-and-coming hackers. Frank Booty takes advice on getting networks open yet secure
With all the technology advances over the past few years, protecting information and data in the digital world – particularly in networked environments – has become difficult. Internationally-renowned security technologist (and CTO of Counterpane Internet Security) Bruce Schneier in his book ‘Secrets & Lies: Digital Security in a Networked World’ notes that good security involves a combination of prevention, detection and reaction. Protection-only mechanisms (firewalls, cryptography, etc) cannot be relied upon: they’re vulnerable.
Generally, while the security message may be getting through, there are worrying inconsistencies in the perception of internal IT security. Most manufacturers appear to feel that passwords provide the best protection. They don’t.
And there are additional issues here for everyone getting involved in aspects of e-business – yes, we want to keep hackers out, but yes, we also want to welcome in existing and potential customers with open arms. All this in an area where few, if any, want to talk openly: if companies have got security procedures in place they’re hardly likely to talk about them. Equally, if something goes wrong they don’t want to talk about it; if they’ve just installed the latest release of authentication software they don’t want to talk about it.
One lesson worth heeding comes from Fishers Feeds of Driffield, East Yorkshire. Its finding: don’t ignore financial transactions that often sit around unprotected until, in this case, forwarded to BACS. Fishers Feeds is the largest trader of agricultural crops in the UK: it decided to find a way to secure inter-site financial transactions between its headquarters and four divisional offices.
The story goes that the company became aware of the vulnerability of such data on its networks, and Fishers found it necessary to look for a secure solution for its wide area network (WAN). In the event the company went for X-Kryptor (www.x-kryptor.com) network encryption (which unusually provides secure, integrated multi-platform protection between clients and servers on corporate TCP/IP networks) from Barron McCann (www.bemac.com). It’s now being used for the BACS transactions between the sites. IT director Jon Colborne would say no more than, “Security is a high priority for our company. X-Kryptor gives us a highly secure solution that was simple to implement. We now have more confidence in the integrity of our financial data travelling over the WAN.”
Exactly. Mark Lillycrop, director of research at IT analyst Xephon (www.xephon.com), says, “The real problems are often found inside the organisation – over 20% of respondents to our survey ‘Enterprise security strategies’ said they could protect their systems from interference by malicious employees only ‘occasionally’. Over 75% said the impact of insider damage, though rare, was potentially very serious or disastrous.”
The Xephon research shows that e-business and security are out of step in 50% of large organisations. “No networked IT application can be totally secure, and it’s challenging to deliver the highest level of protection without making systems inflexible and hostile to users,” observes Lillycrop. The safest place to store data? The mainframe (9/10) followed by Unix (6.6), NT/Windows 2000 (5.5) and Linux (4.6).
However, “Security cannot be 100% guaranteed,” says Ian Hameroff, security manager for global IT and e-business giant Computer Associates (www.ca.com). “Security is about meeting the needs of what you’re willing to risk.” And he adds: “We offer software across the gambit [sic] to manage the business, clicks and bricks – security, systems, storage and database management. The approach we’ve taken with our security products, marketed under the eTrust banner, is to offer tools in three solution areas. These are to defend the e-business from threats, to enable enterprises to extend applications out to the e-business world, and to manage the chaos that can ensue from suddenly growing from a few thousand users to millions.”
Paula Palmer, vice president and managing director Europe for e-business security software firm Entegrity Solutions (www.entegrity.com), believes network security is only half the story. In manufacturing industry, where the concept of the e-supply chain and B2B exchanges is taking off, organisations need to be aware of application-level security for business partners. “Organisations focusing on network security risk missing the business-empowering aspect of security,” says Palmer.
“The first wave of security-savvy companies installed firewalls to prevent hackers accessing corporate systems where they could potentially wreak havoc. When companies wanted more people external to the company – such as customers or suppliers – to access corporate systems, these same companies tried to solve this access management problem by implementing strong authentication. So they deployed sophisticated public key infrastructures (PKIs) to verify the identity of each individual.”
But this was only half the solution. PKIs only identify who someone is; they don’t define what that person should be able to do or see. That second half is the next wave of security to be implemented as organisations realise that authorisation allows you to open all the corporate doors, not keep them barred. Palmer’s company has a product that enables organisations to determine who has access to what data. You may only want a partner to see your stock control list if their last invoice has been paid.
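The authentication/authorisation split described above, as an added illustration that is not code from the article or from Entegrity’s product: the PKI establishes who the partner is, and a separate deny-by-default policy decides what they may see, here gating the stock control list on the partner’s last invoice being paid. The class, function and ledger names are assumptions, and the ledger data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity as established by the partner's PKI certificate (assumed shape)."""
    subject: str          # e.g. the certificate subject name
    organisation: str     # which trading partner the certificate belongs to


@dataclass(frozen=True)
class Invoice:
    number: str
    paid: bool


# Constructed sample ledger: most recent invoice per partner organisation.
LEDGER = {
    "acme-parts": Invoice("INV-1041", paid=True),
    "bolt-supply": Invoice("INV-1042", paid=False),
}


def last_invoice_paid(principal: Principal) -> bool:
    """Business condition: the partner's most recent invoice has been settled."""
    invoice = LEDGER.get(principal.organisation)
    return invoice is not None and invoice.paid


# Policy table: resource -> action -> condition that must hold for access.
POLICY = {
    "stock-control-list": {"read": last_invoice_paid},
}


def authorise(principal, resource: str, action: str):
    """Deny by default: only an explicit rule whose condition holds grants access.

    Returns (allowed, reason) so the decision can be logged and audited.
    """
    if principal is None:
        return False, "not authenticated"            # no identity, no decision
    rule = POLICY.get(resource, {}).get(action)
    if rule is None:
        return False, f"no rule grants {action} on {resource}"
    if not rule(principal):
        return False, f"condition failed for {principal.organisation}"
    return True, "granted"
```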
Rob Moores, e-business manager at IT services firm Lynx (www.lynxtec.com), says, “If you have a business strategy, a well-thought-out security strategy should be a fundamental part of it. Software design is just one part of the jigsaw, albeit a key one. If security is Cinderella at the e-ball, software design is the glass slipper.” Yet Moores points to a study for data warehousing company SAS Institute by market researcher Ipsos-RSL in 2000 which showed only 25% of organisations had measures against fraud on the Internet.
And here’s a point. Analyst ARC’s US-based IS and Infrastructure Group manager Stefano McGhee says, “Before, smaller organisations might have got away with little or no security for defending their networks. Today the reality is everybody will be found. Even if you believe that no-one knows where you are, someone does... Security by obscurity no longer works.”
Iain Franklin, vice president of anti-hacking software solution provider Entercept Security Technologies (www.entercept.com), adds, “Before any security measures can be taken, the exact nature of business risk – which varies between manufacturers – needs to be defined. Different levels of management need to be involved to combine business and technical perspectives. Once the business needs have been assessed, a security audit can be carried out to assess whether the security meets those needs.”
Franklin reckons the security market is at the stage virus protection was some five years ago – few thought they’d ever be on the receiving end of a virus attack. Now? Like virus attacks, hack attacks are expected to become more commonplace, and more disruptive. “To be secure now, businesses need to be aware of the limitations of products on the market,” says Franklin. “Take firewalls – often thought to be the best line of defence. There’s not one that cannot be hacked. Something is needed behind firewalls.” A sobering thought.