Despite this positive trend, both private and public sector organisations are suffering from more security violations than at any time in the past. In a study carried out by the Computer Security Institute (CSI), 56% of respondents reported unauthorised computer and systems use. That figure is broadly in line with similar surveys from recent years.
But why has the number stayed the same?
Industry experts continually lead us to believe that security technology is improving daily, and that more companies are deploying improved technology. If that's the case, why aren't breaches of IT security decreasing on a dramatic scale?
The status quo in systems violations indicates a growing lethargy among companies reviewing their IT security options. It would appear that many end user organisations are merely adopting a 'tick in the box'-style approach, and that the procurement of an IT security system isn't followed through in terms of a strategic security programme.
An external overview
Many larger organisations have chosen to hire management consultants to take an external overview of the company, and help them assess where they're going wrong. For the medium-sized company with neither the budget nor the inclination to turn to a consultant, it's not so easy. In addition, many such companies that don't tend to have data-sensitive information on their networks believe they don't need to invest in security solutions. They're wrong.
Potential hackers scan networks daily for signs of vulnerability. An unprotected network is unmistakably visible to the experienced hacker. An organisation's networks can be attacked from anywhere in the world in this day and age. When those attacks occur, the loss of confidential data isn't the only repercussion for the host company. The hacker can then use the attacked business's system as a 'host' to pollute other organisations' networks. This might also result in an organisation's systems going down for over 24 hours – a process known as 'zombieing'. That will impact upon any company requiring its computer systems in order to conduct business.
Analysts at The Gartner Group estimate that two out of every five companies experiencing any form of 'disaster' – including IT security violations – will go out of business within five years. However, businesses are so inundated with security solutions that they find it easier to ignore the problem without having thought through the longer term implications.
A casual glance across the security options available will identify numerous security 'fixes' for vulnerable networks. For many, detailed technology information clouds the issue.
Strategic IT security programmes
Practitioners shouldn't be scared. Putting security plans in place doesn't have to be a complicated or lengthy process. It does, however, require some forethought by security managers and IT specialists, and must always be backed up by a strategic security programme. Just simply buying and installing IT security systems will not be enough.
Depending upon their budget and levels of expertise, there are a number of options open to the end user looking to implement an effective security strategy.
A good, cost-effective solution would be to sign up to an advisory service such as the Computer Emergency Response Team (CERT), a non-profit making organisation originally set up by the US Government and run by the Carnegie Mellon University. Organisations such as CERT supply information on how to protect an organisation's system against potential problems, and advise on what to do if and when a security breach occurs.
In practice, this will involve handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems and developing information and training to help improve security at an organisation's site(s).
The advisory service takes the form of a free e-mail which is issued to any security practitioner that wishes to subscribe. That said, although these services are a good source of information, they are just that. They don't give advice about how a violation will affect an organisation's individual requirements, or the business impact of a security breach.
Some organisations may choose to employ a specific security administrator who's then responsible for updating the computer systems such that they can respond to any threat. This is perhaps the most costly solution of all, but certainly a very essential resource in today's information age.
Organisations can also employ an external third party to conduct vulnerability scans and penetration tests of their network on a regular basis. A vulnerability scan is an automatic process undertaken by a remote server with a library of known vulnerabilities which is designed to test networks. These scans are usually carried out on each IP address and can take place daily, weekly, monthly or as often as a business' management team chooses.
The scans produce an automated report that can be used to close the system vulnerabilities down. Cost here is relatively low due to the automated nature of the process.
Penetration testing procedures
A penetration test will involve an individual actually trying to hack into a customer's network using known hacking tools. Although this is a far more costly exercise, the tester will also use 'social engineering' to break into the network. This can include calling up the business and finding out people's names, and then trying to hack using common passwords (it's surprising how many people use 'password' as their own password!). At the end of this period, an organisation can expect a detailed report into the system's vulnerabilities and those of the company as a whole.
Certain types of vulnerability are most common. If a business doesn't have a firewall that's designed to prevent unauthorised access to private resources, it's most likely to be hacked into within a matter of days. Traditionally, hackers will scan entire IP address ranges, and your unprotected network will stand out like an elephant at a mouse convention! Hackers can take over servers or desktop machines, and either access the boxes at the root level and copy or delete all their data, or install malicious programs that will not only take over their machines but attack other networks into the bargain.
For a company that has a firewall, these too can be exploited if they aren't properly set up and monitored. Hackers may exploit known vulnerabilities and persuade the network to break its own firewall. Devices most commonly affected include the web server, e-mail server, file and print servers.
When choosing an Internet Service Provider (ISP), a business needs to have confidence that their ISP is protecting itself. If not, a violation to the ISP's network can have catastrophic effects on any business that partners with it. Organisations must therefore ensure that their provider fully explains its security procedures and policies towards denial of service attacks and unauthorised hacking.
A denial of service attack occurs when a compromised system attacks a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby preventing access to any legitimate users. The ISP will also need to show that it has its own security administrator and audits its own network.
Dedicated to IT security
In summary, then, a business ideally needs to employ an IT security administrator if at all possible or, at the very least, somebody that's responsible for security of the company network. This individual should have (or be able to gain at very short notice) detailed knowledge of the company's systems and all the software it operates, carry out regular network scans and change passwords on a frequent basis.
If your company has a person solely dedicated to IT security then any problem is also more likely to be rectified quickly should any violations occur. Statistics show that 50% of all violated networks remain unfixed after 30 days. That can only leave your company open to further attacks. A dedicated IT security administrator will focus all of his or her attention and resources on re-protecting the network.
The monitoring of security alerts and patch announcements can be managed through advisory services like CERT (as these are usually the best form of alerts), as well as the vendor's own advisory service. In addition, third party vulnerability checks might provide an invaluable insight into an unprotected network.
A final point to note is that a successful IT security programme is most effective if it has the full endorsement of the chief executive officer. In addition, the person responsible for security needs to have an avenue to communicate with the chief executive.
Perhaps most important of all is the fact that a security policy must be enforced throughout the entire organisation.
Source
SMT
Postscript
Jon Haynes is hosting and security product manager at GX Networks (UK) Ltd (www.gxn.co.uk)