
Risk management under spotlight

By Carel Alberts, ITWeb contributor
Johannesburg, 04 Aug 2003

As the recent Absa incident brings corporate management under renewed scrutiny, Antonia Silva, a spokesman for local integrator NSS, says corporate governance principles in the King II Report provide for better management, but are not followed widely in SA.

King principles don't yet carry any prescriptive weight, but commentators say non-compliance may be frowned upon in investment circles and could possibly scupper large business deals. Silva advises companies to use tools like NetIQ's Security Analyser, which provide an effective way to secure a full house of IT systems.

Future-proofing

NSS was formed in 1995 as a network infrastructure company. However, it changed focus after a predictive assessment of post-Y2K life in South African IT buying trends.

The company came up with enterprise systems management as a main focus, and chose solutions like NetIQ, Concord, Smarts and other management tools to provide central control of companies' network-based systems and security management. These multi-purpose tools include functionalities like vulnerability assessment, intrusion detection, event log management and root cause analysis.

Network management and security

Enterprise systems management covers systems and application management (NSS manages all enterprise applications and components such as Active Directory, Exchange and databases), as well as network and security management.

"Central management of IT resources - components, appliances, applications, servers and devices - draws on pre-defined and known problem signatures. This enables security management as the next step," says Silva.

He explains that router and firewall logs can go into the terabytes of data per month, and since there is no prioritisation of log events, it is "humanly impossible to analyse this without a management tool or analyser. The idea with a good solution is to identify 'true positives', as opposed to false alarms of failure."

Solutions like NetIQ and others from Smarts and Concord provide a platform for analysis. Security Analyser builds on this by drawing on a back-end information base of known vulnerabilities, sourced from Bugtraq, Microsoft Security Bulletins and CERT. On analysing a system it finds vulnerabilities, categorises and briefly describes them, and suggests where to obtain a patch.

Vulnerabilities may range from unauthorised but otherwise legitimate hardware and software, such as a desktop modem inside a WAN, to a low-security setting in an application or autorun enabled on a CD-ROM drive.

Registry entries of keystroke loggers will be picked up, as well as back-end activity. This "audit" will help satisfy requirements of corporate governance risk compliance, and supplies a baseline security status for the company's systems.
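As an added illustration of the kind of audit described above (example code written for this page, not NetIQ's product or anything from NSS), the following hypothetical Python rule base matches a constructed host inventory against a few known weaknesses, categorises each finding with a pointer to its remediation, and compares two runs so the result can serve as a tracked baseline. The rules, hosts and the advisory identifier ADV-0001 are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One audit result; frozen so findings can be compared between runs."""
    host: str
    category: str
    description: str
    remediation: str  # constructed pointer to where the fix or patch lives

# Constructed rule base standing in for a known-vulnerability information base:
# (category, description, remediation, predicate over a host record).
RULES = [
    ("weak setting", "Autorun enabled for CD-ROM/removable media",
     "Disable autorun via policy (constructed reference)",
     lambda h: h["settings"].get("autorun_enabled", False)),
    ("unauthorised hardware", "Desktop modem present inside the WAN",
     "Remove the device or move it to an approved segment",
     lambda h: "modem" in h["hardware"]),
    ("known vulnerability", "Mail server below patched build 3 (constructed advisory ADV-0001)",
     "Apply the vendor patch referenced by ADV-0001",
     lambda h: h["software"].get("mailserver", 99) < 3),
]

def audit(inventory):
    """Match every host against every rule; return findings sorted by category, then host."""
    findings = [Finding(host["name"], cat, desc, fix)
                for host in inventory
                for cat, desc, fix, matches in RULES if matches(host)]
    return sorted(findings, key=lambda f: (f.category, f.host))

def baseline_delta(previous, current):
    """Compare two audit runs: (findings new since the baseline, findings resolved)."""
    prev, cur = set(previous), set(current)
    key = lambda f: (f.category, f.host)
    return sorted(cur - prev, key=key), sorted(prev - cur, key=key)

# Constructed inventory standing in for what a collection agent would gather.
INVENTORY = [
    {"name": "ws01", "hardware": ["nic", "modem"], "software": {"mailserver": 3},
     "settings": {"autorun_enabled": True}},
    {"name": "srv02", "hardware": ["nic"], "software": {"mailserver": 2},
     "settings": {"autorun_enabled": False}},
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.host:6} {f.category:22} {f.description} -> {f.remediation}")
```

Re-running `audit` after a change and feeding both results to `baseline_delta` shows which weaknesses were fixed and which appeared since the baseline.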

Other solutions, like NetQoS, measure application response time and pinpoint performance degradation to specific locations. "When companies operate in silos, there is much finger-pointing between departments as to the root cause of a response problem," says Silva. "These solutions put paid to that."

Behind again

Few companies in SA are really serious about curbing the risks that non-compliant technologies pose to others, says Silva.

"In the US, a new breed of official has emerged - the chief security officer - who reports not to the CIO, but directly to the board. This has helped avoid IT budget constraints that have hampered acceptance of the vital area of risk management."
