September 2006 — PRINT EDITION

Small & insecure

By Yan Barcelo
Illustration: John Ueland

There has been significant improvement in overall IT security, but not necessarily in the little firms where key measures are scarily lacking

A Toronto travel agency bought more than 20 computers at the end of 2004. Very pleased with his purchase, the owner hired a high school student to take care of the network. Fast forward a few months down the road. The computers are constantly crashing, and the owner cannot understand why. Finally he calls in a technician from the computer company. The problem, the technician discovers, is a near total absence of security measures. The computers are deeply infected with viruses and spyware that slow their performance to a crawl and cause them to crash constantly. Sure, the owner had installed antivirus software when he bought the machines, but he had never thought to update it and had never performed the smallest data backup.

“This entrepreneur did not realize that cheap can be very expensive,” says Geoff Kereluik, vice-president of small and medium business at Hewlett-Packard, in Mississauga, Ont. “Worse, he didn’t see that computers represent, in his kind of activity, not his index finger or his right arm, but his spinal cord. His business couldn’t survive without them. Yet, the minimal things he’d done gave him a false sense of security.”

There has been a great improvement in overall computer security, but as the travel agency example shows, it has not necessarily happened in small companies. A recent research report by CA Canada, an IT management software provider (not connected to the profession), shows that while security threats are still growing dramatically, especially on the Internet, companies and organizations report less damage than they did three years ago. In 2003, 87% of companies reported lost workforce productivity as a result of attacks over the previous 12 months, and 12% reported lost revenue, customers or other tangible assets. In the last report, those two numbers stood at 76% and 11% — still quite high.

“When you compare the situation to that of a few years ago on issues like lost productivity, things are somewhat stable,” says Warren Shiau, lead analyst in IT research at marketing research firm The Strategic Counsel, which conducted the CA Canada survey. “The picture is very positive when you consider the growth of threats and areas of exposure. So defence has solidified.”

But the bad news is that many companies, especially small professional outfits, are quite lacking on the security front. “Our goal is to create a security culture, and that simply does not exist, especially in small and medium-sized companies,” says Jacques Viau, director of Montreal’s Institut de la sécurité de l’information du Québec, which is an information security support company.

The outer ring

For most small and medium-sized firms, security need not reach the fundamental levels sought by large organizations, though they can be just as sophisticated in some cases. Let’s begin with the components people usually associate with security: restrictive access devices such as passwords and the more high-tech fingerprint and iris readers. Passwords are the most readily available access control tool — and the least secure. “Passwords suck,” says Michel Kabay, associate professor of information assurance at Vermont’s Norwich University. “And they cost a lot of money to maintain. You have to pay administrators to tell people the password they keep forgetting.” Luckily, this can be overcome with software packages such as CA’s eTrust Identity and Access Management Suite, which allow users to reset their own passwords.

Fingerprint, iris or voice recognition devices have a fascinating Star Trek appeal, but they have drawbacks. For example, fingerprints can be replicated by plaster models, voice imprints can be reproduced via digital recorders, and the glass of an iris reader can become dirty. The handiest device, says Kabay, is a dynamic password generator such as SecurID. Such devices incorporate a chip, synchronized with a program in the company server, that randomly generates passwords. To use the device, users need a first password, which works as a primary security barrier. Having punched this in, they have only a few minutes to type the second password the device presents to gain access to the company’s IT resources. If they fail to do so, that password expires and they need to generate a new one. “If people refuse to use them based on cost, it’s unfortunate since it costs no more than a meal,” Kabay says, “especially since you very rarely lose them, not any more than your car keys.”
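The two-step login Kabay describes (a first password as the barrier, then a short-lived code from a device whose clock is synchronized with the server) can be shown end to end in a few dozen lines. The following Python is an added illustration, not code from the article or from any SecurID product: SecurID's own algorithm is proprietary, so this uses the generic time-synchronized HMAC construction of RFC 4226/6238 as a stand-in. The seed, user name, PIN and clock value are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# All names and values below are constructed for this example. The seed is a
# stand-in for the secret a vendor burns into a hardware token; it is shared
# with the server and never typed by the user.
DEMO_SEED = b"example-token-seed-not-a-real-secret"
STEP_SECONDS = 60      # the token shows a new code every minute
CODE_DIGITS = 6
DRIFT_STEPS = 1        # accept one step of clock drift on either side


def current_step(now: float) -> int:
    """Map a Unix time to the time-step counter both sides derive codes from."""
    return int(now // STEP_SECONDS)


def token_code(seed: bytes, step: int, digits: int = CODE_DIGITS) -> str:
    """Code the token displays for one time step: HMAC-SHA1 of the step
    counter, dynamically truncated to decimal digits (the HOTP/TOTP
    construction, used here as a generic stand-in for a vendor's algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """The first password is stored salted and stretched, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenServer:
    """Server side of the two-step login: first password, then token code."""

    def __init__(self) -> None:
        self.users = {}

    def enrol(self, user: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "seed": seed,
            "last_step": -1,   # highest step already consumed, to refuse replays
        }

    def authenticate(self, user: str, pin: str, code: str, now: float):
        """Return (accepted, reason). The first password is the barrier; the
        code must match the current step or a neighbour within DRIFT_STEPS,
        and the code for a given step can be used only once."""
        rec = self.users.get(user)
        if rec is None:
            return False, "unknown user"
        if not hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            return False, "wrong first password"
        if not (code.isascii() and code.isdigit()):
            return False, "code expired or incorrect"
        step = current_step(now)
        for candidate in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            if hmac.compare_digest(token_code(rec["seed"], candidate), code):
                if candidate <= rec["last_step"]:
                    return False, "code already used"
                rec["last_step"] = candidate
                return True, "ok"
        return False, "code expired or incorrect"


if __name__ == "__main__":
    server = TokenServer()
    server.enrol("alice", "4711", DEMO_SEED)
    now = 1_157_000_000.0   # a fixed clock makes the run reproducible
    shown = token_code(DEMO_SEED, current_step(now))
    print(server.authenticate("alice", "4711", shown, now))       # (True, 'ok')
    print(server.authenticate("alice", "4711", shown, now + 10))  # replay refused
    stale = token_code(DEMO_SEED, current_step(now) - 5)
    print(server.authenticate("alice", "4711", stale, now))       # expired
```

The two details that make such a device more than a second password are visible in `authenticate`: a code is only valid for a narrow window of time steps, and once accepted it is recorded so the same code cannot be replayed within that window.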

Passwords and access devices are obviously crucial to security, but they form the outermost ring. Without such devices, a user would be on the same footing as any potential hacker or wrongdoer trying to gain illegal access to the firm’s IT resources. That’s why along this outer ring, we find many other devices that people are increasingly familiar with because they are associated with the fast-rising problem of Internet threats: firewalls, intrusion detection and prevention systems, antivirus, antispyware and antispam software and virtual private network encryption.

Some companies, such as Websense and Surfcontrol, sell all-in-one modules that integrate many of the above functions. They are installed in a server at the point where the Internet connection enters the company, behind the firewall. Modules such as Websense Security Suite, which sells on an annual user licence fee of $25 to $50, block the most common Internet threats, but also keep spyware from clandestinely transmitting its information back to its contact site. They supervise access to authorized websites and control instant messaging and peer-to-peer transmissions. However, many specialists advise against depending on such universal devices and recommend equipping each computer in a company network with its own malware prevention software (antispam, antivirus and antispyware).

Another approach is to use outside service providers such as Bell Security Solutions or ESI Technologies. From a distance, these specialists monitor all activity in a client’s network components: servers, workstations, firewalls and switches. By keeping an eye on all parameters of these components, they can determine if a hacker attack has failed or succeeded and to what depth it has penetrated systems. Costs for such providers are about $100 a month per piece of equipment monitored. These suppliers and specialists such as Zerospam also track e-mail traffic in a firm to filter out spam, spyware and phishing contents. (Phishing, which is growing exponentially, is a type of e-mail that pretends to come from a respectable financial institution in order to get unsuspecting readers to give out confidential information that is then used to empty their bank accounts or run up their credit cards.)

The inner ring

A large part of security has to do with IT resource management and operations security. This means if you have certain types of data that are of greater value, you create tightly sealed security zones for it within the company network. You also make sure to encrypt them. Resource management also involves things as diverse as keeping a record of the company’s total IT device and software resource portfolio and assigning different user authorization levels and keeping them up to date.

Backup management is also a crucial component of operations security. Where are the backups kept? Are they verified? Are they encrypted? Who keeps the encryption keys? How do you get rid of confidential information? Does the frequency of backups reflect the rapidity of change or does it reflect activities in the company?
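The questions above, and the travel agency's missing antivirus updates and backups, are the kind of thing a small firm can check mechanically. The following Python is an added example, not code from the article or any vendor: it audits a constructed inventory of hosts against constructed policy thresholds (the field names, dates and limits are assumptions) and reports, per host, which of the controls the article asks about are missing, with the allowed backup age depending on how fast the host's data changes.

```python
from datetime import date

# Constructed inventory, modelled on the travel agency's situation: field names
# and values are assumptions made for this example, not a real product schema.
HOSTS = [
    {"name": "front-desk-1", "change_rate": "normal",
     "av_signatures": date(2006, 8, 30), "last_backup": date(2006, 8, 31),
     "backup_verified": True, "backup_encrypted": True, "offsite_copy": True},
    {"name": "front-desk-2", "change_rate": "normal",
     "av_signatures": date(2005, 1, 10), "last_backup": None,   # never backed up
     "backup_verified": False, "backup_encrypted": False, "offsite_copy": False},
    {"name": "booking-server", "change_rate": "high",
     "av_signatures": date(2006, 8, 31), "last_backup": date(2006, 8, 25),
     "backup_verified": False, "backup_encrypted": True, "offsite_copy": False},
]

# Policy thresholds are also assumptions; the backup limit depends on how fast
# the data changes, which is the question the article raises.
POLICY = {
    "max_signature_age_days": 7,
    "max_backup_age_days": {"high": 1, "normal": 7},
}

AUDIT_DAY = date(2006, 9, 1)   # fixed "today" so the run is reproducible


def audit_host(host: dict, policy: dict, today: date) -> list:
    """Return finding codes for one host (an empty list means compliant)."""
    findings = []
    sig_age = (today - host["av_signatures"]).days
    if sig_age > policy["max_signature_age_days"]:
        findings.append("AV_SIGNATURES_STALE")
    if host["last_backup"] is None:
        findings.append("NO_BACKUP")
        return findings        # the remaining checks need a backup to exist
    backup_age = (today - host["last_backup"]).days
    if backup_age > policy["max_backup_age_days"][host["change_rate"]]:
        findings.append("BACKUP_STALE")
    if not host["backup_verified"]:
        findings.append("BACKUP_UNVERIFIED")     # never test-restored
    if not host["backup_encrypted"]:
        findings.append("BACKUP_UNENCRYPTED")
    if not host["offsite_copy"]:
        findings.append("NO_OFFSITE_COPY")
    return findings


def audit(hosts: list, policy: dict, today: date) -> dict:
    """Audit every host; the result maps host name to its findings."""
    return {h["name"]: audit_host(h, policy, today) for h in hosts}


def worst_first(report: dict) -> list:
    """Host names ordered by number of findings, most troubled first."""
    return sorted(report, key=lambda name: len(report[name]), reverse=True)


if __name__ == "__main__":
    report = audit(HOSTS, POLICY, AUDIT_DAY)
    for name in worst_first(report):
        print(f"{name}: {', '.join(report[name]) or 'OK'}")
```

Run against real data, the same checks would come from the antivirus console and the backup software's job history rather than a hand-written list; what matters is that each of the article's questions maps to a concrete field that can be tested on a schedule instead of assumed.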

One rule to remember is that those who perform a task should be separate from those who supervise it. “The worst error is to place the security director under the supervision of the IT manager,” says Viau. “How can he be independent and how can you guarantee his integrity if he is going to be pressured by an IT supervisor who might want to justify imprudent decisions?”

Such mobile devices as portable computers, PDAs and intelligent phones are a growing part of the IT landscape and represent an increasing security threat. Mobile users often neglect to adequately protect their devices from theft. They also connect their devices to Wi-Fi hot spots and Internet sites, exposing them to infections that risk slipping into the company network when the devices are connected back to it.

Because they are so small, portable devices tend to be seen as corporate toys of little importance. This is regrettable. “Today’s portables can contain more information than mainframe computers of 20 years ago,” says Puneet Jain, senior marketing manager at Sony Canada. “Leaving your device without protection is like saying to robbers and industrial spies, ‘Look at all this information about my company I carry around.’”

To physically protect a portable computer, computer accessory supplier Targus sells the DEFCON 1 Ultra module for $49.99. It allows users to lock their device in place with a steel cable and arm a movement detection system. When the device is armed, the cable holds the computer in place and the movement detection apparatus emits a deafening 95 dB noise. Users must remember to disarm the mechanism when they pick up their baggage.

To protect the data in a portable computer, manufacturers such as IBM, Hewlett-Packard and Gateway insert a chip in their high-end products. The chip automatically encrypts all data on the hard drive. If a thief does pick up a computer, chances are he or she won’t be able to extract the data. Some suppliers include a fingerprint reader that acts as an enhanced protection system.

But the best protection for mobile devices is to keep users from carrying any sensitive data on them. IT managers would be well advised to force these users to connect to the company network through an encrypted VPN link to retrieve and store information they want to process on the road. The idea is to treat the mobile device somewhat as a remote dumb terminal.

The physical ring

Of course, data is the very core of what security strives to protect. But data becomes unavailable and useless when the machines in which it rests falter, crash or disintegrate. That’s why physical security and disaster recovery planning exist.

Physical security requires a good dose of common sense informed by years and years of practical experience, says Kabay. It does not mean only putting secure locks on the doors leading to the server room or installing surveillance cameras. It means also avoiding setting up a data centre in a high-crime area, near oil cisterns or against an external wall of the building. It means making sure door frames are securely anchored to the walls and that adequate air conditioning, backup power and generators are provided. “And don’t connect servers to accessible wall outlets where the janitor can just unplug them to put in his vacuum cleaner,” Kabay says.

Disaster recovery at small companies is inadequate. Many that did business in the vicinity of New York’s World Trade Center went under after September 11 not because their IT capacity was destroyed, but because they did not have the resources and the backup to bring it back online sufficiently fast. They were blind to the fact that, in the absence of disaster planning, their business could not survive more than a few days or a week without access to their data.

Recovery involves putting in place mirror systems for IT, telephony and data telecommunications. A recovery centre has to be separate from the main processing site and can take several forms. It can be active 24/7 and act as a support for the main operating centre, receiving regular updates of all crucial data. It can be a hot site, which can ramp up to full throttle inside 24 to 48 hours and take over the main IT activities. And it can be a cold site, which remains inactive until disaster strikes but which can be brought up to full status within a few days or a week. All depends on the initial planning phases, which should have determined how long the company can withstand the absence of its different IT systems.

Since small companies often don’t have the means to maintain a recovery site, they could consider coordinating a disaster plan with that of another small firm. Each can reserve a section of its servers to house the other’s key data and ensure operational capacity when the need arises. They can agree to make office and conferencing space available to greet employees in exile.

Disaster recovery should also include a plan for alternative telephony and data telecommunications networks in case the main ones become impaired. And the plan should not concern itself only with machines and software, but with people, too. Who will have authority if the president is disabled? Who will take over if the database specialist ends up at the hospital? How will employees get to work?

The crucial ring

The human factor is not only important in the case of disaster recovery; it is foremost all the time. Security experts agree. “Half of all security attacks are committed by members of the organization,” says Andrew Pridham, director of information security at CGI, an IT and business process service provider. “They are a willful contravention of acceptable use policies but not necessarily malicious.” In fact, most security problems humans generate stem more from incompetence and negligence than from malicious intent.

When negligent, employees will keep their passwords written on a pad near their computers or post the company e-mail address on websites, thereby inviting hackers to use it to flood the e-mail server with spam and spyware. When malicious, employees can pass confidential information to competitors or tamper with sensitive information. Employee negligence or maliciousness can be due to lack of management care and supervision, says Kabay.

The human dimension of security extends over hiring, ongoing management and firing. When hiring, the goal is to recruit personnel the company is confident about. That means doing background checks on prospective employees and on suppliers, such as the cleaning staff, that will have access to IT equipment.

Of course, management practices are paramount. Immediately after hiring, employees should go through training to be made aware of what they can and can’t do concerning the use of IT resources, surfing the Net, receiving and sending e-mail. A succinct and clear document outlining security policy and practices should be handed to all employees. It should state that all infringements will be punished. The company should also seek to reward good security practices, for example, by linking evaluation and promotion in part to good security performance.

Companies that don’t promote loyalty and honesty in their employees expose themselves to higher security risks stemming from employee negligence or ill will. Kabay points to companies that keep their eyes fixed on quarterly fluctuations only and are quick to lay off workers when business dips. “This revolving door policy that devalues human relationships is pernicious not only to security,” he says, “but to many levels of employee performance.”

Firing is a crucial variable in the security equation. Employees are the most dangerous when they resign or are fired. There have been cases where such employees plant viruses in the company network or use their passwords to access databases and steal valuable information. Obviously, security procedures should include the immediate cancellation of passwords and authorization codes assigned to an employee who leaves. Kabay recommends directing employees who leave to vacate their work area immediately and having security personnel accompany them as they pick up their personal belongings. At the same time, company policy statements should make all employees aware that such a radical procedure is not hostile and that the presence of guards should not be perceived as an attack on the integrity of the person. “The guards should smile,” Kabay says.
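"Immediate cancellation of passwords and authorization codes" is a control that can be checked rather than trusted, and it also covers the earlier point about keeping authorization levels up to date. The following Python is an added example, not code from the article: it compares a constructed HR roster (with departure times) against a constructed account directory to produce the list of accounts that should already be disabled, and then scans a few constructed, syslog-style authentication log lines for any activity under a departed person's name, which is the signal that the cancellation did not happen in time. Roster, accounts, log layout and user names are all assumptions.

```python
from datetime import datetime

# Constructed HR roster: user id -> moment the person left (None = still employed).
ROSTER = {
    "asmith": None,
    "jdoe": datetime(2006, 8, 31, 17, 0),
    "mlee": datetime(2006, 7, 15, 12, 0),
}

# Constructed account directory with entitlements (schema assumed for the example).
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "roles": ["sales"]},
    {"user": "jdoe", "enabled": True, "roles": ["sales", "db-admin"]},
    {"user": "mlee", "enabled": False, "roles": ["finance"]},
    {"user": "svc-backup", "enabled": True, "roles": ["backup"]},  # nobody on the roster owns it
]

# Constructed authentication log, in a syslog-like layout assumed for the example.
LOG_TEXT = """\
2006-09-01 09:02:11 vpn login user=asmith result=success
2006-09-01 22:47:03 db login user=jdoe result=success
2006-09-02 01:15:40 db query user=jdoe table=customers rows=18200
2006-09-02 08:00:00 vpn login user=mlee result=failure
"""

NOW = datetime(2006, 9, 2, 9, 0)   # fixed clock so the run is reproducible


def revocation_list(accounts, roster, now):
    """Accounts that must be disabled now: enabled accounts whose owner has
    left, plus enabled accounts with no owner on the roster (to be reviewed)."""
    out = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        left = roster.get(acct["user"], "missing")
        if left == "missing":
            out.append((acct["user"], "no owner on HR roster"))
        elif left is not None and left <= now:
            out.append((acct["user"], "owner left " + left.isoformat(" ")))
    return out


def parse_log(text):
    """Parse lines of 'DATE TIME service event key=value ...' into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue   # blank or malformed line
        ev = {"ts": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
              "service": parts[2], "event": parts[3]}
        for kv in parts[4:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def activity_after_departure(events, roster):
    """Events attributed to a user after that user's recorded departure;
    any hit (even a failed login) means credentials outlived the person."""
    hits = []
    for ev in events:
        left = roster.get(ev.get("user"))
        if left is not None and ev["ts"] > left:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for user, why in revocation_list(ACCOUNTS, ROSTER, NOW):
        print(f"disable {user}: {why}")
    for ev in activity_after_departure(parse_log(LOG_TEXT), ROSTER):
        print("after departure:", ev["ts"], ev["service"], ev["event"], ev["user"])
```

The orphan service account is reported separately from departed users on purpose: it is not necessarily wrong, but an account nobody on the roster answers for is exactly the kind of stale authorization the article says must be kept up to date.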

The security process

Too many firms believe security is a one-time affair. You slam into place a few devices or pieces of software, and that’s it. Wrong. “Security is an ongoing process,” says Serge Bertini, director of security solutions at CA Canada. “It’s not something you do once and forget about it.”

The security process begins at the highest strategic level of the company. As soon as management is made aware of all the security components, it should determine how security will be designed to support the company mission. It should also name a director of security with a clear set of responsibilities, one who will propose a general framework stating, for example, the company security policy, the areas where key interventions will be carried out and who will be responsible for assigning authorization levels.

A key phase of this strategic reflection deals with risk assessment to determine the key areas of priority. The assessment should detail what threats the company is confronted with (viruses, spam, unhappy workers, criminal groups, fire); the vulnerability level of systems submitted to these threats; and the impact that actual security incidents would have on systems and business operations. Of course, security interventions should first target systems where vulnerability is highest.

These security threats should not be formulated only in terms of information system risks, but also in concrete dollar terms, which managers and executives better understand. Talking the language of business will allow them to take a business decision instead of a technological one. Finally, the last step in the strategic reflection leads to writing an action plan. This is where all the concrete components of IT security specific to the company situation are chosen and balanced: specific access and authorization devices and procedures, Internet protection software and modules, mobile computing directives, authorized desktop and mobile computer configurations and employee education programs.
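Putting threats "in concrete dollar terms" usually means estimating, for each threat, what one incident would cost and how often it is expected per year, and multiplying the two; the product is the expected yearly loss, and a countermeasure is worth buying when the loss it avoids exceeds what it costs. The following Python is an added example, not from the article, that carries that reasoning through on a constructed risk register for a small firm (every threat, dollar figure, rate and control cost is an illustrative assumption) and ranks both the risks and the candidate controls.

```python
# Constructed risk register for a small firm. Dollar figures and yearly rates
# are illustrative assumptions, not data from the article.
RISKS = [
    {"threat": "virus outbreak on workstations", "sle": 8_000, "aro": 2.0},
    {"threat": "laptop with client data stolen", "sle": 25_000, "aro": 0.5},
    {"threat": "fire in the server room", "sle": 150_000, "aro": 0.02},
    {"threat": "departing employee copies database", "sle": 60_000, "aro": 0.2},
]

# Candidate countermeasures (also constructed), each with its yearly cost and
# the loss figures expected once it is in place.
CONTROLS = [
    {"name": "managed antivirus with automatic updates",
     "threat": "virus outbreak on workstations",
     "annual_cost": 2_500, "sle_after": 8_000, "aro_after": 0.3},
    {"name": "full-disk encryption on laptops",
     "threat": "laptop with client data stolen",
     "annual_cost": 4_000, "sle_after": 5_000, "aro_after": 0.5},
    {"name": "gas fire-suppression system",
     "threat": "fire in the server room",
     "annual_cost": 20_000, "sle_after": 150_000, "aro_after": 0.01},
    {"name": "same-day access revocation at departure",
     "threat": "departing employee copies database",
     "annual_cost": 500, "sle_after": 60_000, "aro_after": 0.05},
]


def ale(sle, aro):
    """Annualised loss expectancy: cost of one incident (SLE) times the
    expected number of incidents per year (ARO), in dollars per year."""
    return sle * aro


def ranked(risks):
    """Risks ordered from largest to smallest expected yearly loss."""
    return sorted(risks, key=lambda r: ale(r["sle"], r["aro"]), reverse=True)


def net_benefit(control, risks):
    """Yearly saving a control buys: loss avoided minus the control's cost.
    A negative value means the control costs more than the risk it treats."""
    risk = next(r for r in risks if r["threat"] == control["threat"])
    before = ale(risk["sle"], risk["aro"])
    after = ale(control["sle_after"], control["aro_after"])
    return before - after - control["annual_cost"]


def worthwhile(controls, risks):
    """(name, yearly saving) for controls that pay for themselves, best first."""
    scored = [(c["name"], net_benefit(c, risks)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for r in ranked(RISKS):
        print(f"${ale(r['sle'], r['aro']):>9,.0f}/yr  {r['threat']}")
    print()
    for name, saving in worthwhile(CONTROLS, RISKS):
        print(f"${saving:>9,.0f}/yr saved  {name}")
```

On these made-up numbers the fire-suppression system drops out of the list because its yearly cost exceeds the loss it would avert, while the cheapest control (cancelling access the day someone leaves) ranks second; that is the business-versus-technology decision the passage is pointing at, made visible.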

The key in all this is to remain aware that security is not a static condition but a dynamic process. As the situation of the company evolves, as it branches out into new ventures, new markets, new technologies, as personnel changes and matures, all the security components and procedures should adapt.

Security should not be an obsession; it should be a mindset, a series of habits and common sense decisions. You don’t let anyone access your computer without authorization or let a server sit in a hallway, just as you don’t leave the doors to your home unlocked and don’t install water pipes near a wall where they could freeze.


Yan Barcelo is a Montreal area journalist