
Bug Watch: No such thing as absolute security

by Laurent Stoffel, Intranode

23 May 2002

Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Laurent Stoffel, chairman and chief executive of French firm Intranode, gives an overview of the current threats and explains why absolute security does not exist.

Security management has become a crucial concern for companies with the opening up of computer systems to the outside world through websites and the growth of online exchanges.

Guaranteeing a high level of confidence to all users, clients, suppliers and partners is a real challenge and, if this challenge is not faced, it will jeopardise the relationships between the various people involved.

Moreover, an increasing number of vulnerabilities are found in systems, increasing the risk of attacks. No company can consider itself to be free of danger.

Statistics from the Computer Emergency Response Team show that the number of newly discovered vulnerabilities continues to more than double each year.

In 2001, 2,437 vulnerabilities were reported, and in the first quarter of 2002, 1,065 incidents have been reported, which is 43 per cent of last year's annual figure.

So why is this number escalating at such a rate, given the variety of security products on the market, and what can be done to overcome this issue?

Firstly, the types of vulnerability which can cause considerable damage, such as viruses, worms, software bugs and poor hardware configuration, have increased. Viruses alone cost industry some $13bn worth of revenue in 2001.

Secondly, attack tool developers are using more sophisticated technologies to penetrate networks. This is making it harder to detect attacks even when antivirus software and intrusion detection systems are used.

Moreover, the community of potential hackers is relatively widespread. In fact, exploitation of the various vulnerabilities requires differing degrees of expertise and computer knowledge.

However, because of the availability of automated operating tools to anyone using the internet, the amount of time businesses have to patch vulnerabilities before another threat appears is decreasing.

The motivation of these hackers is varied: simple amusement, a need for recognition, theft of data, industrial espionage, attacks on brand image, blackmail, etc. These attacks can have significant financial, legal, technical or environmental consequences.

The recent Information Security Breaches 2002 report from the Department of Trade and Industry states that 44 per cent of UK businesses have suffered at least one malicious security breach in the past year.

The average cost of a serious security incident was £30,000, with several businesses surveyed having suffered security incidents that cost them over £500,000.

Security is an interdependent and dynamic problem. Businesses need to be aware that specific solutions are not the answer and that vulnerabilities on networks occur continuously.

Companies need to monitor their networks from an outside-in perspective to reveal weaknesses that are difficult to uncover using traditional methods.

Vulnerability assessment software enables users to optimise risk management and efficiently drive the security of their information systems and associated networks by simply and effectively assessing their security level.

By remotely scanning the internet perimeter of corporate information systems for vulnerabilities, companies can proactively implement countermeasures to manage internet security.

However, absolute security does not exist because the interconnection of networks and differences in systems lead to weaknesses.

Companies must therefore be able to carry out a detailed and objective measurement and analysis of the risks incurred so that they can control and adapt their security policy depending on the constraints of their field.

With the right investment in the right areas businesses can be in a stronger position to minimise their risk of attack, resulting in savings of thousands of pounds.

Do you agree?

 
