The adoption of Internet technology and the pursuit of e-business strategy are causing world-class, board-level headaches in just about every corporate organisation you can think of.
No business can survive in an e-business vacuum, which explains why so many are taking the painful route of re-engineering themselves now to ensure a web-enabled future. But the problems don’t stop with adoption.
The aftermath of almost any investment in the systems needed to drive web applications is usually dominated by security worries.
Sure, the system works, but does it lay you wide open to abuse from both within and without your seemingly paper-thin perimeter? Are your mobile workers securely attached to your intranet? Are your customers getting the access they need, and no more? How badly would a denial of service affect you? It’s as if by swapping bricks and mortar for clicks and mortar, corporates are shaking off armour that may have rendered them slow and unresponsive, but at least offered a degree of insulation.
Web security threats can arbitrarily be divided into ones that are plain for all to see, and which form the staple of concerns that corporates put before solution providers, and threats which, though very real, are generally underestimated and unconsidered, perhaps because they have received little press.
Very much in the former category, and one of the most widely acknowledged network security loopholes around, is connectivity between outsiders and an internal network, whether those outsiders are customers or employees accessing the system remotely, perhaps using an intranet model.
Kevin Black, marketing manager with web security vendor Internet Security Systems (ISS) says: “For financial services companies, in particular, a big problem is not being sure just how secure customers’ PCs are when they are connected to their systems. If the customer of an online bank has a Trojan horse virus on their PC, then their personal account details could end up being sent to another recipient via the bank’s system. Then the problem is, who is liable for any losses that result. Ultimately, the bank is liable, but they are able to protect themselves far less easily from this sort of threat than, say, from stolen credit cards.”
Black says that ISS has developed software, currently being beta tested in both the US and UK, which sends an applet from the bank to the user’s machine to perform a security test. If this fails, the customer is denied access. This, in effect, is the bank protecting itself by protecting its customers.
The issue of network access for remote employees of an organisation is comparable, but demands different solutions. Steve Bennett, MD for EMEA for security vendor Check Point says: “Organisations of all sorts are asking themselves how they can deliver use of their internal information systems securely to people on the road. This has been a big driver for the adoption of security measures over the last 12 months. Consequently, some 70 percent of the gateway solutions we sell are based on virtual private networks (VPNs).”
He adds: “As the Y2K threat becomes a distant memory, so people are asking what the next big IT challenge is, and that’s generally web security-based, and to be more specific revolves around VPNs.”
Another classic corporate sleep loser, particularly in the light of the headlines that surrounded the recent Yahoo fandango, is denial of service.
ISS’s Black says: “The Yahoo problem has raised the temperature. Companies of all sizes are fearful now of being held to ransom. They figure that if someone as big as Yahoo can’t protect themselves, then what chance have they got. The stakes have been raised generally by the growing importance of e-commerce and online communications reliant on Web integrity.”
The threat of malicious outside attack goes some way beyond non-functioning systems and lost business. Millions were wiped off Yahoo’s share price overnight by its crash, and many fear that it may not be too long before a big name becomes a terminal casualty as a result of something similar. This in turn could preface a major downturn in Internet sector stock values. Share prices have been seen by many on this side of the Atlantic as a peculiarly American fetish, but they matter more and more over here to the stability of economies.
Not all web security threats are so well documented, and by no means all have ready-made solutions. A web security concern that many organisations, particularly in the financial services and retail sectors, are only just waking up to is summed up by Black of ISS: “Many online divisions of traditional banks, like Smile or Egg, are operated largely independently of their parent company. They have contracted their own web developers to develop their sites. These developers, in many cases, do not have the knowledge to develop sites with the parent company’s systems in mind. They are great at pretty pictures, but not sufficiently aware of security threats.”
Black cites the example of the myriad shopping cart appliances in use with many online shopping sites. He says: “We examined the 12 most popular applications, and there were 10 whose security we could compromise in no time at all. This is all down to the lack of certain skill sets found in web development shops.”
The secure storage of corporate data is a very well served need. Except, that is, where that data is held on a web server. Then, normal codes and procedures can go by the board, argues Black. But he understands from customer feedback that this issue is rising up the ladder of corporate web concerns. “Many companies are holding extremely private customer data on their web server, a server not protected by the same sort of safeguards as a mainframe. The Data Protection Act alone should be waving a big red flag at them. If they can’t keep this data more securely, then eventually someone will be ordered, in the name of the Act, to delete the customer information that they have spent years collecting.”
Clearly the web security issue is a mixed bunch of concerns too often lumped under the same heading. It is also a worry that some security threats are more modish and media led than others, not necessarily according to the seriousness of the threat they represent.
If there is one primary role for any management consultant with a stake in the market, it is to bring a degree of reality and perspective to an emotive area.
MARKET LEADING WEB SECURITY VENDORS
Check Point made its name in firewall technology, a market it has long dominated. Now, according to the latest market research from IDC, Cisco has pushed Check Point from the top spot. In 1998, Cisco captured 23.4 percent of the total revenue in the firewall market, or about $156.5m.
The IDC report credited Check Point with 23 percent, or about $152m in revenue.
Internet Security Systems (ISS) is a specialist developer of electronic security management solutions. Formed in 1992, it offers software and services for enabling secure e-business, in particular solutions that reduce the risk of compromised digital assets; prevent business disruptions; and protect the integrity, availability, and privacy of online data and operating systems.
Network Associates, the number one maker of antivirus software, plans to organise itself into four units around product lines. It is looking to boost sales from its encryption unit, which makes software for detecting hackers and protecting computer networks, and from its software used by technical support staff to manage service requests. Those product lines could see sales increases in excess of 50 percent this year. The other two product lines, antivirus and network management, are likely to see increases of 15 percent. Last year the company spun off McAfee.com, the result of one of many acquisitions it has made in the last year or two.
Reflex Magnetics, formed in 1985, develops and markets Disknet, a multi-layered software security system aimed at preventing viruses from gaining access to computer systems. Since the software was launched in 1992, Disknet has established Reflex as a leading anti-virus and data security supplier.
The Reflex solution is used in many corporations and government agencies around the world. Initially formed to supply corporate users with magnetic media, Reflex developed into one of the largest PC disk duplicators in the UK. Clients’ requirement for virus-free media and the lack of a sound, commercially available product, led to the in-house development of a fool-proof data security solution.
Security Dynamics, the pioneer in digital certificates, announced last year that it was taking the name of its subsidiary, RSA Data Security, becoming RSA Security. The company makes security software for e-commerce.
The company has also announced new products in its Keon line of Public Key Infrastructure software.
Symantec specialises in antivirus software. It decided to sell off its Internet tools division last year, and concentrate on its more lucrative Internet security software and tools for managing and connecting mobile workers. The result was WebGain, a new company spun off from the Internet tools division, which claims it has found a potentially profitable niche: outfitting businesses with low-cost, easy-to-use Java development tools.
The tools allow users to quickly build e-commerce software that links customers, employees and suppliers to the web.
VeriSign has been the most visible issuer of digital certificates for the Internet but has recently experienced heightened competitive pressures.
The company, along with rivals such as Entrust Technologies, GTE’s CyberTrust and other firms, develops software to secure online transactions using Public Key Infrastructure (PKI) technology, as companies begin to conduct far more complex transactions over the Internet. PKI systems issue and manage digital certificates, which serve as electronic IDs for online use.
Safety conscious websites
Internet security related links from the Library of Congress
Home page for Internet Security magazine: http://www.advisor.com/wHome.nsf/w/MISmain
Hot-linked definitions and contacts: http://www.webreference.com/internet/security.html
The UK Internet Security Directory: http://www.hi-media.co.uk/uk_security/
CASE STUDY: ST JOHN’S WAY MEDICAL CENTRE
NHSnet is the Government’s bid to get all GPs and health facilities up and down the country benefiting from technology and using the Internet.
St. John’s Way Medical Centre in North London is one such. The centre’s IT manager, Simon Newns, says: “Like other general practices, we want to provide access to the Internet for all the medical staff because of the wealth of information available on the web. But we know that Internet connection brings threats as well as opportunities. NHSnet gives us firewall protection, but achieving compliance with its Code of Connection requires pretty bullet-proof security on our internal network too.”
To this end, Newns has been testing GP Disknet from Reflex Magnetics.
“A Windows NT system running medical software like ours typically contains clinical records, payment details and perhaps accounts. Clearly, we cannot run the risk of compromising the confidentiality of this data, so effective access control is absolutely critical.” He adds: “We are also acutely aware that e-mail attachments expose us to the risk of computer viruses. We are not very confident in the ability of conventional scanner technology to protect our system from infection, though. Scanners are only effective against threats they recognise – new viruses that can get past them are emerging all the time. Besides which, as you might expect, we take the view that prevention is always better than cure.”
Newns says the North Thames NHS executive security co-ordinator advised him to try the GP Disknet suite because it meets all the security criteria of the NHSnet Code of Connection. He says: “We also like the fact that it takes a preventative approach to viruses – stopping infections, rather than simply reacting to them. One of the best things about GP Disknet, though, is its unobtrusiveness. Our PC users only really notice it if they try to do something they’re not supposed to.”
CASE STUDY: METLIFE
Metropolitan Life is the second largest US insurer with annual sales in excess of $28bn. The New York-based firm must maintain and protect an array of systems and data, including hundreds of servers and several mainframes that contain key databases and applications. As with other companies, the IT infrastructure serves as the foundation for emerging e-business and e-commerce initiatives.
Mike Stoico is security specialist in MetLife’s Enterprise Security Unit.
He says: “Every day, hackers scan systems and look for vulnerabilities.
But it’s not only outsiders that you have to worry about. There are also a lot of threats that emanate from inside the company. Without the right tools and mindset, it’s only a matter of time before key data or systems are brought down. The results can be devastating.” Stoico speaks from experience. Several months ago, he learned at first hand just how easily the enterprise data walls could tumble down. While sitting at his control console, he received an alert that someone within the firm was sending a file outside the firewall via FTP. Upon closer examination, he noticed that the destination was a known hacker site.
He immediately shut down traffic to the site and began to investigate.
Later, while poring over event logs, Stoico noticed that PCs across the company were sending the same file to the same site, a highly unusual event that raised a red flag. Using Internet Security Systems’ RealSecure monitoring and intrusion detection software, he identified the signature file. A quick crosscheck revealed that it was a destructive virus that could have wreaked havoc on the company’s 40,000 plus PCs. He inoculated all the network’s systems, thus preventing a massive virus outbreak.
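The MetLife incident turns on two observations that can be written down as detection logic: first, an outbound file transfer to an address already on a list of known bad sites; second, and more telling, the same file being uploaded from many distinct internal PCs to one external address. The following is an added example and not code from the article, from MetLife or from ISS RealSecure. It runs both checks over a handful of constructed log lines. The log format (time, source, destination, protocol, FTP command, filename), the internal range 10.0.0.0/8, the blocklist contents and the threshold of three source hosts are all assumptions made for the illustration.

```python
"""Detecting a many-to-one outbound file transfer, as in the MetLife case study.

Added example; not code from the article, from MetLife or from ISS RealSecure.
Assumptions: a simplified log format (time src dst proto cmd filename), the
internal range 10.0.0.0/8, a small blocklist and a threshold of three sources.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample lines in the assumed format. 203.0.113.45 plays the role
# of the "known hacker site"; payload.exe is the file seen leaving many PCs.
SAMPLE_LOG = """\
09:01:02 10.1.4.22 203.0.113.45 ftp STOR payload.exe
09:01:09 10.1.7.18 203.0.113.45 ftp STOR payload.exe
09:01:15 10.1.4.22 198.51.100.7 ftp STOR quarterly.xls
09:01:31 10.1.9.3 203.0.113.45 ftp STOR payload.exe
09:02:04 10.1.2.77 203.0.113.45 ftp STOR payload.exe
09:02:40 10.1.5.5 198.51.100.9 ftp RETR readme.txt
"""

# Assumed: the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (STOR|RETR) (\S+)$")


class Transfer(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: str
    cmd: str       # STOR = upload to the remote host, RETR = download from it
    filename: str


def parse_log(text: str) -> List[Transfer]:
    """Parse the assumed log format; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            out.append(Transfer(*m.groups()))
    return out


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def known_bad_destinations(transfers: List[Transfer], blocklist: Set[str]) -> List[Transfer]:
    """The first alert in the story: any transfer from an internal host to a listed address."""
    return [t for t in transfers if is_internal(t.src) and t.dst in blocklist]


def fan_in_alerts(transfers: List[Transfer], min_sources: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """The second, stronger signal: the same file uploaded from many distinct
    internal hosts to one external address. Returns {(dst, filename): [srcs]}
    for every pair reached from at least min_sources hosts."""
    sources: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for t in transfers:
        # Only uploads leaving the internal network count towards the fan-in.
        if t.cmd == "STOR" and is_internal(t.src) and not is_internal(t.dst):
            sources[(t.dst, t.filename)].add(t.src)
    return {key: sorted(srcs) for key, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for t in known_bad_destinations(records, {"203.0.113.45"}):
        print(f"blocklisted destination: {t.src} -> {t.dst} ({t.filename})")
    for (dst, name), srcs in fan_in_alerts(records).items():
        print(f"same file {name} sent to {dst} from {len(srcs)} hosts: {', '.join(srcs)}")
```

The blocklist check only fires for addresses already known to be bad; the fan-in check needs no prior knowledge of the destination, which is what made it the useful signal in the story. In practice the threshold and the definition of "internal" are tuned to the estate, and the parser is replaced by whatever the firewall or IDS actually emits.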
Network security can determine whether companies like MetLife harness the full power of the Internet or wind up short-circuited by it.