No computer connected to a network is completely safe. Any computer that communicates with another, even occasionally, can fall victim to the threats that race around our interconnected world. Hackers live in any country. And the worms and viruses with the cute names--Code Red, Blaster, Nimda, Slammer, Sobig--don't recognize national borders. "There's no difference between the Blaster that hits Europe or the United States," says Gene Fredriksen, VP of information security at financial-services firm Raymond James & Associates, which has offices in several foreign countries. "We all swim in the same pool."
Cultures may differ and languages may vary, but the security threats IT systems around the world face are pretty much the same, according to the InformationWeek 2003 Global Information Security Survey of 2,500 business-technology and security professionals. And the tactics used to fend off those threats are similar the world over.
First the good news. In the 12 months ending in July, virus, worm, and Trojan-horse attacks hit 45% of sites surveyed, down dramatically from 66% in the same period two years ago. Those kinds of attacks occurred more often in South America (55%) and the Asia-Pacific region (49%) than in North America (46%) and Europe (41%). About 15% of sites surveyed suffered denial-of-service attacks, the same as in 2001, but more businesses in Asia-Pacific (19%) and North America (19%) experienced such attacks than companies in South America (14%) or Europe (11%).
As businesses are repeatedly hit by viruses, worms, and denial-of-service attacks that travel over the Internet, it's no surprise that security managers are paying more attention to external threats. Of the 1,255 sites reporting security breaches this year, 58% point the finger at hackers or terrorists (up from 42% in 2000) and 32% cite unauthorized users or employees (up from 22% in 2000). The number of survey respondents who suspect current or former employees declined slightly.
There are regional differences. Businesses in South America and the Asia-Pacific region, which have been getting hit harder by worms and viruses, plan to increase their security spending more than other regions. Some 53% of South American companies and 44% of Asia-Pacific companies say they'll boost their security spending, compared with 39% in North America and 30% in Europe. Only about 10% of companies in all regions say they'll spend less on security.
Most South American (71%), North American (68%), and Asia-Pacific (64%) businesses plan to improve operating-system security. Another top business priority is enhancing application security: South America, 74%; Asia-Pacific, 68%; North America, 63%. The main problem for many businesses is simply keeping up with the number of threats, the speed with which they attack, and the number of patches they must test and deploy to protect their systems. The Blaster worm first struck on Aug. 11 and within a week infected more than 1.4 million systems worldwide, even though a patch was available to protect systems. Clearly, many people--mostly home users, but many businesses and government entities around the world--hadn't bothered to install the patch; those who had installed it helped keep disruption to a minimum.
ABN Amro, an international bank with 3,000 branches in more than 60 countries, understands the importance of keeping security up to date. Following the Nimda and Slammer attacks, "we identified impacts on revenues in the tens of millions of dollars, mostly because of trading systems that went down," says Craig Hollenbaugh, head of standards and controls in the bank's wholesale division.
ABN Amro relies on a technology unit in the United Kingdom to analyze security threats and determine how urgent it is to install patches. Based on the unit's evaluation that Blaster posed a high-risk threat, the bank moved aggressively to patch systems. "We threw everybody at it and performed integration testing to make sure the mission-critical applications worked with the patch," Hollenbaugh says. "We fared well with this one."
Even when the threat is clearly understood and a patch is available, security managers can face resistance. At Prudential Financial Services Inc., which has offices in more than 25 countries, some business units didn't want to take the time to install software fixes. "They were questioning why we were putting them through this patching misery," says Ken Tyminski, chief information security officer. "They had to bring in developers who had to work late, and other projects had to be put on the side."
The cost of being secure can be daunting: Between 200 and 300 application developers did tests to make sure the patch wouldn't hurt Prudential's most-important applications, and more than 150 people spent several days installing the patch throughout the company's IT infrastructure.
Those efforts, combined with tighter security policies, ongoing security-awareness training, and properly placed defensive technology, all worked together to keep Blaster at bay. To improve security even more, Prudential is completing a rollout of 20,000 copies of Sygate Secure Enterprise, which provides desktop firewall and system-security policy enforcement, to remote and mobile employees. That should help the company enforce security policies, as well as increase control over and reduce the cost of managing remote systems, which often provide the hole through which viruses and worms enter company networks. "It was a good feeling knowing it was out there," Tyminski says. "We had another layer of protection in our defenses."
