Wednesday, September 08, 2010

Under attack

special focus
SECURITY

With all the hype and talk surrounding Google, YouTube, Facebook, Twitter and anything that carries the merest whiff of “social media” doing the rounds, you’d be forgiven for thinking we’re simply floating through the next big bubble.



Even as investors pump hundreds of millions of dollars into “Web 2.0” offerings that have taken the online world by storm, the cautiously inclined readily point to the fact that as yet, none of these sites has turned a profit and, so far, none has indicated any method by which they can do so.

 

CONSTANTLY EVOLVING THREATS

According to the IBM X-Force 2009 Mid-Year Trend and Risk Report, the number of new malicious Web links discovered in the first half of this year increased by a whopping 506%. What’s more, the problem is no longer limited to malicious domains or suspicious websites – the report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal websites, online magazines and mainstream news sites. Gaining access to and manipulating data remains the chief consequence of vulnerability exploitation. The key problem is that security threats are constantly evolving…

Due attention

By and large, companies are well aware of the risks and are spending accordingly. According to Gartner, security software and services spending will outpace other IT spending areas in 2010. Security software budgets are expected to grow by approximately 4% in 2010, outpacing all other areas of infrastructure software, while security services budgets are projected to grow almost 3%, significantly outperforming other service areas.

Specific areas of projected security-related software spending growth in 2010 include security information and event management (SIEM), email security, URL filtering, and user provisioning. However, as the Gartner report notes, the continued, relatively strong emphasis on security extends beyond software. The survey showed that security services spending will also outpace spending in other services areas, with budgets expected to grow 2.74% in 2010. This anticipated increase is being driven in part by a growing movement towards managed security services, cloud-based email/Web security solutions, and third-party compliance-related consulting and vulnerability audits and scans.

Regardless of the size of your business, one of the biggest threats to security is your employees. From Facebook to screensaver downloads, taking online surveys and clicking through for “special offers” while browsing online, they’re not only chewing company bandwidth, they’re exposing you to all manner of viruses, malware and social engineering ploys. Add to this the prevalence of laptops, USB storage, MP3 players, smartphones and, in the current economic climate, disgruntled former employees, and you’re looking at a veritable feast of options and opportunities for the criminally minded.

According to Gartner, infrastructure protection – as they put it, keeping the ‘bad guys’ out while enabling the ‘good guys’ to do the right thing – is “one of the most-critical enterprise security concerns.” Point solutions have their place, but procedures have come to the fore in the fight for information security. Awareness now joins with procedural governance and system checks at every level of the enterprise to form a holistic approach that offers an all-encompassing enterprise IT risk management framework (EITRMF) that integrates with the overall enterprise risk strategy.

THE WEB OF DECEIT

So while it’s well and good – and essential – to lock down your applications and your network, the major trend to be thinking about is what’s coming in through the browser. Given the centrality of the Internet’s role in the workplace, this is not easy to control. According to the X-Force report, more than half of all vulnerabilities disclosed during the whole of 2008 related to Web applications, and of these, more than 74% had no patch. Links to dodgy Flash-enabled sites, infected PDFs and malicious URLs are key culprits, but social networking sites are playing a massive role in increased malware attacks globally. Malware delivery through badly configured sites and social networking sites is expected to increase substantially.


The X-Force report also notes that the level of veiled Web exploits, in particular those delivered via PDF files, is at an all-time high, pointing to the increased sophistication of attackers. PDF vulnerabilities disclosed in the first half of 2009 surpassed disclosures from all of 2008. From Q1 to Q2 alone, the amount of suspicious, obfuscated or concealed content monitored by the IBM ISS Managed Security Services team nearly doubled.

A perfect storm

What this all means is that there is no such thing as safe browsing. X-Force director Kris Lamb says that a tipping point has been reached, where “… every website should be viewed as suspicious and every user is at risk. The threat convergence of the Web eco-system is creating a perfect storm of criminal activity.”


The X-Force report also found a significant rise in Web application attacks with the intent to steal and manipulate data and take command and control of infected computers. For example, SQL injection attacks – attacks where criminals inject malicious code into legitimate websites, usually for the purpose of infecting visitors – rose 50% from Q4 2008 to Q1 2009 and then nearly doubled from Q1 to Q2.
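The SQL injection figures above concern attacks on the query layer of Web applications. The following Python example is added here and is not part of the original article or of the X-Force report: it puts the vulnerable pattern those figures refer to (user input concatenated into the SQL text) next to the parameterised form that neutralises it, and counts the rows each returns. The in-memory SQLite table, its two rows and the hostile input string are all constructed for the demonstration.

```python
import sqlite3


def _setup():
    # Constructed in-memory table standing in for a site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concatenated(conn, username):
    # Vulnerable pattern: the user-supplied value is pasted into the SQL text,
    # so the database cannot distinguish data from query structure.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    # Hardened pattern: the value travels separately from the query text as a
    # bound parameter, so whatever it contains is only ever compared as a string.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Returns the row count each lookup produces for a benign and a hostile input.
    conn = _setup()
    benign = "alice"
    # Constructed hostile input: it closes the quoted literal and appends an
    # always-true condition, which is why the concatenated query returns every row.
    hostile = "x' OR '1'='1"
    return {
        "concat_benign": len(lookup_concatenated(conn, benign)),
        "concat_hostile": len(lookup_concatenated(conn, hostile)),
        "param_benign": len(lookup_parameterised(conn, benign)),
        "param_hostile": len(lookup_parameterised(conn, hostile)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Run as a script, the concatenated lookup returns both rows for the hostile input while the parameterised lookup returns none, which is the whole point of binding values rather than building query strings: the fix is in how the query is constructed, not in filtering the input.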

 

Lamb notes that “the trends seem to reveal a fundamental security weakness in the Web eco-system where interoperability between browsers, plugins, content and server applications dramatically increase the complexity and risk. Criminals are taking advantage of the fact that there is no such thing as a safe browsing environment and are leveraging insecure Web applications to target legitimate website users.”

 

Other findings from the X-Force report include:

 

• Vulnerabilities have reached a plateau. There were 3,240 new vulnerabilities discovered in the first half of 2009, an 8% decrease over the first half of 2008.

 

• PDF vulnerabilities have increased. Portable Document Format (PDF) vulnerabilities disclosed in the first half of 2009 already surpassed disclosures from all of 2008.

 

• Trojans account for more than half of all new malware. Continuing the recent trend, in the first half of 2009, Trojans comprised 55% of all new malware, a 9% increase over the first half of 2008. Information-stealing Trojans are the most prevalent type of malware.

 

• Phishing has decreased. Analysts believe that banking Trojans are taking the place of phishing attacks geared toward financial targets. In the first half of 2009, 66% of phishing was targeted at the financial industry, down from 90% in 2008.

 

• URL spam is still number one, but image-based spam is making a comeback. After nearing extinction in 2008, image-based spam made a comeback in the first half of 2009, yet it still makes up less than 10% of all spam.

 

• Nearly half of all vulnerabilities remain unpatched. Similar to the end of 2008, nearly half (49%) of all vulnerabilities disclosed in the first half of 2009 had no vendor-supplied patch at the end of the period.

 


PRE-EMPTIVE PROTECTION

 

According to IBM, businesses need to adopt an approach of layered, pre-emptive security – the combination of people, processes and products referred to earlier. When it comes to the human side of the approach, there are some golden rules for people-management that can make your overall security strategy more effective:

 

• Enforce and impress: Familiarity breeds contempt, and maybe it’s the fact that we’re bombarded with virus and security scares on a daily basis that causes people to switch off. By providing your employees with regular updates on policies regarding security and actually following through and enforcing them, you’ll create a culture of vigilance.

 

• Be reasonable: Make it very clear to your staff what constitutes acceptable use of company networks and hardware – and be even clearer about the consequences for breaching them. Explain why security is an issue – a lot of the time employees don’t seem to make the connection between compromising company technology and the security of their own and their colleagues’ jobs...

 

• Standardise: You’re unlikely to win a popularity contest for it, but put in place rigid standards regarding external devices that can or can’t be used on the company’s network.

 

Similarly, be strict about the software employees are allowed to download and use on company laptops. And enforce them.

 


AND THEN THERE WAS MOBILE…

 

With the proliferation of mobile, and often personal mobile, devices, organisations now have to think about mobile security too. Research and analysis firm Freeform Dynamics suggests the following steps for companies to consider when defining and implementing an effective policy around mobile security:

 

• Always remember who is in charge. The personal nature of mobile devices coupled with early adoption activity among important and influential groups of users such as business executives, means that organisations often fall into the trap of allowing the user to call all of the shots. While working user opinion and preference into the equation is always desirable, this must not be at the expense of effective management of risks in the areas of security, privacy and compliance.

 

• Remind users of their obligations. Users may well have signed a contract of employment or received written policy statements relating to their responsibilities with regard to protecting the confidentiality of company information, but they rarely make the connection between this and their use of mobile technology.

 

• Spell out the risks very clearly. IT professionals, who are typically responsible for worrying about system security measures at a practical level, may regard most of the user- and usage-related risks we have been discussing as very obvious, and assume that it is the same for users. The reality, however, is that users typically only think of technology in terms of what it can do for them and how they can use it, so many of the risks to do with how it works and the environment within which it is being used really do not occur to them.

 

• Consider all aspects of mobile working. The trigger to consider mobile security is often an IT-led project, typically associated with the rollout of a new mobile data solution. It is important, however, to make users aware of the risks associated with the complete range of mobile working practices: not just the use of wireless handhelds, but notebook PCs, Internet cafés, home computers, removable storage devices and so on. It is also important to remember that not all of the equipment used for mobile working is provided by the IT department: the policy needs to take into account personal, as well as corporate, acquisitions.

 

• Make it easy for users to cooperate. Highly complex, onerous or inconvenient measures implemented in an attempt to achieve the highest possible levels of security are generally not very effective. Users will either ignore or find ways to work around them, and will always have a valid sounding excuse for doing so, at least enough to justify to themselves and perhaps to their boss that they were not knowingly acting irresponsibly.

 

• Provide the right kind of instruction. A few words of warning about security and privacy when handing a new device to a user does not constitute effective instruction. Users need to be taught about mobile security objectively and comprehensively in a manner or environment in which their attention and focus is properly held. Classroom-based training is ideal, but can sometimes be overkill, as instruction needn’t take that long and typically doesn’t require elaborate training aids. As an alternative, walkthroughs of risk scenarios and how to deal with them can typically be conducted in an hour or two with small groups in a relatively informal setting.

 

• Put the necessary support into place. Regardless of how well users are instructed, questions and issues will continue to come up from time to time that they will need support with or advice on. Ensuring that support personnel, if in place, are well versed with mobile security issues is an obvious move, as is exploring extended support options and advice available from mobile operators. In addition, many organisations find it useful to have a resource centre available on their intranet containing policy information, guidelines, tips, tricks, traps and so on. (Source: Freeform Dynamics)

 


MANAGING SOLUTIONS

 

With 98% of businesses suffering a “tangible loss due to security risks” at some point, it’s not surprising that many organisations are turning their focus to managed security services. In the e-business arena, where business success depends on organisations to a greater or lesser extent opening up their systems to those of partners or customers, managed services can help keep a centralised handle on everything – either completely in-house or on an outsourced basis.

 

It seems that an integrated, holistic approach that involves people and device management along with hardware and software solutions and a strategic approach offers the best defence. Where organisations do choose the managed or outsourced option, it is vital that they do not simply then sit back and think everything is all right and security is entirely someone else’s responsibility. Apart from the obvious importance of Service Level Agreements (SLAs), consideration should be given to areas such as industry experience, accessibility (having someone in the next province really isn’t a good idea), the provider’s willingness to invest in current technology and the availability of high-quality staff to manage it all. If you decide to keep things in-house, hold yourself up to the same standards.

 

In the end, due to the evolutionary and aggressive nature of security threats, all the procedures and technology in the world cannot guarantee absolute protection. Prevention as much as possible remains better than cure.
