News, September 3, 2010
IT security: walking the line

With IT security now a boardroom issue and huge area of risk, companies have to balance the need for security with the need to do business. Stuart Fagg reports

There’s no doubt that the ongoing information revolution has changed the world as we know it in the past decade. In 1997, IT security was more likely to involve making sure the computer room was locked than dealing with the myriad of evolving threats seen today. Indeed, one chief information officer at a major bank told me some time ago of an event that typified the ad hoc approach.

“It was when I was working for a broker in London,” he said. “We were perplexed at the ability of one of our systems to reboot itself at the same time every morning. Engineers had pulled the system apart, renewed parts and did everything known to get to the bottom of the issue, until we realised it was the cleaner. Every morning the cleaner would go into the computer room, unescorted and unchallenged, to wipe her feather duster over absolutely everything, the reset switch on the front panel being so sensitive that it would reboot quite easily as she brushed past. I still cringe today when I see cleaners in computer rooms.”

These days, however, things have moved on. The online environment has revolutionised business models, particularly for organisations that previously utilised face-to-face dealings as their main contact point with customers. For financial institutions, the move to online platforms has realised massive cost savings, far outweighing the tens of millions of dollars lost to online fraud to the major Australian banks and their customers.

Indeed, financial institutions’ products present unique challenges, given their ‘virtual’ status. “Banking is effectively virtual,” said Richard Johnson, head of architecture, research and cybercrime at Westpac. “You can’t pick it up, you can’t hold it, and there are even very few passbooks nowadays … So it really is a digitised and virtualised product which is why information security is so integral to what we do. This is one way of conceptualising the alignment that we operate in so there’s a bit of information on that slide. But essentially it’s saying when we think about protecting our assets – and everything is about integrity and confidentiality, availability of data.”

But while the sophistication of online business has grown massively in recent years, so have the threats. Perhaps the biggest and most visible threat to banks has been phishing, which made its debut in 2003. That was followed in 2004 by malware (software used to penetrate computer systems without alerting the user). Post-2004, malware began to be designed for profit and used in conjunction with organised crime and spammers.

“When you really start to look at last year and into this year – as you will read in the press and so forth – some fairly sophisticated malware [is in circulation], in the way it works with encrypted subroutines, anti-analysis capability, virtual machine awareness, and the ability to disable itself if it thinks it’s being analysed,” Johnson said. “It’s very under-the-radar, not noticeable. This is where our focus is, working with all of the various people in the industry and outside in law enforcement on counteracting this. There’s been a lot of good work in this country on developing techniques that can shut a lot of this stuff down before it even actually occurs which is good.”

What has followed in recent years, however, is akin to a war trapped in a vicious cycle. One side gets a big gun, the other retaliates with a bigger one, the first gets an even bigger one, the second tops that, and so on. On one side are Australia’s corporates (there can be few companies that don’t have some kind of platform requiring sign-on or an electronic payment mechanism); on the other is an increasingly sophisticated supply chain. The global trade in banking details and other secure information, for example, has generated a supply chain through which details are sold on to those with the skills to launder the proceeds, said Guillaume Lovet of security firm Fortinet. Lovet, who was speaking at a major IT security summit in Canada earlier this year, claims to have identified four ranks in the supply chain: programmers and coders, ‘kids’, organised crime figures and ‘mules’.

Paul Kastner, director of financial services at Symantec, added that the criminals are increasingly banding together. “The criminals are consolidating their efforts and forming cybercartels to attack financial services firms for financial ends,” he said. “It’s no longer for fun or for notoriety, it’s simply to steal money. And the threat is not just from redirecting transactions to phishing sites or breaking into people’s bank accounts. It’s as much about identity theft and the secondary market for selling people’s identities as it is directly stealing money from the organisations.”

These ‘tit for tat’ engagements with cybercriminals have made it increasingly difficult for organisations to focus on proactive IT security as they get bogged down in the quagmire of responding to the latest threat. “The maturity level is still in a sense around trying to put in place solutions to problems that I had yesterday and putting spot fires out,” said David Williams of IBM’s security and privacy services division. “The really mature companies, however, are thinking about what their business will look like in 18 months and if they can put in place something now that’s flexible. They’re thinking about how they’re going to be dealing with their clients and suppliers in 18 months’ time and how that’s linked to security.”

While the focus on what has already occurred and the constant battle to keep up with the emerging threat landscape have consumed time and resources, there are other conflicts within organisations, with security zealots on one side and revenue-focused staff and customers on the other.

Dr Martin Carmichael, chief security officer at McAfee, said that while many risk and security analyses use colour codes and maps to denote severity, business people want to talk numbers.

“Sales people live and die by the numbers,” he said. “Businesses live and die by the numbers. There’s no sales person that could ever come back and say, ‘How was your quarter?’ ‘Mine was blue. We’re in the upper-right pocket. We’re dark orange, moving to orange.’ You could never exist like that. The business process has to come into ‘Hey, this is where we were. We were 10 per cent below, we were 4 per cent above. Our numbers look like this.’”

He added that consistency can also be difficult to achieve in security when competing influences are at play.

“We struggle with the idea that we need to have a consistency across our organisation and then the way to achieve that because we’ve got a group of people that are passionate about security,” he said. “You’ve got them in your organisation, right? They’re the ones that are so secure they can’t log onto their own stations. They want to use all the toys. Then you’ve got the other ones who are your business guys that tell you that you are stopping their business no matter what you do. Having a patch around there is inhibiting them making a sale or performing a function and you can’t do it. If that weren’t fun enough, a CIO or your CEO flies internationally and reads a magazine and finds some article on security and decides that you need to do that [deal with security] immediately.” Part of the solution, he said, is to approach security from a business point of view in business terms.

Organisations whose IT security issues include those created by the use of online customer environments must also balance their security needs with ease of use, particularly given the importance of maintaining trust in the online delivery channel, which can be severely undermined by a user experiencing an attack or a heavy-handed approach to authentication. That said, Westpac’s Johnson said there is valuable intelligence to be gleaned from security activities. “All of the work that we do in cybercrime – in addition to actually shutting down any instances of criminals as they occur – then leads to other work in terms of improved fraud detection systems or capabilities to identify spurious or unusual transactions,” he said. “But it has also led to bolstering the security of our online channel. Like most financial institutions we’ve gone through a range of initiatives over time in locking down and securing our channel – the electronic channels – and making sure that usability and business values are maintained, but also that trust in the channel is maintained.”

Maintaining trust is an increasingly key deliverable, given the massive investments banks have made in online distribution channels. “That’s becoming a larger concern,” Symantec’s Kastner said. “Not just because of the immediate financial loss, but because of the confidence loss and the reputation risk that the banks and the other financial institutions will suffer if this gets worse. There’ve been a number of surveys over the last couple of years that clearly indicate that consumers are concerned about giving out their identities. And as hacking events become publicised there’s a backlash in the customer market in terms of people willing to do online transactions, especially financially oriented ones.”

While there’s no doubt that external security threats require constant vigilance in the world of e-commerce, the growing amount of required authentication for internal systems is also a challenge. In an average, medium-sized company, an employee will have many ‘repositories of identity’ in the organisation covering everything from internet proxies to voicemail. And with many organisations using electronic HR and other systems, repositories of identity are on the increase. Whittling these multiple identity footprints down is a massive challenge.

“Our electronic HR system is effectively focusing on getting a single source of truth, which anyone in the industry will know is quite difficult,” Johnson said. “If you think about how many repositories of identity you have in your enterprise, there are many and they’re often not integrated. And there are many, many numbers on the system that actually identify you, everything from internet proxy through to LAN log-on through to application log-on, database accounts, email, voicemail. There are a lot of identities that are ‘you’ on the system. So the first challenge is being able to integrate and centralise all, or at least federate, those different aspects of you if you want to ultimately get towards something close to single sign-on and a more efficient and safe access control method.”
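Johnson’s first step, correlating every identity that is ‘you’ back to one person, shown as an added example that is not from the article or from Westpac. The HR feed, repository names and accounts are constructed sample data modelled on the systems he lists; the HR record is treated as the single source of truth, and accounts no active employee owns are flagged for review.

```python
# Added example (not the article's or Westpac's code): reconciling scattered
# repositories of identity against an HR 'single source of truth'.
# All names, ids and accounts below are constructed sample data.

# Constructed HR feed (authoritative): employee id -> (name, email, status).
HR = {
    "E1001": ("Ann Lee", "ann.lee@example.test", "active"),
    "E1002": ("Bob Ng", "bob.ng@example.test", "active"),
    "E1003": ("Cy Park", "cy.park@example.test", "terminated"),
}

# Constructed repositories. Each account carries whatever link attribute that
# system happens to hold: an employee id, a mail address, or nothing at all.
REPOSITORIES = {
    "internet_proxy": [("alee", "ann.lee@example.test"), ("bng", "bob.ng@example.test")],
    "lan_logon": [("ann.lee", "E1001"), ("bob.ng", "E1002"), ("cy.park", "E1003")],
    "crm_app": [("alee", "E1001"), ("svc_crm", None)],
    "database": [("ALEE", "ann.lee@example.test"), ("CPARK", "cy.park@example.test")],
    "email": [("ann.lee@example.test", "E1001"), ("bob.ng@example.test", "E1002")],
    "voicemail": [("4411", "E1001"), ("4412", "E1002"), ("4499", None)],
}


def reconcile(hr, repositories):
    """Map every account in every repository back to one HR record.

    Returns (footprint, orphans): footprint[employee_id] lists the (repo, account)
    pairs that are 'that person' across systems; orphans lists accounts that no
    active employee owns, with the reason, so they can be reviewed and removed.
    """
    by_email = {rec[1].lower(): emp_id for emp_id, rec in hr.items()}
    footprint = {emp_id: [] for emp_id in hr}
    orphans = []
    for repo, accounts in repositories.items():
        for account, link in accounts:
            emp_id = None
            if link is not None:
                # A link is either an employee id or an address that HR knows.
                emp_id = link if link in hr else by_email.get(link.lower())
            if emp_id is None:
                orphans.append((repo, account, "no HR owner"))
            elif hr[emp_id][2] != "active":
                orphans.append((repo, account, f"owner {emp_id} is {hr[emp_id][2]}"))
            else:
                footprint[emp_id].append((repo, account))
    return footprint, orphans


if __name__ == "__main__":
    fp, orph = reconcile(HR, REPOSITORIES)
    for emp_id, accounts in fp.items():
        print(emp_id, HR[emp_id][0], f"{len(accounts)} identities:", accounts)
    for repo, account, reason in orph:
        print("ORPHAN", repo, account, reason)
```

Running it shows Ann Lee spread across six accounts and Bob Ng across four, while the terminated employee’s LAN and database accounts and the two unowned accounts are listed as orphans.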

Access control, however, becomes even more difficult in the increasingly mobile business world, one where personal and corporate technology often converge. For example, the use of company technology at home is increasing, as is the use of personal storage capacity (flash drives etc) on corporate equipment. “It’s not necessarily the bad person on the outside with a malicious intent targeting you,” said IBM’s Williams. “It’s potentially the naïve or ignorant internal employee who has no malicious intent at all but who has exposed their own machine. By ‘machine’ I don’t necessarily mean your laptop. Even from an IBM perspective, we’ve got a high level of workplace security: from physical (we bolted the desk down) to electronic, with the latest whatever’s we need to have on it. But your PDA devices, your mobile phone [are a risk]. How often would the bulk of people actually know how to truly protect their mobile phone?”

And while employee mistakes are a growing source of security woes, so are employees and service providers who have definite intent. “The technical sophistication of hackers has dropped and now it’s really anybody who gets access to sensitive data,” said Bryan Sartin, global director for investigative response at Verizon Business Security Solutions powered by Cybertrust, which investigates IT security breaches. “Who has access to it? Insiders are one but there is a particular threat from partial insiders. I’d say as many as two-thirds of the cases we’re investigating now are situations where it might not be an employee. An actual employee would be about 10 per cent of the cases, an inside job. But somebody who that company has trusted with access to their data. They tend to be vendors, call centres, somebody who sold them a software package or sold them an application like a transaction server or a database.”

17 September 2007
Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.