Bug Watch: The new threat

This week Iain Franklin, European vice president of Entercept Security Technologies, looks at the increasing threat that new types of hacking can have on companies. He suggests ways that companies can assess their level of risk and discusses how a change in company mindset can lead to a new approach to security.

During the last 12 months worms, Trojans and viruses have got nastier and more sophisticated. The growing complexity of corporate networks and the severe financial penalties of suffering a breach have also made the challenge of securing the network an ever-increasing headache. Yet security is critical to customer confidence and continued growth in the economy.

The Computer Emergency Response Team (CERT), a federally funded research and development centre in the US, has warned that the amount of malicious activity on the web is climbing at an alarming rate. The total number of reported attacks in 2001 - 52,658 - was almost a 160 per cent increase on the previous year.

A recent survey by the consultant KPMG has also highlighted the ever-increasing cost that security breaches are bringing to companies. According to their survey, each security breach costs UK businesses an average of £77,000. Virus incidents were the most common cause, with 61 per cent of companies falling victim and costing organisations an average of £113,700 and 68 days of lost work.

Incidences of hackers attacking servers directly - rather than attacking websites or networks - through new worm technology will continue to rise.

It is on these servers that valuable corporate data lies, and such attacks take advantage of server and system vulnerabilities. Hackers can then steal or tamper with the vital data that makes up the essence of a company. This year we are certain to see a raft of new hacking exploits, as hackers continue to push the boundaries of their capabilities to create new attack types.

So what can companies do about it?
To start with, companies need to seriously consider the impact that a security breach will have on their systems. By educating themselves on the dangers, IT or security directors can start to assess their organisation's level of risk.

Once the level of risk has been ascertained, they can start to look at changing the company's attitude to security and putting systems in place that can deal with the dangers.

The impact from a security breach normally falls into one of four categories: cultural, legal, commercial or financial. With this in mind there are a number of points within each of these areas that companies should consider when assessing risk.

• Cultural: Do you need to change the way your organisation thinks about security? Are you prepared for internal breaches? Can anyone get into your systems or is access limited?
• Legal: Are you aware of the legal liabilities your company might face as the result of a security breach? Legislation that might apply includes the Data Protection Act, contractual and negligence issues, breach of confidence, corporate responsibility and obscenity laws.
• Commercial: Will your customers still trust you? Will they come back to your site? Can you continue to trade?
• Financial: Can you still operate if your system is down? Downtime is lost time and revenue. What will be the impact on the bottom line? The Nimda virus for example, in its first four days, was estimated to have caused $500m worth of damage.

In light of this, companies are going to have to recognise that the network perimeter effectively no longer exists. It is no longer acceptable to rely on firewall and network protection to protect critical systems.

Companies need to change their mindset: they need to start with the data and think about what the consequences would be if that data were compromised.

Hackers now know that the server is where the real damage can be done and consequently this is where they are increasingly aiming their efforts. Reliance on incumbent systems will leave companies vulnerable not just to new attack types but also to existing techniques - in many companies, it is currently a case of 'ignorance is bliss'.

As an IT issue, security is going to be increasingly in the public eye during the coming months for companies in all sectors. Relying on a firewall and network systems will no longer be enough in the face of increasingly clever, malicious and more frequent attacks. Ignorance of the issues or available solutions will cost companies severely.