Digest of recent IT security press coverage


Brian McKenna and Sarah Hilley

Hosted Security: Trends and Indicators
Computerwire

Most organizations think hosted security is too expensive. Research released by the McAfee Security division of Network Associates indicates that most businesses are apprehensive about managed security, with a third of the companies polled stating cost as the main barrier to them considering outsourcing. The findings also revealed that 18% of organizations lacked confidence in third-party providers, with another 22%, mostly larger businesses, actually having security policies that prohibit the outsourcing of their enterprise security procedures. Only 14% of organizations quizzed were found to be outsourcing some part of their security framework. Outsourced firewall management looks to be the most popular choice.

ComputerWire, 1 May 2002

How will you cope if your system goes down?
Mark Samuels

Businesses are increasingly concerned by the devastating effect of hacking and viruses, but many still do not allocate funds directly for responding to premeditated attacks or system downtime.

Forrester Research interviewed security managers at 50 blue-chip companies. While most recognized the potential damage caused by system outage, few could quantify the cost of incidents. More than half of the respondents said a one-day outage would have a disastrous effect on their business. One food and drink company lost $2 million for every hour of system downtime. Another security manager at a manufacturing company said the Nimda virus had affected the company’s order fulfilment capabilities.

Despite the potential damage of this downtime, less than half of the interviewees knew the exact cost of responding to security incidents. Up to 60% of respondents said they couldn’t calculate their losses because costs were too difficult to determine.

“We can’t seem to quantify the cost of responding to incidents”, said the security manager of one telco. “Because it’s so difficult to sort out all the pieces, we just simplify and track time spent and equipment required. So we only get the tip of the iceberg.”

Despite virus and open network anxieties, just 28% of respondents allocated funds directly to incident response. The majority of managers include their incident response spending within general IT expenditure.

“We certainly don’t have a budget item for incident response”, said the security manager of one retail company. “In fact, we don’t even have a security line-item on our IT budget for next year, because we can’t show return on investment yet.”

Virtual response teams are generally created from internal system and network administration staff. And less than a third of security managers use the help of external expert resources, such as consultants or outsourcers.

Computing, 2 May 2002

Symantec seeks secure access
Bien Perez

Symantec is pushing its Internet security technologies as the standard for Hong Kong’s nascent managed content and network security services market. North Asia director David Sykes said the company hoped to make the leap from being an Internet security vendor to becoming a major supplier to service providers.

Symantec is targeting Hong Kong’s small community of Internet service providers (ISPs) and application service providers (ASPs), which have only recently started to deliver more comprehensive anti-virus scanning and content filtering programs to individual Internet users and enterprises. Sykes said Symantec was in negotiations with computer services firm COL to package its Internet security products as part of specific outsourcing services offered to the local firm’s line of banking, insurance and securities broker clients.

Hickerson said local interest in managed Internet security services had been given a boost by the recent Klez worm outbreak, which many internal anti-virus software and firewall systems failed to block. IDC has estimated that gateway security appliance sales in Asia-Pacific would reach $236.3 million this year, and grow to $522.7 million in 2005.

South China Morning Post, 14 May 2002

In brief

Business Fails to Adopt Online Security

British companies demonstrate a keen ardour for E-commerce but this is not supported with sensible security precautions. This means that customers are at risk of having their sensitive data penetrated. This situation has been brought to light by the UK Department of Trade and Industry’s Information Security Breaches Survey 2002. According to the survey findings half of companies who conduct transactions online don’t implement any encryption technologies. Under one-third of businesses encrypt files containing information such as credit card details. One-third of companies don’t bother to validate customer details and the list of findings goes on. A momentous rise in E-business has occurred in the UK. One in five websites can now transact online orders.

www.security-survey.gov.uk
Information Security Bulletin, May 2002

PDAs expose sensitive data
Lisa Kelly

One in four users do not secure their personal digital assistants (PDAs) with a password, leaving confidential business information exposed. A study from Pointsec Mobile Technologies revealed that employees will often store sensitive information such as PIN numbers, passwords and customer details in plain-text format. 71% of those who store customer information do not use encryption. According to the managing director of Pointsec it only takes a hacker a few seconds to hot-sync data from an unencrypted PDA with a laptop or PC.

Control phreaks
Stefanie Marsh

Were he so inclined, kp could hack into your bank account, access your email or shut down your computer from a distance. At a push, he could hack into your medical records and insert the letters HIV+ under the ‘any serious illnesses’ category. “That would seriously f*** up your insurance policy, wouldn’t it? Perhaps even your life.”

By day kp is a reasonably well-paid systems operator. By night he is a black-hat hacker. Why does he do it? “Because I’m morally bankrupt and I don’t give a f*** about being caught,” he says.

Dr K, once a black-hat hacker and the author of The Complete Hacker’s Handbook, thinks the vast majority of black hats are under 16 and “poking about”. Furthermore, “if you can’t keep a teenager out of your network, whose fault is that?”

“Computer crime is exaggerated,” he says, often by those who might profit from reinforcing the security of a company’s network. “I’ve never seen a cyber-criminal drive up in a Porsche, but I’ve seen lots of people in the computer industry making lots of money. The best security experts have all been black hats at some point.”

For kp, hacking is “a control thing. The initial buzz is the most amazing feeling, but you know that you’re not going to be happy unless you gain more control. I’m still going to be hacking when the police break down my door.”

The Times (London), 15 May 2002

Hot Mail
Sarah Left

It was once proclaimed that we should consider emails in the same manner as postcards rather than sealed letters. Most of us bestow a trust in email confidentiality which doesn’t exist. There are a variety of common mistakes that happen with email, and a lot of embarrassment and trouble can be avoided. A common click-happy mistake involves hitting reply instead of forward: you receive a controversial email, wish to forward it to a peer with your comments, and accidentally send it back to the sender! It is also important to remember that pressing delete just means that your email is transferred to an alternative server; it has not been terminated, just moved. An email is hard evidence and cannot be denied; unlike speech, an email can be re-read and recovered.

The Guardian, 7 June 2002

Hackers can hijack mobile systems
Mandy Bryan

Wireless networking has lost some of its gloss since the emergence of a sinister new threat dubbed ‘drive-by hacking’. Stories abound of roving hackers armed with just a global positioning system, a laptop, a wireless card, an antenna, a Pringles tin and little expertise tapping into a wireless local area network.

Nor is this the only security threat stalling the corporate take-up of technology which promises to increase mobility for workers and slash networking costs. Ironically, the senior executives to whom wireless networking most appeals are contributing to the problem, according to security experts.

“Those that benefit most from the wireless network, like the CEO and senior sales and marketing executives, are usually the least technically skilled. Their computers tend to be the least secure and they also contain the most sensitive information”, said Matt Barrie, a consultant with Infilsec.

Wireless networks were not designed with security in mind. The wireless signal cannot be contained within a building and, while this problem can be minimized by the use of directional antennae, it can never be solved completely. This means that hackers can, relatively easily, mimic legitimate users via a PC or laptop, by accessing the black box connectivity device in a corporate network or even by introducing a fake access point, dubbed an evil twin, to which legitimate users then mistakenly connect.

Adding to the problem, many companies do not enable the wireless network’s inbuilt security, dubbed Wired Equivalent Privacy or WEP, and do not encrypt traffic.

“Until WEP is improved, companies should use a handheld device to scan the airwaves for unauthorized signals and check the configuration of legitimate networks”, Mr Barrie said.

Australian Financial Review, 21 May 2002
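Matt Barrie’s advice above, scanning the airwaves for unauthorized signals and checking the configuration of legitimate networks, can be turned into a simple audit of a scan result against an inventory of sanctioned access points. The following is an added example, not code from the original article: the scan records, BSSIDs and inventory are constructed, and in practice the scan list would come from whatever wireless scanning tool the handheld runs.

```python
"""Audit a wireless scan against an inventory of sanctioned access points.

Added example; not code from the digest or the article it summarises.
Flags the two problems the article describes: an 'evil twin' radio that
advertises the corporate SSID, and a legitimate AP left with its inbuilt
privacy (WEP) switched off. All data below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    ssid: str          # network name the beacon advertises
    bssid: str         # radio MAC address, what a client actually associates with
    encrypted: bool    # True if the beacon advertises WEP (or stronger) privacy
    signal_dbm: int    # received signal strength, for the operator's context


# Constructed inventory: SSID -> BSSIDs of the radios the company deployed.
AUTHORISED = {
    "corp-wlan": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "corp-guest": {"00:11:22:33:44:10"},
}

# Constructed scan result, as a handheld scanner might report it.
SCAN = [
    Observed("corp-wlan", "00:11:22:33:44:01", True, -48),
    Observed("corp-wlan", "00:11:22:33:44:02", False, -61),   # WEP never enabled
    Observed("corp-wlan", "DE:AD:BE:EF:00:01", True, -40),    # unknown radio, our SSID
    Observed("corp-guest", "00:11:22:33:44:10", True, -70),
    Observed("cafe-free", "AA:BB:CC:DD:EE:FF", False, -80),   # someone else's network
]


def audit(scan, inventory):
    """Return (finding, bssid, ssid) for every beacon that needs a human look.

    A BSSID match is not proof of legitimacy, since a MAC can be cloned, so
    'unencrypted-authorised' also covers a twin that copied a real radio's
    address; the operator still checks the physical AP's configuration."""
    findings = []
    for ap in scan:
        known = inventory.get(ap.ssid)
        if known is None:
            # SSID not in the inventory: a neighbour, or an unsanctioned AP on site.
            findings.append(("foreign-ssid", ap.bssid, ap.ssid))
        elif ap.bssid not in known:
            # Corporate SSID from a radio the company did not deploy: evil-twin candidate.
            findings.append(("evil-twin", ap.bssid, ap.ssid))
        elif not ap.encrypted:
            # Sanctioned radio advertising an open network: WEP was never turned on.
            findings.append(("unencrypted-authorised", ap.bssid, ap.ssid))
    return findings


if __name__ == "__main__":
    for finding in audit(SCAN, AUTHORISED):
        print(*finding)
```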

Would you trust Whitehall with your PKI?
SA Mathieson

The present British Government’s work with the IT industry to establish confidence in digital certificate-based security may be among its most lasting legacies. In April, successful trials resulted in the government approving public key infrastructure (PKI) for secure email, and early indications point to the NHS as the likely first adopter. Some form of the technology may also be used for a future entitlement card scheme.

However, PKI is effectively unbreakable, and governments have a problem with that. For a government, the ideal communications technology is one that’s secure, but not so secure that it can’t be tapped by its own security services.

The UK Government’s initial solution was trusted third parties. Everyone using PKI would store their keys with an organization, which would pass them to the security services when required, and the end-user would never know. But this didn’t go down well. On reaching office, Labour revised the legislation so that key-holders would be their own trusted third parties.

The security services can demand an encryption key (on issuance of a warrant from the Home Secretary), on pain of a prison sentence. You can also be punished for handing over a key and not keeping it secret. This is also true for access to ‘traffic data’, as opposed to the content covered by the rules on producing keys.

Under the Regulation of Investigatory Powers (RIP) Act, the police and security services can get at this with a self-issued warrant. But this process conflicts with data protection legislation, which demands deletion of the traffic data when it becomes redundant. Following new British anti-terrorism legislation last year, some ISPs have increased their email traffic data retention period. Freeserve used to keep it for three months, but now has at least seven months’ worth.

All the security legislation and guidance that has emerged from the government started in a tougher form, before being tilted back towards individual liberties by select committees and the House of Lords. If technology firms want to resist being turned into a branch of the security services, they need to put their case vigorously.

Computing, 23 May 2002

Legal reform alone won’t beat hacking
Michael Gubbins

The stark facts about the UK’s Computer Misuse Act (CMA) tell the whole story: as many as two-thirds of companies have suffered a malicious security breach, but in 12 years only seven people have been jailed.

A seminar on the Act, currently under review to test its compliance with European legislation, was recently organized by computing and law firm Tarlo Lyons. Tarlo Lyons IT specialist John Mahwood drew analogies with the creation of the UK’s Road Traffic Act, which gradually strengthened as the volume of road use grew.

Companies often cite inadequacies of the enforcement system and the law as the main reasons for not taking hackers to court. The truth is more often that publicity about security failures can and does damage revenue.

“There’s no return on investment in prosecuting. The only reason would be to make an example of someone, to explain to the boss why there’s a hole in your accounts”, said Bob Ayers, director of business risk services at UK company @stake.

Incentives might help. Meeting the costs of disruptive forensic operations on hacked systems would be a start, said consultant Phil Cracknell. As well as the civil courts there are third-party bodies that can weigh in, rather as the Federation Against Software Theft (FAST) does for software suppliers.

“Businesses need an incentive to name and shame, and sentencing can be a part of that. Sometimes the incentive might just be that someone suffers for what they’ve done”, said Julian Heathcote Hobbins, legal counsel for FAST.

“When the law was introduced”, said Robert Schifreen, former hacker turned consultant and journalist, “it was taken very seriously. Spotty young hackers ran off to bury floppy discs in their mum’s gardens”.

Computing, 30 May 2002

New task force to tackle cyber-crime
Chicago Tribune

US federal authorities have announced the formation of a local task force to prevent and prosecute cyber-crime, including terrorism, identity theft and the hacking of corporate databases. “This is community policing in the cyber-world. It’s a new challenge”, US Senator Dick Durbin said at a news conference at the Chicago office of the Secret Service. “We have to send out the message that if you want to hack into a computer, you’re going to pay a price.”

The Secret Service launched the task force in Chicago and eight other cities as a pilot program in response to the USA Patriot Act, passed in October to tighten homeland security. The Electronic Crimes Task Forces are not fully funded, so Durbin has introduced an amendment to the supplemental appropriations bill to provide $17.2 million nationwide.

Chicago Tribune, 21 May 2002

Europe votes to end data privacy
Stuart Millar

European law enforcement agencies are now empowered to monitor telephone, Internet and email traffic. Despite opposition from civil liberties groups world wide, the European parliament has bowed to pressure from individual governments, led by Britain, and approved legislation to give police the power to access the communications records of every phone and internet user.

The measure, which will be approved by the 15 EU member states, will allow governments to force phone and internet companies to retain detailed logs of their customers’ communications for an unspecified period. Although police will still require a warrant to intercept the content of electronic communications, the new legislation means they will be able to build up a complete picture of an individual’s personal communications, including who they have emailed or phoned and when, and which internet sites they have visited.

Tony Bunyan, editor of Statewatch, said: “This is the latest casualty in the war against terrorism as far as civil liberties are concerned. The problem with wanting to monitor a few people is that you end up having to keep data on everybody.”

The measure is contained in an amendment to a bill originally intended to improve the security of E-commerce transactions. “Looking at the results, it amounts to a large restriction on privacy and increases the power of the state,” said Italian independent MEP Marco Cappato, the bill’s author who tried to prevent the amended clause being added.

The Guardian, 31 May 2002

Security chiefs broaden role
John Geralds and Elspeth Wells

A new function, the chief security officer (CSO), is being created in an increasing number of organizations. The CSO has combined responsibility for both data and physical security. A new report has been published called ‘The Changing Nature of the Chief Security Officer’. Hunt writes in this report that the needs of security often intersect between different departmental boundaries within a typical organization. According to Hunt, many CEOs were shocked to learn that in a wide variety of companies there are two separate managers in charge of physical security and IT security, and more often than not they don’t even cross paths. Senior managers are increasingly beginning to realize that security goes beyond technology. Hunt said that ideally CSOs should be knowledgeable in IT in addition to physical security methods. A lot of CSOs are present in the financial services sector.

UK’s secret sites pictured on Web

Anyone can view in intricate detail Britain’s most private intelligence units over the Internet. Images of the GCHQ and the Aldermaston atomic weapons research centre are available to purchase. Getmapping.com has produced a photographic map of the entire country and is pitching for sales of such detailed building images on its website. Getmapping.com is not breaking the law by doing this, but defence parties are concerned that the images could be exploited by terrorists, so have called for a ban on the sale of such images. So-called ‘secret places’, such as Aldermaston and GCHQ, can be bought for £45 plus VAT. According to a spokesperson from the Metropolitan police the images could be “incredibly useful” to terrorists.

BBC News, 7 June 2002
