While infrastructure security has long been on corporate agendas, the events of 11 September undoubtedly emphasised the importance of effective disaster recovery. Anthony Harrington finds that while firms accept the costs of security as an essential part of doing business, many of them are only slowly realising that a firewall is just one element of what should be a constantly refreshed and reassessed defensive system.
If there is one topic that should be of enduring interest to both consultants and corporates it is Internet and network infrastructure security.
It’s hard to do, which means consultants have a rich and fertile field to add value. It goes right to the heart of corporate survival, which means it should be of interest to corporate boards, and it is never ending, which, of course, makes for the kind of relationship that consultants dream about.
It is no surprise then to find that the big consultancy firms are all either already well down the track in growing their own security arm, or are rapidly investing in the deep technical skills required to launch such a service. The events of 11 September undoubtedly highlighted the need for effective disaster recovery if the company’s own systems were trashed for any reason.
It also, however, focused corporate minds in general on the whole question of systems security yet again. In fact, any director who is still unaware of infrastructure security as an issue must either be deeply asleep or living and working from an extremely remote, low tech spot.
The Turnbull Report makes directors responsible for evaluating the risk to their IT infrastructure. The Data Protection Act makes them responsible for guarding against unauthorised access to client and employee information.
The Obscene Publications Act makes them liable if their servers are used to harbour offensive material. Litigation from shareholders, suppliers and, conceivably, clients could follow any breakdown in performance due to their systems being corrupted. Litigation could also follow – and the incidents are starting to pile up – from their servers being hi-jacked without their knowledge and used as staging posts for denial-of-service (DoS) attacks on other sites.
For all these reasons, companies are becoming attuned to the idea that money spent on infrastructure security is simply an essential cost of doing business in today’s world. One of the biggest challenges, however, is that many facets of IT and IP security are impenetrable for the uninitiated.
Take intrusion detection, for example. This is a “must have” for any company serious about its security, since intrusion detection sits behind the firewall and looks for malevolent activity inside the corporate network.
It is a “black art” if ever there was one. Much the same could be said for ethical hacking – it’s not the kind of thing that a self respecting consultant with 10 to 15 years’ worth of successful SAP installations behind him/her would know too much about. The same point applies to configuring firewalls or running anti virus software.
Gunter Ollman, principal consultant at the security and intrusion detection specialist ISS, reckons that there are at least three main aspects to IP security, and only one of these is technology based. This last has to do with the network architecture, the firewalls and all the other physical components. The other two aspects are both people based. The first of these consists of the technical staff who manage and look after the physical network and physical security devices. The second comprises the users.
No aspect can be neglected, and consultancy firms have plenty of opportunity to partner with specialist vendors for the more arcane technical skills, while using their analytical acumen and grasp of logical processes to ensure that aspects two and three harmonise with, rather than negate, the security work being done at the physical, technical level.
“Everyone involved in security knows that unless the user community has an understanding of what the company is trying to achieve with its security policy, individual users can compromise or bypass virtually every security measure you take. It’s like bank employees leaving the doors unlocked and the vault open,” he says. As for the technical staff, if they are not adequately trained and motivated, they can compromise security considerably faster than na’ve end users.
Many firms believe that if they have a firewall – or even a couple of firewalls installed, their systems are secure and protected from the worst the hacker community can throw at them. Not so, warns Ollman. A medium sized firewall can cost a company around #100,000 to install and set up. The only thing that makes it secure is the fact that the person applying the firewall policies knows his or her stuff and is well trained. Moreover, there is always the risk that when someone edits the policies, they will accidentally revert back to some default level that leaves everything open.
In a busy IT department, anything can happen. A technical expert can begin the process of adding a new policy, get as far as deleting the old policy, but then get called away before they have a chance to install the new one. The result is a #100,000 firewall that now acts like a router, enabling any and all traffic to pass through into the system. Similarly, the firewall can be hopelessly compromised by a low-level operations person who has been delegated to change a rule, without ever being sent on a firewall course.
“For the sake of not spending, say, £2,000 to send Bloggs on a firewall course, a company can compromise its entire IT infrastructure and possibly the future of its business,” Ollman comments.
Graham Morris, technical director for e-security at Vanco, a managed network services and security company, points out that hiring an in-house technician to maintain a firewall can cost £30,000 to £40,000 a year.
Most companies will need at least one and half technicians (to cover week-ends and holidays), raising the price yet again. This cost, coupled with the technical skill required, makes firewall maintenance ideal for outsourcing.
As Morris notes, an outsourced service from his company for a single firewall would be around £15,000 a year. Companies with large numbers of firewalls will get a packaged deal of around £180 to £200 per firewall per month.
