Master Class: Hidden dangers - part 1

Security threats are emerging in the form of spyware, malicious mobile code, instant messaging and peer-to-peer. CRN brought together some leading IT figures to discuss their effect. Simon Meredith reports.

Taking part in the debate:

Steve Adams, head of messaging compliance and security at HarrierZeuros.
Arthur Barnes, principal consultant at Diagonal Security.
Gareth Blinkhorn, e-service desk manager at System Software Solutions.
David Ellis, director of e-security at Unipalm.
Geoff Haggart, European vice president at Websense.
Nigel Hawthorn, European marketing director at Blue Coat Systems.

CRN: Why is it important to focus on emerging threats right now?

Ellis: The market has moved very quickly in the past year. It is easier than ever to write viruses, and there has been a big rise in the use of instant messaging (IM), springing up from the consumer market into the enterprise.

The workforce is much more mobile now and people are using different devices, so the perimeter is blurred. And the drive towards broadband has also increased the risk, as has the big increase in use of peer-to-peer computing.

Haggart: In a lot of organisations the executives are simply not aware of the threats that are out there and they don't know what to do about the ones they are aware of.

They have anti-virus software but they still get viruses. They know people are using peer-to-peer and downloading music but they are not aware of the risks that go with that. They know people are using IM but they don't know what to do about it. There is a general lack of awareness.

Hawthorn: The fact that users can now download applications is also a factor. Most large applications, such as SAP and Oracle, can be used with a browser front end; once you give users a browser they can access anything on the web. Peer-to-peer and IM are easy to download and use without sanction from the IT department.

Barnes: Some of these things come from the operating system (OS). If you roll out XP now, IM comes with that, so you have to think about secure builds. Vendors try to add functionality and it's the security guy's job to let you use that functionality safely, but he might not always have the budget and the time to look at the OS, the network, and all the stuff that's coming in and being downloaded; there is an awful lot there.

It's the interaction from the desktop to the internet now, rather than the perimeter to the internet, which has been the traditional security space.

Adams: It is sometimes a matter of budget. You can talk to people about the risks of any particular technology and the security people are often aware of them but are constrained by the budget. They need to convince the people above them to commit money. There's a lack of willingness to do anything about it at board level.

Barnes: We did a survey of customer concerns and one of the biggest was building justification for projects and proving ROI (return on investment). It comes back to this perimeter issue: whose responsibility is this? Is it the network guys or the desktop guys?

Security is moving across the whole spectrum, but there is not an unlimited budget, so you have to prioritise. The consultancy we do is often about building a case to take to the board.

Ellis: Executives will be aware of virus outbreaks and the high-profile stuff but not the other risks: people using their mobile phones to do their email or dialling in from home and not doing it securely. They will know they've got some security in place but won't be aware of the nuts and bolts.

CRN: But you can understand that, can't you? A lot of executives just want the security people to make the problem go away.

Ellis: The problem is security is a moving target and the risks today are different to those a year ago. Things move quickly.

CRN: But cost is always going to be an issue, isn't it? Even the justification exercise is going to cost something.

Barnes: One of the push-backs (from customers) is, "We've bought intrusion detection and antivirus - why doesn't it stop this?" They want to know if it ever ends.

We are playing a chasing game. I work in a testing team so I work on reconnaissance as well as defence, and the fact remains that, at the networking level, security has got a lot better - we are not finding the vulnerabilities we used to find.

If you want to do a successful penetration test now you have to move up the stack to the applications layer. We find some fabulous stuff there. The thing we struggle to test is the desktop environment. We'd have to come inside the network and then it would be very expensive.

Adams: As soon as you solve one part of the problem, the behaviour of hackers changes. And it is not just a management issue; the behaviour of people at the desktop level has an impact as well. People are downloading IM clients and using peer-to-peer, and that's often down to a lack of awareness.

Ellis: There is an opportunity in training and managing people, but you'll always get the employee who will push the limits. My view is that you need to lock the products down to enforce the policy.

Haggart: There has been a lot of talk about defending the perimeter, but what we are talking about now is defending from the inside out and what people can do when they go outside the organisation.

Hawthorn: This is where VARs have a great opportunity - if they can get the customer's IT and human resources departments to talk to each other. Over the years companies have set rules for the use of the telephone, or company cars, or working from home. We need to make sure technology is used in the proper way as well.