Just like Prudential, about half of all survey respondents say they'll be securing remote users. BT Group plc (formerly British Telecom) is installing personal firewalls from security vendor InfoExpress for 5,000 remote and mobile workers. Currently, BT employees are forbidden from logging on to the Internet or untrusted networks with their notebooks. "This is part of an integrated approach to desktop security," says Paul Washington, a manager and operational team leader with BT Exact, the research, technology, and operations arm of BT Group. "You need the virtual private network, the personal firewall, and the antivirus--all three things--to make a secure desktop."
Another crucial step for multinational companies is to impose standards and policies worldwide. APL Ltd., a subsidiary of Neptune Orient Lines, has a fleet of 80 container ships that serves more than 100 markets around the world. The $3.4 billion-a-year shipper is moving more applications to the Web and exploring products to help defend against Web-based attacks, which analysts say make up about 80% of all hacker attacks.
"We have to do everything on a global basis so there's no isolation on a regional basis," says David Arbo, director of information security. He's looking at an integrated offering that combines a Web-security application gateway from NetContinuum Inc. and application security-assessment software from SPI Dynamics Inc. APL intends to set up a security console to give it a complete picture of security throughout its global operations. "Manually, you can't keep up," Arbo says. "We're stretched to serve so many areas, and we have so many desktops, for us not to have a tool like that."
The company also is looking to improve the physical security of its shipping ports and IT systems. APL uses radio-frequency identification technology for building access, and it's examining smart cards and tokens with RFID-type technology. "We're looking for some sort of token that would serve a dual role for physical and logical IT access," he says. Like APL, many companies want to integrate physical and computer security. Some 35% of those surveyed called it a strategic priority, up from 27% in 2002.
Few, however, have as great a need as the U.S. Department of Defense. The agency has launched an initiative called Common Access Card, which features a smart card enabled with public-key-infrastructure capabilities that runs the Java Card run-time environment on chips with 32 Kbytes of memory. The department has issued more than 3 million cards to military personnel and contractors. They are used to gain access to military bases around the world, log on to computers, obtain medical or other benefits, and digitally sign and encrypt E-mail. The military is issuing 10,000 cards a day at about 1,500 locations in 15 countries and hopes to have 4.3 million cards deployed by the end of the year. More than 150,000 smart-card readers also have been deployed.
"We've always said that we're trying to bring the Department of Defense to the same place that the credit-card world has always been," says Bill Boggess, a division chief for the access- and authentication-technology division at the Defense Manpower Data Center. "Today, you can't buy at McDonald's without them prechecking your card." The department hopes its card will provide that type of swift authorization for its personnel around the world. In addition to protecting against enemy threats, just keeping track of the large number of people entering and exiting military facilities poses a challenge. One base in the Midwest has 400,000 personnel coming and going each day, Boggess notes. "When you're dealing with numbers like 4.4 million active duty and reservists, knowing who they are and where they are when they log on to systems is a huge step forward," he says.
Deploying up-to-date security in the military, where orders are usually followed, may be easier than in the private sector. Users often become complacent when they read about serious worms and viruses and then see little disruption to their companies' IT systems. A security analyst at a major software maker, who asked not to be identified, saw a lot of resistance in the past month. "Some of our business units didn't want to patch. Some pushed back, saying it would postpone other priorities. Some just ignored our call to patch," he says. "Those units were the first to look like the Fourth of July when the worm got into our networks."
Computers throughout the world face the same security threats, thanks to the Internet and global supply chains.
Worms, viruses, and Trojan horses hit only 45% of companies worldwide in the past 12 months, down from 66% two years ago. A greater percentage of companies in South America and Asia-Pacific suffered from these attacks compared with those in Europe and North America.
More companies in South America and Asia-Pacific plan to boost security spending this year than those in other regions.
Improving operating-system and application security is a top priority for companies in all regions of the world.
More automated patching tools could help managers overcome that resistance. "We're looking at ways to push the patch out," says the software-company security analyst. "Next time, we'll have the resources to deploy the patch and the corporate policies to make sure each unit does its part to protect our systems."
Making sure employees understand that security is everyone's responsibility is key, and there's much work that still needs to be done to accomplish that. Yes, deploying sound security technologies is necessary to secure global IT systems. But just as important is enforcing companywide security policies and raising the security awareness of all employees, Prudential's Tyminski says.
A virus, worm, hacker, or insider-gone-bad can strike at any time, and computer users need to understand that every connected computer--and the person using it--is on the front line of the battle. Raising security awareness at Prudential is one of Tyminski's most-important accomplishments during his three years on the job, he says. "When I used to ask who was responsible for security at Prudential, everyone used to say me," he says. "Now when I ask, most everyone raises their hands, because they now know they each play their own important roles."
-- with Steven Marlin
Article from InformationWeek, Sept. 1, 2003.