The use of the Internet as a route to market is well established, with more and more organisations now realising significant revenues from their online presence. But many experiences tell of a growing struggle to wield the sharpest of double-edged swords. On one side are the enormous commercial benefits of using the Internet as a sales channel, on the other is the spectre of increasingly sophisticated cybercrime threatening the very existence of the business.
As a provider of managed hosting and security solutions, Globix has witnessed the evolution of security threats first hand. Where once hackers sought only notoriety among their peers, many are now backed by organised crime and use extortion for direct and immediate financial gain.
The impact of a security breach can be devastating, exposing confidential customer data and violating local jurisdiction privacy laws. Not only can this adversely affect revenues and brand integrity, it could also result in criminal prosecutions against the company’s executives.
As attacks have evolved, so too has defence. Physical security, such as biometric access and CCTV, is still important, but today the most significant threat to any online business comes from the exploitation of vulnerabilities in a company’s web infrastructure and applications.
At the network level, the growing threat of Distributed Denial of Service (DDoS) attacks has spread from the online gambling market into other industries. In fact, recent research suggests that e-tailers now account for over 16% of victims, a more than fourfold increase since the end of 2003 (Symantec Internet Security Threat Report, 2004).
Given some of the inherent weakness in off-the-shelf applications, the time-to-market pressures faced by development teams and the demand for feature-rich functionality, it should come as no surprise that vulnerabilities will exist in production code.
As more organisations embrace alternative technology platforms like iTV, wireless and mobile to reach larger customer bases, hackers will seek to exploit their vulnerabilities. With some operating system source files freely available online, there are already examples of fat-client smart phones being ‘hijacked’ in the same way PCs are for DDoS attacks.
It would be misleading to suggest that all Internet security issues arise because of technology vulnerabilities. Many breaches (over 70%, according to Gartner) originate from staff within the organisation. While authentication and encryption technologies can help minimise this risk, somebody still needs access to sensitive systems and data for administration and maintenance purposes. As long as this is a requirement, the threat from disgruntled or plain incompetent employees will continue to exist.
So what can a business do to reduce the security risks in today’s challenging online environment? Organisations need to adopt a layered approach to security, considering the physical, infrastructure and application layers alongside bespoke code. Globix’ approach is to conduct a vulnerability analysis at each layer to build a risk profile, enabling informed investment decisions to be made that improve the overall security strategy.
At the infrastructure and network layer, a well-managed Intrusion Detection System (IDS) adds a great deal of value for non-intrusive monitoring and provides early warnings of potential threats. In the event of a threat becoming reality, well-designed, monitored and correlated IDS systems can provide invaluable forensic data to support criminal investigations. Intrusion Prevention Systems (IPSs) and DDoS mitigation solutions provide proactive protection from both probing and targeted attacks.
At the application layer, the prohibitive cost and potential service disruption of re-engineering production application code will force many organisations to deploy application firewall technology.
The security market for alternative distribution platforms is still emerging but a move back to thin-client smart phones, where application code is centralised and therefore easier to protect, will certainly help.
Finally, organisations should re-evaluate and assess vulnerabilities in their wider business and HR processes. Remedial actions such as new employee security checks, locked-down system access and clean desk policies should be used to augment existing security best practice.
The underused Computer Misuse Act provides a robust legislative framework for bringing criminal prosecutions against the perpetrators of cybercrime. While there is satisfaction in seeking reprisal after a security breach, it’s a bit like locking the stable door after the horses have bolted. Why wait until the damage is done before taking action?
Globix understands that robust and reliable security is a key factor in deciding to outsource the management of your Internet infrastructure. Maximising the commercial benefits of the Internet is vital, but maintaining the knowledge, tools and techniques to manage your security strategy effectively is a full-time job that many companies can’t afford to allocate resources to. That’s why Globix offers a full suite of security services ranging from threat assessments to intrusion prevention and DDoS protection. We stay vigilant even when you can’t be.
By Paul Court, Operations Director, Globix UK