In today's over-regulated environment, network managers and CIOs face a new responsibility: proactive, holistic IT security.
September 1, 2005
Whenever the subject of network security hits the airwaves, network managers and CIOs know they have a problem on their hands. Once again, they are under the magnifying glass as senior execs and investors demand reassurance that ‘this cannot happen to us.’
In August, media reports gleefully spread word that the Internet worm Zotob had hit venerable U.S. news outlets including CNN, ABC and The New York Times. CNN said it experienced computer failures in Atlanta and New York, causing delays in programming, while ABC had computers on the East and West coasts affected.
Zotob exploits a flaw in Windows 2000. Microsoft Corp. had issued a patch the week before, but many organizations had not yet applied it. McAfee Corp. – the number two antivirus software vendor behind Symantec Corp. – said it was the most significant threat the company had seen in 12 months.
It is not just U.S. companies feeling the heat. Last summer, fraud operators reportedly launched a phishing attack against Toronto-based RBC Financial Group. And Rick Shi, Telus Communications Inc.’s Vancouver-based director of integrated network management and managed security, says several companies called him in the wake of denial of service (DoS) attacks — where perpetrators deliberately flood a network with more traffic than it can handle.
One Canadian organization was hit badly after receiving an extortion letter of the “pay up or we take you down!” variety. The company dismissed it as a hoax and did nothing. The extortionists then took the network down for seven days, and the company lost $7 million worth of e-commerce revenue.
The three offer dramatic examples of the need for watertight network security and yet Jeff Platon, vice-president, product and technology marketing, security, Cisco Systems Inc. in San Jose, Calif., bemoans the hype. “Most of what you see sensationalized in the media today is driving large criminal activity,” Platon declares. “It’s changed from 14-year-old pimple-faced kids doing this for a thrill, to young professionals trying to do it for notoriety, into unfortunately what human beings always do, which is exploit it for monetary gain.”
As a result, consumer awareness has gone through the roof.
While it is easy to dismiss mainstream media reports as hysterical, those in the know are worried, too. Last December, CSO Exchange magazine published a list of CxOs’ top security concerns for 2005. Number one was worms and viruses; number two, regulatory compliance; number three, online fraud (identity theft, spoofing and phishing).
Security also topped IT spending priorities for 2005 in a Forrester Research survey of almost 870 large enterprises. Respondents said they planned to budget for gateway antivirus, intrusion prevention and content filtering systems.
Finally, Nortel Networks Corp. polled its largest customers and found that security spending was considered so significant that it was listed as separate line item in many enterprise IT budgets. “That’s why there are new positions like CSO (chief security officer),” says Ralph Santitoro, the company’s director of security solutions. “They raise visibility not just at the funding level but also at the executive level.”
The executive-level comment is telling, for today’s security issues are more business- than technology-driven. It is a given that any decent-sized corporate environment will have a diverse IT infrastructure with multiple internal and remote access points, both wireline and wireless, secured with firewalls, VPNs, intrusion detection and anti-spam software.
When it comes to worrying about security, as Charles Salameh, president of Ottawa-based Bell Security Solutions Inc., points out, the question is a much larger one:
“How do I open up the inner bones of my company to the supply chain, consumers, partners and everybody else that needs my information while at the same time protecting the content from being exposed or manipulated not only while it’s being stored but while it’s in transit?” Salameh asks, posing the question that many large enterprise customers have asked him.
“How do you do that and comply with daily changing legal regulations like SOX? Companies are worried not only about protecting their physical infrastructure but figuring out how to stay out of jail.”
Take a holistic approach
According to Rob Whiteley, analyst at Boston-based Forrester Research, most enterprises have done a good job of “piling up security at the perimeter.” But they haven’t taken it to the next level by defining systematic security policies that span the entire corporation.
“It takes a lot of ongoing diligence,” says Whiteley. “You may think you’re secure, but you may forget one exception.” Telus’s Shi also says that corporations must take a holistic approach to security and apply best practices.
Otherwise, “when it comes to hackers and criminals, if one door is locked they’ll look for the other door.”
With Internet crime rife and as data and telecom networks continue to converge, IT security spells opportunity for vendors on each side of the fence. “The industry is being forced into a more network-based approach,” observes Stan Quintana, vice president of managed security services at AT&T Corp. in Bedminster, N.J. — “one that’s more predictive and offence-related in nature.”
AT&T’s approach is to embed security within the network itself. Nothing new there, but Quintana says when the telco started doing it several years ago, “a lot of folks in the industry thought we were a little bit lopsided — our customers didn’t believe it. We knew we had to address it because of what we were already seeing on our IP backbone.”
AT&T developed a knowledge-based engine that examines hackers’ attack profiles, processes them, and analyzes worm and virus patterns as they evolve in the network. The software is now marketed as a service that alerts customers via phone, PDA or pager, then directs them to a portal where they can see what kind of attack it is and what to do about it. It is popular with customers in the financial and gaming markets – “we’re seeing a tremendous amount of rampant activity taking place against these environments,” says Quintana.
Cisco, meanwhile, offers behavioural anomaly software, acquired from Okena Inc., that can identify and prevent malicious behaviour on servers and desktops before it causes harm.
It is also earning kudos from Forrester for switches that authenticate a client at the port before granting it network access.
This plays in a new market space known to analysts as network quarantine, and the idea is to restrict client access to networks based on their compliance with policy. “Think of it as the proactive way of keeping the bad guys off your network,” Whiteley explains, “but if they somehow manage to get through, I’ll kick it over to a reactive device like an intrusion prevention system that looks at traffic behaviour. That, too, can make the choice of quarantining your user.”
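The two-stage decision Whiteley describes, written out as an added example that is not part of the original article and is not any vendor's code: Admit is the proactive posture check that decides which VLAN a host lands in, and ScanDetect is the reactive behavioural check that flags an admitted host fanning out to many destinations. The posture fields, thresholds, patch identifier and sample flows are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Posture is what an endpoint reports (or an agent collects) when it asks to join the network.
// The field names and the policy thresholds below are assumptions for this example, not any
// vendor's schema.
type Posture struct {
	Host            string
	Authenticated   bool      // identity check at the switch port passed
	AVSignatureDate time.Time // date of the installed anti-virus signature set
	Patches         []string  // vendor patch identifiers the host has applied
	FirewallOn      bool
}

// Policy is the compliance bar the enterprise sets for full access.
type Policy struct {
	MaxSignatureAge time.Duration
	RequiredPatches []string
	RequireFirewall bool
}

// Decision maps to a VLAN assignment on the access switch.
type Decision struct {
	VLAN    string   // "corp", "quarantine" (remediation servers only) or "denied"
	Reasons []string // what failed, for the remediation portal to show the user
}

// Admit is the proactive check. An authenticated but non-compliant host is parked in a
// remediation VLAN rather than dropped; an unauthenticated host is refused outright.
func Admit(pol Policy, p Posture, now time.Time) Decision {
	if !p.Authenticated {
		return Decision{VLAN: "denied", Reasons: []string{"authentication failed"}}
	}
	var reasons []string
	if now.Sub(p.AVSignatureDate) > pol.MaxSignatureAge {
		reasons = append(reasons, "anti-virus signatures out of date")
	}
	have := make(map[string]bool, len(p.Patches))
	for _, id := range p.Patches {
		have[id] = true
	}
	for _, id := range pol.RequiredPatches {
		if !have[id] {
			reasons = append(reasons, "missing patch "+id)
		}
	}
	if pol.RequireFirewall && !p.FirewallOn {
		reasons = append(reasons, "host firewall disabled")
	}
	if len(reasons) > 0 {
		return Decision{VLAN: "quarantine", Reasons: reasons}
	}
	return Decision{VLAN: "corp"}
}

// Flow is one observed connection attempt, as an IPS or flow collector would see it.
type Flow struct {
	Src, Dst string
	DstPort  int
	At       time.Time
}

// ScanDetect is the reactive check: a host that was admitted but then fans out to more than
// maxTargets distinct destinations on one port inside a trailing window behaves like a
// scanning worm and is returned for quarantine. Thresholds are illustrative.
func ScanDetect(flows []Flow, window time.Duration, maxTargets int) []string {
	type key struct {
		src  string
		port int
	}
	lastSeen := map[key]map[string]time.Time{} // (src, port) -> dst -> last attempt
	flagged := map[string]bool{}
	for _, f := range flows {
		k := key{f.Src, f.DstPort}
		if lastSeen[k] == nil {
			lastSeen[k] = map[string]time.Time{}
		}
		lastSeen[k][f.Dst] = f.At
		recent := 0
		for _, t := range lastSeen[k] {
			if f.At.Sub(t) <= window {
				recent++
			}
		}
		if recent > maxTargets {
			flagged[f.Src] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for h := range flagged {
		out = append(out, h)
	}
	sort.Strings(out)
	return out
}

func main() {
	now := time.Date(2005, 9, 1, 9, 0, 0, 0, time.UTC)
	pol := Policy{MaxSignatureAge: 72 * time.Hour, RequiredPatches: []string{"PATCH-EXAMPLE-1"}, RequireFirewall: true}
	stale := Posture{Host: "laptop-7", Authenticated: true, AVSignatureDate: now.Add(-10 * 24 * time.Hour), FirewallOn: true}
	fmt.Printf("%s -> %+v\n", stale.Host, Admit(pol, stale, now))
	var flows []Flow // constructed sample: laptop-7 sweeps twelve hosts on one port in twelve seconds
	for i := 1; i <= 12; i++ {
		flows = append(flows, Flow{Src: "laptop-7", Dst: fmt.Sprintf("10.0.0.%d", i), DstPort: 445, At: now.Add(time.Duration(i) * time.Second)})
	}
	fmt.Println("quarantine:", ScanDetect(flows, time.Minute, 10))
}
```

The point of returning Reasons rather than a bare verdict is the remediation portal: a quarantined user needs to be told what to fix, or the quarantine VLAN just becomes a helpdesk queue.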
Cisco is just one of dozens of companies hoping to profit from network quarantine solutions. Products fall into three categories: server-based software from vendors like Sygate, Microsoft and McAfee; switches with it built in, from Cisco, Nortel et al; and overlay hardware appliances from companies like Juniper and Check Point.
Whiteley predicts network quarantine will hit its stride in 2006 with mainstream adoption in 2007. Enterprises should prepare by buying a mix of port-based switching and server-based software solutions, as well as standalone appliances in smaller locations and remote offices.
To minimize management costs, though, try to standardize on just one or two vendors. Also, if you’re not using a third-party service provider, make sure you appoint a project manager who can coordinate and deploy the technology across all necessary departments.
Almost 40% of 650 large enterprises surveyed by Forrester have deployed network quarantine products — a high number considering it’s only been a product category for a year. The market is expected to surge in the second half of 2005.
Will the walls tumble down?
Of course, CIOs would rather not have to deal with viruses and worms at all — and they may not have to if a combination of schemes comes to fruition. The first is “clean pipes,” a plan for ISPs to deliver traffic to customers completely free of viruses, worms and other pernicious hangers-on.
Many service providers claim they’re close to achieving this, a claim worth testing against traffic the provider cannot inspect, such as encrypted sessions, and against malware its signatures do not yet cover.
A far more ambitious idea is the Jericho Forum, initiated by British Petroleum in Europe as a reaction to internal frustration over restrictive firewalls.
Instead of making security an inside/outside distinction, BP reasoned, why not make it a managed/unmanaged issue? Jericho (named because its proponents plan to send firewalls tumbling down) takes the quarantine notion to the Nth degree: no one should be able to contact anyone else via the Internet unless the recipient’s system has authenticated them first. This would involve a lot of public key cryptography, since every host would need its own key pair and a way for the other side to check it, and a lot more frustrated security hardware and software salespeople. Notes Whiteley: “Quite frankly, the vendors are slow because they’re scared of it.”
With one notable exception: Microsoft Corp. has jumped right in with a software program that only lets devices talk to each other if they’re authenticated. Whiteley explains: “Even if you and I are plugged into the same LAN and we’re sitting two desks down, for me to send an e-mail to you, my machine would quickly authenticate and send it over to you.”
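As an added illustration that is not part of the original article, and is not the Jericho Forum's or Microsoft's actual protocol: one way a host can refuse to talk to anything it has not first authenticated. The recipient hands a managed peer a fresh nonce, the peer signs it with its private key, and only a valid signature from a key in the recipient's trusted list gets a message through; an unknown host never even receives a challenge. The host names and the trusted-key map are assumptions standing in for a real directory or PKI; the signature scheme is Go's standard-library Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Identity is a managed host: a name plus its long-term signing key pair.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Pub: pub, priv: priv}, nil
}

// Receiver is the recipient side. Trusted stands in for the directory of managed hosts
// (an assumption for this example); pending holds one outstanding challenge per peer.
type Receiver struct {
	Me       *Identity
	Trusted  map[string]ed25519.PublicKey
	pending  map[string][]byte
	Accepted []string // messages that made it through
}

func NewReceiver(me *Identity) *Receiver {
	return &Receiver{Me: me, Trusted: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Challenge is step 1: a fresh random nonce for a managed peer. An unmanaged host gets nothing.
func (r *Receiver) Challenge(peer string) ([]byte, error) {
	if _, ok := r.Trusted[peer]; !ok {
		return nil, errors.New("unknown peer: refusing to talk")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.pending[peer] = nonce
	return nonce, nil
}

// transcript binds the nonce to both party names so a signature cannot be replayed toward
// another host or claimed by another sender.
func transcript(nonce []byte, from, to string) []byte {
	t := append([]byte{}, nonce...)
	return append(t, []byte("|"+from+"|"+to+"|")...)
}

// Respond is step 2 on the sender side: sign the challenge with the sender's private key.
func (s *Identity) Respond(nonce []byte, to string) []byte {
	return ed25519.Sign(s.priv, transcript(nonce, s.Name, to))
}

// Deliver is step 3: verify the signature over the outstanding nonce and only then accept the
// message. The nonce is consumed whether or not the check passes, so a replay fails.
func (r *Receiver) Deliver(peer string, sig []byte, msg string) error {
	nonce, ok := r.pending[peer]
	if !ok {
		return errors.New("no outstanding challenge for " + peer)
	}
	delete(r.pending, peer)
	if !ed25519.Verify(r.Trusted[peer], transcript(nonce, peer, r.Me.Name), sig) {
		return errors.New("signature check failed for " + peer)
	}
	r.Accepted = append(r.Accepted, peer+": "+msg)
	return nil
}

func main() {
	alice, _ := NewIdentity("desk-a")
	bob, _ := NewIdentity("desk-b")
	rx := NewReceiver(bob)
	rx.Trusted[alice.Name] = alice.Pub // desk-a is a managed host; nobody else is
	nonce, _ := rx.Challenge(alice.Name)
	sig := alice.Respond(nonce, bob.Name)
	fmt.Println("delivered:", rx.Deliver(alice.Name, sig, "hello"), rx.Accepted)
	fmt.Println("replay:", rx.Deliver(alice.Name, sig, "hello again"))
	_, err := rx.Challenge("rogue")
	fmt.Println("unmanaged host:", err)
}
```

The practical cost Whiteley alludes to sits entirely in the Trusted map: every managed host needs a key, and every recipient needs a current, trustworthy copy of every sender's public key, which is the directory and revocation problem that makes "complicated public key" work.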
Sounds good in theory, but if you extrapolate the Jericho theme to its logical conclusion it would ultimately make all unsolicited e-mails – and phone calls, if carried over VoIP networks – impossible. Concedes Whiteley: “It will solve technical issues and create practical issues. It’s not there yet but it’s a good way to start evolving the discussion of network security.”
As for the role of network professionals in this increasingly uptight IT environment, Whiteley predicts they will get more involved in data security operations and management. “We now have a better handle on security, some of the technologies have matured, and they’re getting baked into the network anyway. So the guy who sets an access control in the network switch can also set an access control on a firewall.” Meanwhile, security-savvy IT staff will assume a more consultative role: setting policy, monitoring threats and challenges, and tying this analysis into the corporate regulatory framework.
Whiteley does emphasize, though, that security vendors and other solution providers must offer adequate training to support what they’re selling. “We have to make this stuff a little bit easier to deploy,” he says. “Networking guys are not exactly security experts.”
Alison Eastwood is a Toronto-based freelance writer.
VoIP: Security threat or simply a non-issue?
“The real world is not a friendly place for VoIP networks,” declares Nortel in a recent white paper. Indeed, when it comes to securing voice over IP, a popular school of thought is that once you expose voice traffic to IP gremlins, it becomes infinitely less secure than a regular PSTN telephone line. While this theory has yet to be proven, many companies are jumping on the VoIP security bandwagon.
One of them is three-year-old VoIPshield Systems Inc., an Ottawa-based company made up of telco/security veterans. VoIPshield is bringing two products to market, one that audits enterprise and carrier networks, another that detects and mitigates VoIP threats.
Even though vendors like Cisco and AT&T claim VoIP is just another application on the network and can be managed as such, VoIPshield counters that most data networking vendors are ill-prepared to secure voice applications.
“You tend not to get the requirement for in-depth security features that have to be tightly embedded with the application,” says Richard Timmons, the firm’s vice president of business development.
He is certain the real-time aspect of IP telephony will present a huge hurdle to data networking specialists. On a data network, if a virus hits a company’s e-mail, IT can quarantine the e-mail server and turn it off. With VoIP, “you cannot successfully respond with human intervention. You need automated response.” VoIPshield’s software has already garnered interest from Bell Security Solutions Inc., among others.
Robert Whiteley, security analyst at Forrester Research, says he hasn’t heard of many VoIP hacking instances. “It’s a lot of data, so you’d have to do something to make sense of all that. But,” he concedes, “security through obscurity is not exactly the best practice.” – A.E.