ENTERPRISE: Under Attack



…so let the techies handle it. If you are one of those who believe that
securing their organization’s network is an IT problem, it’s time to wake
up. Chart out a fresh security policy, get your core team to participate,
implement the same and review it periodically. After all, it’s a dangerous
world out there.

Nothing has heightened security concerns in the near past more than the
wreckage caused by viruses such as Nimda and Sircam. But security spans a much
wider gamut of issues, and virus attacks and the resulting downtime represent
only some of them.

Of late, cyber terrorism and its related species have added a wholly
different dimension to the security panorama. An increasingly networked world is
now also an increasingly helpless victim of such attacks. And after the
terrorist attacks on the US, so overpowering has been the potential threat to
network and computer security that no protests have been voiced against the FBI
reactivating its Carnivore program that snoops on e-mails routed through various
ISPs.

In India, while there has been much talk about the need for greater security,
action on the front is still insignificant. Most organizations don’t even have
a formal security policy in place. What is more, the perception continues to be
that security is a purely IT-related issue.

A reactive approach

Despite much talk about having security-savvy policies in place, most
organizations take a reactive approach to security. Only when a security breach
takes place–be it the corporate website being defaced or data being destroyed–do
organizations sit up and take notice. Security exercises are seldom preventive
in nature–and that’s a hard reality.

Organizations in verticals like finance and banking, telecom, and IT are
relatively more alert, but the situation changes when it comes to organizations
in other verticals. Not that there is no security-related awareness in other
verticals, but corporates often don’t take security seriously into account while
planning their networks.

Joy Ghosh, country manager, Symantec

“In India, there is a lack of knowledge on enterprise security as a whole”

According to experts, a limited knowledge of enterprise security often leads
to the reactive approach–many organizations believe that picking up a few
anti-virus or firewall products off the shelf will adequately address the
security issue. Moreover, overconfidence of the “this won’t happen to me” or
“I have taken enough precaution” kind doesn’t leave room for a proactive
security strategy.

A security breach can lead to disastrous consequences. Imagine the
consequences of a serious security breach on a power major’s distribution
network: There can be irrecoverable loss of precious data, and worse, a blackout
spanning several states can significantly bring down industrial production.

Unfortunately, it’s only after such business losses have taken place that
companies realize the need to go for a comprehensive security policy.

Hanif Sohrab, GM, e-Secure, HCL Comnet, says, “Enterprise security is
more of a policy issue than a product-related issue. What’s the point buying a
lock for your house if you are not sure where to put it?”

Neel Ratan, partner, Global Risk Management Solutions, PwC, agrees with this
view, “Most Indian corporates do not have a formal security policy in
place. What some of them have is no more than a mere document, which seldom
spells out the kind of punishment to be given to those responsible for a
breach.”

SV Ramana, V-P, systems engineering, Cisco Systems India

“In today’s rapidly changing environment, it is difficult to have a fixed security plan deployed forever”

“In many a case, even the top management isn’t aware of the security
concerns. Just imagine the risk when someone connects one’s laptop, loaded
with sensitive company information, to the Internet, using the highly unguarded
dial-up connection,” Ratan adds.

While having a comprehensive security policy is imperative, the need to
periodically review the policy is no less important. SV Ramana, V-P, systems
engineering, Cisco Systems India, says, “There is no such thing as a
perfect security. It is not possible to have a security plan deployed forever in
a continuously changing environment.”

Rajeev Wadhwa, COO, Global eSecure opines, “Security is not given the
importance it deserves and is still looked upon as an expenditure rather than an
integrated network or application solution.” He adds that most
organizations perceive security to be a part of their infrastructure only when
they consider doing e-business.

Daniel Ingitaraj, marketing manager, Microsoft India, however, doesn’t
think that Indian enterprises can be squarely blamed for showing scanty concern
for security. He says, “People around the globe have always shown a lack of
awareness on security issues and policies.”

Not just an IT problem

Top 10 Headaches of Security Managers
  • Servers where ordinary users have log-in accounts.
  • Users who modify their own desktops, especially by installing their
    own software.
  • No mechanism for scanning the network for open ports.
  • A single server running everything.
  • No logging of firewalled traffic, no summaries or periodic traffic
    analysis, and no one looking at denied or rejected packets.
  • Lack of an intrusion detection system.
  • “Temporary” holes made in firewalls to accommodate
    specific requests.
  • Passwords kept on default settings with no password aging in force.
  • No subscriptions to a third-party bug-tracker. Instead, employees
    rely on vendors to point out vulnerable points in their products.
  • An operations team that is not paranoid enough.

Source: Silver Line Technologies

Traditionally, security has been perceived to be an IT problem rather than a
business problem. And the scenario hasn’t changed much over the years. In most
organizations, it is the CIO who takes decisions when it comes to security. The
concept of an information security officer is still new, though such a post does
exist in a few IT/telecom firms, mostly MNCs.

Downtime losses from security breaches could have a far-reaching impact on
businesses, leading to losses worth millions of dollars besides a fall in
employee productivity. Since most businesses now depend on IT for
mission-critical applications, any breach–be it data loss, damage, passing of
sensitive information or virus attack–can have far-reaching implications.

