Computer Security Part III: Taking care of big business

16 Nov 2004

While security is essential for any business, for large corporate or government organisations the stakes are even higher given the potential losses a security breach could bring. “Your security spend is based on your appetite for risk, and large corporates — banks in particular — have little appetite,” says Colman Morrissey, managing director of computer security firm, Espion.

Given the international profile of many of Ireland’s largest companies, international legislation has an impact on their security policies as they may be required to provide a secure audit trail for certain areas of the business. The Basle II accord and the Sarbanes-Oxley Act 2002 are particularly relevant for financial services organisations while pharmaceutical companies have to comply with the requirements of the US Food and Drug Administration. But it’s not just multinationals that have to worry about legislation — under Irish company law, directors have certain legal responsibilities and providing adequate security could easily be interpreted to be one of them.

The first step in creating a secure corporate infrastructure is putting in place the necessary policies that state what is and isn’t acceptable practice by staff and other users of the network. “Policies are the driving architecture behind what you do with people and how you train them,” says Simon Perry, vice-president for security strategy with Computer Associates (CA). “Before you even go to market to look at technologies you need to have policies in place.”

Common mistakes are to make the policies far too detailed; the other extreme is not to formalise policies at all — in either case it becomes impossible to communicate them effectively to staff. Perry says policies should be “high-level controls over behaviour and expectations” while the detail of how they are enforced should be dealt with through the IT department’s operational controls.

Although policies are primarily inward looking, the fact is that the internal threat from disgruntled employees is a very real one. “The majority of incidents that involve large financial loss are internal,” says Perry. “The most frequent external threat comes from viruses and the gross cost of such external attacks is adding up to an increasingly large percentage of the total. But, at the end of the day, one internal attack can be as costly as 100 virus attacks.”

So what tools are available to big business to secure its information? Perry suggests that whatever technology is put in place should make things easier for staff members by reducing their number of choices. “If you have a policy on pornography and other undesirable content but you want to allow staff members to read news sites you need to use technology to block those sites,” says Perry. “It makes it much easier because they know if a site is blocked it is undesirable.”

“The best security tools are still antivirus and anti-worm software but they are not as effective as they once were,” says Conall Lavery, managing director of Entropy. “The time from a vulnerability being identified to a worm or virus appearing is getting much shorter so people are looking for a ‘day zero’ defence mechanism.”

Most so-called day-zero defences, which claim to protect against a virus or worm even before an antivirus signature has been written, do so by shutting down applications or hardware that start to act in an unusual manner. Sounds good in theory but in reality that means benchmarking the organisation’s network and establishing what is typical activity — not a trivial task.

In addition, some systems are so crucial to an organisation’s activities — such as its manufacturing controls — that it would be too expensive to shut them down as a precaution. As Lavery puts it, such solutions need to be “custom fitted” to each organisation.

The mantra when it comes to IT security for big business is ‘defence in depth’. It basically means that rather than simply securing the perimeter of the network to stop intruders, security is implemented at every layer of the network. “Our core business is local area networks and wide area networks but that equipment is all becoming available with embedded security,” says Neil Wisdom, sales director with LAN Communications. “That means that users can be authenticated at the switch or router rather than the network core.”

This is inherently more secure as users are not allowed any access to the network without being authenticated. The theory underlying defence in depth is that by adding X layers of protection against a particular threat, the security benefit is exponentially greater than simply X times.

While IT budgets were strained after the boom of the late Nineties, security spending was broadly maintained, and even increased somewhat, but companies are now starting to invest heavily in new security technology. Concurring with the experience of Wisdom, Morrissey says where once organisations might have had dedicated hardware for a number of different tasks — such as firewall, content filtering and intrusion detection — the trend now is towards all-in-one boxes that can do a variety of different tasks.

Some more advanced organisations, primarily in the financial area, are looking at the use of biometrics — such as fingerprint or iris scanning — to replace the need for passwords on their systems. Widespread deployment of such technologies may be years away but given that security begins with people, surely the ultimate security is technology based on your own unique assets?

By John Collins