
The issue of security is an ongoing concern for all organizations. We gathered together some industry thought-leaders for their answers to some key questions: Mike Andrews – Sales Director, EMEA, Guidance Software; Andre Muscat – Director of Engineering, GFI; Ganesan Lakshmanan – Team Leader, Security Management, CA; Klaus Gheri – CTO & Co-Founder, phion; and Ahmed Baig – eHosting DataFort.
BM. What is the greatest problem that enterprises in the Middle East face today in terms of IT security?
Mike Andrews. Middle Eastern businesses are exposed by system, data and compliance risks associated with their inability to identify either inadvertent or intentional malicious activity by their own employees or external sources. This includes fraud, policy violations such as people having personally identifiable information (PII) on their PC, IP theft and malicious code being deployed on the network. The risk is that businesses believe they are protected by the myriad of ‘perimeter defense’ systems that they’ve deployed, such as AV and IPS, but this doesn’t stop employees within the perimeter acting inappropriately or sophisticated hackers penetrating the network and deploying rogue code.
Enterprises often have little understanding of the extent to which incidents are happening and believe that it can’t be a big problem if they’re not hearing about it more. The truth is that incidents happen every day. If left unchecked the organization is vulnerable to a major incident that will leave it seriously exposed and suffering a damaged reputation. The only way to truly protect yourself is to invest in technology that can reactively and proactively respond to incidents anywhere on the network in real time.
Andre Muscat. The use of technology has greatly facilitated the way companies do business, yet it has also created a number of security issues. Most companies do business over the internet, transferring data from one office to another and their employees are mobile thanks to laptops and remote access. Thus, any data stored on a network can – unless properly secured – be accessed by malicious individuals for financial gain or for revenge. There is no single major challenge, but rather a mix of problems that include network growth, the threat posed by company insiders and financial restrictions.
First, as networks grow larger and more systems are connected, they become more complex and it becomes more difficult to keep track of and control what is happening on the network and what use is being made of it. As networks grow, so does the risk of data loss and downtime. The second security-related issue is the threat posed by employees and other insiders. This is a growing concern for companies and recent high profile breaches are proof that it is a problem that cannot be ignored any longer. The third issue revolves around finances and budgeting. Companies are typically run on tight budgets and this makes it more difficult for IT administrators to purchase additional security measures. The problem is exacerbated when the IT administrator and management fail to speak the same language.
Ganesan Lakshmanan. Security stands out today as one of the most pressing IT concerns. Most organizations need to protect an increasing amount of disparate resources, allow for additional users and manage the ever-evolving risk of online threats and malicious attacks. As the organization expands assets and increases exposure to a variety of users, a simple patchwork of security controls no longer suffices. Instead, the organization requires a comprehensive solution that facilitates proactive management of your entire security environment. For example, consider how website defacement happens. Do you think the defaced organization did not deploy a firewall, AV, etc.? No. In fact, they have deployed best-of-breed firewall, IDS, IPS, AV, etc., but there is no adequate access control (who/what/when), such as O/S hardening, protection of resources, etc. IT security is a continuous process. You must look at every aspect of the organization’s infrastructure, including identities, and provide adequate security to cover all those areas.
Klaus Gheri. As the digital world does not know any borders other than those barriers organizations put up as safeguards for themselves, one would strongly suspect that the threatscape in the Middle East is the same as everywhere else. The vast and rapid economic growth that many areas in the Middle East have seen over the past years also means that an abundance of prosperous businesses there make interesting targets for criminals.
Ahmed Baig. The tremendous growth and pace of technology adoption by enterprises in the Middle East has instigated the need for globally accepted information security practices. The need for protection of critical business and customer information requires senior management to make decisions by evaluating the associated risks prevalent in the enterprise today.
The urgent need is to secure the enterprise in terms of data protection and network security. Many enterprises require a comprehensive security program addressing the various aspects of information security like physical, technical, people and policy / procedural. Their systems need to be monitored 24x7 and should address risk proactively through an extensive and structured risk management program.
BM. Some have said that damage to the reputation of a company through security breach can be extremely harmful. Would you agree with this?
