A heightened awareness of security issues and the need to safeguard mission-critical, highly confidential data has catapulted security to the top of organisations’ agendas.
Despite this, companies are suffering more security violations than ever before. In the UK, the Department of Trade and Industry (DTI) recently reported that 78 percent of businesses suffered some form of breach, such as file corruption or stolen data, in 2002, compared to just 24 percent in 2000.
This rise in violations indicates a growing lethargy amongst companies when looking at security options. It would appear that many organisations are merely adopting a tick-in-the-box approach: IT security products are procured, but the purchase is not followed through with a strategic security programme.
Many larger companies have chosen to hire management consultants to take an external look at their organisation and assess where they are going wrong. For the small to medium-sized enterprise (SME), with neither the budget nor the inclination to turn to a consultant, it is not so easy. In addition, many SMEs that do not hold sensitive data on their networks believe that they do not need to invest in security solutions.
However, potential ‘hackers’ scan networks daily for signs of vulnerability. An organisation’s networks can be attacked, by an external ‘hacker’ for example, from anywhere in the world. When this occurs, the loss of confidential client data is not the only repercussion for an organisation. The ‘hacker’ can use the compromised business’s system as a ‘host’ from which to attack other organisations’ networks, a practice known as “zombieing”; it can also leave the organisation’s own systems down for over 24 hours. This hits small organisations that rely on their computer systems in order to operate.
Organisations are so inundated with security solutions that they find it easier to ignore the problem, without thinking through the long-term implications. A casual glance across the security options available will identify numerous security fixes for vulnerable networks. Detailed technical information, although useful for the knowledgeable user, tends to cloud the issue for many.
Putting security plans in place does not have to be a complicated or lengthy process. It does, however, require some forethought by organisations, and it must be followed through as a strategic security programme. Simply buying and installing an IT security product is not enough.
There are a number of options for SMEs looking to implement a successful and effective security strategy, depending upon their budget and expertise. A good, cost-effective first step is to sign up to an advisory service such as the Computer Emergency Response Team (CERT), a non-profit organisation set up by the US government and run by Carnegie Mellon University. Organisations such as CERT supply information on how to protect an organisation’s systems against potential problems and advise on what to do if a security breach occurs. This involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems and developing information and training to help improve security at an organisation’s site.
The advisory service takes the form of free email alerts, issued to anybody who wants to subscribe. However, although these services are a good source of information, they are just that. They do not give advice on how a violation will affect an organisation’s individual requirements, or on the business impact of a security breach.
Some organisations may choose to employ a dedicated security administrator, responsible for updating their computer systems in response to any threat. This is perhaps the most costly solution of all, but certainly an essential resource in today’s information age.
Organisations can also employ an external third party to conduct vulnerability scans and penetration tests of their network on a regular basis. A vulnerability scan is an automated process undertaken by a remote server with a library of known vulnerabilities, testing the network against each one. These scans are usually carried out against each IP address and can take place daily, weekly, monthly or as often as a business chooses. The scans produce an automated report that can be used to close down the vulnerabilities identified. The cost of these services is relatively low, owing to their automated nature.
A penetration test involves a person actively trying to hack into a customer’s network using known hacking tools. Although this is a far more costly exercise, the tester will also use social engineering to break into the network. This can include calling up the business to find out people’s names and then trying to log in using common passwords (it is surprising to note how many people use “password” as their own password). At the end of the engagement, an organisation can expect a very detailed report, covering not just the system’s vulnerabilities but the company as a whole.
Certain types of vulnerability are more common than others. If a business does not have a firewall, designed to prevent unauthorised access to private resources, it is very likely to be hacked within a matter of days. Hackers scan entire IP address ranges, and an unprotected network stands out like an elephant at a mouse convention. Hackers can take over servers or desktop machines and either access the boxes at root level and copy or delete all their data, or install malicious programs that take over the machines and attack other networks.
Even where a company has a firewall, it too can be exploited if it is not properly set up and monitored. Hackers can exploit known vulnerabilities to get the network to bypass its own firewall. The devices most commonly affected include the web server, email server, and file and print servers.
When choosing an Internet Service Provider (ISP), a business needs to have confidence that the service provider is protecting itself. If not, catastrophes can happen which affect the businesses that partner with the provider. Organisations must ensure that their provider fully explains its security procedures and its policies towards denial of service (DoS) attacks and unauthorised hacking. The provider will need to demonstrate that it has its own security administrator and is regularly auditing its own network.
In summary, a business ideally needs to employ a security administrator if possible or, at the very least, somebody who is responsible for the security of the network. This individual should have knowledge of all the company’s systems and all versions of the software it operates, carry out regular network scans and change passwords frequently.
The monitoring of security alerts and patch announcements can be managed through advisory services such as CERT, which are usually the best source of alerts, together with the vendors’ own advisory services. Third-party vulnerability checks can also provide invaluable insight into an unprotected network.
A final point to note is that a security programme is most effective when it has the full endorsement of the company’s Chief Executive Officer (CEO). In addition, the person responsible for security needs a direct avenue of communication with the CEO. Perhaps most importantly, a security policy needs to be enforced throughout the entire organisation. Each individual within the organisation has a role to play in maintaining a secure computer network. Numerous security technologies can be installed, but if there is no uniform security policy across the company that everyone buys into and adheres to, a business will always be vulnerable.