
Executive roundtable: IT security - growing pains


Over the last decade, technology has advanced at an unprecedented rate. The ‘world wide web’ has finally become truly world wide. While this is exciting news for business, it can also be bad news. As hackers and viruses become more sophisticated, they also become more difficult to intercept and block. We asked four industry experts to tell us more about IT security risks today, and what is being done to stop them: Klaus Gheri - phion, Dr Anton Grashion - Juniper Networks, Tim Pickard - RSA Security and Tony King - Arbor Networks.

BM. As technology becomes more advanced, so too do those wishing to sabotage it. How have you noticed IT security risks changing over the past few years?
KG. Nowadays, we don’t see that many major worm or virus outbreaks. Attacks are more often carried out against specific targets by cyber criminals in order to make money.

AG. It’s a simple matter of evolution as we are in a classic predator-prey relationship. Our networks are the prey, with malicious individuals or groups wanting access to the resources in the network. What changes over time is what we put in our infrastructure (new protocols, applications, user communities, etc) and the tools that the malicious users employ to attack them (DoS, targeted attacks, rootkits, etc). We still see the most common attacks or vulnerabilities are based on simple mistakes, not changing the default admin user password, advertising application availability, unsecured or non-encrypted data pipes, open wireless networks. It is possible attackers do not need to be more sophisticated as the same old mistakes are still being made. The sophistication is more prevalent with phishing, email engineering user info, stealing login and account details from servers and ID hijacking.

TP. Information security risks have been evolving continuously over the past few years. Enterprises are now global, virtual and dependent on dynamic information access. In this shifting landscape, the battlefront in security is rapidly changing from securing the perimeter to protecting the information itself. As the amount of corporate and government information grows at a staggering rate, more and more people need to get access to it inside and outside an organization. Risks come from all directions – including insiders who have access to sensitive data and make innocent mistakes, which can lead to a data breach.
 
Also, organizations that conduct business online – such as banking – have never experienced such an organized and technologically sophisticated crime wave as the one that exists today. Around the globe, news of security breaches and the emergence of advanced threats – such as Trojans and man-in-the-middle attacks – have caused online users to become increasingly concerned with the activities they conduct over the Internet. Proper security controls including layered authentication to prevent online fraud, mapped to both the risk and value of information, can help keep the bad guys away.

TK. Today cyber crime has morphed and become more lethal. Cyber crime is worth more than US$62 billion in the US annually. Driven by for-profit motives, the attacks have grown more complex, sophisticated and dangerous. This means that the motivation for the bad guys grows, their investment in new techniques gets more serious, and the challenges rise. This is alongside a growing number of people "practicing" the art, meaning we have even more threats to deal with, professionals as well as amateurs. The economic benefits are driving this growth, in the size and scale of the attacks, and the number of attackers behind them.

BM. How important is it to ensure your network and electronic processes are secure?
AG. It is essential that you secure your network and electronic processes. There is a lot of data protection regulation and legislation nowadays and so security is not a discretionary spend. However, the amount you spend on it balanced by your attitude to risk is discretionary. Once you compromise network processes your whole infrastructure is at risk. Also many devices literally carry the key to network access, get into these boxes and it's game over.

TP. It is as important as the value of the information that moves and lives in any local, global or virtual network. If these assets didn’t have any value, it wouldn’t be important to protect them. However, everything generated with private and public sectors has intrinsic value, so organizations are tasked with implementing solutions to secure data and the identities of their online users. The more valuable the assets, the more stringent the security posture needs to be in order to protect them.

TK. There is a famous saying from a man wrongfully accused of a crime, "Where do I go to get my reputation back?" A single network outage or security breach can undermine the trust of customers - and damage the reputation of even the most highly respected organizations. With cyber crime on the rise, companies must fend off an onslaught of network attacks that can expose sensitive customer data and erode the integrity of their brand. Despite a wide range of measures taken to combat them, security threats continue to multiply and mutate. Some security threats are even unintentional: employees accidentally transgress a use policy or find that they have unintended privileges to databases. All of these have a negative impact on network performance and business operations. As businesses increasingly move their operations online, both the challenges and the consequences grow.

KG. IT security administrators within organizations have long focused on securing the network perimeter. However, organizations are increasingly realizing the importance of also securing their internal networks and web-based business applications. Many of today’s security threats and attacks emerge within organizations. Internal security breaches can be in the form of worm outbreaks and other attacks that are introduced through mobile and wireless devices, internal hacking and misuse of business applications by users within an organization. In addition, due to the rapid development of web-based technologies, and the increased reliance on the web to connect remote users, Web-based applications and protocols are highly vulnerable to attacks. This presents many security challenges for businesses because internal networks and web-based communications contain unique complexities such as diverse programming languages and communication protocols that are used in these environments. Security solutions for both internal and web security need to have a deep understanding of the programming languages, applications and protocols that are common in these environments.