AM. Yes. A data breach, or unauthorized disclosure, occurs when private or restricted data in a company’s possession is leaked to or stolen by an unintended audience. If the breach is limited to a company’s intellectual property, then the list of victims stops there; however, in nearly every case, data theft is a multi-victim crime. More often than not compromised data belongs to other entities or individuals, and includes banking and health records, credit card and social security numbers, and so on.
Companies hit by security breaches can expect to pay a hefty price and suffer on many fronts through eroded trust, brand, loss of business, and in some cases, civil and even criminal penalties. Privacy compliance standards and regulations – SOX, PCI DSS, CA 1386, HIPAA, Basel II, and PDPSA, for example – often present their own consequences in the form of penalties ranging from contract termination to fines to jail terms.
Although every company puts a different value to its data, the loss of sensitive data can have a crippling impact on an organization's bottom line. You also have to factor in indirect losses to individuals, institutions and society at large when business people, lawmakers, and ordinary citizens lose faith in the institutions entrusted with data. Managing risk is always more cost effective than having to react to breaches or incidents.
GL. A corporate reputation damaged by a security breach can be harder to restore than lost data. So identifying the potential security risks, in whatever manner they come, and establishing safeguards is extremely important. Also, if there is a good security record, there is nothing wrong in publicizing it; in fact, one has to be proud if their record shows they are secure. Some organizations may never reveal security breaches such as internal access violations, unauthorized access attempts, etc., thinking that it will do more harm to the company’s reputation.
“Theft of Proprietary Information” and “Unauthorized Access to Information” are ranked in the top 3 most costly security incidents for companies (Source: CSI/FBI Computer Crime and Security Survey, 2005). Most of these thefts are internal, and many companies would not reveal them, fearing reputational damage.
KG. Absolutely! Especially for industries where trust is the very base of the relationship to their customers – like finance and insurance, transportation, government agencies, health and local authorities – to name just a few.
AB. Online services are penetrating the GCC market at a rapid pace, considering the initiatives undertaken by various GCC governments and private organizations thereby exposing critical information systems to the internet. Inadequate security of these systems can lead to information leakage/theft and misuse. Many times, organizations are not aware of being hacked until it is very late, which is due to complete lack of security monitoring within the enterprise. Even identified breaches in most cases are not reported to the public. The impact of these incidents can seriously hamper online businesses resulting in customers losing confidence and opting for other alternative solutions.
The recent incidents of information theft and losses have raised serious concerns globally and even after a decade, the percentage of users conducting transactions online or paying through credit cards is less than 10 percent in the Middle East as compared to 40 – 50 percent in the United States.
MA. Security breaches can be harmful in a number of ways. It damages a business’s reputation and leaves existing and potential customers with an uncomfortable feeling at best – they will worry about whether their money (if you’re a bank) or data is safe. A bank in Europe we worked with recently told us that every time a report was published in the press about a fraud at their organization they knew exactly how many customers would decide to defect to another bank. This hurt them financially, damaged the morale of employees and also strengthened their market competitors, all because of one employee’s behavior.
These incidents can also affect the share price of an organization and have longer term implications on whether companies want to do business with you or not. Finally it can make you the focus of regulatory investigations and in some cases, result in significant fines. One of the banks in the UK was fined nearly £1m in 2007 for a single security breach, which kept them in the press for months.
BM. As we are living in an increasingly mobile world, how difficult is it to keep mobile devices secure?
GL. Technological advances and expanding adoption of mobile devices require that they be managed like other IT assets. Device loss/theft and employee attrition are exposing sensitive data; helpdesks with little device awareness or intelligence are swamped with device issues; and lax device security and configuration enforcement is raising compliance alerts.
“It's a problem when you don't have a centrally managed security environment and don't have control over every single person's device,” says Natalie Lambert, senior analyst with Forrester Research. “That's where you run into problems and where policies need to be created, so that if [employees] bring a device into the company, it can be integrated into the company's overall strategy.”
