With IT security now a boardroom issue and huge area of risk, companies have to balance the need for security with the need to do business. Stuart Fagg reports
There’s no doubt that the ongoing information revolution has changed the world as we know it in the past decade. In 1997, IT security was more likely to involve making sure the computer room was locked, than dealing with the myriad of evolving threats seen today. Indeed, one chief information officer at a major bank told me some time ago of an event that typified the ad hoc approach.
“It was when I was working for broker in London,” he says. “We were perplexed at the ability of one of our systems to reboot itself at the same time every morning. Engineers had pulled the system apart, renewed parts and did everything known to get to the bottom of the issue, until we realised it was the cleaner. Every morning the cleaner would go into the computer room, unescorted and unchallenged, to wipe her feather duster over absolutely everything, the reset switch on the front panel being so sensitive that it would reboot quite easily as she brushed past. I still cringe today when I see cleaners in computer rooms.”
These days, however, things have moved on. The online environment has revolutionised business models, particularly for organisations that previously utilised face-to-face dealings as their main contact point with customers. For financial institutions, the move to online platforms has realised massive cost savings, far outweighing the tens of millions of dollars lost to online fraud of the major Australian banks and their customers.
Indeed, financial institutions’ products present unique challenges, given their ‘virtual’ status. “Banking is effectively virtual,” says Richard Johnson, head of architecture, research and cyber crime at Westpac. “You can’t pick it up, you can’t hold it, and there are even very few passbooks nowadays … So it really is a digitised and virtualised product which is why information security is so integral to what we do. This is one way of conceptualising the alignment that we operate in so there’s a bit of information on that slide. But essentially it’s saying when we think about protecting our assets – and everything is about integrity and confidentiality, availability of data.”
But while the sophistication of online business has grown massively in recent years, so have the threats. Perhaps the biggest and most visible threat to banks has been phishing, which made its debut in 2003. That was followed in 2004 by malware (software used to penetrate and computer systems without alerting the user). Post-2004, malware began being designed to be for profit and used in conjunction with organised crime and spammers.
“When you really start to look at last year and into this year – as you will read in the press and so forth –some fairly sophisticated malware, in the way it works with encrypted subroutines, anti-analysis capability, virtual machine awareness, the ability to disable itself if it thinks it’s being analysed,” Johnson says. “It’s very under the radar, not noticeable. This is where our focus is; working with all of the various people in the industry and outside in law enforcement on counteracting this. There’s been a lot of good work in this country on developing techniques that can shut a lot of this stuff down before it even actually occurs, which is good.”
Looking after customers
Those whose IT security issues include problems created by the use of online customer environments, must also balance their security needs with ease of use, particularly given the importance of maintaining trust in the online delivery channel. Trust can be severely undermined by a user experiencing an attack or a heavy handed approach to authentication. That says, Westpac’s Johnson suggests there is valuable intelligence to be gleaned from security activities. “All of the work that we do in cyber crime – in addition to actually shutting down any instances of criminal [activity] as they occur – then leads to other work in terms of improved fraud detection systems or capabilities to identify spurious or unusual transactions,”he says. “But also into bolstering the security of our online channel. Like most financial institutions we’ve gone through a range of initiatives over time in locking down and securing our channel, the electronic channels, and making sure that usability and business values are maintained, but also that trust in the channel is maintained.”
While there’s no doubt that external security threats require constant vigilance in the world of e-commerce, the growing amount of required authentication for internal systems is also a challenge. In an average, medium-sized company, an employee will have many ‘repositories of identity’ in the organisation, covering everything from internet proxies to voicemail. And with many organisations using electronic HR and other systems, repositories of identity are on the increase. Whittling these multiple identify footprints down, is a massive challenge.
“Our electronic HR system is effectively focusing on getting a single source of truth, which again, anyone in the industry will know that’s quite difficult,”Johnson says. “If you think about how many repositories of identity you have in your enterprise, there are many and they’re often not integrated. And there are many, many numbers on the system that actually identify you; everything from internet proxy, through to LAN log on, through to application log on, database accounts, email, voicemail. There’re a lot of identities that are ‘you’ on the system. So the first challenge is being able to integrate and centralise all, or at least federate those different aspects of you if you want to ultimately get towards something close to single sign-on and a more efficient and safe access control method.”
Access control, however, becomes even more difficult in the increasingly mobile business world, one where personal and corporate technology often converge. For example, the use of company technology at home is increasing as is the use of personal storage capacity (flash drives etc) on corporate equipment. “It’s not necessarily the bad person on the outside with a malicious intent targeting you,”says Williams.
“It’s the potentially the naïve or ignorant internal employee who has no malicious intent at all but who has exposed their own machine. By ‘machine’ I don’t necessarily mean your laptop. Even from an IBM perspective, we’ve got a high level of workplace security: from physical (we bolted the desk down) to electronic, with the latest whatevers we need to have on it. But your PDA devices, your mobile phone [are a risk]. How often would the bulk of people actually know how to truly protect their mobile phone?”
And while employee mistakes are a growing source of security woes, so are employees and service providers who have definite intent. “The technical sophistication of hackers has dropped and now it’s really anybody who gets access to sensitive data,” says Bryan Sartin, global director for investigative response at Verizon Business Security Solutions powered by Cybertrust, which investgates IT security breaches.
“Who has access to it? Insiders are one but there is a particular threat from partial insiders. I’d say as many as two-thirds of the cases we’re investigating now are situations where it might not be an employee. An actual employee would be about 10 per cent of the cases, an inside job. But somebody who that company has trusted with access to their data. They tend to be vendors, call centres, somebody who sold them a software package or sold them an application like a transaction server or a database.”
Security in a virtual world
Virtual worlds, such as the high profile Second Life, which claims to have close to 2 million 'residents' globally are becoming an increasingly potent marketing and networking tool for businesses. The ABC owns a virtual island in Second Life, while Telstra owns three. Dell, Toyota, adidas and IBM are among the global icon companies that have built bases in the virtual world.
However, according to Gartner analyst Stephen Prentice, there are major risks involved, notably brand and reputation risks. "Virtual graffiti and 'griefing' (disrupting events or locations with antisocial behaviour) are commonplace, and although direct attacks on individual avatars [resident's characters in Second Life] are rare, they can be surprisingly disturbing to the individuals who are attacked," he says. Protecting intellectual property is also a major issue.
"Uncontrolled virtual worlds represent an environment fraught with danger for enterprises that are sensitive to brand and reputation issues," Prentice says. "Enterprises should exercise extreme caution in their virtual-world activities. Enterprises that are sensitive to brand and reputation issues should consider confining their activities to controlled virtual environments to minimise (but not eliminate) their potential exposure."
Executives are also concerned that Second Life, like other networking sites such as Facebook, MySpace and YouTube, lead to significant amounts of time and bandwidth resources being wasted.