WHITEPAPER - Internet Security and Business
By Cloud Direct • 29 May 2014
Introduction - the key issues at stake
The Internet is now indispensable. In the current commercial environment, businesses have no other choice but to connect all or part of their network to the rest of the world to allow them to stay in contact with their customers, suppliers, partners and employees.
In parallel with this growth in Internet connectivity in businesses, new threats emerge regularly, particularly in the guise of hackers, industrial espionage, computer crime, etc.
These threats typically take the form of theft of business assets or intellectual property; they cause the shutdown or failure of the information systems in place, damage businesses' images and reputations and alarm consumers.
Unless businesses can rely on solutions allowing them to eliminate most of these risks proactively, it is highly unlikely that they will be able to make use of the tremendous potential that the Internet offers in the development of their business.
The conventional data security approach is not sufficient. In spite of several decades of research in the area of data security and more than one hundred products and items of equipment available on the market, the hazards associated with Internet use are continuing to grow exponentially.
The increased complexity of the Internet and its applications, the determination of businesses to provide users with more services and content, the need to interconnect a growing number of items of equipment help undermine the security of IT environments.
Security based on product installation remains insufficient for various reasons:
- Ongoing detection of new vulnerabilities within systems and applications,
- Continuous development and improvement of tools used to attack systems,
- Need for regular patch installations on security equipment essentially due to its imperfection.
As a result, the corporate network becomes vulnerable at an increasing rate.
Security depends on individuals. In the event of attacks, the network configuration or security equipment installed is of little importance. It is also of little importance who the person responsible for defending the information system is. The only way not to be affected by new vulnerabilities or new attacks lies in detection methods and the solutions that can be applied.
If we compare the situation to the real world, it is characterised by alarm systems and the use of security services. For permanently on-line corporate networks, the equivalent is a monitoring solution.
A business needs the best skills available to defend its system when it is subjected to attacks. The business also needs to detect attacks or vulnerabilities instantaneously and provide effective solutions. To access all these services, businesses need to supervise their systems, which an MSSP (Managed Security Services Provider) would typically propose in its service offerings.
Network security monitoring remains one of the key components still lacking in most corporate data networks. Monitoring provides immediate information on the effectiveness of the security policy set up on a network. This information is updated in real time, as new attacks, new threats, software updates and system configuration modifications develop. Monitoring may be compared to a window on network security. Without this window, the company's security or information system manager would be blind.
Monitoring takes on a strategic aspect wherever network security is set up.
Definition of the security services market
One can define the security services market as activities relating to the planning, architecture definition, implementation and management (administration) of corporate network security.
Consultancy, integration, implementation, monitoring and administration services represent the majority of the services currently available on the market. However, training and education services specific to security are also included in this sector. The different offers comprising these sub-sectors are defined below.
Security consultancy services include:
- The security audit
- Intrusion tests
- Security architecture and design analysis
- Security policy and strategy planning
Integration and implementation services include:
- Purchase of hardware and software
- Secure network architecture integration
- System migration
- Performance tests
- Skills transfer
Monitoring and administration services are conventionally offered round the clock, seven days a week and are carried out remotely. Typically, the services in the sub-sector include:
- Equipment administration services (routers, servers, Firewalls, VPN, etc.)
- Vulnerability prevention services
- Off-site data backup and archiving
- "Log" monitoring services (hardware and applications)
- "Anti-Virus" administration
Security is important
While the development of information system security was initiated by the desire to protect sensitive military and scientific information, the arrival of the Internet has brought about a number of changes.
Indeed, one of the promises of the Internet is to offer a genuine mirror of society. Users use the Internet to do a large number of things that they do in real life: have private conversations, store personal documents, sign letters or contracts, talk anonymously, play, vote, publish electronic documents, etc. All these actions rely on the concept of security. For this reason, data security is a fundamental factor in the development of Internet technologies, making it possible to transform the Internet into a genuine tool enabling a business to develop. The limits of security correspond to the limits of the Internet. All businesses and users have security-related needs.
