Hack to the future

by Brian Davis

Electronically stored information is probably the most valuable asset in many firms. It is also vulnerable to attack, both from outside – by hackers or viruses like the ExploreZip worm – and from within, as information can be copied, deleted or modified in seconds by employees. And as electronic business on the internet increases and networks expand, so the vulnerability increases.

Ian Stewart, security marketing manager of Farnborough-based Siemens Computer Systems, says: ‘With the rapid growth of open IT communication and new applications such as electronic commerce, IT security is becoming a necessity.’

A vast range of security options are on offer to protect information from outside attack and inside malicious abuse – from firewalls and digital authorisation systems to encryption. But there is no uniform approach, or guaranteed solution, for keeping systems secure.

Andy Campbell, managing director of London-based data security vendor Reflex, blames the rapid spread of ExploreZip – a virus delivered as an e-mail attachment which, when opened, copies itself onto the hard drive and starts destroying files – on a false sense of security instilled by the ‘100% protection’ claims of some anti-virus software vendors.

He says the answer lies with generic solutions such as his firm’s Reflex Disknet Data Security for Windows NT, ‘as it prevents the creation of unauthorised programs or modification of selected files on every hard disk.’ But this sounds like another challenge to hackers.

Campbell has little time for security experts: ‘Their advice can often be summed up as: (1) draft and implement a security policy; and (2) use an up-to-date anti-virus scanner. However, this strategy has been tried over many years and hasn’t worked.’

This hasn’t stopped security from becoming very big business. Security scanner developer Christopher Klaus built up a £200m fortune by the age of 27 by tackling hackers. He dropped out of the Georgia Institute of Technology to set up Internet Security Systems (ISS), which now employs 500 world-wide. Its flagship products are Internet Scanner, a ‘virtual hacker’ that probes systems for weaknesses, and Real-Secure, an intrusion detection system popular with automotive and aerospace firms.

Kevin Black, ISS European marketing director, says manufacturing is trailing the financial, telecommunication and government sectors in coming to terms with e-business security. ‘Traditionally, security has involved building a fence around yourself, like a firewall, but the biggest problem was often internal abuse,’ he says. ‘This approach no longer works, as you want to make networks more accessible, but protect them from risk.’

Traditional tools like access control, authentication and encryption still have a role, but security needs managing more dynamically, Black says. ‘It’s like having a glass door and needing a steel shutter over it in case a criminal tries to drive a Land Rover through it at 2am. Security must be an enabling technology, so you can safely open up networks based on the level of risk you’re willing to accept.’

Russell Paul, marketing director of Reading-based MessageNet, says: ‘Companies can’t keep up with all the new viruses. If you haven’t got the latest virus checker, you’re not protected.’ MessageNet has just launched a service called e:)scan, which it claims is the first of its type in Europe. This checks all incoming e-mail for viruses, unwanted e-mails and large attachments which may clog up disk space.

Firewalls, such as Gauntlet and Cyberguard, can protect internal systems and ensure only authorised users get across the boundary – but they are not infallible. ‘Bugs which need fixing are discovered nearly every day,’ says Stuart Hayes, an IT security consultant with UK company Insight Consulting.

He suggests reducing the number of e-mails coming in using a package such as Mimesweeper from Axent, which opens e-mails and virus scans them. He also points to software which can check information leaving a firm by identifying phrases, terms and names.

Hayes estimates that the cost of a virus clear-up can be about £50,000 for a small network, and much more for a bigger business if a good security policy isn’t in place.

Malcolm Skinner, European product marketing manager for Axent, says: ‘Security was always seen as an overhead, but with the emergence of e-business, it is now seen as a business enabler. If we are secure then your company can do business with us.’

Axent has a $101m (£64m) global turnover and sells security products including the Raptor firewall, intrusion detection products such as NetProwler and vulnerability assessment tool NetRecon, which acts like a hacker to identify the weak links in a network. However, Skinner admits: ‘No matter what firewalls are put in, there’s always a way around it.’

The biggest growth area for security software is e-commerce between businesses, a market which consultant IDC estimates will be worth $43bn this year, compared to $8bn for consumer e-commerce.

People ignore e-business security at their peril. As Skinner says, ‘It is impossible to have 100% security, but you need to balance risk against your business requirements.’