Why is security, in spite of being a business problem, still largely
perceived to be a purely IT-related issue? While IT is a tool for securing
business networks and protecting confidential business assets, it is probably
the complexity of the technology that gives security the perception of being an
IT-related issue.

Akhilesh Tuteja, senior manager, information risk management, KPMG, says,
“The controls in IT environment are guided more by operational issues than
overall business strategy. Even in organizations where the post of information
security officer does exist, he reports to the CIO. This reinforces the belief
that security is an IT problem”.

Jayesh Thakkar, director, consulting, Computer Associates, however, is more
optimistic, “There is a definite shift taking place in the way that
security is perceived. Increasingly, security is being seen as a business issue
and hence the need to integrate it with the overall business strategy.”

Mohit Rampal of Rainbow Information Technologies says, “Security is both
a business and an IT issue. The key is to seek the best fit vis-à-vis the
organizational mission and objective.”

Most common breaches

Virus attacks and worm-related security breaches are among
the most common attacks. A clear trend of integrated security breaches is
emerging, and hackers are always devising new ways to penetrate systems.
Businesses usually use firewall and other security software and hardware to
protect their networks.

According to the ‘2000 Information Security Industry Survey’,
published by International Computer Security Association (ICSA), the most common
security breaches are:

  • Malicious code: 26%, including viruses, Trojans,
    worms, and hostile ActiveX and Java controls;

  • Loss of privacy/confidentiality: 25%, including
    abuse or misuse of data; and

  • Electronic exploits/tools: 20%, including
    cracking, eavesdropping, spoofing and toolkits.

In today’s networked environment, when all enterprises are
connected to the Internet for all practical purposes, threats are greater. It is
estimated that 93% of all viruses are transmitted via e-mail.

Goh Chee Hoh, regional sales director, overseas business
unit, Trend Micro, says, “Enterprises need to take a centralized approach
to data protection. Corporates are realizing that anti-virus is no longer just a
desktop issue. The key to a secure environment is an integrated information
management solution that protects the enterprise from threats at its Internet
gateway.”

But even a centralized approach may not ensure that all
security breaches will be discovered. Capt Raghu Raman, head, security practice,
Mahindra Consulting, says, “Some breaches can well go undetected. That the
most common breach is discovered has nothing to do with the ones that are never
discovered, except by experts.”

Downtime can be tough

Daniel Ingitaraj, marketing manager, Microsoft

“Security is a vital issue. It is best to act fast and walk the prevention path”

The first implication of a security breach that comes to mind
is loss of data confidentiality, which can have serious financial implications,
depending on the criticality of the data. With a large number of organizations
entering into e-business transactions, including customer interaction for
commerce, support and services, downtime can well lead to a waning customer
base. The longer the downtime, the greater the losses incurred will be. Besides,
the brand will also be tarnished.

S Manjunath of Enterasys makes a point about the trickle-down
effects of networks being down for a long duration. “This will lead to
confusion and chaos as important data may get lost or transmission of such data
may be affected,” he says.

Sunil Kanaran, director, sales and marketing, e2e Systems,
says, “Besides the loss of revenue, data, security breach will lead to lack
of trust.” Joy Ghosh, country manager, Symantec says, “The effect of
downtime can be crippling in the absence of a strong disaster recovery plan. A
proactive organisation is thus better equipped to bounce back to normalcy.”

One size doesn’t fit all

While there are a variety of technology options available to
tackle security, there is no one-stop solution. Selecting an adequate
technology option includes a study of the company’s security vulnerability
and identification of its critical assets. Access controls have to be clearly
defined to prevent unauthorized access to data.

Post the September 11 attacks, industry experts have talked
about heightened security awareness and focus in the fields of IT and telecom,
banking and finance, and power and manufacturing.

Security software sales are on the rise. Despite the
slowdown, which has badly hit the IT industry, sales of security products
actually grew to $3.3 billion in 2000, up 25% over 1999.

Dataquest, in a previous survey published in the August 31
issue, had assessed the impact of the slowdown on enterprise IT budgets.
Interestingly, CIOs have been stating that security software will be least
affected by the slowdown.

Amit Sarkar in New Delhi

DQ IT Security Survey

Time to Wake Up…

As many as 70% of firms had no formal IT security policy. A high 83%
said security was an IT issue. Simple conclusion: Despite the rising
danger of attacks, enterprises are as unprepared as ever

What are the key IT security issues facing business organizations?
Do they have a security policy in place? What are the barriers to
security and what steps are organizations taking to overcome those?
Dataquest carried out a survey of organizations to determine what IT
security policies are in place, security concerns of enterprises, the
barriers faced by them and the steps being taken for reinforcing security.
23 organizations from verticals like banking, petroleum, telecom,
manufacturing and services responded. The turnover of these organizations
ranged from $20 million to over $9 billion. The results:

Security Policy: 70% of firms surveyed had no formal IT security
policy on paper. Even some large organizations didn’t have a formal
security policy. Verticals like banking, telecom, and IT
showed more seriousness with regard to security and generally had a
security policy in place. The manufacturing and service companies lagged
behind, though many respondents said that they had informal security
policies in place.