KG. With the advent of novel technologies, work habits have changed dramatically throughout the past years. The portable laptop, vast amounts of data easily portable on a small USB stick, intelligent phones, ubiquitous wireless network access and personal area networking have all contributed to the fact that endpoints in corporate networks have become an increasingly hard-to-control hazard.
Effective endpoint security today extends far beyond historical personal firewall and antivirus concepts. It still entails protection of an endpoint against network threats using a host firewall and malware detection software, but extends the protection concept by adding the new dimension of policy governed network access control.
An efficient solution broadens existing network protection concepts by adding enforcement and validation of security policies that are specific to the identity of the device, the user, and its location and current posture. It enforces policy compliance, facilitates network access control, and nicely helps to close existing and potential future security holes.
AB. Mobile devices have become a part of the corporate infrastructure as well as our lifestyle. Today’s mobile devices are multipurpose and are more powerful than earlier, with an increase in processing and communication capabilities, acting as handheld computers. The very presence of these devices within enterprises makes the security perimeter disappear; these devices move critical information from secure enterprise networks to the open world resulting in data breaches and information leakage as they are not adequately protected with solutions like encryption.
There have been various incidents reported where USB devices or memory cards containing sensitive data have been lost or destroyed. The high profile data breaches at ChoicePoint and other service providers are already slowing down the growth of online transactions. The privacy rights organization indicates security incidents on a daily basis. Enterprises should identify their mobile computing requirements and establish appropriate policies to allow only authorized devices and storage mediums for handling corporate information.
MA. Keeping mobile devices secure is certainly a challenge. Our customers are most worried about ensuring that mobile devices continue to comply with corporate policies: do not have unauthorized software installed on them, have the most up-to-date security patches, don’t have malicious code running on them and finally, don’t hold sensitive or confidential data (such as customer identities) that can cause serious issues if it’s stolen.
Auditing mobile devices that are not connected to the corporate LAN often is tricky unless your digital investigations solution automatically connects to these nodes whenever they’re linked to the Internet. With a solution like this, you can audit these remote nodes as if they are connected to your network and ensure they’re safe from all the issues detailed above.
AM. The use of portable storage devices such as iPods, flash drives and laptops in and out of the office has created greater opportunities for malicious individuals to take advantage of security lapses. Failure to control in an effective manner how these devices are used and for what reason can have devastating repercussions on a company. To counter this threat, administrators have to start thinking of ‘perimeter-less’ networks and introduce security measures that reflect this new security risk scenario. It is impossible to eliminate risk completely and it is harder to monitor devices that you can’t see. However, there are a number of options that administrators have. These include: restricting portable device storage use to those who really need to use them; restricting who can download sensitive information from the network; installing hardware or software to monitor network activity including downloaded material, ensuring that data is encrypted on all mobile devices if possible, and educating employees not to leave devices running around and to use complex passwords. One important point is that a device is only as secure as the amount of attention its owner gives to security. Ultimately, the human is the weakest security link in a mobile world.
BM. What benefits do your solutions provide for clients?
KG. Enterprises are confronted with an increasing need for efficient, highly integrated security and connectivity solutions. Based on these market needs, phion developed in the last years a unique communication protection architecture (CPA) that can be used to protect and secure an organization’s vital communication infrastructure. Using phion products, multinational corporations and large to medium size companies provide and centrally manage the IT business application connectivity of their offices, factories and warehouses, and of their employees around the world.
AB. eHosting DataFort has proven expertise and vast experience in managing the Information security requirements (both onsite and offsite) for enterprises in the Middle East. We have been managing the IT infrastructure for local/federal governments, financial & banking, airlines, media, retail and other vertical industries for seven years.
DataFort provides a complete suite of information security consulting, management and monitoring services to clients thereby addressing Information security needs at all levels. Our services include monitoring customers’ infrastructure on a 24x7 basis and addressing vulnerabilities in a continuous and proactive manner. Best practices and security standards like ISO/IEC 27001:2005, ITIL have allowed us to develop effective processes and an efficient engagement model with our customers.
MA. The Guidance Software solution that enables companies to conduct all manner of network investigations is EnCase Enterprise. EnCase Enterprise is a scalable platform that integrates seamlessly with your existing systems and provides an investigative infrastructure to search, collect, preserve and analyze data on the desktops, laptops and servers across the network.
