On the heels of different security threats and incessant attacks on high-profile Web sites, security experts agree: When it comes to the security of your systems, never be complacent.
Citing a Computerworld U.S. survey conducted last month, Douglas G. Conorich, Global Solutions manager of Managed Security Services at IBM Global Services, said that a majority of the 1,400 chief information officers (CIOs) polled said they believed their organizations were secure from both internal and external threats.
"This is a very unsecure posture to take. Security professionals need to have a paranoid attitude. Even the most innocuous hole can cause major problems," he said. "Security is not only a matter of how secure we are, but also how secure our customers feel we are."
For Warren R. Bituin, director of Technology Risk Consulting at Arthur Andersen, the public perception and attitudes of organizations toward security have changed in a positive way. He added that they are more aware of the dangers of taking security for granted.
"However, their usual approach to security management is not optimal," he pointed out. "In most cases that I've seen, companies roll out technical solutions right away without really going through the process of risk assessment and enterprisewide security architecture design and development."
As a result, some security threats are not effectively addressed and some system vulnerabilities are not fixed on a timely basis, Bituin observed.
Albert dela Cruz, president and CEO of Wolfpac Communications Inc., a local security system provider, attributed this change and growing awareness to the much-publicized distributed denial-of-service (DDoS) attacks on popular Web sites like Amazon.com and eBay.com as well as to the security breaches experienced by software giant Microsoft last year.
"Well, there are good things that came out from the bad. Because of these events, companies have taken a serious look at information security," he said.
MORE ATTACKS TO COME
All these security experts believe that security threats will continue to be a major concern of organizations that are taking advantage of the Internet as a business tool.
At the same time, the Internet will also continue to be the major source of different security threats and hack attacks, said Bituin. "This is because the skills required to execute an attack have gone down due to the proliferation of hacking tools that are just a download away."
Dela Cruz agreed, saying that the increasing availability of DoS scripts over the Web and their ease of use have made them a favorite tool for wannabe hackers.
Conorich said the biggest threats on the horizon are from those that exploit vulnerabilities related to buffer overflows, floods and malicious code attacks, which the DDoS Trojans use.
"In the country, attacks by Filipino hackers against local Web sites will increase," predicted Bituin. "There will be more cases of Web site defacement wherein the company's Web home page will either be splashed with graffiti-like announcements or redirected to another site, usually that of a competitor."
He said the growing popularity of computer schools has also brought about a great number of technology enthusiasts who are all willing to experiment in the outside world with the tools they got from the World Wide Web.
"Viruses are still going to hog the limelight for years to come since they have been the most potent, destructive and effective means to deploy search-and-destroy as well as Trojan programs," said Dela Cruz.
Conorich pointed out that companies tend to overlook virus attacks altogether. "Most companies feel they have done what they need to do for virus detection and prevention. Unfortunately, these same companies are the hardest hit."
He emphasized that virus or malicious code education is as important as prevention and detection methods. "Users need to be trained in how to recognize executable attachments, questioning why they got one, and to save them to disk before opening them."
TIGHTEN KEY AREAS
So what will it take to secure the digital landscape? What areas should companies strengthen to keep them protected against these security threats?
What you must do, according to security experts
Albert P. de la Cruz, president and CEO, Wolfpac Communications Inc. says:
1) Improve your security policy. If you have none, then create one.
2) Re-study your IT infrastructure. If you plan to go online or do electronic transactions over the Net, make sure you have sufficient safeguards in place.
3) Do a security audit now. You may already have a breach in progress or you may have applications, operating systems or devices that have flawed software and may require a patch.
4) Invest in the basic security solutions such as IDS and antivirus software.
5) Determine the common mistakes that could lead to virus infections or security compromise and educate your people.
Jeffery Sy, country manager of Trend Micro Inc., says:
1) Perform detailed analysis for vulnerabilities and weaknesses.
2) Apply counter-measures in insecure areas.
3) Create and implement corporate security policies and processes.
4) Deploy, manage and support security enforcement systems in place.
