The market is awash with claims and counter-claims regarding the level and nature of security risks. Claims that risks are hyped give companies a false sense of security and put them at risk of not taking any action, while counter-claims often lead companies to spend in the wrong areas, an industry expert says.
Barry Cribb, MD of security testing company IS Digital Networks, agrees that, while companies should not hold back on implementing new technologies that would benefit their businesses, such as wireless, VPNs and VOIP, they must be aware of the specific security risks new technologies can introduce.
"The penalties for failing to recognise security as a highly-specialised field, requiring constant monitoring, and failing to have systems independently security-tested, could have devastating consequences," he says.
The vast majority of successful attacks take place as a result of common, known and avoidable errors in the system's build, design, configuration or the application programming itself, and it is these errors that most hackers exploit, he says.
The ability to install a firewall, build a server, write a Web-based application, deploy a wireless access point or get a VOIP system working does not make one a security expert, Cribb points out.
Avoidable flaws
"Many of the penetration tests we carry out exploit known and avoidable flaws that allow systems to be compromised. Furthermore, a majority of the systems we test contain vulnerabilities. The more complex the system, the more there is to attack."
He says the vulnerabilities discovered are typically present as a result of the lack of understanding of security considerations. Almost everything is hackable if it has not been deployed with security as fundamental to the design.
"The greatest problem with security is that there is no positive feedback mechanism that permits faults to be discovered in the course of the system's use," Cribb states.
The usual feedback on a security problem, however, is the negative one if the company is hacked. Many companies are unaware that their systems have been compromised. Their sites may even be used by hackers to attack another site or relay spam, Cribb says.
"One high profile South African site has been attacked eight times in the past 12 months, with multiple bogus pages added to the server. The company was not even aware that it had happened.
"The answer is not to avoid new technologies, but to test them when they are installed. Not just to check that they are working, but that they are secure. Objective and independent penetration testing is the only way to provide a positive outcome to an exploitable vulnerability and be able to enjoy the benefits that new technology can bring."