Comprehensive protection of communication must take both security and business continuity considerations into account. Many enterprises have begun to address this topic not just from a purely technical standpoint but from a wider business perspective within the context of overall risk management. Risk management identifies and assesses risks and eventually paves the way for economically acceptable risk mitigation strategies. Absolute communication protection is not attainable as either the direct costs associated with required measures or opportunity costs arising from side effects of taken precautions become intolerable. The cost of communication protection is determined by purchase cost, deployment cost and cost of operation, with the latter typically being the dominant contribution when typical amortization periods of three years are considered. Outsourcing of communication protection to managed security providers may help to mitigate risks and make cost of operation more calculable. Cost of operation is intimately related to the manageability and scalability of the deployed technical equipment. Good manageability means that all configuration, maintenance, troubleshooting and lifecycle management tasks can be carried out efficiently from a central management system. It also means that compliance issues are well represented and associated routine tasks, such as creating a daily configuration change report, can be carried out efficiently. Good scalability means that the used protection equipment is adaptable to changing technological environments and that an increase in the number of deployed components only causes moderately increased operational expenses. The products and solutions found on the marketplace today vary significantly in regard of cost of operation depending on the degree to which manageability and scalability features have been integrated into the product design.

BM. It has been noted that a large percentage of disasters or security threats are internal. Do you agree with this, and how can companies mitigate against them?
TP. Yes, we agree. Internal threats are very significant. According to a survey conducted by the Ponemon Institute, 78 percent of IT professionals polled claimed that their companies have suffered unreported insider-related security breaches. Companies and government organizations can mitigate these threats by protecting access to data through stronger forms of authentication and access controls. Organizations should also institute stringent security policies to identify who has access to specific data and what data is most important. And once data is classified and protected, additional controls such as security information and event management can provide stringent mechanisms to mitigate against threats from all directions.

TK. For over a decade the Computer Security Institute has issued an annual report titled Computer Crime and Security Survey. The 2007 edition has two alarming findings for network security professionals. The first is that the average losses from attacks have surged this year, rising from an estimated US$168,000 per incident in 2006 to US$350,454 per incident in 2007. Equally alarming is the fact that the single biggest security threat faced by corporate networks today doesn't come from virus writers but from company insiders.

KG. Misuse or attacks from within an enterprise are usually more successful than from an outside intruder. A single remote access link with an unsecured external PC or laptop is often sufficient to allow hackers and malicious codes to open a back door into the company. There are also additional hazards that arise as a result of intentional or unintentional misconduct by some employees. This threat cannot be mastered with perimeter protection alone, because attackers are already behind the network limits. Internal security solutions are therefore required. These monitor the company network and permit fast reaction to risks. With these solutions, company-wide security policies are not restricted to the perimeter and field offices, they can also be implemented in the increasingly important core area.

AG. More often than not, security threats come from internal sources and are usually caused by accident. The internal threat largely stems from unenforceable usage policies, which is why technologies like unified access control and intrusion prevention systems are increasingly important in helping your users to not make mistakes. The added advantage is it will also control the action of malicious users internal or external. While many concentrate on perimeter security, we also need to consider network segmentation with security domains, using unified authentication enabled on firewalls, routers and switches alike. Also an audit trail of network access and use helps investigate and curtail attacks.

BM. Are security threats any different in the Middle East to elsewhere?
TK. Security threats are global in nature, and display no geographic boundaries. The mitigating factor is, are you doing business online? If the answer is yes, then your business is at risk. Anecdotally what we’ve seen is that the Middle East is growing in the number of customers and ISPs, meaning new targets are coming online, and with growing ISPs we have to worry about capabilities and communications to the rest of the ISP security community. As the Middle East gets online, they begin to suffer all of the same attacks that everyone else does, such as online banking customers being targeted with Trojan horse modifications to their systems or DDoS attacks from botnets, phishing attacks, etc. Every region that comes online suffers this and the Middle East isn't special in this respect.

KG. Not in our experience.

AG. Not specifically, although there is a wealth of imported “talent” in the Middle East able to attack or hack networks and of course the attacker does not have to be physically located in the region to be a threat. As political and ethical battles exist in commerce and governments, this can extend to a battle in commercial or state funded cyber crimes against rival companies, organizations, affiliations and governments. Any organization that is in some sort of opposition to other groups should consider itself to be a target.

