The Organisation for Economic Co-operation and Development (OECD) notes in its 2002 guidelines for the security of information systems and networks that the technology environment has undergone dramatic change over the last decade.
The internet, especially, has driven a shift in what we use computers for, and what they are capable of doing.
We can now benefit from ‘open’ networks, whereas previously our use of computers was limited by who they could talk to – typically some PCs that were in the same office on a closed network. The internet has meant increased interconnection between individuals and networks; it supports critical infrastructures (can you imagine stock markets being paper-based in the 21st century?), and is global in reach. The ways in which we can access information have also changed, both in scope and method. System convergence means we can use a variety of ways to access data, which in turn is available in ever-increasing formats.
This openness has inevitably resulted in a much greater need for security on all parts of the network, right down to the home PC. Increased interconnectivity has led to a rise in the variety of ways in which hackers, virus writers and others with malicious intent can access, delete, infect, manipulate and steal information. This is why the OECD has called for measures to be taken to promote greater understanding and awareness of security issues, and the need to develop what they term “a culture of security.”
The aim here in creating a new, developed sense of security in the upper echelons of government and business and right down to the individual employee is to be applauded – anything that helps to raise security as an issue in the minds of those designing networks, or those using new information systems, or even the individual sending email, is worthwhile on many levels, not least because increased vigilance will result in a reduced cost to industry in terms of repairing damage caused by attacks.
Malicious code attacks cost industry more than £8 billion in 2001; this economic impact includes user downtime, loss of data and clean-up costs. So there are significant gains to be made from putting security at the forefront of planning and education.
To many of those reading this, the need for effective anti-virus protection is nothing new. So why does the cost of failure (i.e. breaches in security resulting in a successful viral infection or malicious attack) remain so high? There are many answers, but it is certainly true that most if not all organizations have some form of virus protection in place. At this point it would be easy to give an answer covering multiple network vulnerabilities and recommending certain actions. More informative, though, is a response that covers one particular vulnerability that all organizations share, no matter what their purpose.
The human factor
Many of today’s threats are difficult for the average employee to detect. ‘Effective’ (i.e. successful, damaging) viruses don’t advertise themselves; they often masquerade as innocent emails in order to catch people off guard. The knowledgeable won’t open a suspicious email purely because they are aware of the likelihood that all may not be as it seems, but the temptation for the vast majority to click on an attachment that says something like “new photos from my party” is always there. Infected emails needn’t be from someone you don’t know; many modern viruses include the ability to infect a user’s machine and spread themselves via the user’s address book. The aim in both of the cases described above is to get the unwary to open an infected email, and the technique used to do this is referred to as social engineering: taking advantage of our individual weaknesses and curiosity as well as of vulnerabilities in network security.
The lesson to be learnt here, especially for those that are responsible for network security, is that it’s a very bad idea to formulate an organizational security policy that relies as one of its components on end-users ‘doing the right thing’ – that is, not opening any suspicious emails, not downloading something that may contain a threat, and so forth. As this relies on knowledge that your average user does not require as part of their job, such a policy is likely to founder.
So how does the organization address this issue? As the user may not have the expertise to use or administrate anti-virus protection on their PC, this should be taken out of their hands and automated from a central point, to remove the possibility that settings may be altered or disabled, thereby placing the organization at risk through this chink in the armor.
Appropriate protection at all levels needs to take into account anti-virus protection for desktops, laptops, servers and the internet gateway. It also needs to recognize that the culture of security that the OECD is pushing means accepting that to err is human.
Jack Clark is McAfee security product marketing manager for Network Associates (www.nai.com).
Network Associates are exhibiting at Infosecurity Europe, Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29 – May 1, 2003. www.infosec.co.uk