The risks are real. Most security-related problems currently stem from direct risks associated with hacking such as the theft of commercial secrets, customer information, etc. In parallel, productivity losses related to data security problems are the subject of discussion. What are the business's losses if the e-mail system is down for two days? Or, if several people are assigned to restarting the information system after an intrusion?
For example, these global losses are estimated at billions of dollars for viral attacks such as "I LOVE YOU", with a large proportion attributable to productivity losses.
In addition to direct risks, risks of indirect losses are even more important: loss of customers, damage to company image or theft of customer credit card numbers. In parallel, other indirect risks are developing: European countries in general and the UK in particular have very strict legislation on personal data protection. Businesses may be held responsible if they do not have procedures to protect their customers' private data.
Despite all the risks it may represent, businesses have no other choice but to be present on the Internet. The attraction of new markets, new customers, new sources of income and new business models is so strong that businesses will move to the Internet, irrespective of the risks. There are no other alternatives at the present time. For this reason, data security is of paramount importance.
The inadequacy of conventional security solutions
A few years ago, network security was relatively simple. No-one had heard of DoS (Denial of Service) attacks resulting in Web server failures, security faults in CGI scripts or the latest vulnerabilities in Microsoft Outlook Express.
Gradually, Intrusion Detection Systems (IDS), public key infrastructures (PKI), smart cards, VPNs and biometric protection solutions emerged. The new services set up on corporate networks, mobile terminals or other types of hardware regularly put network security to the test. Today, the product offering on the security market is made up of over one hundred references and all these offerings promise total security. These promises are regularly not kept, but it is still possible to hear company directors state: "of course my network is secure, we have installed a firewall".
If the Internet has taught security professionals anything, it is that the concept of security is relative. Nothing is invincible. What is secure today may well not be secure tomorrow. In view of this observation, even large corporations can be attacked by hackers.
Inside attacks should not be forgotten. While attacks initiated and carried out exclusively inside the business do not represent the strongest threat, over half of attacks involve a person inside the business under attack and an outside accomplice.
The direction in which the security market is moving is no longer towards new products but towards innovative processes.
Security and risk management
When network administrators are asked about the reasons for their security needs, they describe the threats to their information system such as modifications to the appearance of a website, data corruption or loss, denial of service (DoS) attacks, viruses and Trojan horses, etc. This list seems to be without end and new events relating to information system attacks prove that these threats are more real than ever.
If the same administrators are asked about the assistance offered by security technologies, they will mention how to prevent attacks. This represents the conventional idea of data security stemming from mentalities in the IT sector: define existing threats and set up technologies to prevent them, including simple and somewhat obvious online data backup so that data recovery is possible after attack.
Businesses manage the risks involved according to their own activity. Data security is part of the process implemented. Several methods exist, depending on the business's specific context.
Take for example the case of a house. When the plans are being drawn up, the customer and the architect can call on a specialist to advise them on the choice of the types of windows, shutters, armoured doors, or alarms according to the assets to be protected. All this equipment provides protection against theft. This approach helps reduce the risk of burglaries with the aid of technologies.
System vulnerability detection, prevention and responses
With the events of the 11th of September, 2001, the development of Internet access in businesses and various virus attacks such as Nimda or Code Red, businesses have reviewed their security policies. Data security has not been left out. In a context where attacks and vulnerabilities are on the increase, implementing a system vulnerability detection, prevention and response policy is more than ever an essential factor in the overall corporate information system security policy.
The vast majority of security tools available on the market are sold as a set of measures intended to prevent disease from appearing or spreading:
- Encryption prevents espionage,
- Firewalls prevent unauthorised network access,
- PKIs prevent identity impersonation,
- Online backup allows fast data recovery and minimises downtime.
In the real world, a house with armoured doors and an alarm system has protection that is rated for a defined period of time. Armoured doors are conventionally sold to withstand attempted entry for a determined time in minutes or hours. This also applies to safes, and the principle is roughly the same for data security.
The life cycle of a vulnerability ranges from its detection to the time when a patch is available and installed. It generally takes several days to several weeks for the patch to come out and sometimes several months for it to be installed on the hardware and application installed base.
The average time required between the detection of the vulnerability, its notification and distribution is approximately three days. Therefore, continuous vulnerability evaluation is essential to maintain the security level of a business on a constant basis.
