
Security: Beyond the technocracy

IT security in today's world is a balancing act in which companies must weigh the benefits of the online world against the risk they are capable of absorbing.
By Alastair Otter, Journalist, Tectonic
Johannesburg, 08 Apr 2002

Speak to just about anyone involved in the business of IT and you'll hear this phrase at least once: "There is no silver bullet in security."

The mantra is strikingly appropriate for an industry that is quickly coming to terms with the knowledge that there is no single solution to a problem that is becoming ever more prominent and widely spread.

And the onslaught, from internal and external sources, viruses, hackers and cyber criminals, shows no sign of slowing down. Rather, attacks are becoming increasingly sophisticated and difficult to track. The past 12 months alone have seen the emergence of blended-threat worms, Trojans that are almost impossible to detect, and a growing band of wannabe hackers with access to highly capable tools freely downloadable from the Internet.

Quantifying the threat is near impossible and varies depending on which report you read. As a guideline, a recent white paper from security company Symantec, entitled "Fundamentals of Secure Information Technology", quotes the following CERT figures: "According to the CERT Co-ordination Centre at Carnegie Mellon University, there were 2 340 reported IT security incidents in the US in 1994, but there were 34 754 in the first three quarters of 2001 alone."

It is not only the scale of the threat that is contributing to the growth of the IT security industry and the drive towards greater specialisation. It is also the increased sophistication of attackers and the fact that more and more companies are embracing the online world for the benefits it offers, while accepting the associated risk of partially opening their networks up to the world. Again Symantec: "Today's open environment increases the risk of loss [and] as technology becomes more sophisticated, so does the risk of unauthorised access."

The company's CTO Rob Clyde has another point of concern: "The growth of the Internet alone does not explain the significant increase in viruses and malicious attacks. The primary reason is the over 30 000 hacker-oriented Web sites and the 'democratisation' of hacking."

The threat grows

Kevin Archer, CEO of local security appliance vendor SecureWorx, predicts that the defining feature for 2002 will be the "dramatic class separation between the skilled and unskilled attacker communities. The unskilled will continue using automated attacks for Web page defacement and DDoS [distributed denial of service] attacks. The skilled attackers will start focusing greater efforts on more esoteric types of attacks at the perimeter, since most firewalls on the Internet today only react to IP header information. They will also include greater development of system backdoors that do not show up in process or task lists as this makes them far more difficult to locate during an audit."

It is an issue that dovetails with another concern permeating the security industry: the lack of security skills, both locally and internationally. Mark Danton, partner in charge of e-security at Ernst & Young, says the recent E&Y Global Information Security Survey 2002 concluded that more than 53% of respondents found the lack of security skills a challenge to establishing effective security systems.

And yet, as the security industry continues to grow despite a global IT downturn, it is also struggling to shake off the high-technology image that has limited it over the past decade to the realm of the IT department. "Technobabble" is what Danton calls it, arguing the case for security to become a mainstay of the boardroom. "Security is not a technology sell anymore. Until now security has not been pitched at a business level.

"Good IT security is 20% technology and 80% people and process," says Danton.

Trent Rossini, head of DiscoveryWorld at Discovery Health, agrees, also putting "people and processes" at the top of his security checklist, followed by performance management and access control.

Managing risk

"Nothing is 100% secure," says Rossini. "Security needs to be reflected against the business benefit offered." He points out that while it is important to establish the strictest security possible, the implementation of security should never hinder ongoing business processes.

Rossini says that while accepting that no system is perfectly secure, users must decide on "what is an acceptable level of risk". This depends, he notes, on the nature of the business and its operations. Danton echoes the thought by saying that companies must "understand what security they are putting in and its purpose". Businesses must understand the value of what they are protecting, he says, and build strategies around those values.

