ENTERPRISE: Under Attack

DQI Bureau

...so let the techies handle it. If you are one of those who believe that securing their organization’s network is an IT problem, it’s time to wake up. Chart out a fresh security policy, get your core team to participate, implement the same and review it periodically. After all, it’s a dangerous world out there.

Nothing has heightened security concerns in the near past more than the wreckage caused by viruses such as Nimda and Sircam. But security spans a much wider gamut of issues, and virus attacks and the resulting downtime represent only some of them.

Of late, cyber terrorism and its related species have added a wholly different dimension to the security panorama. An increasingly networked world is now also an increasingly helpless victim of such attacks. And after the terrorist attacks on the US, so overpowering has been the potential threat to network and computer security that no protests have been voiced against the FBI reactivating its Carnivore program, which snoops on e-mails routed through various ISPs.

In India, while there has been much talk about the need for greater security, action on the front is still insignificant. Most organizations don’t even have a formal security policy in place. What is more, the perception continues to be that security is a purely IT-related issue.

A reactive approach

Despite much talk about having security-savvy policies in place, most organizations take a reactive approach to security. Only when a security breach takes place–be it the corporate website being defaced or data being destroyed–do organizations sit up and take notice. Security exercises are seldom preventive in nature–and that’s a hard reality.

Organizations in verticals like finance and banking, telecom, and IT are relatively more alert, but the situation changes when it comes to organizations in other verticals. It is not that security awareness is absent there, but corporates often don’t take security seriously into account while planning their networks.

Joy Ghosh, country manager, Symantec

“In India, there is a lack of knowledge on enterprise security as a whole”

According to experts, a limited knowledge of enterprise security often leads to the reactive approach–many organizations believe that picking up a few anti-virus or firewall products off the shelf will adequately address the security issue. Moreover, the overconfidence of "this won’t happen to me" or "I have taken enough precaution" doesn’t leave room for a proactive security strategy.

A security breach can lead to disastrous consequences. Imagine the consequences of a serious security breach on a power major’s distribution network: there can be irrecoverable loss of precious data, and worse, a blackout spanning several states can significantly bring down industrial production.

Unfortunately, it’s only after such business losses have taken place that companies realize the need to go for a comprehensive security policy.

Hanif Sohrab, GM, e-Secure, HCL Comnet, says, "Enterprise security is more of a policy issue than a product-related issue. What’s the point buying a lock for your house if you are not sure where to put it?"

Neel Ratan, partner, Global Risk Management Solutions, PwC, agrees with the view: "Most Indian corporates do not have a formal security policy in place. What some of them have is no more than a mere document, which seldom spells out the kind of punishment to be given to those responsible for a breach."

SV Ramana, V-P, systems engineering, Cisco Systems India

“In today’s rapidly changing environment, it is difficult to have a fixed security plan deployed forever”

"In many a case, even the top management isn’t aware of the security concerns. Just imagine the risk when someone connects one’s laptop, loaded with sensitive company information, to the Internet, using the highly unguarded dial-up connection," Ratan adds.

While having a comprehensive security policy is imperative, the need to periodically review the policy is no less important. SV Ramana, V-P, systems engineering, Cisco Systems India, says, "There is no such thing as a perfect security. It is not possible to have a security plan deployed forever in a continuously changing environment."

Rajeev Wadhwa, COO, Global eSecure, opines, "Security is not given the importance it deserves and is still looked upon as an expenditure rather than an integrated network or application solution." He adds that most organizations perceive security to be a part of their infrastructure only when they consider doing e-business.

Daniel Ingitaraj, marketing manager, Microsoft India, however, doesn’t think that Indian enterprises can be squarely blamed for showing scanty concern for security. He says, "People around the globe have always shown a lack of awareness on security issues and policies."

Not just an IT problem

Top 10 Headaches of Security Managers
  • Servers where ordinary users have log-in accounts.
  • Users who modify their own desktops, especially by installing their own software.
  • No mechanism for scanning the network for open ports.
  • A single server running everything.
  • No logging of firewalled traffic, no summaries or periodic traffic analysis, and no one looking at denied or rejected packets.
  • Lack of an intrusion detection system.
  • "Temporary" holes made in firewalls to accommodate specific requests.
  • Passwords kept on default settings with no password aging in force.
  • No subscriptions to a third-party bug-tracker. Instead, employees rely on vendors to point out vulnerable points in their products.
  • An operations team that is not paranoid enough.

Source: Silver Line Technologies

Traditionally, security has been perceived to be an IT problem rather than a business problem. And the scenario hasn’t changed much over the years. In most organizations, it is the CIO who takes decisions when it comes to security. The concept of an information security officer is still new, though such a post does exist in a few IT/telecom firms, mostly MNCs.