Network security monitoring
It is noted that an increasing number of businesses will progressively turn to monitoring services which are essential for an effective data risk management strategy. Information system managers must now account for investments in monitoring services for the overall management of risks associated with the information system.
In the real world, building surveillance involves several factors: door sensors, cameras to monitor the outside of the building or the car park entrance, a central alarm system which is activated when a sensor is triggered, etc. Building security also requires the definition of a response procedure when alarms are activated. In concrete terms, this is characterised by transmission of the alarms to a security firm or the nearest police station. Without this, the security is ineffective since no one can counter the attack in the event of intrusion.
It is possible to draw a parallel with network security, which requires a number of similar factors. Network security involves a series of detectors within and around the network. All network devices (routers, servers, firewalls, etc.) supply a continuous flow of data when in operation. Intrusion Detection Systems (IDS) send messages when they identify a specific event.
The first essential point is to provide a certain form of intelligence to the alarms. Network attacks can sometimes be very subtle and essentially depend on the context. To meet these requirements, it is essential for solutions to be open to all types of hardware and applications.
The set-up of an intelligent alarm requires human intervention to analyse what the software finds to be suspicious and detect the causes initiating the alarm in detail. Only experts with an understanding of the context are capable of distinguishing between harmless alerts and genuine attacks.
However, an alert alone is not sufficient. Prior definition of a security policy makes it possible to define the level of criticality of an attack or vulnerability, and is based on an incident handling and escalation procedure. The most important thing is knowing how to respond. This represents the second essential point of network monitoring. There is a response to every attack. This response may be as simple as blocking an IP address, but may also require the total disconnection of the network. Once again, in this context, human intervention remains essential.
The risks associated with network security will continue to exist and develop. The number of tools used to generate malicious attacks on information systems is growing. In addition, these tools are available on the Internet and, as such, accessible to everyone. In parallel, hackers are increasingly young and do not have much time (around 15 minutes) to enter a system before being detected.
In view of the recent reports published by CERT, the number of vulnerabilities detected in 2001 had doubled compared to the prior years. Conversely, the significant decrease in the number of updates distributed by suppliers or publishers in 2001 is related to two facts:
- Updates undergo an increasing number of tests (hence a reduction in incorrectly developed updates or updates which do not completely resolve a problem)
- Security updates that correct several vulnerabilities at the same time are more frequent.
Given the increase in the speed at which vulnerabilities are disclosed, spot security audits are insufficient even if they are conducted on a quarterly or half-yearly basis. Without continuous information on their level of security, businesses are not protected.
While security equipment is essential, it will not solve overall Internet security problems any more than it solves security problems in the real world. Some attacks bypass the procedures implemented and new threats sometimes cause equipment failure. In spite of this, the openness of corporate information systems with the outside (customer and supplier partners) continues to rise. Information system managers need to identify attacks and must be able to respond to new types of threats.
Therefore, data security is synonymous with vigilance that involves continuous monitoring of the security level. However quickly data security technologies develop, security alarms and services will remain at the core of the problem resolution.
Automation of some tools is inevitable and facilitates the execution of some tasks, but it seems unlikely that all security-related processes will become fully automated. Therefore, the key to security lies in human intervention and analysis that is performed when alarms are transmitted.
The ideal solution consists of managing risks in an acceptable way, using technologies and procedures that do not affect the business's activities. One of the basic damage limitation measures a business can put in place is using online data backup. This ensures that, as a minimum, key business data is protected and recovered quickly in the event of loss, as the data is kept off-site in secure locations.
When an attack takes place, it is not enough to assign this management to an often overworked network administrator. The business will need considerable security-related skills to provide a rapid response to this attack. For this reason, businesses will increasingly call on specialised outside experts who will be responsible for security management and monitoring.
These different factors justify the importance of offering round-the-clock services, since attacks are independent of place and time.
Security management and monitoring services are a combination of experts, processes and equipment that together set up a secure information system environment within the business.
This commitment on the part of a service provider is an essential factor of the security service offering. This type of contractual commitment should develop on the security service market since it meets businesses' needs, guaranteeing that security management and monitoring services are carried out correctly.