The fallibility of security systems is likewise echoed by security vendors, and SecureWorx's Archer says "many security teams try to shoot for 100% effectiveness even though it is impractical". According to Archer, better network design and monitoring are the key. And security should never be implemented as an afterthought. "Companies should design their networks from the ground up and incorporate security into the design from the beginning. Unless companies incorporate proper security into their networks, so that it is ingrained with the network infrastructure and not an afterthought, they will continue to have major security problems."

Archer also argues for a layered security approach, which he says is "a sure-fire way to increase your chances of detecting security breaches and incidents. A series of overlapping solutions work much more effectively, even when you know the solutions are individually fallible ... three security controls that are each 60% effective together are 90% effective," he says.

Similarly, Rossini says the fundamental principle of good security is to plan for the inevitable. "When the system is compromised, you must be sure that the breach is not a strong staging point for attacks deeper into the system."

But security systems degrade over time either through human error or new external threats. Danton and Rossini agree that it is the human element that is the weakest link in the security chain. "It is guaranteed that people will make mistakes that weaken the system when changes are made," says Rossini. "Unfortunately, there is no silver bullet in security, but the monitoring of systems is critical to security, as are dedicated and skilled staff."

Danton adds that while "we are putting in perimeter protection well," the security weakness in most companies is the result of constantly changing policies and faulty implementation. "Policies are changing constantly because the landscape is changing."

Falling apart inside

Conventional wisdom of the past 10 years has had it that as much as 80% of security "incidents" originated from within the corporate firewall, largely undermining the seriousness of external threats. Recent figures are putting a very different spin on the statistics with external Internet-originated attacks starting to account for a greater portion of reported attempts. Some figures, such as those from the Computer Security Institute and FBI 2001 Computer Crime and Security Survey, go so far as to turn the previous statistics on their head. According to the FBI survey, a mere 31% of attacks originate internally with external-source attacks accounting for the majority of attacks.

User experience, however, seems to run contrary to this figure. Rossini says that while it is difficult to accurately assess the number of internal threats, "definitely more than 50% [of unauthorised access incidents] originate internally. Not all are malicious and many are done for sheer experimentation but you have to draw a line somewhere. Unfortunately there is only so much control you can put in place ... and you have to assume a level of trust."

Richard Power, editorial director of the Computer Security Institute, says: "Clearly the threat from the outside is increasing dramatically and has been doing so for several years. It is quite conceivable to me that there are more doorknobs rattled from the outside than from the inside."

One size does not fit all

"Only 40% of organisations are confident that they would detect a systems attack," says Danton. Another, perhaps more worrying, figure is the 40% of companies that admit to not investigating information security incidents, according to the Ernst & Young Global Information Security Survey 2002. The figure cuts to the heart of effective security systems, which are all but useless without constant monitoring and upgrading. Danton says the speed of change and sophistication of threats is the single biggest challenge to implementing and maintaining a suitable level of security within a company.

"Security is a people-intensive process," says Danton, adding that the days of Microsoft-certified staffers picking up the security slack are long over. Today's ever-changing environment requires constant monitoring and specialist security staff in both large and small corporations.

While large enterprises have the resources to employ trained staff for their security needs, it is the small and medium sector that is increasingly becoming the weak link in the security chain as more and more SMEs move online. Of particular concern to many in the industry is the fact that the often badly protected SMEs are liable to be the weak spot that hackers use to launch attacks on their bigger parent or partner organisations.

Danton explains by way of example: a VPN connection between two companies, one of which has been compromised, may provide a potential hacker with direct and uninterrupted access to a parent corporation.

For many companies, particularly at the lower end of the market, the costs of security are prohibitively high and many of these turn to the low-cost PC-based solutions on offer. Linux, the freely available operating system, has gained a particularly strong foothold in this market because of its low start-up costs and its highly configurable nature.

