When iWeek asked the experts what information security horrors we can expect this year, a light went on for us. Rather than focusing on a meaningless list of bullet points, citing zombies, spear phishing, botnets and such, why not concentrate on an organisation's readiness to combat them, and its hitherto unattended vulnerabilities? A failure to fix those first is, after all, the greatest threat of them all.

CONSIDERING the growing risk of inadequate information , you'd think that CIOs (chief information officers) would be more worried.

But to most of this ilk, security plays second fiddle to other matters, as most surveys show.

"The reason is simple. Safeguarding the perimeter of your organisation is a given today," says Pieter du Plooy, CIO of Engen Petroleum. "Where for us, protecting against security breaches was a number two priority last year, this year it's moved to number seven on the list".

INTERNAL BATTLEGROUND

"It's simply your ticket to the game," he quips. But this doesn't make it an easy battle. "The next battleground," he says, "is internal. It centres on locking down parts of an organisation's internal IT infrastructure, ensuring that access points like exposed wireless networks and unsecured remote access links cannot be exploited by people with malicious intent."

says organisations don't usually give careful consideration to their internal threats. "Take wireless networks, for example. Most organisations have wireless network hubs scattered across the IT environment, generally connected to a local wired network. The worst part is that these 'hotspots' could potentially be entry points for people with malicious intent.

"If an organisation doesn't have the right level of security on its wireless network, the risk of hackers tampering with systems on the network and gaining access to confidential information is massive," he cautions.

Internal threats also involve the activities of disgruntled employees. , research analyst at , says, "For me, the top two [to look out for this year] are undoubtedly identity theft-related fraud and employee misbehaviour."

IDENTITY CRISIS

"The main reason for the former being such a threat is that more and more attacks are becoming financially motivated."

Stealing a person's identity can give miscreants access to bank accounts, or even his or her employer's mission-critical business systems. To add to the worry, "there's word that organised crime syndicates are leading this trend," Scholtz adds.

His solution? "Companies should look at traditional technical measures like personal firewalls and anti-spyware solutions. But this will only be effective if companies drive user awareness. And as this is part of good corporate governance, it is a responsibility organisations should be shouldering.

"Organisations should also look at better application and business process design. And by improving the ways in which employees and users are authenticated to business-critical systems, many of these issues can be resolved."

Hettie Booysen, senior manager, risk management at Sars (SA Revenue Service) agrees with Scholtz.

"With increasingly more applications and traditional paper-based functionality available online, resulting in systems sharing more information than ever before, customer information is potentially more at risk than ever.

"This provides ample opportunity for identity theft, fraudulent transactions, and even an increase in spam and phishing attacks," she adds.

Booysen adds that these types of attacks are likely to emerge from within areas of the world where computer criminals traditionally weren't prevalent, such as the Middle East.

As solutions, she cites continuous awareness amongst users, focusing on combating social engineering techniques (tricking unsuspecting computer users), methods to recognise phishing attacks and inculcation of general information security principles. "Appropriate control measures must also be implemented to provide protection against spam and inappropriate content," she says.

DONE ME WRONG

The second internal area Scholtz says companies should safeguard against is employee misbehaviour.

"And here, too, the main motive is financial. Employee misbehaviour can involve fraud or selling off an employer's intellectual property, or entail malicious damage.

"The solution lies in better internal and external audits of employee behaviour and the systems they have access to. Once again, training and awareness is a key point. While you can't exactly train this kind of trait out of employees," he admits, "you can make fellow employees more vigilant of their co-workers.

"We're also seeing the emergence of more analytical approaches," Scholtz says, "where data mining techniques are used to identify which employees are more predisposed to this kind of misbehaviour."

FALLING DOWN THE HOLE

Of course, even if employees are loyal, naivety can be a threat in itself.

, Obsidian Online manager, says, "The Internet can be a very unfriendly place, with security threats lurking around every corner.

"This problem is compounded by software vendors that take longer than necessary, in most cases longer than a week, to release patches for serious holes. It makes life far easier for 'point-and-click hackers' to download graphical tools that give them a licence to compromise computers and networks.

"Most often, such tools turn computers into 'zombies', which as the name suggests are in complete control of the hacker, and may be used to launch further attacks or send spam messages," he explains.

"The main remedy against this is education. By making users more aware of where the no-go areas are, for instance, much of the impact can be avoided.

"Also, it's important for organisations to choose wisely when selecting an operating system on which to house their business-critical systems. And they should think twice before installing third-party software, since these could also introduce chinks in the armour," Leaver says.

THE PATCHING DEBATE

Gartner's Scholtz adds that patching operating systems and software as new versions become available is not necessarily the best solution. Patches have in the past been known to introduce further vulnerabilities.

"The best way seems to be a dual approach. Many larger organisations are unable to thoroughly test a patch before rollout. Instead, they implement intrusion protection systems (IPSs), which, on release of the patch, are immediately configured to identify network traffic seeking to exploit the hole. This buys enough time to test the patch, and once satisfied, roll it out."

OUT THERE

While internal security is a main focus area for the coming year, CIOs shouldn't discount external threats.

Citing `` (malicious code, including viruses, Trojan horses and spyware) as the major external threat for 2006, Alexander Forbes' IT director, , says vendors have not risen to the challenge.

"Phishing is another growing trend," he continues. "These are targeted attacks generally using e-mail as the transport medium to get the target to provide information that can be used to steal money or misappropriate information.

"While this is quite a new area, we have already seen a couple of high-profile attacks in South Africa, and the feeling is that it is only going to get worse," Eliot says.

, business technologist: eTrust Security Management at CA (formerly Computer Associates) says he agrees in principle with the top threats as listed by the FBI last year. The highest financial losses were found by the FBI to have been suffered at the hand of virus attacks, unauthorised access, theft of proprietary information, denial-of-service attacks and insider abuse.

BUDGET BLUES

But Rode bemoans a lack of budget devoted to securing the enterprise. "A reversal of this should be top of mind.

"Finally, the threat that I feel should be top-of-mind is the lack of incident response capabilities. Most organisations have logs from perimeter devices like firewalls, routers, intrusion detection and prevention systems - all listing events that run into their millions per week.

"The sheer volume of data to analyse and the lack of skilled resources to deal with issues pose a significant threat." Rode has discerned large-scale denial of the problem, but says compliance legislation will force the issue. "It is then that we will see the hurried deployment of security event and incident management solutions," he says.

, head of security at Faritec, has a solution. Faritec runs a security operations centre (SOC), and offers managed security-related services, taking much of the pain away from the IT manager. "The ability to correlate information from events across the enterprise is a key responsibility. From our SOC, we collect information from as many points in the customer's enterprise as we want. We then analyse this data - against known attack 'signatures' and patterns - and take action based on the results that are generated.


