Master Class: Hidden dangers - part 2

CRN's security debate continues with a look at the dangers of instant messaging and malicious mobile code.

Taking part in the debate:

Steve Adams, head of messaging compliance and security at HarrierZeuros.
Arthur Barnes, principal consultant at Diagonal Security.
Gareth Blinkhorn, e-service desk manager at System Software Solutions.
David Ellis, director of e-security at Unipalm.
Geoff Haggart, European vice president at Websense.
Nigel Hawthorn, European marketing director at Blue Coat Systems.

CRN: How commonplace is IM now, and how much of a problem is it becoming?

Blinkhorn: There are 50 million people using it worldwide. I think (analyst) the Yankee Group has estimated it's going to go up to about 180 million in the next three years - that's consumers and business.

Hawthorn: The thing about IM is that it is a fabulous business tool, especially if you are in a very distributed organisation.

Ellis: There is also ROI that can be shown, in reduced telephone calls. So there are measurable gains to be made from IM. Gartner says 70 per cent of enterprises have some form of IM running. Osterman Research did a survey in the UK and spoke to 102 firms with more than 1,000 employees; 93 per cent were running IM. This is a corporate issue.

Adams: If I'm sending you an IM message it goes out across the public internet, plain text, through a server, before it gets delivered to you. So that's very easy for someone to snoop on. We could be exchanging financial information and they could break into the conversation, cut me off and carry on the conversation with you, extracting money from your bank into theirs.

Hawthorn: The real threats of IM right now are things like logging and the potential loss of intellectual property, when somebody might communicate something outside the organisation; time-wasting, when people are communicating with their friends rather than with their colleagues; the possibility of viruses being brought in through attachments; and the use of voice and video. We could have a PC on in this room right now, listening to this conversation and broadcasting it out over IM, with no controls.

Ellis: And the scary thing is that a lot of companies don't even have any regulations for the use of IM. Most of the threats are the same as for email, but if you look at IM, no one is regulating it.

Blinkhorn: It is incredible, the things you could do with IM, and it would just go straight out of the company with no problems at all.

CRN: How can you control it?

Adams: We put proxy-based products in the middle of the conversation that regulate what is exchanged. We can introduce content controls such as virus checking and lexical analysis on the words; we can control the granularity of functions that people are allowed. A given user may be unable to assign themselves off-line or idle.

Ellis: One of the big problems is that, because it's not been driven by the business and given to users by IT - certainly in some of the larger companies - it is popping up unregulated and people are just installing it on their PCs. In a lot of cases, the IT security people are just sticking their heads in the sand.

Barnes: And of the seven per cent of companies that say they don't have IM, probably six per cent do - they just don't know. A massive education process is going on.

Ellis: It is about articulating the benefits that you get from using IM productively, and weighing them up against the costs of using it in a safe manner. There are pretty easy calculations that can be done to show the cost-savings.

Hawthorn: For resellers, the best place to start is to find out how many messages have gone backwards and forwards, how many people are using IM, and how many attachments are being sent, and then finding out if this is something I need to regulate and control.

CRN: What is malicious mobile code (MMC)?

Barnes: MMC is typically a bit of JavaScript or something that is resident on a web page, and it promises you something: "Download this and you get access to X." It may install spyware or wipe the contents of your hard drive. Remember, you've given it permission to be installed on your machine, so the access level that it is granted is quite high.

Blinkhorn: You get quite harmless things that reset your home page or search engine, or add things to your favourites. It can be as harmless as that, but it can also go right up to having full admin access to your hard drive and formatting.

Barnes: The oldest trick is that this code switches off your modem speaker, then changes the number to that of a Hungarian premium-rate ISP at £9 per minute. You dial up, thinking it's your regular ISP. It can be as sophisticated as that.

Ellis: Once you make the decision to click on a link, the threats are very broad. You can manage that risk, though, and control where users can go. Websense has a product that enables you to stop people visiting sites that are infected with MMC, and you can do basic things such as set up Windows to prompt you before running ActiveX or Java, or prevent that code from being run.

CRN: What is MMC designed to do, usually? Will it do any damage?

Hawthorn: There are some examples on www.finjan.com. Some are pretty frivolous but another will try to format drive A. Change that to drive C, and that's nasty.

Haggart: We check websites for certain things, such as whether there's some code there that's writing to a hard disk, or whether there's some code that's accessing the registry. Thousands of sites have got that kind of stuff. Again, it may be fairly innocuous, or just annoying, but the potential is there. I'd say five to 10 per cent of users have protection from MMC.

CRN: What's the issue with peer-to-peer?

Haggart: There is no place in anyone's business for peer-to-peer at all. It delivers no benefit to any business whatsoever.

Blinkhorn: It is an epidemic of bad things coming into your organisation. You really don't want porn; you really don't want illegal software being downloaded.

Ellis: This has become more of a problem because people have got more bandwidth. People have got Digital Subscriber Line at home and companies have bigger pipes. Because of that, it is usable.

Haggart: The applications are more sophisticated. When it was Napster, it was just music; now it's anything and everything. Companies think they are blocking access to a port but someone can go onto a site and download some fairly bad stuff.

CRN: How easy is it to stop peer-to-peer?

Adams: You can't block it by port. You have to analyse the protocol.

Haggart: And also stop the applications running on the desktop.

Hawthorn: Just one user can be using a huge amount of bandwidth, so you don't need to find that 90 per cent of your users are using peer-to-peer; you hit that problem a lot sooner.

Haggart: If you go on and try to download Lord of the Rings or whatever, it will go off and download it from 20 or 30 different sources simultaneously. It will use all the bandwidth you can throw at it.

Adams: And it is bypassing all the content filters that you've got in place so you could be bringing in viruses, Trojans - all sorts.

Barnes: It is actually a fairly well-used vector for viruses now.

Ellis: Companies will often take lots of measures to protect email and other routes but won't do anything about peer-to-peer.

Hawthorn: All of these areas are interesting to VARs and potentially lucrative. Educating your customers about potential threats, then consulting with them and supplying them with products to solve those problems, carries a lot of value-add. It will be a really good place, over the next year or so, for VARs to generate business.

Barnes: It has to be a consultative approach. Users must understand the problems. But when you've come out of the blue with it, and it's not on their budget, it is typically a lengthy engagement process. The customer will prioritise what's important to them and deal with that first.

CRN: How do you avoid selling fear and building cynicism about security?

Barnes: You can come across as being Big Brother, so we don't say, "You can't do this, you can't do that." We use a productivity argument, and once we've raised awareness, people want to address it.

Blinkhorn: We push training to the sales guys so they can raise awareness with our customers. That way you are pushing the customer in the right direction. Hopefully, they will come back to you when they can see the problem for themselves.

CRN: Won't all VARs have to address these areas, and do you need specialist knowledge to deal with these emerging threats?

Ellis: They need to look at where their core focus is and whether they want to invest now to get into the market or wait until it matures and there's greater customer-awareness but, potentially, lower rewards.

Barnes: It is an educational process around the sales people. A lot of people don't see these areas as threats yet. They see IM as a handy tool and they don't understand what peer-to-peer is. Yet I'm betting there are plenty of VARs out there that have these issues themselves.

CONTACTS

Blue Coat Systems (01276) 854 111
www.bluecoat.com

Diagonal Security (01256) 869 000
www.diagonalsecurity.com

HarrierZeuros (01256) 760 081
www.harrierzeruros.co.uk

System Software Solutions (0121) 453 0033
www.system-software.co.uk

Unipalm (01638) 569 644
www.unipalm.co.uk

Websense (01932) 796 001
www.websense.com