What works when trying to protect a company network against information security threats? We ask the information security officers charged with doing exactly that.

AS TECHNOLOGY MARCHES ON and the corporate network and its number of functions grow, enterprise IT must evolve right along with it, expanding and morphing to cover each new aspect.

The importance of a secure IT environment cannot be stressed enough. The cost of a breach, whether in lost productivity, stolen data or misappropriation of funds, can be enormous. In 2005, reported security breaches cost organisations around the globe a total of US$140 billion (2005 Global Business Security Index Report). And considering that only an estimated one in ten security events is ever reported, it could be much, much worse.

Dr. Hettie Booysen, senior manager of the Sars (SA Revenue Service) risk management division, which addresses the agency's information security concerns, reports having noticed a definite increase in (malicious or harmful code such as viruses, worms and Trojan horses) recently. "It's not only viruses or spam coming through anymore, but also malicious code that exploits vulnerabilities where patches have not been deployed timeously."

The thing to ask yourself is: are you prepared? And one step towards certainty is to ask those in the know, those entrusted with information security in their own organisations.

DIFFERENT FOR EVERYBODY

One point made very clear by all the business and industry representatives we spoke to is that, in the security game, no panacea exists for every company or security threat, nor can one ever be built. Each organisation uses its information technology (IT) differently and with different goals in mind, each has its own regulatory requirements, governance standards and risk profiles, and therefore each needs a tailored basket of information security tools to protect its information assets (data repositories) from attacks.

, group information security officer (ISO) at , touches on the heart of the matter: "Three years ago it was easy to highlight technology areas that needed attention from a security perspective. Now, it's more difficult. Information security requires far more than a point solution.

"These days, having spent time and money on putting policies and training in place, we know our business risks and have much more control over the security-related behaviour of our people. No technology solution exists [that satisfies this end-state of readiness]."

But still, a number of trends did emerge in 2005 which any business could benefit from taking heed of. They are what ought to be the prime focus of the chief information officer (CIO) for 2006 if he or she is to ensure the safety of the company network.

IT SECURITY - AN ENTERPRISE CONCERN

"We've noticed an increase in the number of boards becoming interested in their organisation's security," opens , general manager of the security practice at solution provider . This is because IT security has become a business risk issue, likely to engender substantial financial loss when breached.

, SA security solutions manager, adds that existing and imminent laws, and compliance with them, have further fuelled executive concern. This is true not only for multinationals that must comply with Sarbanes-Oxley, or HIPAA, if in the medical industry, but locally as well, in the ECT Bill and forthcoming Privacy Bill.

Absa's Peasy adds to this: "There is an ongoing wave of new regulations that heavily affects the full breadth of large organisations like Absa. Compliance affects your info-security budget and has a roll-on financial effect. For instance, we have massively increased data storage obligations on promulgation of data archiving laws." He advises minimum compliance "on the first stab", and "sorting out ancillary ripples" later.

Erasmus believes IT security must begin with a thorough investigation of 'security posture', or vulnerability, as defined elsewhere in this issue. And for that to be effective, he says "mature organisations are involving the board, not just the IT department".

Paul Strauss, manager of the Absa information security division, says only by coordinating the security efforts of disparate divisions can a company's information security be effective. And only by establishing clear security policies can this be supported.

WHAT TO LOOK OUT FOR

The threat profile shifted noticeably in 2005. While viruses, worms and the like are still the top concern, IBM's 2005 Global Business Security Index Report found the number of viruses spread via e-mail to be half that of 2004.

"The rise of phishing - targeted or randomly sent e-mails intended to trick the user into divulging sensitive information - and spyware - which collects and distributes data unbeknownst to the user - was alarmingly pronounced during 2005. From one in every 943 attacks in 2004 to one in 304 in 2005, this marks a threefold increase," says IBM certified consultant in the security and privacy infrastructure practice, Alkesh Patel.

But as scary as this sounds, solutions have become sophisticated enough to deal with malware. Absa's Strauss says the effect on the bank's has become fairly minimal. So what are the real threats?

MOBILE MANIA

The rapid proliferation of mobile technologies, such as BlackBerry devices, smartphones (cellphones with computing abilities) and now, dual-mode WiFi (wireless network) cellphones, has led to the effective dismantling of the old perimeter-based approach to network security. Not that this matters much. The perimeter model (keep the outside world out) has after all failed to address internal threats, from which most breaches stem.

Peasy comments: "All we can do [about securing mobile users] is ensure that rigorous processes are in place. The mobile threat is still largely unknown. We simply cannot know what we don't know. We strive to strike a balance between [security and user mobility and freedom], and foresee a lot more focus on the systems management of mobile technologies."

To prevent the loss of enterprise intellectual property in the event of a mobile-borne exploit, today's network security models are moving perimeter security solutions (such as firewalls) onto each workstation connecting to the central network. Personal anti-virus, firewall and intrusion detection software packages minimise the user-introduced risks of malicious code, while the core network defends itself in a more robust manner. Networks themselves often have much of this functionality hardwired into switches and the like.

"There are two ways of responding to mobile threats," says Middleton. "The first is policy, the second is through technology."

Booysen believes mobile devices are not as much of a threat as many say, and says the media is often guilty of hyping the problem. "The resultant awareness however helps; when these technologies do get used, information departments often already have security policies for their use and deployment."

GOVERNANCE

All these approaches fall under the umbrella of good IT governance, a multi-layered term covering all technologies in the enterprise, but also established corporate security policies.

Effective vulnerability management practices play a crucial role in IT security governance, as the blended threats hitting the network today propagate faster than ever. Often vulnerabilities are reverse-engineered and exploited within 24 hours of being discovered - known as a zero-day threat release. By contrast most organisations do well to deploy patches within seven days.

"An effective vulnerability and patch management process is critical," says Patel. "For this to work efficiently, IT management and security management cannot remain separate."

For Absa, policies and processes were found to be invaluable during its 'identity management' project - assigning user identity-based roles and systems access rights - currently almost finished. "Our security team in this case leapt ahead of the IT team, [supplying] a staggering number of processes for the solution to deliver what we required of it. But we discovered that without processes, identity management will fail," stresses Strauss.

ID management has another benefit, aside from good user authentication on a system. In the past, systems like firewalls, intrusion detection and prevention ran as silos. Each generated reams of 'logs' (incident reports) as they went about their tasks. Enter ID management-enabled incident management, and this greatly relieves the stress.

"A unified reporting infrastructure is definitely a strong need in most organisations today. Through this manner of automation the risks of administrative errors are almost entirely eliminated," explains Booysen.

A CLEAR FOCUS EMERGES

Easily the most critical aspect of information security for the CIO to address in 2006 is in fact a soft issue. As IBM's Patel neatly summarises: "Awareness, awareness, awareness. You just can't have enough user education or communication."

It is the people who make up the enterprise that must remain the key focus of an effective information security architecture.

Adds Booysen: "We're seeing the 'low-hanging fruit' or 'easy win' today as not the technology itself, but the people."

Booysen closes: "The other thing organisations must focus on this year is getting security standards, policies and procedures in place and applied consistently across all platforms. With these basics right, security becomes an integral part of any new technology implementation."
