Securing your Information
Network Security Solutions, NSS
Rakesh Aggarwal is the Chairman of Network Security Solutions, NSS. A serial entrepreneur, Mr Aggarwal has been involved as an angel investor in several start-ups and has business interests in media and entertainment, IT, healthcare, architectural ceramics and other industries. His other ventures in India include Fitch Ratings India, Private Limited, the only independent rating agency in India, which was co-founded by him as a joint venture with Duff & Phelps Credit Rating of Chicago. He has been a career banker, having worked with Citibank – India, Thailand, Sri Lanka and Singapore for 15 years. He has also worked for seven years with Union Bank of Switzerland, Singapore as Chairman of the East Asia Credit Committee. He was Senior Advisor to an infrastructure fund sponsored by the Prudential Insurance Company of America. He is a Director of SET Singapore and several other companies.
Recent virus attacks and threats to data make computer security of paramount importance. “Security” is a multifaceted word with many different connotations; but, broadly speaking, it involves protecting an organisation’s critical information from threats, both internal and external. In any organisation, information security is ultimately driven by business needs and is a balance between confidentiality, integrity and availability. “Securing your information” is a big issue that is getting more complex every day.
The whole world is abuzz with information security architectures, products and equipment. But what does it mean to you? Information security is a multifaceted phrase; it has different connotations for different organisations. For a SWAT team about to launch an operation, keeping their strategy secret is vital to the success of the operation. For a web hosting company, ensuring that none of the websites hosted by them are defaced is of great concern and has a direct impact on their business. An ISP’s main concern is to ensure that its services are available at all times.

Information Security and the CSO

Most organisations in the Asia-Pacific region are now beginning to realise that security and continuity are important issues. Forty per cent of IT Managers rated security as their highest priority. Most Chief Security Officers, CSOs, are doing all they can with the available resources, but it is never enough. In its research, IDC predicts that within five years, 10 per cent of the total IT budget will be spent on security – which means a total security spend of US$118 billion! Security challenges are getting more complex as ‘the perimeter’ becomes fluid. Therefore future trends include policy-enforced client security, identity management and the convergence of physical and virtual security.

Another focus area for the CSO is delivering business resilience in an “always-connected” global economy. He/she needs to evolve security and business continuity programmes, thus making security a top priority on a limited budget. He/she also needs to balance the ROI of existing infrastructure to match future requirements. Therefore, the arduous task of the CSO is to realistically identify security requirements for business, including threat exposure, security management, integration and continuity.
Information Security and the Organisation

Information security can be summarised as the protection of an organisation’s critical information from threats, both internal and external, by minimising the risks posed by these threats. In any organisation, information security is ultimately driven by business needs; it is a balance between confidentiality, integrity and availability.

Each time that you are online to surf the web, chat or download data from the Internet, you may be vulnerable to a plethora of attacks. In the past, one of the nastiest events that brought the operations of numerous organisations to a standstill was the DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack. The most recent victim the media highlighted was the SCO Group Inc, in Utah, whose servers were attacked continuously for more than a week in December 2003. The premise of a DoS attack is simple: send more requests to the machine than it can handle! Ironically, it is also one of the simplest forms of attack, because the availability of toolkits in the underground community makes this a simple matter of executing a program and telling it which host to attack.

Organisations should have high redundancy and availability in their networks to avoid a single point of failure. A single point of failure, if attacked, can cause the entire network to shut down. To protect one’s network from DoS and DDoS attacks one must have a layered Defense In-Depth strategy with perimeter defense, intrusion detection systems, antivirus solutions and host hardening. Host hardening involves upgrading the OS (operating system), applying relevant patches to the OS and required applications, closing irrelevant services, customising and tightening configurations and using Access Control Lists (ACLs) for the required services. Changing default passwords, applying good password policies and periodic vulnerability scanning also help in detecting vulnerable hosts in the network.
Organisations continue to prosper and contribute to the phenomenal growth of the Internet by taking advantage of its vast services and extending their computing environment beyond their network gateway. However, with its many benefits, the Internet has brought significant hazards to the doorstep, as organisations expose their mission-critical information and networks to an unprecedented level of risk. The Global Information Security Survey 2003 conducted by Ernst & Young records that more than 34 per cent of organisations rate themselves as less than adequate in their ability to determine whether their systems are currently under attack. More than 33 per cent of organisations say they are inadequate in their ability to respond to incidents.

Seven Best Practices in Information Security

1. Have a defined information security policy, in synergy with the business objectives and culture of the organisation.
2. Deny all, unless explicitly authorised and allowed.
3. Encrypt all data communicated over public connections.
4. Classify information according to vulnerability.
5. Use information-handling procedures based on the classifications.
6. Enforce access control.
7. Minimise, or eliminate, exceptions to the rule.

The last few years have seen a tremendous increase in the number of hackers in the Internet community. Many of them work as groups, targeting specific organisations and countries. However, a large number of hackers are actually inexperienced; they are called “script kiddies”. They hack into systems merely for the thrill of the deed. However, that does not necessarily avert damage to the targeted systems. What makes them especially dangerous is the fact that they do not have any specific target. They are like loose cannons hitting whatever comes in their path. In order to adequately address security, all possible avenues of entry must be identified and evaluated for the risks they introduce.
Technical, physical and administrative controls must be applied based on acceptable risk levels, to ensure balanced hardening or security at each entry point. Companies must look at organisational, operational and strategic factors to evaluate their information assets and then take an integrated approach to information security. The risk management process should not be treated as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organisation.

Security is not just a job function of the technical IT team; it is everybody’s responsibility. Each individual is responsible for the security of the information assets that he/she deals with. It is absolutely vital that all the staff attend a security awareness programme as part of an orientation that familiarises them with the security posture and policies of the organisation. An inexperienced user in his/her ignorance may share confidential information pertaining to the company or download malicious software.

Statistics have revealed that, despite the best technological advances, security breaches have happened. Incidents occur with even the most sophisticated technology – firewalls can be bypassed, and even the strongest password can be cracked. Most of the incidents that have occurred are not because technology failed to deliver, but because of human failure. The following scenarios illustrate that sometimes even the best technology can fail.

The SQL Slammer worm that affected millions of users worldwide exploited a particular vulnerability in SQL. Microsoft, though, had already released its patch six months earlier. Then why did this technology fail? Obviously, people had not updated their systems with the latest patches and hence were affected by the worm.

A company was losing confidential data due to corporate espionage. In order to combat this, the organisation decided to opt for the latest and best encryption technology for its critical confidential information assets. After a while, they found that critical information was still getting lost. A complete study revealed that information assets were being leaked via an “impossible to detect” key logger installed on one of the systems by an internal employee! Did technology fail? Yes and no. Yes, because in spite of the best technology in place, security had been compromised. No, because the technology did not fail to deliver; the breach was a human failure.

An up-and-coming company, with some notion of a layered network defense, opted for a commercial firewall to secure their private network. With the highly sophisticated firewall still in place, the network was hacked. The problem – poorly configured rules for allowing and denying traffic. The company had opted for the latest and the best technology they could afford, but the technology must still be configured and used properly to be effective.

The strength of a chain is determined by its weakest link. The weakest link in security is the human element: “We have met the enemy; and he is us”. A security programme is effective only if every individual in his/her respective capacity is security conscious and implements the information security policies of the organisation. The front desk can easily be cajoled into revealing information. No fancy exploits coded, no firewalls bypassed and voila! – the critical information is in the hands of the attacker. In this case, the attacker is not looking at any fancy gizmo or breaking any code; all he/she has to do is take the pulse of the person he/she is interacting with and exploit that person’s mindset. The only countermeasures to this menace are to have comprehensive security policies in place, adequate training, and security-conscious users. Having the latest gizmo in place will not guarantee complete security.
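The firewall scenario above and the “deny all, unless explicitly authorised” practice can be checked mechanically. The following is an added example, not code from the article or from NSS: it assumes a simplified first-match packet filter, and the `Rule` model, function names and both rulesets are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # hypothetical rule model, not a vendor format
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR; "0.0.0.0/0" means any
    port: Optional[int]          # destination port; None means any

def covers(a, b):
    """True if every packet matched by b is also matched by a."""
    net_a, net_b = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    return net_b.subnet_of(net_a) and (a.port is None or a.port == b.port)

def decide(rules, src_ip, port, default="allow"):
    """First-match evaluation; default models a filter with no implicit deny."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if addr in ipaddress.ip_network(r.src) and r.port in (None, port):
            return r.action
    return default

def audit(rules):
    """Flag any/any allows, rules overridden by an earlier rule, missing deny-all."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "0.0.0.0/0" and r.port is None:
            findings.append(f"rule {i}: allows any source to any port")
        for j in range(i):
            # An earlier, broader rule with the opposite action wins on first match.
            if rules[j].action != r.action and covers(rules[j], r):
                findings.append(f"rule {i}: shadowed by rule {j}")
                break
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.port) != ("deny", "0.0.0.0/0", None):
        findings.append("no final deny-all rule")
    return findings

# Constructed sample rulesets (private and documentation address ranges).
WEAK = [Rule("allow", "0.0.0.0/0", None),      # broad allow placed first
        Rule("deny", "0.0.0.0/0", 23),         # intended block, never reached
        Rule("allow", "10.0.0.0/8", 22)]
HARDENED = [Rule("allow", "10.0.0.0/8", 22),   # explicit, narrow allows
            Rule("allow", "0.0.0.0/0", 443),
            Rule("deny", "0.0.0.0/0", None)]   # deny all, unless authorised above

if __name__ == "__main__":
    for name, rs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, decide(rs, "198.51.100.7", 23), audit(rs))
```

In the weak ruleset the deny rule exists but never takes effect because of rule ordering, which is the kind of configuration error a product purchase alone does not prevent.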
One cannot rely exclusively on technology to offer protection. Technology and human factors have to go hand-in-hand while implementing a complete security solution. Neither can be used exclusively when talking about security. It is imperative for every individual in an organisation to take part in a security awareness programme that makes him/her aware of his/her security responsibilities. A security-conscious and alert employee may often be able to identify, avoid or contain an information security incident to ensure minimal damage to the organisation. Scientists and information security professionals across the globe are conducting research to build intelligent and automated security systems. However, the human element continues to be a stumbling block for even the best state-of-the-art technology. What is required is a practical and user-friendly approach to information security that is driven by strong management commitment. Information security is a concern for every individual connected to the Internet.