Adequate security

Even a basic written policy on information security cuts out some of the main risks to a business, says Chris Knowles from Computacenter. It is surprising that so few companies have one.

Most UK companies recently surveyed spend approximately one per cent of their IT budget on security, well below the recommended spend of three per cent of IT budgets, or 10 per cent of IT budgets in the case of financial services companies. Only 27 per cent of companies spend more than one per cent of IT budgets on security. It is important to remember that security spend needs to be justified in terms of business benefit and return on investment (ROI) with a comprehensive cost/risk-benefit analysis, especially as you need to be sure that any security spend can be fully explained to your board members.

So what technologies are companies currently spending their security pounds on? Research by industry analysts suggests that the most highly implemented network security elements are server and workstation security, network perimeter firewalls, and remote access and authentication services. The aim for many enterprises is to secure the visible weaknesses in their environments and to develop new security architectures.
Where to start implementing IT security
Any enterprise wanting to make improvements in security must take a broad view of its information assets and understand their value as well as the threats to these assets and their vulnerabilities. The first thing a company should then ascertain is whether or not there are any existing company security policy documents. A security policy is a formal published document that defines roles, responsibilities, acceptable use and enterprise security practices. Very few companies have a formal written security policy in place; however, if there isn’t one to refer to, how can you determine whether or not you’ve applied all the correct security measures? With even a basic security policy in place, organisations can go some way to alleviating some of the key risks to their business. For example, according to Gartner: ‘90 per cent of security breaches take advantage of poorly configured or unpatched servers; such breaches are easily preventable if security processes are followed.’ Companies with existing security policies generally have a far greater understanding and appreciation of why they need to manage the confidentiality, integrity and availability of their information assets than those without such policies. Nevertheless, if you are considering implementing a security policy framework, Computacenter recommends that the policies are not created in isolation.
As Gartner comments: ‘Because a security policy affects all parts of an enterprise, it should be created by a collaborative process that involves participation from the IS department, human resources (HR) and legal, administrative and executive business teams.’ But adequate security isn’t just about policies, especially if it’s to be the business enabler that it should be. It’s about making services, applications and information securely available at the right cost, to the right people, at the right time, and from the right place. Only by understanding how end-user services are delivered and by conducting a companywide audit can you assess the risks and vulnerabilities they are subjected to. It is essential to look at the bigger picture; IT security extends beyond protecting against the actions of recently terminated employees to unknown threats and risks. As a result of carrying out such an audit, the areas you need to prioritise, address and subsequently manage will become evident.

From the findings of its Security Breach Survey for 2002, the DTI has compiled a checklist to help companies who are looking to implement security solutions:

1. Staff education – create a security aware culture.
2. Have clear, up-to-date security policies in place.
3. Assign dedicated staff to security – as well as using external consultancy staff as needed – policing the policemen.
4. Evaluate security spend and the ROI on that spend.
5. Build security into all IT requirements rather than trying to bolt it on later.
6. Keep technical defences up-to-date – patched server operating systems, etc.
7. Put in place procedures to ensure compliance with regulatory requirements.
8. Have contingency plans to respond to a serious security breach or incident.
9. Understand the status of insurance coverage against damage from a breach.
10. Test compliance with your security policy – audits, penetration tests, etc.
Different approaches to security

Many data security issues are common sense: just as you wouldn’t drive a car on the road without brakes, you shouldn’t put unprotected web servers on the Internet. The risks are simply too great. Adequate IT information security is about being able to reduce those risks by continually:
Protecting: sufficiently recognising, prioritising and protecting your organisation’s information assets by acknowledging the wide abuses they could be subject to because of their importance, uses and location. This primarily involves business issues concerning people, policies and processes.

Detecting: being able to recognise abuses no matter who or what is responsible for them. This involves people, policies, technology, settings and processes.

Responding: defending your assets from misuse either automatically, with rapid decision-making, or even with manual intervention, to stop the misuse.

The word ‘continually’ is key here. IT security is not about buying hardware and software, setting it up and then forgetting about it. New risks and vulnerabilities occur every day, especially as hackers get smart to new technologies and applications. Adequate security requires continual assessment and vigilance by your security team, excellent processes and thoroughly planned, quality-controlled updates.
The ‘Seven Rules’ approach

A rather simplistic yet more pragmatic way of looking at IT security is the ‘Seven Rules’ approach to website security, which Computacenter has updated below so it can also apply to networks:
1. Have/create a security plan
Have a solid security plan and adequate policies in place – ideally before you open your new systems to real-world users and hackers! Also, ensure that you conduct regular vulnerability assessments and penetration tests on all your systems.
2. Understand your risk levels
Regular assessment lets you set the levels of risk you are taking and relate them to your ‘adequate’ security protection posture. It is important to remember that while security is an enabler, it also takes both time and money to implement, so systems should not be made substantially more complex for end-users. For instance, you may want a simple password system to allow users to access low-value information services but more complex authentication and authorisation procedures for more confidential, sensitive or valuable information. A leading IT portal, CW360.com, recommends using at least an eight-character password that doesn’t relate to users’ lives and isn’t made up of dictionary words or dates. It suggests that ‘a password must be easy for the owner to remember, yet resist intuitive cracking’. And that’s the problem, and why in real life they are usually so insecure!
3. Don’t depend on firewalls
You need them, but there’s more to a complete security system than just adding one to external connections to your local area network. Firewalls are often single points of failure, so work out the implications of losing connectivity or external access to systems. What’s the risk or cost to your organisation? Don’t forget to consider HA (high availability) solutions. A badly configured firewall is often more dangerous to an organisation than no firewall at all, so make sure that when you set up rules for usage, you have stringent testing procedures to reveal any potential loopholes, and examine daily firewall logs correlated with your other network security log information. According to Vnunet.com, approximately nine per cent of firewalled networks suffer security breaches. Computacenter’s recommendation is to be aware that, at heart, a firewall is a dumb protocol-rules and packet-inspection engine – a single defence layer that can be compromised – so even if it’s set up correctly, you always need more protection layers!
4. Have an access policy
Have an access policy and ensure that it is adhered to. As is common in most environments, you will need different levels of user access. You want customers to buy goods online, but you do not want to provide hackers with an open door to your system and data. You also want to authenticate remote and teleworkers more stringently, as well as their system authorisations and privileges. Access via wired or wireless connections and devices needs to be examined to ensure that it is secure. Strong authentication and encrypted virtual private network (VPN) links are a good place to start.
5. Test, test, test
Get somebody else to test your security regularly. Ethical hackers and security service providers are now being employed by companies such as IBM to break into client networks and find their weak spots. Whilst it may be worrying to think that you are offering someone else the chance to break into your system, it is essential to independently test your systems and act upon the findings of those tests.
6. Keep monitoring
Monitor your security regularly, ideally using software-alerting and management tools, and ensure that results are analysed. This may sound obvious, but companies often don’t check and review security procedures once they’re in place, and regular monitoring can identify any changes that need to be made as your network and/or your website’s functions and capabilities evolve.
7. Plan for disaster
Have plans in place for when it all goes wrong. This should be a natural progression from the vulnerability assessment, but it is often forgotten about. All organisations should have contingency plans, covering areas such as who should be contacted in the event of a breach, what back-up systems are required and/or disaster recovery provisions. Vnunet.com suggests that seven out of ten companies have no disaster recovery strategy in place and that a serious systems crash would put their companies in dire straits.

Whilst these approaches may appear simplistic, they do communicate the basic need for you to start establishing some form of framework that works within and supports the maxim ‘some security is better than no security’.
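The CW360.com password rule quoted in rule 2, as an added example that is not from the article: a Python check for the minimum length, dictionary words and dates. The word list is a constructed sample, and the ‘relates to users’ lives’ test is approximated by rejecting any personal detail the caller supplies; both are assumptions of this example.

```python
import re

# Constructed sample word list; a real check would load a full dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "summer", "london", "dragon", "monkey"}

# Date shapes commonly used as passwords: 25121990, 25/12/1990, 251290, 1990, dec1990.
DATE_PATTERNS = [
    r"^\d{2}[/\-.]?\d{2}[/\-.]?(\d{2}|\d{4})$",
    r"^(19|20)\d{2}$",
    r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2,4}$",
]

def _letters_only(pw):
    """Strip digits and symbols so that 'Dragon1!' is still caught as 'dragon'."""
    return re.sub(r"[^a-z]", "", pw)

def check_password(password, personal_details=(), min_length=8):
    """Return a list of violated rules; an empty list means the password passes."""
    violations = []
    pw = password.lower()
    if len(password) < min_length:
        violations.append("shorter than %d characters" % min_length)
    if pw in DICTIONARY_WORDS or _letters_only(pw) in DICTIONARY_WORDS:
        violations.append("is a dictionary word")
    if any(re.match(p, pw) for p in DATE_PATTERNS):
        violations.append("is a date")
    # Assumption: 'relates to the user's life' is approximated by rejecting any
    # caller-supplied personal token (surname, birth year, pet's name) found in it.
    for token in personal_details:
        if len(str(token)) >= 3 and str(token).lower() in pw:
            violations.append("contains personal detail %r" % token)
    return violations
```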
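Rule 3’s advice to examine daily firewall logs correlated with your other security logs, as an added example that is not from the article: a Python correlation that flags a source whose burst of firewall denies is corroborated by an IDS alert, and escalates the finding when the same source then achieves a successful login. The log lines and their formats are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs; the line formats are assumptions for this example, not a product's.
FIREWALL_LOG = """\
2002-11-04 03:12:07 DENY TCP 203.0.113.45:51234 -> 192.0.2.10:22
2002-11-04 03:12:09 DENY TCP 203.0.113.45:51235 -> 192.0.2.10:23
2002-11-04 03:12:11 DENY TCP 203.0.113.45:51236 -> 192.0.2.10:445
2002-11-04 03:15:30 DENY UDP 198.51.100.7:4000 -> 192.0.2.10:161
"""
IDS_LOG = "2002-11-04 03:12:40 ALERT portscan src=203.0.113.45 dst=192.0.2.10\n"
AUTH_LOG = """\
2002-11-04 03:13:05 sshd Accepted password for admin from 203.0.113.45
2002-11-04 09:00:00 sshd Accepted password for alice from 192.0.2.50
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
IP = r"(\d+\.\d+\.\d+\.\d+)"
FW_RE = re.compile(TS + r" DENY \w+ " + IP + r":\d+ -> ")
IDS_RE = re.compile(TS + r" ALERT (\S+) src=" + IP)
AUTH_RE = re.compile(TS + r" sshd Accepted \w+ for (\S+) from " + IP)

def _parse(log, regex):
    """Yield (timestamp, *captured fields) for every line the regex matches."""
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),) + m.groups()[1:]

def correlate(fw_log, ids_log, auth_log, window=timedelta(minutes=10), min_denies=3):
    """Map source IP -> finding for sources whose firewall denies are corroborated elsewhere."""
    denies, alerts, logins = defaultdict(list), defaultdict(list), defaultdict(list)
    for ts, src in _parse(fw_log, FW_RE):
        denies[src].append(ts)
    for ts, sig, src in _parse(ids_log, IDS_RE):
        alerts[src].append((ts, sig))
    for ts, user, src in _parse(auth_log, AUTH_RE):
        logins[src].append((ts, user))
    findings = {}
    for src, times in denies.items():
        times.sort()
        # Burst test: at least min_denies denies from one source inside one window.
        if not any(times[i + min_denies - 1] - times[i] <= window
                   for i in range(len(times) - min_denies + 1)):
            continue
        first, last = times[0], times[-1]
        # Corroborate with IDS alerts around the burst; a later login from the same source escalates it.
        sigs = [sig for ts, sig in alerts[src] if first - window <= ts <= last + window]
        users = [user for ts, user in logins[src] if first <= ts <= last + window]
        if sigs:
            findings[src] = {"severity": "critical" if users else "high",
                             "denies": len(times), "ids": sigs, "logins": users}
    return findings
```

A single source with a lone deny (198.51.100.7 above) is left alone; only the burst that the IDS also saw is reported.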
Conclusion

Security is clearly becoming a big issue for enterprises; however, not all companies have yet adopted sufficient security measures. There is no great mystery behind information security, and there are a number of roadmaps out there to help you, no matter how basic or sophisticated your business, to prioritise and create an ROI for every layer of security you adopt. The key message is that it’s important to start considering the risks, build companywide security policies and justify the deployment and management of security technology within all your new IT initiatives. User education is also imperative to the implementation of a successful IT security solution and should be built into any security solution. However, it must be recognised that security is not an end in itself: it enables businesses to protect themselves from major threats in their operating environments and to carry out processes and transactions that are otherwise too risky to carry out. Importantly, it is a continual process of assessment and evaluation.
Businesses change, IT infrastructures change and, unfortunately, attackers get smarter. Deploying the right security technologies is by no means an easy task. As George Anderson at Computacenter comments: ‘Security is a key component that must cut across the infrastructure stack no matter what the layer. It’s essential that organisations take a holistic approach – a single weakness can mean that the walls come crumbling down.’

The Computacenter Security Practice specialises in providing vendor-independent information security solutions, consultancy and services to the public and commercial sectors, often in the role of a trusted security advisor. As our customers have opened up their networks to embrace new and interactive technologies, and in response to the greatly increased risks that have made tight security business-critical, Computacenter has developed a breadth and depth of skills and expertise in the IT security services sector.

For further information contact: Computacenter (UK) Ltd, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW. Email: enquiries@computacenter.com; Website: www.computacenter.com