
Network Security: Ear to the Ground

VoicenData Bureau

It's a cat-and-mouse game between security threats and their solutions. With new technologies come newer security threats. To cope with them you develop solutions. Threats then find holes in them, surpass them, and new threats surface. Again come new technologies to fight them. And the process goes on, a never-ending war.


The enterprise scenario is changing drastically. It is no longer an island operation. Earlier, the only source of threat used to be the outside, and to be secure the enterprise only needed to protect its boundaries. Now the WAN connects all the branches, and users are spread out, using the network from hotels, homes, and cyber-cafes. Mobility has come within the enterprise, and on top of it the enterprise also needs to provide access to contractors, subcontractors, and customers. So the need for connectivity is growing rapidly, and it is not a luxury anymore. The people using the network have to be empowered. But how do we secure it? The old style of perimeter security is obviously no longer the answer.

The Wireless Scenario



Not too long ago, the wireless security debate was essentially focused around wireless LAN or Wi-Fi. Wi-Fi's Wired Equivalent Privacy (WEP) protocol was seen to have flaws. By using freely available hacking tools, Wi-Fi networks could be easily detected. Data flowing through those networks could be captured and decrypted. Most of the issues around the Wi-Fi security debate also applied to PCs, notebooks or the odd PDA with WLAN connectivity.


A Virtual Private Network (VPN) connection is the recommended solution to counter this threat. VPNs can provide an end-to-end encryption solution that would work over both wired and wireless networks, and across any protocols: GPRS, Bluetooth, WLAN (802.11) or fixed-line Ethernet. If implemented correctly with other gateway security applications such as firewalls, VPNs do offer a reliable and robust wireless security framework.

Fast forward to today, and the wireless debate has become more complex. It is not just about WLAN-enabled PCs but also new converged mobile devices such as smart phones with GPRS/Wi-Fi connectivity from vendors such as Nokia, Motorola and HP. In addition, broadband cellular networks and WCDMA networks are coming online, GPRS is becoming almost ubiquitous throughout Asia, and 3G has now found acceptance in East and Southeast Asia. Given the range of emerging devices and the need to include PC access over high-speed wireless networks, how should an organization take steps to protect its mobile data from theft? Are VPNs still the only answer to this conundrum? As it's rare to find any security on mobile devices, they become more vulnerable to threats. "Enterprise resources like ERP, CRM, intranet etc, which are connected to Windows-based and smart mobile devices are more vulnerable and under bigger threat than they are when connected to PCs or cyber networks," says Deepak Prasad, vice president, Global Outsourcing, SafeNet Infotech.

"The mobile phone is now turning into a computer which makes it susceptible to precisely the same vulnerabilities as a PC like viruses, spam and spyware," says Pranay Jhaveri, sales director, F5, India. Mobile devices are increasingly coming under attack from viruses. Mobile handsets with Wi-Fi cards are prone to these attacks as they connect to public networks while also being connected to the organization's network. With almost 50 mn people in India using smart phones and about 6 mn set to join every month, this is indeed worrying.

CIO Watch

Protect your smart phones from threats...

  • Implement an antivirus solution tailored for mobile devices.
  • Keep all smart phone operating systems and software security patches up to date.
  • Educate employees about the latest threats, symptoms of infection, and how to protect their mobile devices.
  • Do not disable your smart phone antivirus protection.
  • Apply best practices for PC security to your mobile device also.
  • Seek IT support if your primary machine slows down following a synch-up with your smart phone.

...and if you don't

  • Some mobile threats involve spyware that can log dialed numbers and record conversations. This exposes employees to invasion of privacy and potential identity theft, and can compromise corporate intellectual property.
  • If infected, mobile devices that are subsequently connected to a "host" computer can open that computer, and the network, to a multitude of additional threats.
  • Some mobile threats leverage the Bluetooth technology to spread without user intervention, which increases the vulnerability of all corporate mobile devices, as well as the network.
  • Mobile device downtime can translate to loss of employee productivity.

Available Solutions



Vendors are providing solutions for different kinds of attacks. Some are offering solutions for end point devices while others have offerings for the traffic, or the way in which data flows from source to destination. There are other players with solutions to secure the corporate networks, and some have only anti-virus solutions. However, the need is for solutions that enable online encryption for online transactions.


Mobile viruses such as Cabir and Commwarrior can spread via Bluetooth. Commwarrior can also spread via multimedia messaging systems. Most mobile phone viruses target handsets that use the Symbian operating system. Infection can be avoided by turning off Bluetooth on a smart phone.

Another feature designed especially for mobile phones is SMS spam blocking, which allows an approved sender list, restricts a blocked sender list, and can block SMS messages lacking a mobile telephone number. Mobile users may also initiate manual scans.

Since mobile devices have become a necessity for all top-rung executives, the demand for security within an organization is growing rapidly. Hence, the first step that most CIOs practice and recommend is encryption of data. Other solutions could be creating awareness, conducting training, and using passwords.


