Security threats make staying safe a great race

25.07.2005
By Samantha Perry

IT security, like housework, is one of those ever-recurring things. Just when you think you have everything in top form and ship-shape, somebody else comes along and makes a mess. Unlike housework, however, securing an IT infrastructure pits the skills of IT departments against an increasingly sophisticated brand of criminal, working as hard and fast on threats as IT does on securing against them.

In today's world of Sarbanes-Oxley, Basel II and other corporate governance requirements, security has become less about antivirus software on desktops and more about managing corporate risk -- across the board.

While antivirus, antispyware, firewalls, and other so-called perimeter security tools will always be an essential part of the security system, companies need to look beyond access control to the threats posed by, amongst other things, mobile devices, employees, and increased broadband Internet access.

Mobile malice

"As mobile access to sensitive corporate information becomes more popular, and the number and type of mobile devices used to access such information increases, security on these devices becomes a problem that most companies will have to deal with, if they are not already doing so," states Business Connexion information security consultant, Eric McGee.

"The number of mobile devices in use has overtaken that of fixed devices, with about 1,000 new subscribers to mobile each day," he says. "Cell phones, PDAs and 3G networks are indispensable to the business world, and they are pushing the boundaries of the enterprise IT infrastructure further than the security infrastructure can reach at this time."

Notes NetXactics CEO, Brett Myroff: "Emphasis has been placed on gateway level protection; however, only one potential entry point is being protected. Where thousands of PCs exist, with unlimited network entry points through Bluetooth devices or the like, only an all-encompassing solution at server, gateway and desktop level will provide adequate security coverage.

"Technology is moving as fast as ever, and even seemingly harmless devices, such as an iPod or flash memory stick, can present a risk in terms of information theft or virus infection; the threat itself has not changed, and the potential for vulnerability will be extended without sufficient OS and desktop security," he comments.

While Gartner has rated mobile viruses as one of this year's most over-hyped security threats, they are still a danger, albeit a smaller one than has been made out in certain quarters. "Antivirus vendors see huge potential profit opportunities in selling security solutions to billions of cell phone and PDA users," says vice-president and Gartner Fellow, John Pescatore. "In particular, the anti-viral industry sees cell phones as the way to grow sales outside of a flat, commoditised PC market. However, device-side antiviruses for cell phones will be completely ineffective."

"The most effective approach to blocking mobile malware will be to block it in the network," Pescatore says. "Companies should ask their wireless service providers to document existing and planned capabilities. By the end of 2006, all wireless service providers should be required to offer over-the-air mobile malware protection."

Wireless network security is another aspect of the security chain that smaller companies in particular need to focus on. The security built into wireless devices and access points is not sufficient: users need to become more aware of security, and IT personnel and departments need to become more sophisticated in the way that these are deployed and protected.

"Mobility and wireless computing offers new opportunities for organisations to communicate in new and exciting ways and increase productivity," notes BMI-T's as yet unreleased IT Security 2005 report.

"At the same time, it increases the vulnerability of corporate systems, with more access points and client devices dispersed across different locations inside and outside of the organisation. The demand for architecture and design services around wireless environments and mobility, as well as security strategy and planning, is expected to be a focus area for organisations going down the mobility and wireless path."

People problem

"Security awareness amongst users is a big issue," says Mike White, partner, Enterprise Risk Services at Deloitte. "The recent spate of phishing attacks against SA banks is a good example here - it took a big scare to get the banks to proactively warn users of the dangers, through e-mail and warning on their Web sites."

Says business technologist at Computer Associates Africa, Karel Rode: "Despite the advancements made in security infrastructure, it is still actually astonishing to note that most companies still base Internet security on perimeter controls like firewalls. In fact, according to the 2005 edition of the Australian Computer Crime and Security Survey, 98 percent of companies still use firewalls and/or antivirus software (99 percent) with some form of access control.

"Favourably, virus and worm infections dropped from 88 percent in 2004 to 64 percent in 2005, indicative of the high level of malicious content activity in 2004, as well as more successful deployment of risk mitigation measures.

"Sadly, the misuse of e-mail, Internet access and system resources by insiders is still high (68 percent). This may be as a result of limited successes in communicating acceptable usage policies, or failure to implement technical controls to enforce said policies. Having these policies in place can initially be a drain on resources, but having policies without 'teeth' will not discourage such abuse," he notes.

Security threats posed by not having a centralised view of an employee, and not managing that employee's access to company resources over their employment lifecycle, including withdrawing access as appropriate, can be mitigated through the use of Identity Management solutions. Corporates need to be careful about what they buy into, however.

As White notes, "Companies should take a more holistic view of what the market is touting as 'identity management.' Employee lifecycle management is in fact what is needed here. As part of both governance and security consideration, companies need to get control of user identities buttoned down. Too much time and money, for example, is still being spent by the helpdesk on resetting user passwords -- identity control can help here."

Speed freaks

Increasing prevalence of high-speed Internet access, says BMI-T's Security report, will open up new threat avenues -- although this is not a problem SA is likely to have anytime soon, given that it does not even have true broadband yet.

"Higher broadband, wireless, and remote computing penetration open new avenues for attacks. Virus writers and hackers are using increasingly sophisticated spam, phishing, and P2P technologies to propagate viruses and trojans. The ever-changing nature of threats will drive new technology adoption as they emerge," the report states.

The convergence of voice and data and the increasing use of VOIP bring their own threats. Says IS Security Solutions head, Brett Salovy: "Companies deploying VOIP need to know that you cannot just 'plug it in' and expect to be secure. The technology itself -- operating systems, soft PBXs and encryption -- is weak, security-wise, and companies need to take the time to ensure that no-one is listening in.

"While it is best practice not to run voice and data over the same VLAN, many companies do. In a worst case scenario, this opens corporates up to denial of service (DoS) attacks, overly large phone bills, if someone hacks in and uses the network to make international calls, and loss of confidential information -- through hacking into mailboxes or listening in on phone calls," he states.

On the other hand, Gartner has stated that IP telephony is not as insecure as it is made out to be. "The reality is that security attacks are rare for IP telephony," says Lawrence Orans, principal analyst at Gartner. "Preventive measures for securing an IP telephony environment are very similar to securing a data-only environment. IP telephony eavesdropping is the most over-hyped threat. Eavesdropping is unlikely to happen since it requires local area network (LAN)-based access to the intranet. The attackers must be inside the company, because they have to be on the same LAN as the IP telephone that is subject to the eavesdropping attack."

Gartner analysts say companies can encrypt voice traffic to protect against IP telephony eavesdropping, but typically it is not required. It is no more difficult to eavesdrop on voice packets than it is on data packets.

"Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans," Orans adds. "For these enterprises, the benefits of IP telephony far outweigh any security risks."

Trends

Going forward, the security vendor landscape is going to continue to shift rapidly, not necessarily making life any easier for users in terms of relationships, but consolidation should bring more holistic solutions from fewer suppliers.

Says BMI-T security analyst, Roy Blume: "We have seen the biggest IT players, which have not had a security focus in the past, move into this market, including the likes of Oracle, HP, and Cisco, and even Microsoft with two security technology acquisitions. This merger and acquisition (M&A) activity is yet another sign of the imminent convergence of security, network, system, and infrastructure management technology."

Additionally, says the BMI-T Report, security software will be almost entirely replaced by appliances by 2009. Says Blume: "Appliance-based solutions continue to cannibalise security software revenues. Customers have taken well to the message that appliance-based solutions offer a lower total cost of ownership (TCO), and also offer easier deployment and management. BMI-T expects 80 percent of all e-mail server, gateway, and network security software to be deployed as appliances by 2009."