Netregistry - http://www.netregistry.com.au/news
Fear Of The Known
http://www.netregistry.com.au/news/articles/156/1/Fear-Of-The-Known/Page1.html
By David Braue
Published on 6/Dec/2006
 

New technologies have improved corporate Australia's security arsenal but a changing threat profile makes progress invaluable. David Braue catches up with the exploding information security industry.



Information security breaches have that same sort of visceral appeal as a good horror movie: you cover your eyes, but can’t help peeking to see the gory details as the doomed teenagers pick their way through darkened, killer-infested hallways. Just try, however, to leave the theatre and walk back to the car without checking between the rows of cars in that darkened parking lot.

For years, the security industry has been a self-feeding monster, propelled to massive size and public profile by ongoing reports of security breaches.

In the past, the overriding fear was of dramatic financial losses as mysterious black-hat hackers breached company defences to suck confidential data out of our corporate networks. Still too scared to peek at their own potential risk, companies--often fearing the wrath of governance auditors--furiously bought intrusion detection systems (IDSes), smart firewalls, strict user authentication, virtual private network (VPN) encryption and the many other products emerging onto the market.

The hope, of course, was that technology could provide unbreakable information security--but that was difficult with an often unknown and ever changing threat lurking just outside the firewall.

Fast-forward a few years, and the tone of security discussions has changed substantially. Although the threat from malicious outsiders is still back of mind for any information executive, the to-do list has changed substantially as spam, spyware and other nuisance security breaches continue to multiply.

AusCERT’s 2006 Computer & Crime Survey found that about one in five Australian companies had suffered some sort of attack in the previous year, with viruses and worms reported at 45 percent of companies. Average financial loss from the attacks increased 63 percent compared with the year earlier, weighing in at $241,150 per incident.

That has meant big business for security providers, who have scored a big hit in email security after watching infrastructure technologies like IDSes fall relatively flat. Email is an obvious candidate for protection for another reason: IDC recently estimated that an average of 84 billion emails, 33 billion of which are spam, will have been sent every day this year. With total volumes estimated at 3.5 exabytes (3.5 billion GB) this year alone, that’s a whole lot of places for unknown nasties to hide.



Whether you see spam as a nuisance or a security threat, you’re going to need a way to deal with it if only to stop it choking your networks. Recognising this, email security has become an integral part of the corporate security arsenal, which has entered a new phase of consolidation after years in which one acquisition after another brought together small vendors offering niche technologies.

Part of the recently labelled secure content management (SCM) market, sales of email scanning solutions grew 34 percent from 2004 to 2005, and the technology accounts for 57 percent of the entire security software market, according to IDC.

Despite convergence in the marketplace, however, a steady stream of contenders continues to offer new options to customers whose understanding of the threat has gradually improved over time. Security appliance vendors have simplified the process of installing a full suite of security tools, while managed security service providers are pushing new models that let companies offload complexity and risk.

Little wonder that the security market continues to grow from strength to strength. IDC has forecast double-digit growth in security product sales for the next few years, driving the market from US$805 million last year to US$1.7 billion by 2010--including Australian market growth from around US$300 million last year to A$1.3 billion. In Europe a projected 15.2 percent cumulative annual growth rate is expected as companies worldwide act to strengthen their security infrastructure.

Expanding the secure core

At the most basic, every company needs--and probably already has--a robust corporate firewall. Designed as the border guard for your corporate network, your firewall is your first line of defence against unknown security attacks that could congest or disable your network from outside.

Even commodity firewalls offer a typical range of features, including the ability to block or allow network access via Internet Protocol port or application, and support for virtual private networks (VPNs) that have become the de facto way of accessing company networks over the Internet.

Because of their strategic position at the edge of the network, firewalls have been the natural target for the merging of technologies such as IDSes--which have not so much died a painful death as been subsumed into other parts of the company network, where machines and not people can deal with the flood of information they produce.

Just like training guardhouse soldiers on new surveillance techniques, such integration allows firewalls to adopt a more aggressive posture against suspicious types, including stealth attacks that rely on small, repeated jabs of security defences over long periods of time. Network equipment vendors have also taken a string from this bow, building fast hardware-based scanning into their products--particularly as concerns over voice over IP (VoIP) security increase.



As with most new technologies, VoIP security discussions are still being driven by the fear, uncertainty and doubt that accompanies any new technology. Whether VoIP can be exploited to compromise a corporate network remains up in the air, but there are some unique problems that make it particularly important to consider--primarily, that anybody with freely available software tools like VOMIT (voice over misconfigured Internet telephones) can intercept a VoIP stream, pick out a VoIP conversation, and convert the conversation into a playable audio file.

Of course, a similar breach could be conducted on existing phones simply by tapping into the PABX network’s wires. The obvious solution against VoIP snooping--encrypting all VoIP traffic--is readily possible but introduces other issues such as encryption/decryption overheads. If you’re implementing VoIP and concerned about the security of your calls, it’s a good idea to look around to make sure you’re happy with the level of security your equipment provides.

“A lot of the threats that plagued data networks in the past also affect voice networks,” warns Colin Lim, regional sales manager with equipment maker Fortinet, who also points out the growing discussion about the potential for SPIT (Spam over Internet Telephony) to clog up next-generation voice networks. “There’s a need to put technology into the LAN to enhance security; you need it there as insurance against the potential loss of productivity.”

The other major, disruptive technology that has changed the security profile in recent years is mobility. Increasing use of smartphones to empower field workers has produced considerable benefit for companies in all kinds of industries, but each of those data terminals is a potential point of entry into the corporate network--and must be managed that way.