A Holistic View of Mobility



First of all, an organization needs to examine the devices that it plans on supporting, and consider whether the situation might change in the near or mid term, before deciding on a security solution. IPSec VPNs are still valid for PCs and certain mobile devices like the Nokia 9500 Communicator that have inbuilt VPN client software. However, some IT managers may wish to allow devices that their employees have already invested in onto the network. If so, these devices may not be able to use VPNs, as they do not have the requisite VPN client software.

However, there are other solutions available that an IT manager can turn to. All notebooks and the majority of mobile devices today have web-browsing functionality. Generally, these browsers support secure connectivity using SSL/TLS (Secure Sockets Layer/Transport Layer Security), the very same technology used when you are using the Internet to make a secure online payment. SSL VPNs are now readily available to provide an alternative VPN solution, without the need for client software.

"Enterprise resources like ERP, CRM, intranet etc are more vulnerable when connected to Windows-based and smart mobile devices"
-Deepak Prasad, VP, Global Outsourcing, SafeNet Infotech

"The mobile phone is now turning into a computer which makes it susceptible to precisely the same vulnerabilities as a PC like viruses, spam and spyware"
-Pranay Jhaveri, sales director, F5, India

"Right Security Policies should be in place, and should be monitored and fine-tuned as per business requirements"
-Ranajoy Punja, VP, Business Development, Advanced Technologies, Cisco India & SAARC

There are also network appliance technologies that assist in corporate access. These technologies help connect any browser-based device, such as Nokia mobile devices, the Sony Ericsson P800/900 series, Windows Pocket PCs or PCs, with the enterprise over any fixed or wireless medium, even old-fashioned dial-up. The connection is authenticated using secure two-factor methods such as LDAP or RADIUS. The connection is secured end-to-end via SSL/TLS, ensuring that it is encrypted over the air and over the wire. An additional benefit is that the device becomes a "thin client" that views the data on corporate servers. At the end of the connection, no session data is left on the device. This last point is important, given the fact that mobile devices are more easily lost or stolen than laptops or notebooks.

In addition, the more advanced technologies can give users of any browser-based device access to email, attachments (Word, Excel, PowerPoint and PDF), calendar and contacts. The most cost effective solution for an enterprise allows a smooth migration from existing mobile access devices to newer mobile devices, designed to exploit newer performance and functionality. These technologies will support connections from older WAP-based devices to view well formulated XHTML Web pages. Should the IT manager decide to allow users to download attachments or retain emails, this can be enabled easily.


When supporting a mobile workforce, other areas to consider are encrypting the contents or files on the device and installing personal firewall and antivirus software. This gives an organization the confidence that its mobile devices are as secure as the laptops their users carry.

Challenges for a CIO



Today's CIOs and CXOs must manage and mitigate security and privacy-related risks that dramatically affect their profitability, corporate governance and compliance imperatives. From simple yet insidious to complex and pervasive, these security challenges threaten to overwhelm business boundaries and protection mechanisms, thus requiring an increasing share of management attention and IT resources.

The people problem: Part of the problem lies in the fact that employees are not as technology or security savvy as the IT staff and often don't realize when their actions, or lack of them, may pose a risk. A first step in creating a security-minded culture is making it clear why certain security policies are in place. It is important to make sure security measures do not impede business processes. The IT security staff must educate users about why they have to take such precautions.

Communicating risk: IT managers assume that end users know why a certain policy is adopted or a particular Internet habit, such as downloading music files, is banned in a company. The end user may think the policy is in place to prevent bandwidth hogging whereas it's really to avoid a specific virus, so they download after hours and still open up their organization to risk. Security managers believe communicating with business units before establishing policies will ensure that policies are in sync with business processes as well as increase the chances of groups actually following the mandates.

Information flow: There are key partnerships one has to form within the business units and individuals so that they are educated about what information is safe to travel on mail and what may lead to undesired disclosure of confidential information. Other means to exchange information may also be considered. Setting policies on what can and cannot leave the company in electronic format is an important exercise between the CSO and the users.

Adding technology: A security culture cannot depend on people and process alone. Technology available today can help automate policy enforcement, data collection and protection, and help companies short on staff.

Saving future costs: Companies that start honing their security practices today will save money tomorrow. While most companies spend about 3% of their total IT budget on security, those that invest up to around 8% will, within 18 to 24 months, spend less on total security, according to research firm Gartner.

"Security today requires organizations to raise the culture of IT to do things more securely, not to change how others work," says John Pescatore, lead security analyst at Gartner. He also says "expecting end users to think about security in the way that IT needs to, will fail. End users shouldn't have a choice when it comes to operating more securely. The IT team should make those decisions, which should be transparent to end users."

On the vendor front: Customers complain that because they have multiple vendors providing them solutions (and even if there's just one), they ultimately end up working on integrating security and other functions themselves.

