Ours, at Echelon Consulting, illustrates perfectly the co-existing drivers and barriers that dominate the information security world.
On September 12 we had a call to our offices in Hampshire, England, from the head of security for a major telecommunications company. He wanted a full penetration test of all its data centers throughout Europe, some of which were critical to the functioning of the internet. Following the twin towers attack, security had become the number one priority and the company was worried about a terrorist or anti-globalization incident. We discussed the requirements for a full physical attack. He said he would need approval from the board and would get back to me the following day. The next day nothing happened. Similarly, the day after that, and finally a week later security had been superseded by another pressing priority.
The past decade has seen many changes in information security but in some key respects nothing much has changed. There is more awareness, there are more products available, but there is still boardroom ignorance, apathy or, in some cases, selective blindness.
Ten years ago if you told someone that you were in the security business, their first thought would be burglar alarms, razor wire and guard dogs. Businesses were more worried about their computers being stolen than the information stored on them getting into the wrong hands. Today we are more security conscious, but only up to a point.
What have been some of the drivers to effect change? A decade ago, the information security market was really being driven by the Government. Information security hadn't filtered down into the commercial sector. No one understood it, they didn't think they needed it and they certainly weren't aware of the potential damage to their business.
During the early 1990s virus attacks were beginning to make it into the headlines. In 1993 it was still a novelty in most commercial organizations to have a corporation-wide anti-virus package. There were only two or three firewalls on the market and intrusion detection software wasn't widely available as a commercial product. Then, the hacker phenomenon came along. It was the arrival of hackers that opened the floodgates, carrying rising levels of insecurity and paranoia among businesses along with the flow.
Some key government initiatives in the U.K. have helped shape the information security business, including the introduction of formal security certification schemes to ensure consultants are properly trained and vetted.
In the late 90s the Communication Electronics Security Group (CESG) of GCHQ established two certificates. The first is CLAS, the CESG Listed Advisor Scheme, which ensures security consultants have met the required criteria on security experience, security vetting and have been briefed on the Government's standards for risk assessment, accreditation and policy writing. The second is CHECK, CESG Health Check, a rigorously enforced registration scheme for approving penetration testing. A third certification is the British Computer Society's security practitioner scheme, which requires a record of significant security experience, references and tough interviews by a panel of peers.
Another important driver has been the advent of the information security standard BS7799. In the early days it could have been better and delivered more quickly but, nevertheless, it provides a useful way for organizations to judge their security arrangements.
BS7799 was drafted in 1993 and had some obvious limitations, but was a sensible start. A new draft was written in 1995 and by 1999 it was set in concrete and was taken up by the International Standards Organization as ISO17799 in December 2000. This year all U.K. Government departments must produce their plans for achieving compliance with BS7799 and be compliant by 2005. While several Government departments are up to speed with the standard, many aren't. And throughout the U.K. there are currently only 91 companies certified – it's a drop in the ocean.
Legislation that has also impacted on information security in the U.K. includes the Computer Misuse Act 1990, the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000.
So where are we now? Many commercial companies have adopted point security solutions by buying products to boost their security and in doing so have established the building blocks for a more secure environment. But two examples illustrate how differently a problem of exposure can be handled.
A company in the finance sector didn't believe we could hack into its computer systems and steal millions of pounds. So, with their permission, we sat down in their London office and went out onto the internet and back into the company via one of their production sites in another part of the country. Eventually we worked our way through to where the money funds were distributed and moved £7 million from one of their accounts to another. We could just as easily have moved it to any other account, including our own. The demonstration worked and the company signed up as an enthusiastic customer.
More recently, a retail company could have had their flotation plans scuppered when we found they had been seriously hacked. We discovered applications all over their server that shouldn't have been there and may well have been used to spy on the floatation plans. We set up a rapid response including intrusion detection systems to make them more secure. This worked well and despite being under attack, we stopped anything getting through. But what they needed was a properly designed solution that matched their requirements. Often, once the initial problem has been detected and quickly fixed with a patch or working solution, companies don't want to commit to a more exacting properly architected and ultimately more effective security solution.
Equally, some companies invest large sums in the latest products and believe they have 'ticked the security box.' For example, they buy a firewall. But unless it is properly configured and maintained it is worse than useless because it will give them a false sense of security. One company, which had spent over £100,000 on a firewall solution, gave an external party FTP access to their system. They needed the file transfer protocol port turned on and it was the equivalent of blowing a huge hole in the firewall and inviting in the hackers. In a decade of penetration testing many dozens of systems, we have never failed to penetrate them, and that is very worrying.
Last, but certainly not least, what about staff? After all, we could have excellent security if we didn't have any users. The last security breaches survey (2002) showed a decrease in the incidence of internal hacking and for the first time external hacking had become the bigger problem. I am not convinced and believe the results mask considerable under-reporting of internal incidents.
What then are today's businesses doing to educate and train their staff? Clearly not enough. The public and private sectors are both guilty of not enforcing information security. If you don't tell people how and why they need to be secure how can you expect them to be? Many organizations don't even have an information security policy. Of those that do, it often ends up stuffed in a bottom drawer shortly after it is written to satisfy the venture capital company, quality auditors or government accreditors. Staff should be given constant reminders of how to keep the company's valuable and often sensitive information secure. And if the company policy says staff email and internet access will be monitored, they must be told about this, monitoring should take place and it must be audited. There are tools available which can highlight the most important incidents and help spot anything suspicious.
One of today's hot issues is the possibility of a large-scale cyberterrorist incident. My perception is that there isn't really the capability out there amongst the general terrorist community or the will to launch a major e-attack. It is much easier to strike at systems and infrastructure in other ways, as the attack on the World Trade Center so devastatingly showed. Perhaps the biggest challenge and concern is the rise in industrial espionage, now arguably the third biggest growth area on the internet, after porn and music downloads. Access to your competitors' sensitive information can enable you to bypass the cost of the millions they have invested on original research and development.
A final thought. An organization had developed a world-beating application and took it on a laptop to a trade fair in Europe. The laptop went missing. What was the damage? The laptop was worth around £1,000, the information on it was estimated by the organization to be worth about £5,000, the cost of developing the application – £1.5 million. The price of being insecure sure adds up.
Kerry Davies is managing director of Echelon Consulting (www.echelonltd.com), celebrating its 10th anniversary this year.