5) Continue to make users within the organization aware of the importance of security, to achieve success in security deployment.
Douglas G. Conorich, Global Solutions manager, Managed Security Services, IBM Global Services, says:
1) Get the advice of outside agencies if you can't afford top-notch security experts.
2) Having an independent audit agency do vulnerability testing can go a long way.
3) Invest in IDS hardware but outsource IDS monitoring to companies who have the expertise. This way you will be able to understand the significance of what the alarms mean and respond accordingly.
Warren R. Bituin, director, Technology Risk Consulting, Arthur Andersen, says:
1) Perform a security risk assessment of your existing technology environment.
2) Include the four risk management areas in this assessment. The four areas are: policies and procedures, deployment techniques, technical solutions and monitoring process.
3) Perform enterprisewide security management to ensure that all technology components -- physical, network, platform, databases, business systems -- are properly considered.
Security policies and procedures remain at the top spot among the key concerns that companies need to address.
"The company's security policy is the key to their success. It should be the standard operating instruction for the company with regard to security operations. It should spell out what can and can't be done by users and list how and what services should be available for their use," Conorich said.
It is simply a document that will be the basis for your security implementations and covers the who, what, when and where of access to your IT resources, explained Dela Cruz.
Bituin said such a policy must be developed, approved by top management and disseminated to all concerned employees. Dela Cruz added that its crafting should involve every segment of the organization, including engineering, human resources, accounting and auditing departments.
For Jeffery Sy, country manager of Trend Micro Inc., a security policy should also outline management support, user training and cost-effective security measures.
"The deployment of security solutions should also be managed. This should include change control over technical architecture, the design, implementation, and administration of the security function and user administration, education and training," said Bituin.
FIREWALLS ARE NOT ENOUGH
The experts said that security is a process, not a goal. So when it comes to implementing the security technologies or solutions, companies should not rely on one technology alone to provide any significant comfort. Firewalls are not enough.
Dela Cruz noted that most companies become complacent once firewalls, access control, authentication and encryption are implemented.
"Most people feel that these are enough. They give them a false sense of security. What they don't know is that there are other factors that can cause security breaches which are beyond the capabilities of firewalls," he said.
Thus, Intrusion Detection Systems (IDS), Public Key Infrastructures (PKI), Virtual Private Networks (VPNs), encryption and authentication mechanisms should be rolled out and properly configured as well.
"There are a lot of technologies available for an organization's security needs. It's just a matter of finding what is cost-effective and practical," said Bituin.
For Conorich, the most important areas of security that companies need to invest in today are vulnerability testing and IDS. "Companies need to deploy IDS that work in real time, both network-based and host-based systems."
However, companies will need to invest not only in IDS, but also in the monitoring of the IDS and the interpretation of the alarms. Conorich said the monitoring could be outsourced to firms that have the expertise to interpret the alarms, while vulnerability testing can help identify weaknesses prone to attacks.
Authentication is also an important aspect to reinforce security, said Dela Cruz. "At Wolfpac, we say strong authentication is needed because there are now methods which strengthen passwords and provide two-factor authentication such as authentication tokens, biometrics, or smart cards."
These technologies should also come with specific functions such as central management, auto deployment and updating as well as remote user management to provide system administrators effective and efficient tools in managing the security of a system, added Sy.
AUDIT AND BE UPDATED
After the appropriate technologies are put in place, auditing and monitoring the infrastructure should be made a part of keeping the systems secure, said the experts.
"The security infrastructure should be monitored to ensure that the controls continue to operate," said Bituin. "This area refers to periodic security assessments, incident response procedures and troubleshooting of technical abnormalities."
Aside from security audit, Conorich also emphasized that companies today need to keep abreast of the latest vulnerabilities, hacks and strategies to combat such threats.
"Security education is very important as well. According to IBM's Global Services Analysis Laboratory, the average number of vulnerabilities discovered per week in operating systems and applications has tripled over the last three years," he added.
This story, "Be wary of data security, companies warned" was originally published by Computerworld Philippines.