Barnes: Security has always been a people business, but it is difficult to show ROI in training people in the fundamentals. Teaching people to choose better passwords is great from a security perspective, but very few firms do it because it is easy to assign a cost to it but the benefit is difficult to track. The other issue is that you train people then they move on, so you have to commit to this for the long term.

Adams: Back in the IBM mainframe days security was great, because users had a green screen that could do virtually nothing. Now we have put so much power on the desktop, it is hard to control them.

CRN: Do companies change their attitude once they have had a bad experience?

Barnes: They do but it wears off very quickly. They forget.

Ellis: Firms may well be protected from the threats that were out there a year ago, but there are new issues now. Spyware is moving up the security agenda, for example.

CRN: What exactly do we mean by 'spyware' and how sinister is it?

Adams: It covers programs that capture keystrokes, or 'adware' that delivers focused adverts to your desktop. It tends to be transmitted to you, perhaps in the form of a spam message. It is hard to control, detect and trap at the gateway.

Haggart: Basically it's something that is going to gather information and send it out of your network.

Ellis: Without you knowing about it or even being aware of it.

Haggart: Most of it is used for gathering marketing information, but the potential for malicious applications is massive. How difficult would it be for an application to search for your budget files on your system? There are cases where spyware has switched on the microphone on the PC and listened to a conversation going on.

Barnes: The classic one was Back Orifice, which was developed by the Cult of the Dead Cow - there were loads of these hacker groups at one time; they are not so prevalent now. Netbus, Back Orifice, Sub-Seven: they were described at the time as Trojans.

Ellis: The difference between spyware and these Trojans is that you would sign up for spyware, usually unknowingly. You go onto a peer-to-peer site such as Kazaa or something and you sign up for it and agree that this spyware can operate on your PC, but it's normally hidden among pages of Ts & Cs - and that's the difference. You've accepted - unknowingly - that this spyware can be run, whereas with a Trojan, you don't sign up for it and don't agree.

Hawthorn: I have a customer example. Gateway in the US put our systems on the network because they realised they had bandwidth issues and the legitimate applications were finding it difficult to get through. They didn't know what was causing this huge amount of bandwidth to be used.

They found the most common website that their PCs were going to was Gator.com, which is the spyware utility that comes with Kazaa. There were huge amounts of data going backwards and forwards, unknown to the users and the IT department, between the PCs and Gator.com.

What Gator does is push personalised adverts to you, so if you go into a search engine and type in the name of an airline, you'll find that a window pops up trying to sell you travel.

You could argue that it's not necessarily malicious, but it is gathering data on your employees and using up bandwidth delivering content that they haven't actually asked for.

CRN: How common is spyware?

Hawthorn: I ran Spybot Search and Destroy on my laptop PC. It checked for 5,800 types of adware and spyware, and found about 14 pieces. But then, Spybot lists Windows Media Player as spyware, because it can pass information back.

CRN: Where is the real threat then? And can we stop it?

Ellis: If you speak to customers, normally the only effect they will see from spyware is that their PC runs a bit slowly sometimes, or they might get some sort of toolbar up that they don't recognise. But that doesn't mean it won't be used tomorrow to gather credit-card information.

Blinkhorn: One of the easiest ways to deal with this is to lock down PCs so they can't install any more applications.

CRN: What's the level of awareness of the spyware issue among users?

Haggart: The percentage of our sales that includes anti-spyware software is fairly low - less than 25 per cent. I don't think the channel has switched on to selling all the options yet, and to going back and updating customers on the latest threats. Spyware protection is a really easy sale when people know what is happening.

Blinkhorn: And it is quite easy to show them with the right tools.

Hawthorn: In all these areas, a channel that can offer assessments to its customers is going to have two great advantages: it is a service they can sell that gives the customer value, and it leads on to selling the appropriate tools and consultancy.

Ellis: I think resellers are trying to catch up and are still coming to terms with other threats. It is early days with spyware, and we need to educate people along the way.

Adams: The approach we have taken is to develop a number of audit services where we say that, for a package price, we will put this device on the network and discover if this is a problem for you. Having proved it is a problem and given a report to the customer you can go back and say, "Do you want a solution to this problem?"