Bernie Dodwell, sales director at the security specialist Allasso, divides security up into seven separate technology “islands”, all of which are interrelated in practice: access control (firewalls); content management (which includes anti virus software); authentication; authorisation; vulnerability assessments; intrusion detection; systems testing and, lastly, monitoring and management.
“The light is slowly dawning on corporates that a firewall is just one element of an effective defence,” he says. As a simple example, a firewall sitting in front of a public facing web server has to allow HTTP traffic to flow into the server or no one will be able to access the company’s web site. However, many hack attacks use web exploits to attack the server and to the firewall these all look like legitimate web traffic. So the company also needs a product such as Sanctum, which guards against attempts to make unauthorised changes to web pages.
Basically Sanctum is aware of “directionality” as well as being updated with all the latest exploits. A legitimate command from an internal systems administrator to change a web page comes from the inside of the network.
A hacker’s commands to change a web page come from the “wrong” direction.
In other words, products like Sanctum can do things that firewalls can’t.
They bring a different level of “intelligence” to bear on the defensive task.
Similarly, anti virus protection is now a routine part of an outsourced service. Mark Sunner, chief technical officer at MessageLabs, which provides managed e-mail protection services, argues that there is a lot to be said for having a high degree of specialisation on specific components of the technology solution. A consultancy can build a very good practice by adding in elements of managed service protection to its own total offering for clients, he says.
MessageLabs, for example, uses a suite of three anti virus software products plus its own specialised “heuristics” package to identify viruses at the mail server side, long before they reach the client’s systems. Sunner argues that by looking for e-mails on the macrocosm of the Internet at large, as it were, rather than just on the microcosm of a single client’s mailserver, MessageLabs can become aware of patterns and trends of attack well in advance of the anti virus vendors.
However, one has to come back to Ollman’s point. Security has to be engrained in the corporate culture. The right tools are vitally important, but then so is staff co-operation and awareness. Consultancies have a growing role in helping corporates to ensure that they have the right culture and infrastructure in place; and that security is a dynamic, constantly refreshed and reassessed part of the way the company does business. In many instances, the consultants may well end up being their corporate client’s best defence, in court, if things do go horribly wrong. The fact that they were there, supposedly doing their part to make things secure is proof that the company was not just sitting on its hands and neglecting its duties.
Anthony Harrington is a freelance journalist THE EXPERTS’ VIEW Bernie Dodwell, sales director, Allasso “Consultancies have problems developing scale to their security practices since many of the deeper aspects of security are very people intensive – one thinks of intrusion detection and vulnerability testing, for example. The problem is that security moves so quickly, so that the tests you do on day one may be valid for that day, but they are out of date five days later when a new vulnerability is discovered in, say, Microsoft Internet Server. It is worth pointing out that in the last year Microsoft issued 157 patches for its products. If you are an internal IT department that means dealing with an overhead of implementing a patch every two days. “However, there are now tools coming along that will automate vulnerability analysis, patching and testing, and this represents the best chance for consultancies to really add scale to their operations.” Madeleine Allen, business development director, security specialists, dns “The simple mistake people make with firewalls is allowing everything through then disallowing whatever they can think of that should be disallowed. This virtually guarantees that they will miss something, and it is one of the more usual ways that we break into company systems when we do ethical hacking. A far better practice is to disallow everything, then only turn on the services that you really need – making sure that you understand what it means to turn those services on.” David Love, head of the security advocacy group at Computer Associates – formerly head of NATO military security in Europe “Every facet of our lives in the West is impacted by computers. This has always seemed to me to be a much more likely and damaging target for the bin Ladens of this world, than a tall building. A truly destructive, successful virus would do far more global damage even than the 11 September attacks. Companies need to embrace security and we believe that PKI (public key infrastructure), which provides very strong authentication and non repudiation of transactions, has a huge role to play in B2B transactions going forward.” – Gunter Ollman, principal consultant, ISS “The web relies largely on SSL (Secure Sockets Layer) encryption technology to protect innumerable transactions for e-business and e-commerce. However, the applications developers who write B2B and B2C systems are generally woefully incompetent when it comes to understanding how SSL works. When we test systems we generally find plenty of ways of bypassing the security offered by SSL. Many developers do not understand the requirement, for example, for adding filters to protect against, say, SQL insertion attacks, where the SSL layer is used to pass a malicious SQL query, such as “give me all client passwords” to the database server. Are there courses to help web developers understand what they need to do, you may ask? I haven’t heard of many! The only safe computer is one that is switched off, disconnected from everything and locked in a vault. Everything else is a best compromise”.