Security part 3: there’s more to protection than patches

23 Oct 2003

We can’t go on like this: patching and reacting, and apparently never getting closer than one step behind the hackers and malware bandits. That would certainly be the sentiment of most businesses and organisations trying to get on with their main missions. The very real disruption, damage and loss that can be caused by worms, vandals and electronic infiltration mean that there is a significant bottom-line cost.

The price of eternal vigilance is high. Some part of the trouble has to be that it is a price the world’s governments and leading organisations, financial and commercial, are willing to pay. Financial institutions and multinational manufacturers and public companies are not in the business of reforming the world. Their job, as they see it, is to cope with all current realities and get on with making a buck for their shareholders.

Another element is that security has by now become a sector of the IT service industry worldwide, bringing a perception of a new level of professionalism and brainpower to this aspect of information and communications technology (ICT). Innovation makes news in encryption and biometrics and, unfortunately, in the bad stuff too.

Blaster, Swen, Nachi and so on have the slightly glamorous fascination of hurricanes and Richter scale aftershock reports. There is no question of a cosy consensus or of that hoary old conspiracy theory that the anti-virus companies have a clandestine partnership with some of the outlaw code writers. The real problem may be that there is an almost universal inertia and acceptance of inherent insecurity in ICT systems, just as we are stumbling towards a vision of a totally connected information age.

“Yes, it is a bit of a rat race and speeding up all the time, so it really demands a more managed approach,” says Ian Hameroff, security strategist with Computer Associates. “As far as ‘patching’ is concerned we really can’t succeed that way. We have to develop ways – and the industry is – to go below the waterline and build security into the structure of every device and every application. At one level that is about threat management, which is the responsibility in the first instance of each organisation. It starts with analysis of vulnerability but in many respects the real key to ongoing success is education of users and a firm, consistent and written security policy in place.”

People bypass security procedures; they are careless or unduly trusting, just as they are in daily life. That is a far commoner weakness, and one exploited successfully by worm and virus writers far more often than pure machine-code attacks. The obvious examples are those who have clicked on an .exe (executable) or indeed any other unrequested file that arrived as an email attachment – or who were fooled by the emails masquerading as security update patches from Microsoft.

“Caution and prudence are almost innate in the rest of our social and business worlds,” says Hameroff, “but are not yet so in the IT world and it is the job of the leaders and managers of every single organisation to educate and inform their people – but also to implement policies and disciplines.” On the systems side of things, he acknowledges that the industry shows no sign of coming up with a ‘magic bullet’ nor is there even a cocktail of best-of-breed solutions that will give the level of protection required – 100pc being impossible, it is a question of an acceptable threat/risk balance for each organisation.

“One area that is central to e-trust, however, is digital identification. If you need access to digital assets to do your job, you have to be able to prove that you are who you are supposed to be and that you have the right authorisation.” There are a growing number of successful ways to do that – some easier than others for general users – but he makes the point that it will have to become much more prevalent. It will have to be enforced from mainframe to smart portable device and even down to task level.

That, in turn, means good systems that are effective but easy enough not to generate resistance in real-life use and automated as far as possible. “There simply has to be a holistic approach,” according to Tony Redmond, vice-president and chief technology officer with Hewlett-Packard Services. “The technical systems have to be automated, multilayered and built into our hardware and our software applications. They certainly have to be user-friendly but they also have to be mandatory. That is the management side – there have to be policies, they have to be current and best practice, they have to be enforced.”

Once the policies and the requirements are clear, IT can perform its side of the bargain whether inside the organisation or on a national or world scale. “Given clear policy, an IT department or a provider can give a commitment and security service-level agreement to the business,” says Redmond. He goes on to suggest that similar guarantees, certification or assurances will soon become basic for supply-chain partnerships, customer-seller situations and eventually any electronic interaction. A business that wants to stay in business has first of all to make sure that it is secure. Then it may start to look very hard at the rest of the world.

By Leslie Faughnan