Get ready to fight future threats

If managing IT security is hard now, it looks set to become harder. Jon Tullett looks at possible ways to win the battle

In IT security we seem to be moving from a model where technical problems needed technical solutions, to an environment where management challenges dominate. Although there are technical solutions to most specific needs, delivering and managing the technology can be difficult.

It is no surprise that market luminaries point to management solutions as key areas for the year ahead, though the term ‘management’ encompasses a wide range of possibilities, including infrastructure management and managed services.

Managing technology is becoming a severe headache for security professionals. Every point solution, whether it is a firewall, IDS, content filter, authentication or something else, generates information about its activity. The result is an overwhelming flood of logs and events, which can inundate even a dedicated team.

Faced with a need to tackle this issue, vendors are stepping up with solutions to do just that. Some are moving towards framework management solutions, led by the likes of Symantec, IBM and Computer Associates.

“There's a pragmatism emerging among chief security officers about best-of-breed,” says Paul Rutherford, marketing manager of Clearswift, a maker of email and content filtering software. CSOs, he says, now see the importance of being able to manage the whole system rather than insisting on the very best point solution.

And he warns users that framework management solutions themselves will not be simple to run. “Vendors haven't produced these until now because it's very complicated managing policies in a framework. How do you manage across multiple servers, in multiple locations, with multiple policies? It costs an arm and a leg, and takes a lot of time.”

Marc Willebeek-LeMair, CTO of Tipping Point Technologies, believes the real problems lie in some very specific areas. “There’s in the order of 80 new vulnerabilities reported per week. That’s just an unmanageable problem, period,” he says. “It doesn’t matter how many people you’re going to get together at each individual enterprise to try to sift through that and try to figure out what’s going on, you just can’t. It’s just not economic nor humanly possible to go and address each vulnerability that does actually impact you in the timeframe you really need to in order to be protected.”

He believes intrusion detection system vendors should be taking a more aggressive role. “If you can detect this stuff, why don’t you block it and eliminate the problem altogether?”


Mark Armitage, European technical manager at Top Layer, agrees. “The first thing we hear from IDS customers is that the event management from IDSs is one of the biggest problems they have. They’re saying to us that if you can do a good job of stopping most of this stuff coming in, we don’t necessarily want to see one event per thing that you do, we want summaries of things that you do, which is easier for us to correlate into our existing systems.”
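As an added illustration of the summarisation Armitage describes (example code, not from the article or from Top Layer), the following groups one-alert-per-packet IDS output into per-window summaries by signature and source; the alert lines and their key=value format are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed alert lines in a simple key=value form (not a real IDS export format).
SAMPLE_ALERTS = """\
2002-11-14T10:00:01 src=10.0.0.5 dst=192.0.2.10 sig=web-traversal action=blocked
2002-11-14T10:00:02 src=10.0.0.5 dst=192.0.2.11 sig=web-traversal action=blocked
2002-11-14T10:00:09 src=10.0.0.5 dst=192.0.2.12 sig=web-traversal action=blocked
2002-11-14T10:00:30 src=10.0.0.7 dst=192.0.2.10 sig=port-scan action=logged
this line is garbage and must not break the summariser
2002-11-14T10:06:10 src=10.0.0.5 dst=192.0.2.10 sig=web-traversal action=blocked
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"sig=(?P<sig>\S+) action=(?P<action>\S+)$")
EPOCH = datetime(1970, 1, 1)  # reference point for window arithmetic

def parse_alert(line):
    """Return a dict for a well-formed alert line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["ts"] = datetime.fromisoformat(alert["ts"])
    return alert

def summarize(lines, window=timedelta(minutes=5)):
    """Collapse per-packet alerts into one record per (time window, signature, source),
    the summary form that is easier to feed into an existing correlation system."""
    buckets = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # skip malformed lines rather than abort the whole batch
        start = EPOCH + ((alert["ts"] - EPOCH) // window) * window  # floor to window
        key = (start, alert["sig"], alert["src"])
        rec = buckets.setdefault(key, {"window": start, "sig": alert["sig"], "src": alert["src"],
                                       "count": 0, "targets": set(), "actions": set()})
        rec["count"] += 1
        rec["targets"].add(alert["dst"])
        rec["actions"].add(alert["action"])
    return [buckets[k] for k in sorted(buckets)]

def format_summary(rec):
    """One line per bucket instead of one line per packet."""
    return (f"{rec['window']:%Y-%m-%dT%H:%M} {rec['sig']} from {rec['src']}: "
            f"{rec['count']} alerts, {len(rec['targets'])} targets, "
            f"actions={','.join(sorted(rec['actions']))}")
```

Running `summarize(SAMPLE_ALERTS)` reduces the five valid alerts to three summary records, and the malformed line is dropped rather than stopping the batch.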

Someone else’s problem

One way to avoid dealing with floods of alerts is to make it someone else’s problem entirely, such as a managed security service provider (MSSP). Although many managers feel uneasy about outsourcing such a sensitive field, MSSPs are tipped as a strong growth sector for next year.

The big ISPs are gearing up for this role, as pressure from carriers such as Cable and Wireless, with its Exodus MSSP business unit, builds up steam.

Armitage says his company is conducting trials with several ISPs worldwide to deploy intrusion prevention systems. “The places we’re starting are the places that are going to get operational value from this directly. So it’s the parts of ISPs where they have assets to protect. Further on, we expect them to deploy this slightly wider than that, so their leased-line or DSL-connected customers are filtered bi-directionally so the ISPs are stopping outbound attacks from their customers and the inbound attacks are being stopped as well.”

Efforts from telecoms companies to make security a commodity are also starting to make an impact - earlier this year Deutsche Telekom partnered with Check Point to offer managed security services to smaller customers.

The bottom line

Whether you deal with the problem in-house or outsource the solution entirely, it is still going to cost money. And wangling budget out of tight-fingered CFOs is one of the most common stumbling blocks facing security managers.

To address this, Willebeek-LeMair says managers should focus on the ROI from the start. Many vendors have taken this into account, building reporting facilities into their products to demonstrate efficacy and measure performance metrics. This can become a chicken-and-egg game - to measure lost productivity from spam, you need to measure the junk mail, and the easiest way to do this is with the same content management platform you would use to control it.

A solution, though not a simple one, is to draft and maintain corporate policies that cover security issues. This is becoming a necessity for many organisations in vertical markets such as financial or healthcare, and is simply good sense for others. That policy will give you a baseline for measuring the impact of non-compliance, which can be translated into ROI for the countermeasure.

Top five security threats for 2003
The mobile phone becomes a hacker’s paradise

As the number of embedded applications grows, and the line separating mobile phones, PDAs and laptops becomes ever narrower, the security risks associated with computing will spread to these embedded platforms. Mobile devices are increasingly integrated with wireless technologies, and hackers may find these a handy route to personal and corporate information.

Broadband loopholes will pose a bigger problem

More people are working from home, logging on to corporate systems via the growing broadband infrastructure, connecting laptops directly to public networks and downloading sensitive information onto home PCs. As a result, the homeworker’s computer becomes a potential gateway to corporate information and networks, but with little of the security usually implemented at a corporate point of internet presence.

The challenge of managing invisible networks grows

Wireless computing, applications and devices are set to take off in 2003, but it is unlikely that the security controls and protocols will develop at the same speed. The ease with which wireless networks can be installed and configured will continue to encourage their use in organisations, but the security implications of this continuing trend will generally remain poorly thought through.

Application security becomes a hot issue

As more and more services and enterprise applications are provided remotely through web-based interfaces, the focus of access control will need to move from infrastructure-tailored security to application-led solutions if enterprise software is not to become the big security victim of 2003.

Computer systems become new cyberterrorism targets

As the risk of terrorism increases, the threat to the logical assets of businesses and those they trade with will increase rapidly. We will see more attacks aimed at disabling entire organisations and global internet and telecommunications infrastructures. The ability to recover quickly from a major disaster caused by intentional destruction will become a major concern for many organisations.

Robert Coles is European head of information risk management services and James McKeogh is security specialist with the Information Security Services team at KPMG (www.kpmg.com).

A picture of threats to come

If 2002 was a ‘quiet’ year for infosecurity, Illena Armstrong discovers there are real concerns about 2003

An electronic threat, according to Internet Security Systems, “is any tool or technique that can be used to damage the data stored on a network, server or desktop, or to compromise those resources for unauthorised use.”

For many, 2002 proved a relatively quiet span for such infosecurity threats. Sure, this year saw its share of vulnerability exploits, viruses, packet spoofs, electronic fraud and other incidents, but it was devoid of any momentous security events. Taken in combination, though, the threats that did come to fruition over the course of this year may mean something bigger in 2003 for everyone tied to the internet.

Noting that the last 12 months lacked attacks comparable to Code Red, viruses similar to LoveLetter, catastrophic distributed denial-of-service attacks, major web defacements, large outbreaks from SNMP flaws, and reported events involving wireless session hacking, Chuck Pfleeger calls 2002 “the year that wasn’t”. Yet, while Pfleeger, the master security architect for Exodus Communications, a Cable & Wireless Service, might believe “it’s hard to write about the dog that didn’t bark,” he does think “something is amiss”.

He points out that this year the number of reported vulnerabilities grew, security patches went up, statistics on attacks from the likes of CERT doubled from last year, and surveys from other groups revealed that attack sophistication is growing. On the other hand, security spending on services and/or products is, at best, making only modest increases - “certainly not enough to double the ability to ward off attacks,” says Pfleeger.

This latter trend, many experts contend, is largely due to tight budgets that will only get leaner in the next year, and it is one of many reasons why organisations will increasingly look at how to make security work, says Ken Hammond, vice president of business development for eSecurityOnline LLC. In doing so, they will need to work out what is required to secure the initiatives that support their business’s bottom line. This will involve consensus building to gain enterprise-level support - not an easy task.


Implementation of security solutions that address this high-level business view will have to consider attack areas that continue to develop. One such area is application level security and, more specifically, attacks on new protocols over web ports such as SOAP or SML, says Royal Hansen, vice president of the Northeast region for @Stake in the US.

More sophisticated attacks, and growing coordinated inside and outside assaults, will likely hit unprepared companies hard in 2003, adds Hansen. These more ingenious cyberattackers will also increasingly “use VPN connections, web protocols and wireless connections, thereby bypassing any firewall or perimeter defences,” says Entercept’s Lou Ryan. “The concept of a ‘hardened perimeter’ will become meaningless in the near future.”

The other big issue for next year will be cyberterrorism, say many experts. “The four words that could sum up where we are with cyberterrorism are, ‘We’ve just been lucky,’” says Jon Gossels, president of SystemExperts Corporation. To maintain this string of luck will take much more work from both the private and public sectors. At a recent conference, former US Attorney Andy Purdy noted that governments alone are incapable of securing cyberspace. “Everyone must be responsible for their piece of cyberspace, the piece that they own and operate or use.”

Even if such a sense of responsibility comes to pass during 2003, there will be some organisations that are adversely affected by these examples of future threats and the many others mentioned in our ‘Top Five’ listing.

The result is the inevitability of next year’s theme: “security-based economic Darwinism,” says Bob Ayres, director of @Stake’s Business Risk Services in the UK, where, for example, credit card companies will not survive when customer numbers get posted on the web all the time. In short, he concludes, “those companies that see [the threats] and act will survive and those that don’t will fail.”

Regulating next year
Various regulations that are pending or already in force are shaping views on infosecurity. In the US the approach is taken vertical market by vertical market, while in the UK and other parts of the world government mandates are more far-reaching, covering both privacy and security requirements. Many experts believe that as demands for security keep growing on all fronts, more government-driven initiatives will come to the fore.

In the United States, recent legislation on health and financial records, and other regulations, “will continue to get more teeth and will force end-users to be more meticulous and vigilant about security and privacy issues,” says Lou Ryan, CEO of Entercept Security.

Waking up to infosec needs

Some experts, however, think it may need a widespread infrastructure attack to get corporate executives, government officials and private citizens to wake up to infosec demands. Meantime, regulations have at least helped a bit in pushing IT security awareness and have supported security administrators’ efforts to convince bosses how much they need to plan for cyberattacks.

“Most security pros look to outside regulations as justification for doing something they already know needs to be done,” says Jon Gossels, president of SystemExperts. “So regulations, in general, have been helpful in raising the bar for security in many industries.”

Copyright © West Coast Publishing. All rights reserved.