When it was widely reported in June that the Sydney Opera House’s website contained malicious code designed to harvest ticket buyers’ bank account details, it made a big splash in the media. It is also the perfect illustration of the security situation facing IT managers and resellers in 2007. Think back: when was the last time that a major virus or worm outbreak hit the headlines? It has literally been years since Melissa, Slammer, Blaster, I Love You and Nimda sent corporate networks into meltdown and brought organisations all over the globe to their knees.
There has been a quantum shift in the security risks and concerns facing today’s networks. Hackers are no longer disaffected university students in the game for kudos from their peers or trying to make a statement to the world at large; organised crime has realised that there is a lot of money to be made from hacking, phishing and identity theft. As a result of this shift in emphasis, AusCERT said, the number of cyber attacks has actually reduced slightly over recent years, but the average amount of money each successful attack costs organisations has increased. And malware such as phishing sites, Trojans and other forms of website-based malicious code have become the dominant means of attack.
Adding to the challenge, the changing ways we are working mean that securing the network is harder than ever for resellers, systems integrators and security professionals. Contractors and consultants, telecommuters, travelling executives and other road warriors have all pushed the perimeter of the network out to the point where, for a multinational company, it’s the whole world. And that’s not to mention the increasingly common practice of exposing parts of the network – such as the extranet or inventory system – to business partners.
These trends have all been happening for a while but over recent months a new threat has been added to the list – social networking sites. Studies have shown that many workers access sites such as Facebook, MySpace and to a lesser extent YouTube from office computers. These sites are often havens for malicious code and a lot of people, seemingly oblivious to the dangers of identity theft, post large amounts of personal information on them.
When it comes to network security, IBRS analyst James Turner believes that there will be continued emphasis on enabling, but it’s going to be different for every company according to their business environment. “There’s a constant tussle with security, and that’s the balance between confidentiality, integrity and availability. That play is different for every single firm looking at it.”
One way that the balance between confidentiality, integrity and availability is playing itself out is the tension between perimeter and internal network security. Trend Micro’s premium services manager, Australia and New Zealand, Adam Biviano, said the idea of a perimeter is blurring, which necessitates a rethink in emphasis. “What do you define as your work perimeter? Half of Trend’s workforce is mobile, these individuals roam the country using their laptops in all sorts of places, airport terminals, home networks, Starbucks etc. which are far from trusted entities, so while protecting the perimeter is a sound idea, it’s becoming far more complex.”
Because it’s difficult enforcing policy across a fleet of machines which are very rarely in the office and rarely hooked up to a network that is trustworthy, Biviano said each machine needs a subset of the overall security network infrastructure sitting off to one side of it so it’s able to defend itself against the same sort of threats as the network.
Beyond perimeter versus internal security arguments, Check Point Software country manager ANZ, Scott McKinnel, believes the biggest concern facing network and security professionals today is the weight of change and complexity. “From the network perspective it’s just the sheer complexity and the introduction of human error because of all the different components. Even if each security component is configured correctly, has the right release of software, is managed properly and does what it says it’s meant to do, you still have all the complex interoperability issues and patching just to keep everything current.”
The other big concern in a complex and fast-changing security environment is the capacity for human error. “Keeping your staff trained properly and giving them the time they need to do things properly,” is of prime importance, said McKinnel. In the event of a breach occurring, often the very speed of events can militate against effectively dealing with it. “That is often the biggest risk and the way it is being addressed is that there is a lot of emphasis on management, event reporting and correlation.
“If there’s an incident or some sort of compromise, typically multiple systems will report that because the incident will trigger an event, an alarm goes off in the management system. If you’ve got multiple systems and technologies deployed all the management consoles will alarm. What event management does is correlate all the alerts and then present it in a centralised and simplified way. Your security systems are only as good as you can manage, monitor and maintain them so we’re seeing a shift in the market of more emphasis on event management and management of systems.”
Generally speaking, organisations are responding to the current security environment by implementing defence in depth strategies which cover endpoints as well as all the network access controls. While this strategy includes all the traditional IT security apparatus such as anti-virus, firewalls, intrusion detection etc, Symantec’s vice president, channels, Asia Pacific and Japan, John Donovan, said it’s also vital to be able to have a degree of trust with other people. “[This is particularly the case with business] partners with which you’re hooked into in a B2B environment. Because everyone wants open access; banks, government etc, you want to be able to get access to your own records to be able to update them, modify them etc. Networks are opening up with customers demanding access to information and with that comes risk.”
Aside from the potential for productivity issues, some of the biggest security risks gaining currency are social networking sites such as Facebook, MySpace and YouTube. Websense ANZ country manager, Joel Cammisar, said over the past year various security companies have put up dummy Facebook accounts to see how many people would reply with enough credentials so that a hacker would be able to compromise their identity. “It’s been quite astounding how many people give out critical information on Facebook and MySpace kind of sites. That alone poses a security risk for organisations, but there have also been other cases where social networking sites have been used to harbour malicious code. This is a growing trend, gone are the days when mass mailing viruses make up the majority of hacking threats. The main threat vector now is the web and hackers are using a variety of means to beguile users into going to sites which are launching pads for malicious code.”
While some security professionals will try to control access to such sites, Symantec’s Donovan believes they’ve got no place in the business environment. “There’s just far too much risk,” he said. “It’s not vulnerabilities and malicious code that could be hosted by the site, or even the time-wasting aspect, it’s that people populate them with information they really shouldn’t be putting there. Facebook is a really good example, it’s a nefarious weed-like system that encourages people to put in more and more information and makes that information available to more and more people.
“You start off with: date of birth, name, address, mobile phone number, then you say where you’re going on your holidays then you put pictures in of your holiday and before long through the extended friends link, someone you don’t know has access to all that information and knows where you’re going away on holidays. It’s not that hard to work out where you live. They have your date of birth and your email address, which is more than enough for them to start off some sort of social engineering which then leads to more information and then you’ve got issues with identity theft. And it’s not only business, individuals as well should be thinking twice about the information they put into it.”
Nevertheless, despite the concerns of people such as Donovan, there are opportunities for organisations to be had when dealing with sites such as Facebook, so social networking sites are unlikely to be going away anytime soon, and resellers and SIs are most likely going to have to learn to help their customers deal with the issues. For example, Salesforce.com currently has a tool that allows users to import data from Facebook into Salesforce.com, and this feature could be used to generate mailing lists and also to cross-tabulate existing data.
As a result, IBRS’s Turner said a lot of Australian organisations are taking one of two paths. “The first is that they’re not doing anything, they’re steering away from it all together to put off having to make a decision about that and you can’t blame them because it is a minefield potentially. The second path [organisations are taking] is proceeding with caution but it’s hard to do, not swimming, not in the boat. And a lot of these initiatives require a lot of commitment before they’ll actually deliver results and a lot of vendors in the market are pushing Web 2.0 initiatives around business and a lot of businesses are saying, ‘yes it sounds wonderful but how do I make money from it?’”
By Darren Baguley
A clear and present danger
By Staff Writers on Nov 28, 2007 10:30AM