Downtime losses from security breaches could have a far-reaching impact on businesses, leading to losses worth millions of dollars besides a fall in employee productivity. Since most businesses now depend on IT for mission-critical applications, any breach–be it data loss, damage, passing of sensitive information or virus attack–can have far-reaching implications.

Why is security, in spite of being a business problem, still largely perceived to be a purely IT-related issue? While IT is a tool for securing business networks and protecting confidential business assets, it is probably the complexity of the technology that gives security the perception of being an IT-related issue.

Akhilesh Tuteja, senior manager, information risk management, KPMG, says, "The controls in IT environment are guided more by operational issues than overall business strategy. Even in organizations where the post of information security officer does exist, he reports to the CIO. This reinforces the belief that security is an IT problem."

Jayesh Thakkar, director, consulting, Computer Associates, however, is more optimistic: "There is a definite shift taking place in the way that security is perceived. Increasingly, security is being seen as a business issue and hence the need to integrate it with the overall business strategy."

Mohit Rampal of Rainbow Information Technologies says, "Security is both a business and an IT issue. The key is to seek the best fit vis-à-vis the organizational mission and objective."

Most common breaches

Virus attacks and worm-related security breaches are among the most common attacks. A clear trend of integrated security breaches is emerging, and hackers are always devising new ways to penetrate systems. Businesses usually use firewalls and other security software and hardware to protect their networks.

According to the ‘2000 Information Security Industry Survey’, published by the International Computer Security Association (ICSA), the most common security breaches are:

  • Malicious code: 26%, including viruses, Trojans, worms, and hostile ActiveX and Java controls;

  • Loss of privacy/confidentiality: 25%, including abuse or misuse of data; and

  • Electronic exploits/tools: 20%, including cracking, eavesdropping, spoofing and toolkits.

In today’s networked environment, when all enterprises are connected to the Internet for all practical purposes, threats are greater. It is estimated that 93% of all viruses are transmitted via e-mail.

Goh Chee Hoh, regional sales director, overseas business unit, Trend Micro, says, "Enterprises need to take a centralized approach to data protection. Corporates are realizing that anti-virus is no longer just a desktop issue. The key to a secure environment is an integrated information management solution that protects the enterprise from threats at its Internet gateway."

But even a centralized approach may not ensure that all security breaches will be discovered. Capt Raghu Raman, head, security practice, Mahindra Consulting, says, "Some breaches can well go undetected. That the most common breach is discovered has nothing to do with the ones that are never discovered, except by experts."

Downtime can be tough

Daniel Ingitaraj, marketing manager, Microsoft

“Security is a vital issue. It is best to act fast and walk the prevention path”

The first implication of a security breach that comes to mind is loss of data confidentiality, which can have serious financial implications, depending on the criticality of the data. With a large number of organizations entering into e-business transactions, including customer interaction for commerce, support and services, downtime can well lead to a waning customer base. The longer the downtime, the greater the losses incurred. Besides, the brand will also be tarnished.

S Manjunath of Enterasys makes a point about the trickle-down effects of networks being down for a long duration. "This will lead to confusion and chaos as important data may get lost or transmission of such data may be affected," he says.

Sunil Kanaran, director, sales and marketing, e2e Systems, says, "Besides the loss of revenue and data, a security breach will lead to lack of trust." Joy Ghosh, country manager, Symantec, says, "The effect of downtime can be crippling in the absence of a strong disaster recovery plan. A proactive organisation is thus better equipped to bounce back to normalcy."

One size doesn’t fit all

While there are a variety of technology options available to tackle security, there is no one-stop solution. Selecting an adequate technology option includes a study of the company’s security vulnerability and identification of its critical assets. Access controls have to be clearly defined to prevent unauthorized access to data.

Post the September 11 attacks, industry experts have talked about heightened security awareness and focus in the fields of IT and telecom, banking and finance, and power and manufacturing.

Security software sales are on the rise. Despite the slowdown, which has badly hit the IT industry, sales of security products actually grew to $3.3 billion in 2000, up 25% over 1999.

Dataquest, in a previous survey published in the August 31 issue, had assessed the impact of the slowdown on enterprise IT budgets. Interestingly, CIOs have been stating that security software will be least affected by the slowdown.

Amit Sarkar in New Delhi

DQ IT Security Survey

Time to Wake Up...

As many as 70% of firms had no formal IT security policy. A high 83% said security was an IT issue. Simple conclusion: Despite the rising danger of attacks, enterprises are as unprepared as ever.

What are the key IT security issues facing business organizations? Do they have a security policy in place? What are the barriers to security and what steps are organizations taking to overcome those?

