News
posted 23 Dec 2004
IT security fears widen
By Tracey Caldwell
Organisations are facing a threat from criminals targeting their information systems. Yet many are failing to grasp the scale of the risk, while others are failing to underpin complex security systems with basic measures, according to security experts speaking at a recent webinar, ‘IT security – winning tomorrow’s battles’.
Phil Huggins, chief technical architect at Information Risk Management, says, “The key issues we face are the more porous nature of data and the massive growth in malicious software. Attacks are changing and there is an increasing threat from organised crime. This is something for the law enforcement agencies to solve, but we do need closer links with them.”
Cisco’s chief security architect, Paul King, says it is important to distinguish between the effect of a virus that infects a PC and then spreads to other PCs and an attack specifically designed to exploit an organisation’s own vulnerabilities. He points out that security should not be viewed as a constraint, because it is the enabler that has made remote working and multiple connections possible.
“Security must be pervasive, not a point solution. How many organisations’ penetration tests check phone or fax machines? What is their security policy on employee modems? Potentially the worst attack of all is the internal attack,” says King.
Companies often overlook simple security measures. “A bank was talking to me about their level of encryption but they didn’t even have a particularly strong password policy, which should have come first,” says King.
Huggins spells out the threat from malicious software: “There are now 100,000 items of malware available and this has an impact on the performance of anti-virus scanning – we are looking at a lot more attacks.” The volume of outbreaks looks to be quadrupling. In 2003 there was an attack every 22.75 days on average, whereas in 2004 there was an attack every 5.5 days on average, according to the 2004 DTI Information Security Breaches Survey.
There is no doubt, too, that denial-of-service extortion is growing. A recent example was when multiple betting sites were threatened and attacked during the
Good security should be integral to software and systems, according to Huggins. “Security must be considered before the code is written. Security is still not a priority for developers. They are still taught insecure coding and security does not feature in integrated methodologies. There has been an improvement in web-facing applications but little movement in packaged applications.” He adds, “Forensics, too, has become a hot topic in the last year and one of the most alarming developments has been the production of bugs specifically to attack forensic software. The software industry is not equipped to cope with this.”
Chris Knowles, practice leader of networking, security and management at Computacenter, believes patch management is one of the main security issues. “Fifty or sixty patches a month are needed for operating systems, network operating systems and applications. But there is a reducing exploitation time and companies are facing attack before the patch has been deployed, due to the eight-week lead times many have in testing patches.”
Enterprises might well wonder where to start to strengthen their security in the face of multiple threats and the need to comply with new regulations. Knowles has some reassurance: “If security standard BS7799 is in place and updated and audited properly it will meet the demands of section 404 of Sarbanes-Oxley.”
Huggins recommends that companies deploy active defences such as client-side intrusion-prevention systems (IPS): “Supplement IDS with network IPS, don’t replace it. And don’t rely on a single software solution; detection and protection should be separate functions.”