India Inc has finally woken up to the security threat. But
merely deploying firewalls or anti-virus solutions isn't
enough. Here's how organizations need to strengthen
their defences in the wake of new threats.
by Vishwajeet Deshmukh
A global study by KPMG in 2000 reveals that Indian companies
achieved the dubious distinction of having the highest
number of e-commerce security breaches in the world
at 23 percent, followed by the UK and Germany at 14 percent.
Of the 60 percent of companies that were victims of some
security breach, 21 percent recorded actual loss in
revenue. About 58 percent have still not been able to
quantify their loss. According to a PWC-CII study, only
five percent of the survey respondents reported a revenue
loss of over Rs 5 million.
Over 65 percent of the respondents admitted to not running
security audits on e-commerce systems. Only 50 percent
have incident response procedures in place in case of
a security breach, and 83 percent of the firms that were
victims of a security breach have taken no legal action.
About 38 percent fail to perform background checks on
entities that assist them with development, maintenance
and/or administration of their e-commerce systems.
Almost 70 percent of Indian firms conduct background checks
on e-commerce system suppliers. And 72 percent of companies
said they were reluctant to report security breaches
for fear of damaging their reputation.
Waking up
There is no doubt that India Inc has woken up to the
reality of security threats. In the past year (2002)
the number of companies implementing a security policy
has doubled. However, effective security implementation
is still lacking. This is due to the absence of a clearly
defined security policy. Merely deploying firewall,
IDS and anti-virus solutions is not enough. There is
a need for a set of rules, based on the business
objectives of the enterprise, to secure information
and systems, that is, a need for a comprehensive security
policy. Further, the policy has to be documented and
reviewed/revised frequently, in accordance with changes
in business objectives and changes in technology. In
other words, it has to be dynamic.
The PWC-CII survey 2002-03 illustrates the lack of a
comprehensive security policy framework across India Inc and
hence the lack of effective security implementation. To
quote from the report: Though 68 percent of the respondents
accorded a high priority to security, only 41 percent
had a comprehensive security policy in place. Worse,
about 47 percent of the respondents continue to operate
without a security policy.
This is a fairly large number with far-reaching consequences.
Threats
To elaborate, the main areas where companies face a
threat are security of online systems, system availability,
confidentiality of customer and company information,
and maintenance of the integrity of data. Further, in
an increasingly networked world, it is a no-brainer
that any device/client (desktop, notebook, PDA) that
the user connects to in the network (Internet, Intranet,
or Extranet), needs to go through a firewall and an
anti-virus system. Also, the entire computing infrastructure
(switches, routers, LAN, WAN, WLAN, Web servers, application
servers, databases, etc.) needs appropriate security
protection.
However, merely investing in security products without
a comprehensive dynamic security policy that is based
on the business goals of the enterprise will leave the
door open for ever-increasing threats. Enterprises have
to take a top-down approach to frame a comprehensive
security policy rather than treat it as a technological
issue in the realm of the CIO, CISO, etc. The Board and the
CxOs must show commitment to security with a clear mandate
through policies.
Security is a process
For this, it is key that the enterprise should realise
that security is a process. It does not exist without
education and awareness at all levels within the enterprise.
Further, implementing security is an on-going task given
that new threats emerge all the time. Hence, the challenge
lies in dealing with the absence of a dynamic security
policy coupled with the complexity of technology and
the lack of trained manpower to effectively implement
and monitor security systems. Additionally, a bottom-up
approach and a dearth of high-end network consultants
do not help matters.
Other than this, organizations need to have a hard look
at the statistics on security incidents and vulnerabilities.
As per CERT statistics, a clear pattern has emerged
over the last three years (since 2000). There is a rising
and direct correlation between security incidents and
vulnerabilities. In other words, it indicates that a
security incident almost always happened following the
disclosure of a vulnerability and before the vendors could
release the patch to be implemented by the organisations.
The CERT statistics translate to 272 incidents and
12 vulnerabilities per day.
Besides this, research sources from IDC, ICSA Labs and
Computer Economics indicate that last year (2001), 83
percent of viruses were spread through e-mail. Now consider
these numbers. This year (2002), the global e-mail message
traffic has reached 31 billion. By 2006, it is estimated
to reach 60 billion. The clincher: viruses such as Nimda
and Code Red self-propagated globally in less than a
day. The economic impact runs into billions of dollars.
Challenge
Hence, the growing challenge is to protect ourselves
against attacks that are automated and polymorphic (ones
that change every time) and in keeping up-to-date
with hot-fixes and patches on a daily basis. This point
cannot be emphasised enough. If there is a virus outbreak
in the US or say, Philippines, a CEO should consider
how rapidly the enterprise security system can respond
to the threat and make it a non-issue. Next, if the
company does get hit, of paramount importance will be
the speed with which the infection is cleaned and business
resumes. Because past events have shown that infection
spreads globally in less than a day, a benchmark for
cleaning has to be set. If it takes more than a day,
it is unacceptable.
Currently, solutions that provide virus protection at
the perimeter (on gateways), servers, desktops, PDAs
in a wired as well as wireless environment, have taken
priority in enterprises. Manageability is becoming
the next priority. Solutions that provide centralised
control, management and visibility to heterogeneous
corporate networks across WAN and LAN segments, distributed
geographically, are clearly being recognised as mandatory.
To conclude, we live in an inter-networked environment
today. There is a growing recognition of using network
traffic to understand performance and security issues
at all the levels, i.e. at the network, server, the
application and database level. More enterprises have
started using network-monitoring solutions to identify
not only the network bottlenecks but also server, application
and database bottlenecks. We have already started observing
convergence of network monitoring tools that recognize
virus signatures. Next year (2003), we will see more
of this convergence, but more importantly, there will
be a growing trend for solutions that provide ease of
manageability.
The writer is Country Manager-SAARC,
Network Associates