Dataquest carried out a survey of organizations to determine what IT security policies are in place, security concerns of enterprises, the barriers faced by them and the steps being taken for reinforcing security. 23 organizations from verticals like banking, petroleum, telecom, manufacturing and services responded. The turnover of these organizations ranged from $20 million to over $9 billion. The results:

Security Policy: 70% of firms surveyed had no formal IT security policy on paper. Even some large organizations didn’t have a formal security policy. Verticals like banking, telecom, and IT showed more seriousness with regard to security and generally had a security policy in place. The manufacturing and service companies lagged behind, though many respondents said that they had informal security policies in place.

Not a Business Problem: Security is still being perceived as an IT problem rather than a business problem. 83% said that the respondent was the decision-maker. 8.5% of respondents said that they had an IS security officer. The concept of such an officer is still at a nascent stage, and is more prevalent in verticals such as IT, telecom and banking. 8.5% of respondents indicated that their top management, including the CEO or the MD, was involved in security policy formulation.

  • The most important security issues that organizations mentioned in order of importance were: Data-protection, Virus attacks, Internet/e-commerce, Security awareness and Damage from employees.

Protecting data clearly emerged as the most critical issue. The threat to data could either come from internal sources or external breaches. Virus attacks such as those pertaining to Nimda and Sircam have reinforced the vulnerability of organizations’ defenses. Exposure to Internet/e-commerce transactions, enhanced awareness of security, and damage caused by disgruntled employees followed in close succession.

  • Security Breaches are generally detected by Data/material damage, Employees, Server/firewall logs and Intrusion detection tools.

Breaches are most often detected by damage to data/material. This is followed by alerts sounded by employees. Server/firewall logs and intrusion detection tools follow suit.

  • In a third of cases (33.3%), the culprit responsible for the breach was from within the company. Another 8.3% were ex-employees. Untracked hackers accounted for another third (33.3%) of security breaches. Only in a quarter of all cases (25%) was the external hacker identified and traced.
  • The main barriers to IT security are: Pace of change, Lack of training, Complexity of technology.

Rapid technological advances shorten the lifespan of any standard security system. Lack of end-user training was also mentioned as a major security hurdle. Complex technology options made choosing effective security systems a difficult option. Capital expenditure and lack of support from the top management figured low on the list.

  • Data-encryption, still very low: Most enterprises encrypt very little data. 58% of respondents encrypt less than 25% of data. Those that are conducting e-business are usually doing more encryption.
  • The chief measures employed for enhancing security were: Access controls, Security audit, End-user awareness and Use of intrusion detection tools.

The most common steps undertaken for enhancing security included putting stricter access control mechanisms in place, and ensuring that data was available only for specified users. Conducting a security audit to assess vulnerability came next.

Shots in the Dark

The enemy could strike in a variety of ways. Here are just some of the ways your enterprise could be bushwhacked:

Crimes against property

  • Computer network break-ins: Using software tools installed on a computer in a remote location, hackers can break into computer systems to modify or steal data, plant viruses or Trojan horses, or change user names or passwords.

  • Electronic eavesdropping: This ranges from using a Trojan or packet sniffer program to infiltrate a system, to the sophisticated interception of electromagnetic signals and remote monitoring of radiation emitted by a computer. Wireless networks with inadequate security offer an opportunity for the simplest of drive-by eavesdropping.

  • Software piracy: Illegal copying and distribution of software. These copies often work as well as the originals, but may sell for little more than the cost of recording media.

  • Intellectual property theft: With illegal reproduction of copyrighted material on the Web being a matter of a few clicks, it’s hardly surprising that intellectual property theft is a big threat. According to a US task force report, losses to the information industry due to intellectual property theft each year range from US $15–17 billion in that country alone.

  • Cyber squatting and page-jacking: Cyber squatting is registering or otherwise occupying a domain name that rightfully belongs to another person or company. Page-jacking involves the appropriation of a Website’s key words, or meta-tags (used by search engines to sort sites on a particular topic), and inserting them into one’s own site in a bid to attract more traffic.

Crimes against government

  • Breaking of telecommunication services: Offenders gain illegal access to telecommunication services by impersonating a valid user, fraudulently obtaining an access code or using software to break in. New instances involve using calling cards that are illegally programmed to regain their "stored value" after being used. Break-ins into Internet accounts were a big problem in India until VSNL started tracing caller-IDs.

  • Internet communications to further criminal conspiracies: Government agencies use monitoring software like Carnivore and Finger to filter e-mail and other messages for traces of any criminal activities. But this raises privacy issues. The possibility of the usage of encryption technology by cyber crooks further complicates matters.

  • Terrorism: Government military communication systems are a favorite of not just Hollywood hackers. Break-in attempts have been reported from countries as diverse as Britain and Sri Lanka. In recent years one of the biggest fears has been public infrastructure attacks originating on the Net. By transmitting spurious signals, electronic terrorists ensured that the FBI’s website remained inaccessible for more than three hours in February 2000. Facilitating terrorist activities by posting information about organizations engaging in such activities and providing information about manufacturing arms and ammunition is another big problem.

Source: Computers@Home
