
Network security: as the worms turn.


Code Red. Nimda. MSBlaster. SoBig. Love Bug. The simple and colorful names given to "worms" and other viruses unleashed against computers around the world only hint at the damage they can do, primarily in knocking out systems and costing corporations big sums in down time and emergency restoration.

While it's commonly agreed that corporations have become considerably more sophisticated about computer security in recent years, the universality of the viruses' target--Microsoft systems--makes defense difficult. Worms, "Trojan horses" and other viruses use new and different techniques to destroy the hosts' code, making it difficult for businesses to anticipate and block them. And things aren't getting better.

"There's been a significant increase in the rates, the types and the voracity of attacks over the past year," says Tina LaCroix, vice president, Integrated Services and Technology Solutions (ISTS) Information Security, at Aon Services Corp. "Part of what we face is really an inverse curve. It used to be that 10 years ago, you had to have significant knowledge about computers [to be a hacker]. Now, you only need rudimentary knowledge. You can go to 10,000 Web sites and put together the necessary components--an average 10-year-old can exploit these."

Some hackers may have altruistic motives, she says, but many are political activists (so-called "hacktivists") or teenagers following Internet "scripts." Then there is "underground and underworld activity" coming from countries like Brazil and China.

"Any kind of development is open to someone to prove it's vulnerable," says James Wade, chief information security officer at KeyCorp, the regional bank based in Cleveland. "We are seeing increased sophisticated attacks from anywhere in the world. We know security is critical to our infrastructure, and the opportunities to attack are really increasing almost daily."

"Today, lots of people are probing and monitoring networks to launch automated exploits," says Louis J. Carpenito, vice president of information security/business strategies for Symantec Corp., a provider of the popular Norton antivirus software, as well as network security software appliance products to enterprises and service providers.

"There's a lot of external activity, much more than internal," he adds. "But the success rate is significantly less. Most organizations have a layer of protection, but there may be other channels into the organization." In fact, studies show that while outside attacks are far more common, 60 percent to 80 percent of successful attacks come from inside, a sort of soft underbelly of information security.

Which is the bigger threat, denial of service--caused when systems go down--or the actual ability to steal secrets or corporate account information? "They're both very real threats," LaCroix says. "Denial of services precludes you from doing business; it forces you to shut down."

More than anything, she believes, "For companies to improve, they need to have a baseline. You need to start with a point in time; you need to put a stake in the ground and measure." Consultants may be helpful here, she says, because it may be easier for an outsider to establish a plan and gain consensus.

"The hardest part is to have a knowledge base. Most companies are five years behind, in my opinion," LaCroix adds. "Then, you need to have a plan and stick to it, and not move with every development."

When it comes to protection against hacking or intrusion from anywhere, experts say, think "perimeter." It's not unlike a military encampment, where sentries are posted along the perimeter to detect and deal with invaders. In this case, of course, the invaders are electronic; viruses often are transmitted through attachments or downloads, which individuals inadvertently bring onto their desktops.

"Most people would agree that a defensive posture starts with a perimeter. You need to create a control environment," says Bruce Moulton, also a vice president of information security/business strategies for Symantec. "Perimeters can be dynamic, and they can vary from strong to weak."

The common concept of a perimeter "firewall" is well described, Moulton says, though the term is being blurred because other functions, such as intrusion detection technology, are being integrated with firewalls. Antivirus applications and virtual private networks (VPNs) are among the controls that work at the perimeter, he adds.

Within the perimeter, defense is typically not created in code. "The process we use is called defense in depth," says LaCroix. "It involves multiple layers of protection--you look at the pending threat, the types of risk--you look at other technologies. You ask what controls can we add to things like the firewall. You don't simply need all the latest and greatest."

Firewalls differ, and filter different depths of information that pass through the perimeter, Carpenito says. "The cover may look okay, but there could be something very malicious inside. There is a movement toward firewalls going deeper into content."

Another trend is to look at systems more holistically. "Integration of protection mechanisms that had previously been used in a silo approach can be put on an appliance, which is less costly to deploy and maintain," Carpenito says. That reduces the total cost of ownership and provides better security.

"The ability to monitor networks from a worldwide perspective is key--you have sensors that detect activities that can be profiled into individual hacker attacks," Carpenito adds. Yet he warns that organizations tend to be too trusting of their own people--a lesson that has been harsh for a number of financial services organizations.

"The lesson is that the people you need to watch the closest are those with privilege--and you need to watch as well those that are trying to gain privilege," he says.

As the pace of attacks has increased, so, generally, has company response time. LaCroix, who has been at Aon for 2-1/2 years, says that during the first year, she helped put together an Internet response plan that went into action when the worm-meisters went on the attack. "When Microsoft alerts us to [code] patches, where we would have taken that seriously and looked at responding in three to four months, we're now doing a much more thorough assessment of the patch and the vulnerability," she says. "We try to get a sense of the danger, what code the exploits [hackers] are passing among themselves."

The company's ability to respond has changed dramatically, LaCroix says, and in the past six months, Aon has proactively done patching, which "cost us millions on the front end." That means pulling people together from across the organization, which she calls "a huge balancing mechanism," given Aon's base of 53,000 employees and the need to "do a lot of testing and disruption of core operations."

The result, however, has been worth the stress and strain. "We have been able to weather those storms," she says, and the company is committed to being proactive, given the rule of thumb that it costs four times as much to remediate a security breach as to install patches to prevent one.

Cost is an issue that financial executives clearly understand and focus on, but it can't be the primary focus of an IT security program. "The issues around integrity of information, reliability and privacy are now right on the desktop of senior executives," says Symantec's Moulton. "There's been debate about how much they need to know and care. We would say that internal control harks back to key definitions. While security controls may not be explicitly discussed, most security professionals want security controls understood"--and made an organizational priority.
COPYRIGHT 2003 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:special section
Author:Marshall, Jeffrey
Publication:Financial Executive
Geographic Code:1USA
Date:Dec 1, 2003
Words:1232