Fight to the Finish

Feb 1, 2005 12:00 PM, BY JACQUELINE EMIGH



Organizations can lose just as much money, and even more, through cyber-abuse as through criminal activities of the physical sort. As hacking techniques evolve more quickly, companies must practically turn handsprings to keep up. The result: Vendors are constantly releasing new and emerging technologies in the information security space — and what's more, organizations are finding it worthwhile to pay for them.

“In comparison to physical security, information security used to be an afterthought. But that's not true any longer,” says Brian Rashed, a senior manager at SSH Communications Security, Boston.

Theft of trade secrets — often involving use of e-mail or other corporate network systems — constitutes one well-known type of financial drain on companies. But other big expenses can crop up when organizations are held responsible in court for information transmitted over their computer systems.

Chevron, for example, paid a $2.2 million settlement to four female employees over a complaint that sexually harassing e-mails were creating a threatening work environment.

In the U.K., Norwich Union made a more than $450,000 out-of-court settlement after an employee sent an e-mail asserting that a company competitor, Western Provident Association, was in bad financial straits.

New U.S. federal regulations — designed either to protect privacy, or to prevent corporate financial wrongdoing — are handing out financial penalties to offending companies.

“The government is imposing some very stiff penalties,” Rashed says. Organizations are grappling with laws ranging from the Gramm-Leach-Bliley Act (GLBA) to the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX).

Meanwhile, Internet-related exploits such as computer viruses — i.e., malicious software code — are turning into big business for some perpetrators. In one recent survey, IT security vendor Symantec Corp. found “increasing convergence between virus writers and criminal activity,” notes Alfred Huger, Symantec's senior director of engineering.

Some of the newer sorts of viruses try to find financial information, such as credit card numbers, lurking on remote PCs. Often, these viruses are embedded in “spam” — or unsolicited e-mails — broadcast over the Internet.

Information security vendors are battling back against these threats with an ever-expanding battery of technologies and tools. “FIPS 140-2,” “single sign-on,” “content filtering,” and “e-mail archiving” are among the list of acronyms and other jargon. And the list is getting longer.

As a physical security professional, how does one understand the many different types of products that colleagues in information security might be called upon to test and evaluate? This task gets a lot easier after realizing that many of these emerging technologies are really offshoots, in one way or another, of the basic tools information security experts have been relying on for years.

The most common weapons in the bag of tricks include tools for authentication, firewall protection, encryption and virus prevention. Essentially the cyber equivalent of access control systems, authentication products require users to prove that “they are who they say they are” before logging on to a computer network.

Over and over again, experts advise organizations that are looking to authenticate a user to require at least two “identification factors,” or proofs of identity.

While authentication systems grant network access to qualified individuals, firewall systems perform the opposite function — keeping unwanted visitors from the Internet out of the corporate network.

Available in either hardware or software varieties, firewalls typically work by allowing IT administrators to screen out traffic from the wrong side of the Internet tracks. They can block all traffic from Internet addresses seen as undesirable.

Encryption technologies are often built into authentication systems, firewalls and other information security products. The role played by encryption is to “scramble” computer data so that it cannot be read by unintended eyes.

Anti-virus products, on the other hand, use software-based “vaccines” to deter, quarantine or otherwise squelch computer viruses and other malicious code.

By and large, experts advise organizations to use a wide assortment of weapons against cyber-abuse. “Layering security technologies on top of each other is your best bet,” Rashed says. “Hackers generally tend to take the path of least resistance. If you make things too difficult for them, they'll tend to give up and go somewhere else.”

Moreover, traditional standbys such as authentication, firewalls, encryption and anti-virus protection simply cannot do the job alone any more, experts say. “Firewalls are doing a good job of protecting networks from outside intruders. But firewalls are not enough. Today, it's easier to hack internally than externally — and most hacks are internal,” Rashed says.

So what are some of the key products and technologies now emerging for information security, and how do they expand on what's gone before?

SSH's Tectia, for instance, is a “secure shell” that brings together many different software tools for secure network administration, connectivity and file transfer. One of Tectia's crowning touches is compliance across multiple operating systems with FIPS 140-2, the latest and greatest of encryption technologies, targeted at mission-critical communications by government agencies, for example.

But Tectia has many customers among financial institutions and other enterprises, too. Voca — a financial institution that processes more than 90 percent of salaries in the United Kingdom — is using Tectia to comply with corporate information security policies that forbid employees from logging in to the network from remote locations without secure authentication and encryption.

Other organizations are deploying the software to comply with government regulatory requirements, Rashed says.

The same holds true for IntelliReach's product line-up, says Lance Urbas, IntelliReach's CEO. MessageArchive, one of several other products from IntelliReach, is geared to storing large volumes of e-mails for quick retrieval, whenever necessary.

One customer is American Fidelity Assurance Company, the largest privately owned life insurance company in the United States. Because the company sells annuity products that fall under NASD and SEC guidelines, it needed to set up formal e-mail archival, retention and management procedures, Urbas says.

MessageScreen, also from IntelliReach, is a software program aimed at using content filtering and a variety of other analytic techniques to ward off unwanted delivery of spam and viruses through major e-mail systems.

Before turning to MessageScreen, Garland ISD — the tenth largest school district in Texas — was getting overwhelmed by spam, Urbas maintains. In August 2003, spam accounted for 66 percent of all inbound messages received by the district. By August 2004, that level had risen to 90 percent.

What about traditional authentication? How are vendors building upon that? One way is through single sign-on, a technology that lets employees use a single password for accessing all of their e-mail and software programs, rather than needing to remember separate passwords for each.

Until recently, single sign-on has posed massive barriers in the cost arena, according to Greg LaRoche, technology manager at Imprivata. But now that's changing, through products such as Imprivata's One-Sign 2.6, a plug-in network hardware appliance for performing single sign-on without expensive systems integration work by specialized consultants.

So for the moment, at least, these are some of the most important technologies emerging on the information security side of the house. But there are plenty of others, too — and the roster is sure to change on a yearly — if not a monthly or weekly — basis.

FOR THE RECORD

About the Companies

For information, circle the Reader Service number (listed below) or visit securitysolutions.com

IntelliReach 26
SSH Communications Security 27
Symantec 28

© 2012 Penton Media Inc.