Our software offerings assist companies in reducing costs and managing risk in the areas of internal investigations, data audit and policy enforcement, government information assurance and electronic discovery. EnCase Enterprise maps directly to many key regulations that are at the forefront of every global CISO’s mind such as: ISO 27001, Basel II, PCI DSS, data protection amongst others. Many CISOs are trying to align ‘security’ to other parts of the business, most notably through the enterprise risk management (ERM) program team if the organization has one in place. We see that this is critical as our Enterprise solutions focus on reducing business risk by giving you the power to protect your systems (from external attack) and data (by finding out where it lives and removing it from unauthorized personnel).
Critical for a CISO’s success is the knowledge of the new paradigm shift where Security’s responsibility will not be information protection, but information assurance. Our Data Audit and Policy Enforcement product leverages powerful auditing and remediation capabilities to proactively search the network for ‘data-at-rest’ matching a variety of search criteria. This helps companies know with complete confidence that they have resolved their data issues and mitigated their risk and exposure.
AM. The benefits can be seen at two levels. First, GFI’s focus has always been small and medium sized businesses. Unlike enterprise companies that have taken enterprise-level products and scaled them down for SMBs, GFI has designed its products from the ground up to meet the needs of SMBs, at the same time providing enterprise-level functionality in a solution that is easy to install and use.
GFI’s products are priced to suit the needs of the SMB with limited budgets but in need of quality solutions. GFI meets both of these requirements. GFI’s solutions address the most common problems faced by IT administrators in SMBs. These include the threat posed by increasing volumes of spam, viruses received via email, problems encountered through uncontrolled browsing and downloading, unpatched networks that are susceptible to hacker attacks, not knowing who is doing what on the network, storage problems due to ever-growing email inboxes and the problems faced by companies that still heavily depend on manual faxing to do business.
GL. CA offers a comprehensive security management solution that enables you to align security to your business processes – addressing the entire spectrum of issues, from user identity and access, to threat management, to centralized security information management. CA security management delivers multiple benefits, including reduced costs, greatly reduced risk, less downtime and lost productivity, and simplified regulatory compliance. Most importantly, when your organization is confident that its information assets and resources are secure, it can return to doing what you do best – conducting business more efficiently.
Andre Muscat – Director of Engineering, GFI
Andre Muscat is a Certified Information Systems Security Professional (CISSP) with 10 years’ experience in security and software development. Andre was involved in various projects and in the year 2000 led the development of GFI’s very first release of GFI LANguard Security Event Log Monitor. In 2003, he was entrusted with the management of GFI’s network security division. In 2006, Andre Muscat was appointed Director, Network Security Products. In 2007, he was appointed Director of Engineering.
Ganesan Lakshmanan – Team Leader, Security Management, CA
Working as Team Leader for Security Management with CA in the Arab Countries, Ganesan is responsible for understanding customer requirements and providing suitable security solutions based on CA technology through consulting and solution architecting. He has more than 15 years of work experience in the IT industry as well as with a research institute. He specializes in IT security and has recently been focusing on Identity and Access Management.
Mike Andrews – Sales Director, EMEA, Guidance Software
Mike Andrews has over 20 years’ experience in the IT industry, developing markets for innovative technology in EMEA. He has a broad range of experience across a variety of industry sectors including Financial Services, Telecoms, Media, Manufacturing, Retail and Government. His knowledge of current market topics and international experience will be invaluable in helping organizations better understand and fight the threat posed by the digital world.
Ahmed Baig, eHosting DataFort
Ahmed Baig leads the security services and consulting practice in eHosting DataFort, the leading end to end IT outsourcing provider and managed service provider in the region, owned by TECOM Investments, a member of Dubai Holding. He brings to his current role more than 10 years of experience in IT and Information Security.
Klaus Gheri – CTO & Co-Founder, phion
Klaus Gheri is responsible for overall Product Management and Strategic Business Development. He was instrumental in the design and development of phion netfence and phionOS in particular. He holds a PhD in Physics from the University of Auckland (New Zealand).