Security part 2: where the weaknesses are

16 Oct 2003

There is simply no question that the security threats to any business in today’s internet-connected world are real and constant. Every minute of every day somebody somewhere loses functionality through malicious worms, or data of value, or even money through one of the many types of fraud. The total cost to business is immense and probably incalculable, although estimates go as high as $6bn annually.

“A large Irish public company had its systems down for two days just last August,” says Conall Lavery, MD of Dublin security and networking specialists Entropy. “That was caused by the Nachi worm, one of the most destructive of the recent spate of attacks by variants of Blaster, Swen and lots of others. Of course the company had good systems in place on its network. This time the point of entry was traced to a back door – an individual user disobeying rules and procedures.”

All organisations are having to look very seriously at security systems that work at different levels. Remote working – essential today for users on the move and fundamental to the productivity gains from ICT in the last decade – has emerged as one of the major areas of concern. Naturally enough, individual users and portable machines are simply not under the same level of administrative control as the network. In any event, most SMEs do not have in-house expertise.

A telling example from Conall Lavery was the first major Blaster attack earlier this year: “Even as the publicity filled the media and alerts were flying around the world, our helpdesk reported no calls relating to it. But after a few days the calls began and quickly escalated.” What happened, he says, is that corporate firewalls and antivirus systems coped perfectly well with direct attacks but over time PCs used at home and on the move introduced the worm because the networks trusted them and their users.

Why is the situation so bad and apparently getting worse? There are clearly umpteen drivers, starting with the sheer proliferation of computing devices and the linking power of the Internet. These are the very same factors behind the great economic and cultural benefits of today’s technology, in other words. It is absolutely unfair to ‘blame’ Microsoft – whatever criticisms may be levelled at its ways of addressing the problems in the past – but there is no doubt that Windows is at the heart of matters because of its sheer dominance of the world’s desktops. Jonny Chambers, platform strategy manager of Microsoft Ireland, points out that with over 300 million PCs running some Microsoft product it has to be the biggest single target area for hackers and malware. “We recorded 82,000 separate attacks for 2002 but this year the six-month total to June was nearly the same at 76,000.”

Last week Microsoft CEO Steve Ballmer promised major new initiatives from the software and acknowledged “…the need for the highest levels of security in a world that frankly is full of thieves, con artists, terrorists and hackers. Many of our customers are feeling the pain. They’re frustrated by vulnerabilities. They’re frustrated by patches. They are concerned about the threat that hackers pose to their systems. And businesses are taking a hit at the bottom line level. Our company and our industry has to hit on all cylinders to meet this new challenge. We certainly are all fully committed to meeting the challenge of these new security threats while continuing to innovate. In fact, we believe better security and constant innovation go hand in hand.”

Among the Microsoft promises are more straightforward and easy-to-administer security patches – regular monthly timetabling is suggested – and an increased emphasis on security in the new releases or service packs for Windows XP, Office and other products in early 2004. Also last week the US Department of Homeland Security, its British and Canadian counterparts and the SANS Institute published a definitive list of the Top 20 security vulnerabilities most often exploited. There was a Windows Top 10 and a second 10 covering Unix, Linux and other operating systems, illustrating clearly the relative positions.

The listing is intended to act as a spur to governments, the IT industry and the owners and operators of the critical infrastructure to eliminate the vulnerabilities. The message for individual organisations, says Conall Lavery, is that risk and vulnerability have to be actively assessed and managed – all the time. “You have to look at what could happen, how it would affect the business or mission, and what to do about it. There will have to be a hard look at cost/benefit, of course, but in fact most companies – perhaps especially SMEs – may find that there is quite a lot that can be done at zero cost. That is simply because so many have already invested in security tools that have not been updated or had their capabilities fully deployed.”

By Leslie Faughnan