Not a Business Problem: Security is still being perceived as an
IT problem rather than a business problem. 83% said that the respondent
was the decision-maker. 8.5% of respondents said that they had an IS
security officer. The concept of such an officer is still at a nascent
stage, and is more prevalent in verticals such as IT, telecom and banking.
8.5% of respondents indicated that their top management, including the CEO
or the MD, was involved in security policy formulation.

  • The most important security issues that organizations mentioned in
    order of importance were: Data-protection, Virus attacks,
    Internet/e-commerce, Security awareness and Damage from employees

Protecting data clearly emerged as the most critical issue. The threat
to data could either come from internal sources or external breaches.
Virus attacks such as those pertaining to Nimda and Sircam have reinforced
the vulnerability of organizations’ defenses. Exposure to
Internet/e-commerce transactions, enhanced awareness of security, and
damage caused by disgruntled employees followed in close succession.

  • Security Breaches are generally detected by Data/material damage,
    Employees, Server/firewall logs and Intrusion detection tools

Breaches are most often detected by damage to data/material. This is
followed by alerts sounded by employees. Server/firewall logs and
intrusion detection tools follow suit.

  • In a third of cases (33.3%), the culprit responsible for the breach
    was from within the company. Another 8.3% were ex-employees. Untracked
    hackers accounted for another third (33.3%) of security breaches. Only
    in a quarter of all cases (25%) was the external hacker identified and
    traced.
  • The main barriers to IT security are: Pace of change, Lack of
    training, Complexity of technology.

Rapid technological advances shorten the lifespan of any standard
security system. Lack of end-user training was also mentioned as a major
security hurdle. Complex technology options made choosing effective
security systems a difficult option. Capital expenditure and lack of
support from the top management figured low on the list.

  • Data-encryption, still very low: Most enterprises encrypt very
    little data. 58% of respondents encrypt less than 25% of
    data. Those that are conducting e-business are usually doing more
    encryption.
  • The chief measures employed for enhancing security were: Access
    controls, Security audit, End-user awareness and Use of intrusion
    detection tools

The most common steps undertaken for enhancing security included
putting stricter access control mechanisms in place, and ensuring that
data was available only for specified users. Conducting security audit to
assess vulnerability came next.

Shots in the Dark

The enemy could strike in a variety of ways. Here are just some of the ways
your enterprise could be bushwhacked:

Crimes against property

  • Computer network break-ins:
    Using software tools installed on a computer in a remote location, hackers
    can break into computer systems to modify or steal data, plant viruses or
    Trojan horses, or change user names or passwords.

  • Electronic eavesdropping:
    This ranges from using a Trojan or packet sniffer program to infiltrate a
    system, to the sophisticated interception of electromagnetic signals and
    remote monitoring of radiation emitted by a computer. Wireless networks with
    inadequate security offer an opportunity for the simplest of drive-by
    eavesdropping.

  • Software piracy: Illegal
    copying and distribution of software. These copies often work as well as the
    originals, but may sell for little more than the cost of recording media.

  • Intellectual property theft:
    With illegally reproducing copyrighted material on the Web being as easy as
    a matter of a few clicks, it’s hardly surprising that intellectual
    property theft is a big threat. According to a US task force report, losses
    to the information industry due to intellectual property theft each year
    range from US $15-17 billion in that country alone.

  • Cyber squatting and page-jacking: Cyber squatting is registering or
    otherwise occupying a domain name that rightfully belongs to another
    person or company. Page jacking involves the appropriation of a Website’s
    key words, or meta-tags (used by search engines to sort sites on a
    particular topic) and inserting them into one’s own site in a bid to
    attract more traffic.

Crimes against government

  • Breaking of telecommunication services: Offenders gain illegal access to
    telecommunication services by impersonating a valid user, fraudulently
    obtaining access code or using software to break-in. New instances involve
    using calling cards that are illegally programmed to regain their
    "stored value" after being used. Break-ins into Internet accounts were a
    big problem in India until VSNL started tracing caller-IDs.

  • Internet communications to further criminal conspiracies: Government
    agencies use monitoring software like Carnivore and Finger to filter
    e-mail and other messages for traces of any criminal activities. But this
    raises privacy issues. The possibility of the usage of encryption
    technology by cyber crooks further complicates matters.

  • Terrorism: Government
    military communication systems are a favorite of not just Hollywood hackers.
    Break-in attempts have been reported from countries as diverse as Britain
    and Sri Lanka. In recent years one of the biggest fears has been public
    infrastructure attacks originating on the Net. By transmitting spurious
    signals, electronic terrorists ensured that the FBI’s website remained
    inaccessible for more than three hours in February 2000. Facilitating
    terrorist activities by posting information about organisations engaging in
    such activities and providing information about manufacturing arms and
    ammunitions are another big problem.

Source: Computers@Home

 