TP. All organizations around the globe have a responsibility to secure their networks and the data that travels through them. However, some forms of attacks are more common in certain regions. In the Middle East the attacks most commonly seen are a result of bad password practices. Organizations not implementing strong authentication solutions are at a very high risk from fraudulent attacks. In spite of this, RSA is seeing that as cyber criminals become more aware of the gaps in IT security within organizations throughout the Middle East, a wider range of attacks are occurring in higher percentages. It is therefore of the utmost importance that organizations take a proactive approach to prevent such attacks by implementing a security solution set that not only protects the perimeter but also protects the information throughout its life cycle. Taking a reactive approach to security could have devastating consequences for the organization, employees, partners and customers.

BM. With the increase of mobile computing, the threat of outside intrusion also increases. How important is end-point security?
KG. With the advent of novel technologies work habits have changed dramatically throughout the past years. The portable laptop, vast amounts of data easily portable on a small USB stick, intelligent phones, ubiquitous wireless network access, personal area networking all have attributed to the fact that endpoints in corporate networks have become an increasingly hard to control hazard.

Effective endpoint security today extends far beyond historical personal firewall and antivirus concepts. It still entails protection of an endpoint against network threats using host firewall and malware detection software, but extends the protection concept by adding the new dimension of policy governed network access control.

An efficient solution broadens existing network protection concepts by adding enforcement and validation of security policies that are specific to the identity of the device, the user, its location and current posture. It enforces policy compliance, facilitates network access control, and nicely helps to close existing and potential future security holes.

AG. End point security is very important and more importantly, increasingly needs to be both open (not proprietary) and able to interact and link with technologies deployed in the rest of the infrastructure. The biggest threat is the loss or theft of those end point devices, keeping them secure and a minimal risk is vital. Also the obvious rise in wireless networking and kiosk access means endpoint security needs to enforce levels of access based on predefined criteria such as antivirus (AV) support level, resident applications and connections to other networks in parallel with your own.
 
TP. End-point security is very important. The loss of sensitive information runs the gamut from missing or stolen laptops, vanishing BlackBerrys and disappearing USB drives. By nature, digital information is in constant motion throughout its lifecycle, often leaving the secured network perimeter via laptops, PDAs, email and backup tapes. In order to protect against the loss of information in the world of mobile computing and devices, it is critical that end-point security be implemented to lock down data in motion. A solution to this problem includes encryption and data leakage protection for data at all endpoints, fixed and mobile, and an encryption key management system to manage all of it.

TK. The increase in mobile computing causes several concerns for IT Security Managers. End point security is one way to protect the internal network and its data. Well known network security solutions such as firewalls, IDS/IPS and anti-virus protect a well-defined perimeter. The proliferation of mobile computing devices and/or telecommuters has blurred the network edge/perimeter causing many of the solutions to become useless and thus expose the interior network to malicious activity. Solutions that focus on network behavioral analysis (NBA) can augment the traditional perimeter (and usually signature based) solutions of today by learning normal network behavior and alerting InfoSec teams to deviations from this normal activity which could be attributed to exposed VPN clients, inside misuse, rogue applications, worms, botnets etc.

Klaus Gheri, CTO, phion AG
Klaus is responsible for overall Product Management and Strategic Business Development. Klaus Gheri was instrumental in the design and development of phion netfence and phionOS in particular. He has extensive experience in Linux software development and in the management of Linux clusters. He holds a PhD in Physics from the University of Auckland (New Zealand).

Dr Anton Grashion, EMEA Security Strategist, Juniper Networks, Inc.
Dr. Anton Grashion is responsible for the product marketing of Juniper Networks’ NetScreen security products portfolio throughout the EMEA region. He has over 20 years' experience in the IT industry, including research, teaching, product development, product management, entrepreneurship, consultancy and IT management. He holds a BSc (Hons) in Earth Sciences from the University of Leeds, an MSc in Computing Science from Staffordshire Polytechnic and a PhD in Artificial Intelligence from Staffordshire University.

Tim Pickard, Area VP International Marketing, RSA, The Security Division of EMC
Responsible for building the market development strategy for EMEA as well as acting as a key spokesperson for the company. His expertise covers a range of security topics including authentication, encryption, web access management and public key infrastructure, for both wired and wireless environments.

Tony King, Vice President, EMEA Sales, Arbor
In his role as Vice President, EMEA Sales, Tony is focused on the continued growth of Arbor's sales and marketing activities throughout EMEA for direct, channel and OEM relationships. He brings to Arbor over 22 years of telecom and information technology sales and sales management experience. Over the past four years, Tony has held the role of Sales Director, Northern Europe for Arbor Networks where he has been directly responsible for driving up European revenues and building out the Arbor EMEA team. Before joining Arbor, Tony was a Sales Director at Avici Systems, focused on the sale of core router solutions to telecommunications companies in Northern Europe. Prior to Avici, Tony worked at Ericsson as a Regional Sales Director where he was responsible for selling IP backbone and data solutions into the wireless and wireline carrier market place.

