Cover story: Internet security – You’re not coming in

If one takes the old maxim that a chain is only as strong as its weakest link, the Internet often seems to have an infinity of links, many of which do not inspire confidence. Yet the Internet can be and has been made into a very secure medium by companies who are prepared to pay attention to every element of the problem.

A shortlist of areas to be addressed would include: the corporate security culture; the firewall and configuration issues; firewall monitoring software which captures events at the firewall; intrusion detection systems (IDS) which spot internal and external attempts to penetrate secured areas; encryption; Public Key Infrastructure (PKI); application level user authentication; automated user authentication through secure IDs, tokens and various smart card readers; and lastly, Virtual Private Network (VPN) technologies, which give remote workers and branch offices secure, encrypted “tunnels” through the Internet back to, say, head office.

One of the messages that Internet security experts stress above all else is that security is a holistic business, embracing the whole of the company and what it does. There are any number of security tools out there, each addressing one or more sets of tasks and security goals. But a company needs to carry out a thorough risk assessment and impact analysis before it spends a penny.

As a guide to this analysis, it is worth remembering that security is both inward and outward facing. The company has to defend itself against internal malicious snooping, vandalism and fraud, as well as against external attacks from hackers, virus writers and fraudsters.

As Alastair O’Brien, director of First October, which specialises in systems for the financial sector, notes, security has to be ingrained and continuous. “The firewall vendors have a continual war on their hands, but then so do the anti-virus vendors. For companies, user authentication processes have to be constantly reviewed but that is just one aspect of security. Ensuring that your operating systems and applications have implemented the latest patches to close off vulnerabilities is just as important.”

Undoubtedly one of the biggest challenges companies face is the active vandalism of hackers and the malice of the virus writers. These two communities have turned security into a multibillion pound industry as corporates seek to save their reputations and protect their on-line commerce. Companies may not like spending tens of thousands of pounds just to stop some spotty Eric from infecting their e-mail and knocking over their web servers, but there is no choice here.

Part of the problem with viruses is not just that new versions appear almost daily, but that even a protection regime that looks as if it is being continuously updated can turn out to be flawed. Of course, the vast majority of viruses are simply variations on a theme. But it only takes a slight change in the virus to throw the signature recognition engines in most anti-virus vendors’ software off the track (which is why such software needs to be constantly refreshed with updates to its local signature database). Moreover, all anti-virus vendors are vulnerable to a truly new creation.

Fortunately, as Alex Shipp, chief virologist at MessageLabs, observes, this is exceedingly rare. “But every so often, someone thinks of a new tweak, and when they combine this with good social engineering, such as the VBS script in the Love Bug, with its ‘I love you’ subject line, it causes havoc.”

The virus that MessageLabs encounters most frequently, according to Shipp, is KAK. This activates on the first day of every month and initiates a shut-down of the system. When the user reboots, KAK goes quiet till the calendar wakes it up again. That kind of thing is more irritating than harmful. The Chernobyl virus, on the other hand, goes for broke and tries to bomb the user’s system totally by corrupting the BIOS. Far and away the worst virus, however, according to Shipp, is the one that wanders through the user’s data, tweaking a figure or a character here and there at random.

By the time the user organisation wakes up to the way its data is being corrupted, all the back up files may have been corrupted as well. That is the ultimate nightmare scenario for corporates, and if the possibility of this happening doesn’t pressure boards to fund security, it should!

As Shipp notes: “The number of nuisance viruses is way higher than the out and out malicious virus, but you can never tell which is which. We have had many instances of viruses cross infecting each other.”

“Chernobyl, for example, infects .exe files. The MTX virus is itself a .exe file, so when a machine already infected with Chernobyl gets infected with MTX, the former piggybacks on the latter. When MTX mails itself out, it has a machine-destroying virus as an accidental payload.”

Yag Kanani, EMEA partner in charge of the secure e-business practice at Deloitte & Touche, warns that security is as much about management controls as it is about having the right defences. “We always look hard at things like what actually happens in the company when alarms go off.

Companies need to think about implementing standards such as the BS7799 Code of Information Security, which defines 10 guiding principles with about 127 criteria that identify good security practices. The standard has now been adopted internationally as ISO 1779 and this gives companies an international benchmark for security,” he says.

Increasingly, companies are waking up to the fact that they need to maintain a high level of confidence in their security infrastructure, and that the best way of obtaining this is to buy “ethical hacking” services from experts. According to Kanani, his company has a 60% to 70% success rate at penetrating client companies over the Internet. When they carry out penetration testing from within the company, testing its own authentication, internal firewall and security protection, the success rate goes up to 95%. “We can generally download sensitive material, such as the CEO’s strategy slides, or send spoof e-mail from the CEO to key staff. It gets management focused on the issues,” he says.

D&T sees around 30 to 40 new vulnerabilities affecting Internet systems every month. “Around Christmas we saw defacements of organisations’ websites happening at the rate of 20 a day. This is now down to 12 defacements a day globally. Too many corporates are building their websites on sand. Retrofitting security is very difficult. You need to start with a hardened shell,” says Kanani.

Encryption plays a key role in turning the public space of the Internet into a private, secure network over which corporates can do business with confidence. Virtual Private Network or VPN technology is a topic in its own right, but as Linda Colman, managing director of VPNet, now a wholly owned subsidiary of Avaya, observes, it is an essential part of many companies’ strategy for extending access over the Internet to remote workers and branch offices. “VPNs really enable companies to take advantage of the low cost access provided by the Internet without compromising security.

The VPN authenticates the user in any of a variety of ways, by password, or by a secure ID token, for example, or both. The authentication process includes a full account of the permissions allocated to particular users, which clears them for access to particular internal systems. We have seen a tremendous increase in demand for VPN technology,” she notes.

Internet security is a growth industry and will continue to be so in the foreseeable future. Whole new categories of access devices based on the emerging wireless data access GPRS networks will pose fresh problems for corporates in the year ahead. The message to companies is simple. Take security seriously. Seek expert help and stay on top of the issues.

The message for the consultants is equally clear. Security is a goldmine. It takes you right to the heart of the enterprise and if you can’t upsell, cross sell and add value in all directions from there, you should think about retraining your customer facing staff …


Mark Suller, chief technology officer, MessageLabs

“Virus checking has to be a major part of any business’s security policy. The virus challenge is growing, not diminishing. We advocate using an e-mail gateway virus scanning service, backed up by local anti virus software on the company’s servers and desktop assets.

“People do not realise that statistically the best anti-virus checking software will miss 3% of viruses. For this reason, we use three different commercial products on our anti-virus e-mail gateway, which means that statistically, we get it down to 3% of 3% of 3%. In reality we do better than this, since the combination of anti virus software products we use is orders of magnitude better than a single product.

“We use NIA (which used to be McAfee, which bought Dr. Solomon, both noted anti virus companies), since they have excellent heuristics for checking for viruses hidden in executable files. We also use F-Secure, since it has good heuristics for locating viruses in scripting files, such as Microsoft Word macros. And we use V-Find, because it is able to decode some of the more obscure compression formats.

Once the scanners are done, the e-mail gets probed by our own software, Sceptic, which is great at probabilistic analysis of ‘exploits’ (an exploit is a ‘hack’, an attempt to ‘exploit’ a known vulnerability). For example, CERT recently issued an advisory on Microsoft’s MP3 player, which enables a hacker to cause a buffer overrun, which in turn can lead to the hacker gaining control of the system. Once an advisory like this is published it becomes a known exploit. We feed that into Sceptic and it enables us to see if there is anything odd going on. If the system sees ‘exploit’ like behaviour, it stops the e-mail. Most anti virus checking software operates on the principle of recognising a string. As soon as the hacker changes the virus even slightly, the anti virus software can’t ‘see’ the virus any more, until it is fed the specimen signature. So there is always a vulnerability gap between when a new virus appears and when the anti-virus vendor manages to publish their patch. A second vulnerability gap occurs between the moment when the patch is published and the point where the user organisation implements that patch.

To be secure from the perspective of eliminating threats to their systems and data from virus attacks, companies need to take a belt and braces approach. An e-mail gateway anti-virus service, supported by local desktop and server anti virus software, is the best approach.”

Nick Coleman, e-business services executive, IBM Global Services

“Internet security is a multi layered affair. To begin with there is a logical path that user organisations have to think their way through. It comes down to identifying where the risks lie and putting policies in place to address these risk areas. Technologies to address one or other of these risks are available, but it is up to each organisation to analyse its own vulnerabilities, with expert consultancy help where necessary.

The best people to give advice are those who have been through this successfully a number of times already. Organisations like ours have implemented security policies across a range of different sectors and in different parts of the world. You need a structured, logical method for identifying risk areas and assessing the likely business impact that could follow from these vulnerabilities. Implementing ad hoc technological solutions for this or that problem is not the way forward. Security is a holistic issue and companies have to see it in the round.

When you do have a security solution that addresses all the areas you have identified, you need to see if it can flex and change as your organisation changes. Can it adjust to new ways of working?

Lastly, you need the solution set to be implemented by an organisation that has sufficient skill across all the point solutions. You need to work with a provider that can do ongoing testing and challenging of your systems to ensure that your security remains effective.

When a customer turns to a consultancy and says, we need help in fixing this issue, what they are looking for is both for the consultancy to help them to understand the risks the organisation faces, and to help it address those risks and implement solutions. Ideally, the initial analysis, the specification of the solution and the implementation should come from the same supplier. This avoids the classic integration risks that happen in a multi supplier roll out, where no one takes overall responsibility.

Companies need to realise that when they consider the issue of security, web enablement of their organisation contains risks of internal attacks as well as external ones. Statistics show that around 75% of all hacks are internal to the organisation. Any security solution has to look to implement multiple partitions inside the organisation to protect key areas and assets.”


Ian Kilpatrick, managing director, Wick Hill Group

“It is a sobering thought that according to a recent Department of Trade & Industry survey, only 18% of all British companies with an Internet presence have a firewall. What makes the figures even worse is that of those who are protecting their sites with a firewall, only 5% have deployed firewall monitoring tools. The rest have absolutely no idea when and how often their firewalls are under attack or who is coming through them.

Companies have to move beyond this level of ignorance. They need to deploy monitoring tools such as WebTrend. If a key employee in accounts is coming in through the firewall at 1.00 am every Friday morning they are either being extremely diligent, or they are defrauding your systems. If you do not monitor the firewall, you won’t pick up on this until it is too late. Similarly, if someone is trying to launch a denial of service attack, it would be nice to know about it before your system crashes.

Companies need to distinguish between technical reporting, which requires expert interpretation, and management reporting, which provides real information on which managers can base tactical and strategic decisions. One of the perennial problems with security is that no one ever gets a sufficient budget to do everything. And if managers cannot read the technical reporting data to extract the business significant information, the budget is even less likely to be forthcoming. It is up to security professionals to talk to management in business strategic language, not in some techno-speak.

The tool beyond firewall monitoring is intrusion detection systems (IDS). These tools tell you what people are trying to do once they penetrate beyond the firewall. According to a recent survey from the Computer Security Institute, 186 companies who admitted to experiencing losses as a result of intrusions reported a total of $378m lost, or over $2m per company. Deploying IDS does not cost anything like this sum, so the case for it should be obvious.

One of the products we like in this space is the WebTrend Security Analyser. Once installed on a network, this system runs around finding security weaknesses and reporting on them. It is an excellent tool for consultants to use to give companies a health check on their infrastructure vulnerabilities.”
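The firewall-monitoring check described above (the accounts employee coming in at 1.00 am every Friday), sketched as an added example that is not from the article or from any vendor's product. The log format, user names, addresses and business-hours policy are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the log format is an assumption for this example,
# not the export format of any particular firewall or monitoring product.
SAMPLE_LOG = """\
2001-03-02T01:02:11 ACCEPT user=accounts1 src=203.0.113.7 dst=10.0.5.20:1433
2001-03-05T10:15:40 ACCEPT user=sales4 src=198.51.100.9 dst=10.0.5.30:443
2001-03-09T01:00:47 ACCEPT user=accounts1 src=203.0.113.7 dst=10.0.5.20:1433
2001-03-09T01:01:10 DENY user=unknown src=203.0.113.99 dst=10.0.5.20:1433
2001-03-13T23:40:02 ACCEPT user=ops2 src=198.51.100.23 dst=10.0.5.40:22
2001-03-16T01:05:29 ACCEPT user=accounts1 src=203.0.113.7 dst=10.0.5.20:1433
2001-03-16T09:30:00 ACCEPT user=accounts1 src=10.0.1.15 dst=10.0.5.20:1433
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
BUSINESS_HOURS = range(7, 20)  # assumed policy: 07:00 to 19:59 local time


def parse(log_text):
    """Return (events, skipped); unparseable lines are counted, not dropped silently."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S") if m else None
        except ValueError:
            ts = None
        if ts is None:
            skipped += 1
            continue
        events.append({"ts": ts, "action": m["action"], "user": m["user"],
                       "src": m["src"], "dst": m["dst"]})
    return events, skipped


def recurring_off_hours(events, min_weeks=3):
    """Find users admitted outside business hours in the same weekday/hour slot
    in at least `min_weeks` distinct ISO weeks. A single late night is ignored;
    a weekly habit is what gets reported."""
    slots = defaultdict(set)
    for e in events:
        ts = e["ts"]
        off_hours = ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS
        if e["action"] == "ACCEPT" and off_hours:
            slots[(e["user"], DAYS[ts.weekday()], ts.hour)].add(tuple(ts.isocalendar())[:2])
    return {k: sorted(v) for k, v in slots.items() if len(v) >= min_weeks}


def management_summary(findings):
    """One plain-language line per finding, for the non-technical report."""
    return [
        f"{user}: connected around {hour:02d}:00 on {day} in {len(weeks)} separate weeks"
        for (user, day, hour), weeks in sorted(findings.items())
    ]


if __name__ == "__main__":
    events, skipped = parse(SAMPLE_LOG)
    for line in management_summary(recurring_off_hours(events)):
        print(line)
    print(f"{skipped} log line(s) could not be parsed")
```

The skipped-line count is worth reporting alongside the findings, since a monitoring job that silently drops lines it cannot parse can hide exactly the sessions it is meant to surface.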


Glyn Geoghegan, principal consultant in security assessment services at ISS

“There is a whole suite of security products that look for network and host attacks coming over the Internet and within the enterprise. For most companies who do not have internal expertise in these tools, the best way forward is obviously a managed services offering, where the whole issue is outsourced. If you think that the average firewall probably costs around £40,000 per annum in maintenance, plus the security specialists to run it, a managed services offering at around £1,000 to £2,000 a month per device looks very cost effective.

It makes a lot of sense for consultancies to add security skills to their portfolio. For one thing, security is a growth area; even in a slowdown or a recession, companies still need to be secure. Confidentiality, systems integrity and availability remain key elements whatever the economy is doing.”


Richard Barber, future technologies architect, Integralis

“Too many companies think that Internet security begins and ends with firewalls. A good hacker will look at a firewall and see what types of traffic it is configured to allow. Every firewall has to permit certain kinds of traffic or you may as well disconnect your system from the Internet.

We are currently doing a roadshow where we take a perfectly standard, well configured firewall, in this case CheckPoint’s Firewall 1, but it could just as well be any other vendor’s product. We use a standard Microsoft NT 4 server running Internet Server 4 with all the security patches, which, again, is a fairly typical configuration. Then our hacker comes in and goes right through the firewall and tips over the NT web server with no problem at all. That kind of thing tends to grab the attention of IT managers and business managers alike.

What we find, time after time, is that while there is an awful lot of information available in the hacker community about security vulnerabilities and weaknesses in the major operating systems and application servers, IT managers do not have the time to spend trawling through hacker web sites and user groups to discover this information for themselves. As a consequence, they trail way behind the hackers in their security expertise.

This also makes me nervous about the idea of companies outsourcing security. That is all well and good if they find the right outsourcer, but very few companies can actually handle security at the level of detail that is required for a high level of confidence. Security is not like a help desk function. It goes right to the heart of your network.

People say that IDS is important, and it is. But most intrusion detection systems today are passive. They record what is going on, but you have to reboot the system and read the logs after the hacker has crashed the server to discover the point at which the IDS system noticed the intrusion. This is less helpful than it might be. It’s a bit like sitting and watching the cookies burn and logging the time at which they started smoking. What you need is an active IDS system that can both detect an attack and swing into action to stop it. To date I am only aware of one such product, the Network ICE product, which intercepts and stops attacks.

Where networks remain vulnerable is at the application level when hack attacks come in at the applications layer. This requires a move from passive IDS to active IDS software that can identify and terminate malicious protocols, or exploit like uses of protocols.

Most companies still prefer to rely on simple password protection to safeguard their systems at the applications level. However, as has been shown many times, password protection is vulnerable to a range of attacks, including social engineering scams to try to get employees to reveal their passwords. Some companies institute policies to ensure that all users adopt new complex passwords every 30 days. But when you go down this route, calls to the support desk go through the roof as users clamour for help with forgotten passwords.

The main point that companies have to bear in mind is that hack attacks are increasing. At the beginning of 2000 the average total number of recorded hack attacks on corporate sites a month, according to the Information Security Business Survey, was just 300. By November it was up to 600, and the average now stands at 800.”


Mark Osborne, director of security engineering, KPMG

“One of the things that we see time and time again in the Internet security space is that corporates do not sit down and plan their approach to security. Buying a firewall is not a security policy. What we find is that when corporates take security seriously, they tend to fall into the trap of looking at things from a very minutely detailed internal perspective, but they overlook obvious external facing risks. So, for example, we find sites that are highly secure against fraudulent intervention to alter the payment details of transactions, say, which is a good thing. But those same sites may well be highly vulnerable to a hack attack aimed at defacing the company’s home page.

For a bank or financial institution, where trust and credibility are everything, falling prey to this kind of attack can cause as much damage to your reputation as falling victim to fraud. The effect on the share price and on future prospects could very well be the same.

Companies and their advisors need to learn to think laterally where Internet security is concerned. One obvious instance is those sites you come across where you can only gain entrance by typing in a secure ID. A typical approach is to have the site lock up for a particular user if a false password is entered three times. This looks nice and secure. However, this approach opens up a denial of service attack where the hacker can hit every single user ID, locking up everyone’s password and no one can get into the system, including the legitimate users. A script kiddie (the name for hackers who use readily available hacker scripting tools to substitute for deep technical knowledge) can find a script that will do this for him, no problem.”
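The three-strikes lockout weakness described above, shown beside one common alternative, as an added example that is not from the article or from KPMG. The class names, accounts, addresses and delay values are constructed assumptions, and the alternative (counting failures per user ID and source address, with a delay that expires) is one design choice among several.

```python
import hmac
from collections import defaultdict

# Constructed demo accounts; a real system would verify salted password hashes.
ACCOUNTS = {"alice": "correct-horse", "bob": "battery-staple"}


def _check(accounts, user, password):
    expected = accounts.get(user, "")
    return user in accounts and hmac.compare_digest(expected.encode(), password.encode())


class HardLockout:
    """Policy from the text: three wrong passwords lock the user ID for everyone."""

    def __init__(self, accounts, limit=3):
        self.accounts, self.limit = accounts, limit
        self.failures = defaultdict(int)

    def login(self, user, password, source, now):
        if self.failures[user] >= self.limit:
            return "locked"  # stays locked until someone resets it by hand
        if _check(self.accounts, user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"


class SourceThrottle:
    """Alternative: failures are counted per (user, source) and only delay that
    source, with a delay that doubles on each further failure and then expires."""

    def __init__(self, accounts, limit=3, base_delay=30, max_delay=900):
        self.accounts, self.limit = accounts, limit
        self.base_delay, self.max_delay = base_delay, max_delay
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def login(self, user, password, source, now):
        key = (user, source)
        if now < self.blocked_until.get(key, 0):
            return "throttled"
        if _check(self.accounts, user, password):
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return "ok"
        self.failures[key] += 1
        over = self.failures[key] - self.limit
        if over >= 0:
            delay = min(self.base_delay * 2 ** over, self.max_delay)
            self.blocked_until[key] = now + delay
        return "denied"


def availability_check(policy, bad_source="198.51.100.50", now=0):
    """Policy regression test: after three wrong passwords per user ID from one
    address, report what each real user gets when logging in from another."""
    for user in ACCOUNTS:
        for _ in range(3):
            policy.login(user, "wrong-password", bad_source, now)
    return {u: policy.login(u, pw, "192.0.2.10", now + 1) for u, pw in ACCOUNTS.items()}


if __name__ == "__main__":
    print("hard lockout:   ", availability_check(HardLockout(ACCOUNTS)))
    print("source throttle:", availability_check(SourceThrottle(ACCOUNTS)))
```

Per-source throttling removes the lockout denial of service but does less against guessing spread over many addresses, which is why it is normally paired with a second factor such as the secure ID tokens mentioned earlier in the article.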

Bob Pearce, chief operating officer, Differentis

“Our focus at Differentis is on classic e-supply chain implementations. What we are finding is that after the dotcom bomb there is now much less pressure on time to market, and much more of a focus on getting things right, including the security element. Companies have found that launching a site and then having to take it down the same day because of security holes, is bad for their reputation and bad for their image in the City. Boards are now very alive to the issues of reputation and security.

We are seeing a great deal more thought being put into creating multiple specific zones inside companies. Demilitarised Zones, known as DMZs, are now being set up not just between the company and the outside world, but between the web server and the database server, and between the database server and the applications server.

The recent spate of denial of service attacks launched from multiple different locations are very hard for companies to combat. But what we are seeing is a definite upsurge of interest in what are known as ‘honey pot’ sites. These are false, decoy sites that look like real corporate web sites with certain well crafted vulnerabilities. They are very inviting to hackers, who cannot see from the outside that the site is not actually plugged in to anything useful for them. The honey pot site is there to attract and hold the hacker while tracking activity is launched to break the hacker’s anonymity. However, companies will not budget for this kind of expensive defence mechanism unless they are convinced that they are seriously at risk.

On the business to business front, there is scope here for Public Key Infrastructure based technologies to be deployed to provide a very high level of confidence that business partners coming in over the Internet are who they say they are. However, what we find is that most companies are unwilling to stretch their budgets to incorporate this kind of approach. Most of the B2B implementations that we do rely on fairly simple authentication and security protection techniques.

We are starting to see some applications embedding security into their offering. BEA, the applications server specialist, has a product called Collaborate, for example, that talks across company boundaries and provides a rich messaging service. This has security built into the product. What this illustrates is that it is a very tough job for anyone in this industry, even the professionals, to keep track of every development. Our approach here is to ensure that we have regular meetings with as many of the key players as possible. However, for a company getting on with its core business, there is no way that it can hope to stay abreast of what is happening. This is really a huge opportunity for consultancy firms to step in and add value for their clients.”

Anthony Harrington is a freelance journalist.