IT Priorities



Being proactive on security and availability of the network should be a high priority for all IT staff within any organization. The larger a company, the more it relies on a secure, reliable and scalable data network. If the company has more than one location, the network between the offices should be secured via encryption. External gateways should have firewalls and intrusion detection/prevention to watch for unauthorized attempts to access systems, and alert on any potential violations. Internally, authentication, access control and accounting (AAA) servers provide a centralized user management platform, ensuring that personnel only have access to applications and information that they need. Web and mail filtering technology should be used to ensure compliance with the HR policy, remove viruses, and reduce the load on the mail server from spam.

"Security can definitely be effectively outsourced if done suitably, and after proper due diligence"
-Bhaskar Bakthavatsalu, country sales manager, Checkpoint Software Technologies, India and Saarc

"Companies should outsource expert assistance: vulnerability scanning, monitoring but not management"
-Sajan Paul, head, Technology and Consulting, Enterprise solutions, Nortel

"If everyone could deploy their security solutions themselves, the digital world would be a safer place"
-Niraj Kaushik, country manager, Trend Micro, India and SAARC

Continuous periodic reviews or audits of security policies and vulnerability management are the best ways to judge the security threats, and to manage resources and technology optimization for network security. A holistic approach maintains balance between internal network, perimeter and end-point security strategies.

As the defined line between the internal network and external network is blurred, it is important to have a holistic approach towards security. The architecture should have a layered implementation of security. "Right security policies should be in place and should be monitored and fine-tuned as per the business requirements of an organization," says Ranajoy Punja, VP, Business Development, Advanced Technologies, Cisco India and SAARC.

There is no one-size-fits-all security policy for enterprises. Every organization needs to define its policy based on the challenges it faces and its immediate and long-term focus, like scalability, applicability etc.

A security policy is like a wheel, which includes the following cogs: assess the organizational security posture; assess the impact of a security breach and classify; define a security policy for the organization; test the security policy; implement the security policy; and continuously monitor and refine the security policy.

It is equally important to have end-users educated on the security policies, and the Dos and Don'ts within the network as well as with their hosts/end-points.

Outsourcing: Not a Bad Idea



"If everyone could deploy their security solutions themselves, the digital world would be a safer place," says Niraj Kaushik, country manager, Trend Micro, India and SAARC. However, the problem with such a situation is that there is a shortage of qualified security professionals. Hence, many organizations assign the task of security to a single person or a group whose job role is different. These people treat security as a task to be done when time permits. But security simply cannot take a back seat. This is where the idea of outsourcing the security tasks to a more qualified service provider comes up. But a debate is always there.

The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. While it is possible for companies to build detection and response services for their own networks, it's rarely cost-effective. Staffing for security expertise 24 hours a day, 365 days a year, requires full-time employees who need training and are difficult to come by. Retaining them would be even harder, as attacks against a single organization don't happen often enough to keep a team of this caliber engaged and interested. This is why outsourcing is the only cost-effective way to satisfy the requirements.

Deciding whether outsourcing security is right for your business needs a thorough understanding of both the risks and the benefits associated with outsourcing. "Security can definitely be effectively outsourced if done suitably, and after proper due diligence," says Bhaskar Bakthavatsalu, country sales manager, Checkpoint Software Technologies, India & SAARC. Most operational tasks of security, such as updating firewall policies, monitoring logs and patch management, can be outsourced. "Companies should outsource expert assistance: vulnerability scanning, monitoring, consulting, and forensics, for example. But they should not outsource management," says Sajan Paul, head, Technology and Consulting, Enterprise Solutions, Nortel.

It is always best to control security from the data owner's premises but if security isn't one's core competency, it is advisable to outsource it to experts under predefined SLAs. Services such as auditing, penetration testing, security policy documentation, security solution design and implementation, disaster recovery, education, monitoring and proactive management are best left to the experts, i.e., your outsourcer. IDRBT, IISc, NIC are good examples of institutions which manage security for multiple banking and government organizations.

Outsourcing doesn't guarantee a risk-free enterprise. It may even expose your organization to greater risks, if not handled correctly. But it can provide remarkable benefits in terms of total cost of ownership and operational efficiency.

One suggestion to ensure a faultless outsourcing relationship is to sign a Service Level Agreement (SLA) with the security vendor. Also, impose penalties for failure to deliver. Always ask the vendor for case studies before making a choice. The most crucial element here is one of trust. One must be able to trust one's security provider. Another prime reason to outsource security management is the expectation of receiving better service as there are explicit SLAs in place, which can be enforced. These SLAs are often harder to enforce internally. The service provider has up-to-date hardware and software. Also in terms of reliability and responsiveness, the outsourcer responds and provides services at the promised time; and when users have issues, the service provider is genuinely interested in solving them within time.

Although a security strategy can save the organization valuable time and provide important reminders of what needs to be done, security is not a one-time activity. It is an integral part of the system lifecycle.

The toughest challenge for an enterprise is that there is no early warning system for hitherto unknown threats. Therefore, the enterprise can never be better prepared to meet them head-on with confidence and impunity. Hence, the growing challenge is to protect organizations against attacks that are automated and polymorphic, changing every time, and to keep up-to-date with hot-fixes and patches on a daily basis.

Gyana Ranjan Swain





gyanas@cybermedia.co.in