Vendors are only now offering robust tools that can control the backup of data on mobile devices and the movement of sensitive information onto them--yet no matter how it’s achieved, mobile security must be adequately addressed for any company planning its information security strategy.

Equally problematic are the now ubiquitous memory sticks capable of carrying several gigabytes’ worth of corporate data. These devices, which must also by extension include mobile devices like iPods and other music players, can be easily exploited by data thieves--or can become unwitting carriers for sensitive corporate data if they are lost or stolen from their owners. Companies like Centennial Software and Altiris offer technologies specifically designed to counter this threat.



Simplifying the complexity

The evolution of corporate security from straightforward firewall to multi-faceted access protection device has taken years, and is continuing as startups think of new protection methods and new threats emerge.

Security vendors’ goal, then, has become not only to protect against threats, but to package their offerings in a way that makes it easier for companies to digest the myriad offerings--and demonstrate their compliance to governance requirements.

One simple way of doing this is to package the various email and network security technologies into a single, easy to manage security appliance. Such appliances--Asia-Pacific sales of which grew 39 percent to US$549 million last year--do away with the painful complexity of configuring and interlinking standalone software solutions, combining firewall and IDS with antivirus and other functionality to provide a single unified front that’s easier for companies to install and update.

These solutions reflect the growing trend towards unified threat management (UTM), basically a new term for the combination of SCM and conventional security solutions. As well as the UTM appliances protecting the gateway, the industry is also converging around UTM messaging solutions (antivirus, antispam and content filtering) and endpoint solutions (antivirus, antispyware, personal firewall, and host intrusion prevention).

The rising popularity of UTM solutions is hardly surprising, given a recent IDC survey that found managing the complexity of security solutions was the third highest IT priority amongst respondent organisations--and security overall remains the highest priority.

These trends have also lent weight to a growing trend towards outsourcing of key security functions via the software-as-a-service (SaaS) model--most notably in the SCM space, where it is relatively easy for organisations to leverage third-party expertise without disrupting internal systems.

The NSW Department of Health, for one, recently committed to SCM vendor MessageLabs’ antispam and antivirus services after a trial saw often crippling loads of spam reduced to just 0.02 percent of the 600,000 emails it receives every month.

Expect SaaS security solutions to become even more common as vendors shore up their products and capabilities over time. SaaS solutions resolve the traditional problem of security software currency since updates are installed at the vendor’s end without any involvement from end users. They also free staff from the time-consuming task of managing spam and other nasties manually, eliminating the most common threats before they even reach the corporate network.



The corporate mind-meld

Let an infinite number of monkeys type on an infinite number of typewriters for infinity, the saying goes, and they will produce the complete works of Shakespeare. Such might also be said of hackers, who have shown enormous patience and determination to find ways around corporate security methods--if only to prove that they can.

Recent technological advances have, of course, provided many more opportunities for those code monkeys to cause harm. Mobile devices, changing content profiles, VoIP, wireless LANs and myriad other technologies have all changed the risk profile for companies operating today. So, too, will Microsoft’s introduction of Windows Vista--which, with its new architecture and substantially revised security model, will have system administrators scrambling to adapt.

As is the unfortunate reality of the security industry, vendors are keeping one step behind the perpetrators--although, fortunately, the length of that step has shortened considerably in recent years as increasingly intelligent solutions bring problems like spam under control.

It can never be said too strongly, however, that companies shouldn’t rely just on technology to solve their security problems: guards, after all, don’t protect property better if they carry bigger guns. As always, policy is as important as technology in building an effective corporate security environment--and even more so now that there are so many more potential carriers for data and incoming attacks.

There are signs that companies have finally gotten the message about security policies: the 2006 AusCERT survey found that only 29 percent of attacks were attributable to internal sources, compared with 37 percent last year; this statistic, as well as one finding a slight reduction in the percentage of respondents citing a need to change users’ perception and behaviour about security (60 percent in 2006 vs 65 percent in 2004), suggests that corporate culture and policy are finally delivering the kinds of cultural modifications that have been talked about for years.

This change has led to a slight softening of security priorities in many companies: AusCERT found that fully 10 percent of respondents thought they were managing all aspects of computer security reasonably well--a jump from seven percent in 2005 and just five percent in 2004, and only 50 percent of companies increased security spending in 2006 compared with 68 percent in 2005 and 70 percent in 2004.

There are other challenges, of course: increasing workloads and complexity of information security requirements are forcing companies to search for dedicated security specialists, for example, and large businesses as always face the challenges of scaling any security strategy so it applies equally across the entire enterprise. Partners, too, add a potential spanner in the works: you can take all the protective measures in the world, but if a trusted partner isn’t being as diligent it’s a recipe for disaster.

Nonetheless, the fact remains that it is now more possible than ever to both anticipate network security problems, and to do something about them. If nothing else, that knowledge is finally allowing the traditional victims of information security attacks to put the battle on a slightly more even footing.

That has, so to speak, finally imbued the clueless co-ed with the foresight to turn on the lights. Just what she sees will still be a cause for alarm--but at least there’s hope. Give her the right tools and the determination to succeed, and her struggle may just get that much more interesting.


www.technologyandbusiness.com.au

Technology & Business is Australia's premier enterprise technology title, providing useful and high-quality news, reviews, analysis, interviews and opinion on issues key to Australian business and IT leaders.

Technology & Business is the only title to provide independent lab testing and analysis of enterprise products, looking not only at performance but also interoperability, future proofing, return on investment and service as testing criteria.