Simon Kidger, a Linux engineer at local Linux services company SevenC, says that for the companies he deals with, the choice of Linux is made for many reasons, but the primary one is the fact that the operating system is open source. Being open source, the kernel can be configured, altered and shaped to individual needs. Another reason is that "Linux has a massive developer base and an extensive peer-review system," ensuring that the system is widely scrutinised for weaknesses and holes. "Linux does have bugs, but there is an exceptionally high turnover time, often in the order of hours."

PC-based versus appliance

The Linux approach has its critics, however. Among these is Archer, who argues that the approach is a costly one, particularly because it requires a high degree of skill and is often reliant on the knowledge of just one or two staff members. Danton is a little more direct when he says of companies following the Linux route: "The problem is that when your Linux skills leave, so does your firewall." Nevertheless, he says he understands the need of smaller organisations to follow this route, and for many it provides the best solution to their needs. The problem arises, he says, when users believe that the system is secure, install a stock-standard distribution and forget about it.

It is a problem that Kidger is well aware of, and he is quick to point out the difference between a Linux distribution and the kernel itself. "Just because the kernel is secure doesn't mean the distribution is secure."

Archer argues the case for Internet Security Devices - purpose-built plug-and-play devices that offer a range of services from firewalls and content filtering to virtual private network applications. The benefit, says Archer, is their simplicity of use, their reliability and their improved performance over the standalone PC approach. "Appliances typically sport an on/off switch and a few simple controls. The IT department can have a new appliance up and delivering service within 15 to 30 minutes of delivery," says Archer. And almost without exception they all run a hardened version of Linux.

Taking the plunge

The business of security is one of balance and risk management. There is no foolproof solution that will counter every possible attack, and with attackers gaining in numbers and sophistication, companies need to adopt a holistic approach to their IT infrastructure.

Building security in from the ground up is just one of the solutions. The other, equally important, solution is to layer security devices to avoid giving the few successful crackers a decent foothold to get deeper into the business.

Which hardware solution you opt for matters less than being aware of the need to constantly monitor and evaluate security systems. Security degrades over time, through both internal and external influence, and only regular and consistent audits will ensure systems are up to date.

But perhaps these are the most resounding pieces of advice: security is more about people and processes than it is about technology, and it is vital to develop an understanding within the business structure of what it is you're protecting and what value you attach to it. And lastly, never underestimate the damage a public attack can do. It may not result in lost data, but the loss of investor and client confidence could be even more damaging.

DiscoveryWorld: Balancing the risk

IT security is a balancing act, says Trent Rossini, head of DiscoveryWorld, Discovery Health's online offering. The company has made giant strides in its efforts to move a substantial portion of its user base over to the online self-service channel, and Rossini clearly recognises that the move is a game of risk management.

He says that while attacks on internal systems and backend processes can be devastating for companies, seemingly simple Web site defacements can be equally damaging if not more so.

"What is the value of your brand?" he asks. "Reputational attacks often have far more exposure than internal attacks ... and people's perceptions are very difficult to change."

It is an issue of trust, says Rossini. Public defacements can "discredit a channel that you are still in the process of setting up ... and will result in users defaulting back to older channels such as fax and phone."

The threat is a particularly stark one for companies that offer financial services because the defacement brings their security structure into question, he adds.

According to Rossini, online transactions require two key elements: authentication and authorisation. The former entails identifying users and verifying their legitimacy; the latter involves assigning the relevant privileges to the user.

He says DiscoveryWorld is built on a simple underlying structure that assigns a unique identity to each user, providing the company with a single view of all users. By avoiding multiple usernames and passwords for each user, the process is simpler for users and easier for administrators to maintain.

Rossini says the DiscoveryWorld site relies on the traditional username and password combination, largely because the alternatives are costly, cumbersome and rare. As far as new authentication techniques are concerned, "fingerprinting stands out because you can't leave your fingerprints at home". The hurdle is providing users with fingerprint readers and building up the requisite database of user prints. "All of these add inertia to people changing channels, and the more inertia, the less likely users are to change channels.

"Nothing is 100% secure. The challenge is to decide what is an acceptable level of risk."