Managing security - A secure thing

In an ideal world, a company's IT system is always completely secure. But, according to Peter Sandilands, Check Point Software Technologies' regional manager Australia/NZ, that is simply not a realistic expectation. "There's no such thing as a completely secure computer system," he asserts. He says people often still suggest measures such as putting a computer in a locked room with no connections in order to achieve total security. "But if somebody uses it then that person is a security problem."

Sandilands cites some disturbing statistics from a study published in the July issue of Security Magazine which found that the average cost of an external security breach was $US57,000. But what is even more staggering is the average cost of an internal security breach -- a whopping $US2.7 million.

The most important thing to keep in mind, suggests Sandilands, is that computer systems and networks should be designed to allow people to communicate. "If you take the premise that security is about making things completely safe, then that completely contradicts the premise of why I put a network in place."

Sandilands suggests the alternative is to start with the premise that the system can't be completely safe, and that access has to be provided. "Security's role in all of this is to allow us to supply the best access we can, given the risks we're prepared to accept."

Geoff Johnson, research director at industry analyst GartnerGroup, agrees, saying there's no such thing as absolute security. "It just doesn't exist."

Steven Laskowski, managing director of security solutions provider Internet Security Systems (ISS), suggests starting with a security audit, likening it to getting a health check from your doctor as it tells you how vulnerable you are. Following the audit you can decide what to do first, how to do it, and what should come next, as well as monitoring security systems over time.

"The first thing organisations need to ask themselves is -- what is the overall financial penalty of a successful break-in?" Laskowski advises. But he adds that this can often be difficult to ascertain. "It's very difficult to quantify because nobody leaves a calling card saying, 'hey, thanks for the product plans for the next-generation technology'."

Sandilands maintains the real risks are not IT risks at all. He also suggests coming up with a security policy (see "Getting serious about security" in this online issue) before even considering the type of tools which are needed. "Say OK, we're communicating or accessing information, so what information do we have in the company, how is it classified, who should see it?" he advises, using the examples of payroll details, personal details, inventory levels, sales figures, marketing plans and sales proposals. The importance of protecting information such as this will vary depending upon the type of organisation. "This comes down to -- do I lock the filing cabinets that I put this information in?

"The security policy will then give you the guidelines as to what sort of access controls to set up on your file server," he says. "The security policy will give you a very clear idea of how strong an authentication mechanism you need to implement for staff inside the office and the staff outside the office, versus people outside. You know, if you've got high-risk information then you may want to be very very sure of your user authentication -- are they the right people?"

He advises companies to look at the different levels of access to information. For example, a certain level of information may be suitable to be seen by all internal staff, but nobody outside. Other information may be suitable to be seen by all internal staff and all existing customers outside. "This then devolves down into your IT architecture so, for example, stuff that cannot be seen by anybody outside the organisation you wouldn't put on a system that could be connected to from the outside," Sandilands warns.
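The classify-then-place advice above, turned into a small check. This is an added illustration, not code from the article or from any of the vendors quoted: the audience labels, the classification policy, the inventory and the authentication mapping are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical audience labels, in the spirit of the three tiers above.
INTERNAL, CUSTOMERS, PUBLIC = "internal_staff", "existing_customers", "public"

# Constructed classification policy: label -> audiences allowed to see it.
POLICY = {
    "payroll": frozenset({INTERNAL}),
    "price_list": frozenset({INTERNAL, CUSTOMERS}),
    "brochure": frozenset({INTERNAL, CUSTOMERS, PUBLIC}),
}

@dataclass
class System:
    name: str
    externally_reachable: bool  # can it be connected to from outside?
    assets: dict                # asset name -> classification label

def may_leave_organisation(label):
    """True if the policy lets anyone outside the company see this label."""
    return bool(POLICY[label] - {INTERNAL})

def misplaced_assets(systems):
    """Sandilands' rule as a check: internal-only information must not sit on
    a system that can be connected to from outside."""
    return [(s.name, asset)
            for s in systems if s.externally_reachable
            for asset, label in s.assets.items()
            if not may_leave_organisation(label)]

def authentication_level(label, externally_reachable):
    """Assumed mapping from classification and exposure to how sure you need
    to be of who the user is: public material needs no login, internal-only
    data always needs strong (e.g. two-factor) authentication, and
    customer-shareable data needs strong authentication once it is exposed."""
    if PUBLIC in POLICY[label]:
        return "none"
    if not may_leave_organisation(label) or externally_reachable:
        return "strong"
    return "password"

# Constructed inventory: a payroll file has been copied onto the customer portal.
EXAMPLE_SYSTEMS = [
    System("intranet_file_server", False, {"payroll.xls": "payroll"}),
    System("customer_portal", True, {"prices.pdf": "price_list",
                                     "staff_pay.xls": "payroll"}),
]

if __name__ == "__main__":
    print("misplaced:", misplaced_assets(EXAMPLE_SYSTEMS))
    for label in POLICY:
        print(label, authentication_level(label, True), authentication_level(label, False))
```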

Mark Hopkins, national practice leader for security at services company CSC, carries out work such as outsourcing and systems integration for clients. He advises companies to look at how valuable their information is. "Really what you should be doing is applying the right level of security for your particular business needs."

Hopkins cites as an example an online shopping system which will need to be up 24 hours a day, with a level of services to encourage people to come to its site. A government organisation, on the other hand, will have different security requirements.

Tools are chosen to minimise risks and there remains an ongoing need for updating versions or patches. Popular tools include virtual private networks (VPNs), firewalls, intrusion detection, encryption, authentication.

When deciding which tools to use, Hopkins advises considering what level of security you require. "The thing is that with security each additional level, or layer, of security you apply costs money." He makes the comparison between the amount of security you would put in your home, compared to the physical security used at a bank. "The key to security is understand your business, how you're trying to interact with your clients electronically and then look at how valuable that information is and then look at the different tools and techniques you can apply to protect that information."

He agrees security needs to be tailored to each individual company's needs. "There isn't any one solution that's going to satisfy everyone's requirements," Hopkins says.

Some companies opt for working with a consultant when dealing with IT security. Like many business decisions it can come down to finding a partner you are comfortable with. Sandilands suggests asking for references, checking the qualifications of the people in the organisation, as well as looking for an operation which is stable, financially sound, responsible and well managed.

"Look for an operation which doesn't walk in the door and immediately start talking firewalls and intrusion detection," he advises. "Look for an operation which walks in and starts to say 'what does your business do?', 'what sort of information do you have?', 'how do you want to approach this?'"

ISS' Laskowski says companies have to ask themselves whether they want to build the security expertise in-house or whether they want to outsource it. He suggests businesses ask themselves questions such as 'is security a core competency of my organisation?'.

There is such a thing as an ‘ethical attack', according to CSC's Hopkins. He says this involves testing a company's security. There are different methodologies, depending upon what you're trying to achieve. For example, it could involve running the same tools and techniques a hacker would use against your firewalls.

ISS's Laskowski raises the issue of the potential cost of security. "You really have to [ask] 'what is my threat?', 'what happens if someone is successful?'," he says. He also advises companies to ask themselves what happens if they are knocked offline with a denial of service attack which means you can't reach your customers or suppliers, and they can't reach you. "What does that do to you financially?"

Sandilands likens IT security to people jaywalking -- they know there is a risk, but they still do it. "People in general don't care about security as an issue; however, with the current groundswell of interest in the Web and the Internet there is obviously a lot of debate about 'am I safe/am I secure?' In reality they are looking at one part of an overall problem, rather than the whole. What is the point of worrying about whether my Web server is safe if it's a box sitting in the middle of the office and can be stolen at the drop of a hat?"

CSC's Hopkins believes there is now a greater awareness than ever. "A lot of organisations are beginning to take security seriously now," he says.

However, he adds, there is still the "it won't happen to me" belief amongst some companies. He says it is possible a company may not even know it has been attacked if, for example, the hacker just reads information. "For some organisations that could mean the end of them.

"Security costs money - there's no question about that - it is an expensive business. Apply a level of security that's appropriate for your business needs. It's 'horses for courses'. Do not buy a Rolls-Royce if a Mini will do."

Putting the wheels in motion

Once companies have worked out what aspects of their business need protecting, they can get down to the nitty-gritty of putting security systems in place.

Alex Turkington, vice president Asia Pacific for secure Web switching vendor Top Layer Networks International, emphasises the importance of getting it right. Different technologies do different things, he says, using the example of a firewall, which controls access from the outside world to a company's internal resources.

He says it is also now common for companies to have tools customised to meet their needs, and believes security has moved beyond just looking at point solutions. "I think they [companies installing security] are looking at ways of gluing a more comprehensive and robust security strategy together," he says. "To do that successfully they have to be talking to very high level and very expert security consulting companies. They're making investments in expertise and product knowledge that will provide them with the ability not just to install a firewall but install a very robust comprehensive multi-layer security system."

Turkington says there are a number of things that can go wrong with installations, which in a worst-case scenario could result in as many problems as not having the technology at all. "Once you start plugging equipment into any network we're talking about fairly complex types of transactions," he says.

Also using the example of firewalls, Ann Knight, national security manager at systems integrator Com Tech Communications, says a firewall comes with a ruleset: you establish the rules you want in place, such as the type of traffic you want allowed into or kept out of your network. "So if you get that wrong it can be the same as not having one, because in effect you have a ruleset that doesn't work."
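Knight's point about a ruleset that "doesn't work", shown with a toy first-match packet filter. This is an added example, not code from the article or from any firewall product: the rule syntax, the address ranges (drawn from the RFC 5737 documentation blocks) and the two rulesets are constructed for illustration. The `shadowed` check is the kind of review a practitioner runs on a ruleset before trusting it.

```python
import ipaddress

def parse_rule(text):
    """'allow|deny <src-cidr|any> <dst-port|any>' -> (action, network, port)."""
    action, src, port = text.split()
    net = None if src == "any" else ipaddress.ip_network(src)
    return action, net, (None if port == "any" else int(port))

def evaluate(rules, src_ip, dst_port, default="deny"):
    """First matching rule decides; the implicit default applies otherwise."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if (net is None or ip in net) and (port is None or port == dst_port):
            return action
    return default

def covers(earlier, later):
    """True if every packet matching 'later' already matches 'earlier'."""
    _, net_e, port_e = earlier
    _, net_l, port_l = later
    net_ok = net_e is None or (net_l is not None and net_l.subnet_of(net_e))
    port_ok = port_e is None or port_e == port_l
    return net_ok and port_ok

def shadowed(rules):
    """Indices of rules no packet can ever reach; a deny here is dead weight."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]

# Constructed intended policy: the office LAN may reach the server on any
# port, the public may reach the web ports, and everything else is dropped.
INTENDED = [parse_rule(r) for r in (
    "allow 192.0.2.0/24 any", "allow any 80", "allow any 443", "deny any any")]

# Constructed mistake: a catch-all allow placed first 'to make it work'. The
# denies below it are shadowed, so the filter behaves like no firewall at all.
BROKEN = [parse_rule(r) for r in (
    "allow any any", "deny any 23", "deny any 3389")]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("broken", BROKEN)):
        print(name, "| telnet from outside:", evaluate(rules, "198.51.100.7", 23),
              "| unreachable rules:", shadowed(rules))
```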

Vivienne Fisher also examines the challenges and opportunities in designing IT security from the ground up in the next article in this online edition.
