
All Quiet on the Virus Front?


are lost in transmission and hence the communication system relies on matching sent bits to received bits by cross-referencing arrival time and transmission time. The receiver sends the arrival of received pulses to the sender by a data link (e.g. telephone), enabling the sender to erase any bits in the sequence that were lost during transmission, thus creating two matching sequences.

The addition of a complementary randomization factor guarantees the absolute security of the transmitted sequence. Each sent pulse is subjected to a randomly introduced 45 degree polarisation rotation, whilst the received pulse is subjected to a randomly introduced -45 degree polarisation rotation. In this way, the sent bit is randomized (i.e. contains no useful information) when only one of the rotators is activated. The sender and receiver compare their records of presence and absence of their polarization rotators and retain only the received bits when both rotated or when both did not rotate. The result is that sender and receiver end up with an identical randomly generated number, termed a 'cryptographic key', that can be used as the basis for encryption and subsequent decryption of conventionally transmitted data.
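The matching and sifting steps described above, as a small simulation (an added example, not part of the original article). The function names, the loss rate and the seeded PRNG standing in for the physical randomness are assumptions; the channel model is the one the text states: the bit survives when both rotators agree and is random when exactly one is active.

```python
import random

def transmit(n_pulses, loss_rate, rng):
    """Send n_pulses random bits; return (sender_log, receiver_log)."""
    sender_log = []     # time slot -> (bit, sender_rotator_on)
    receiver_log = {}   # arrival slot -> (measured_bit, receiver_rotator_on)
    for slot in range(n_pulses):
        bit = rng.getrandbits(1)
        s_rot = bool(rng.getrandbits(1))       # random +45 degree rotation
        sender_log.append((bit, s_rot))
        if rng.random() < loss_rate:
            continue                           # pulse lost in transmission
        r_rot = bool(rng.getrandbits(1))       # random -45 degree rotation
        # Both on: rotations cancel. Both off: pulse untouched.
        # Exactly one on: the measured bit carries no information.
        measured = bit if s_rot == r_rot else rng.getrandbits(1)
        receiver_log[slot] = (measured, r_rot)
    return sender_log, receiver_log

def sift(sender_log, receiver_log):
    """Public discussion over the data link; return both sides' keys."""
    arrivals = sorted(receiver_log)            # receiver reports arrival slots
    # Sender erases lost slots, then both compare rotator records.
    kept = [t for t in arrivals if sender_log[t][1] == receiver_log[t][1]]
    sender_key = [sender_log[t][0] for t in kept]
    receiver_key = [receiver_log[t][0] for t in kept]
    return sender_key, receiver_key, arrivals

def run(n_pulses=2000, loss_rate=0.3, seed=2002):
    """Constructed run: a seeded PRNG replaces the physical randomness."""
    rng = random.Random(seed)
    s_log, r_log = transmit(n_pulses, loss_rate, rng)
    s_key, r_key, arrivals = sift(s_log, r_log)
    # Before sifting, arrived bits can disagree where one rotator was active.
    raw_errors = sum(1 for t in arrivals if s_log[t][0] != r_log[t][0])
    return s_key, r_key, len(arrivals), raw_errors

if __name__ == "__main__":
    s_key, r_key, arrived, raw_errors = run()
    print(f"arrived={arrived} raw_errors={raw_errors} key_bits={len(s_key)}")
    print("keys match:", s_key == r_key)
```

Only arrival slots and rotator settings cross the data link; the bit values themselves are never exchanged, yet both sides end with the same key.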

At present, the system is confined to relatively short-range communication, but it only needs electronic engineering to extend it to satellite ranges. This would represent a significant breakthrough in secure global communications, for it would render covert monitoring futile.

The trial was also exciting from a scientific perspective because it was the first pure application of quantum mechanics. It is true that quantum effects are significant in a number of existing processes, notably semiconductors, but in these cases they are merely properties that have to be taken into consideration. Quantum cryptography exploits the properties directly.

There are other potential applications of quantum mechanics currently at an earlier stage of research and development, mostly IT-related. Of these, the one where most progress has been made is for searching large databases, where significant improvements in search times are achievable through quantum parallelization.

But the most dramatic potential performance gains will come in a more specialized application, which is factorizing large numbers, where quantum parallelisation can be exploited to a much greater extent. Ironically, this would jeopardize the security of public key cryptography, which relies for its security on the difficulty of factorizing the product of two large prime numbers. So, what quantum computing takes away from IT security with one hand, it gives back with the other.

All Quiet on the Virus Front?
Julian Bogajski, Sybari

So what are the hot issues in security at the moment? Are companies getting complacent – if so, why? In this article, Julian Bogajski, UK commercial director of Sybari, discusses some of the findings of the recent PwC report, outlining what they mean for the security market.

Network security issues are in the headlines almost daily. The daunting task of measuring how organizations may be open targets for hackers and virus writers is continual, with many recent reports giving corporates some real food for thought. One particular report of interest is The Information Security Breaches Survey 2002, produced by the DTI and PricewaterhouseCoopers, which discusses many of the important issues surrounding the current security market. Reports like this are not only a useful indication of industry trends, but they also help to show the level of end users’ awareness — or lack of it — of possible security breaches. This survey produced some interesting findings which highlight the irresponsible and inadequate security measures that are still employed by organizations in the 21st century.

The first surprising finding from the report states that “34% of businesses are confident they have adequate antivirus protection”. If over a third of businesses have adequate protection then why do we read about new virus attacks hitting companies almost daily? And these are not new (unique) viruses: despite the recent attempts of virus writers to infect JPEGs — a truly unique way of spreading a virus — we haven’t had a new virus strain in over a year. My belief is that we’re due for a ‘headline’ virus such as Klez or Melissa soon — and many organizations out there are still not ready. Even if there isn’t a superbug waiting in the wings to make its grand entrance, virus attacks are hitting harder each year, with the number of successful attacks rising. The confidence of those 34% is misplaced: many businesses simply don’t have adequate protection.

Place your bets…

It’s clear from this one statistic that many organizations have the wrong attitude and approach to ensuring system security. It’s an area where mistakes can be expensive, with a considerable amount of time and money spent on responding to virus attacks. Judging by the increasing amount of virus outbreaks, I’m sure many companies’ security strategy is based on wishful thinking: “if I don’t think about it, it will go away” — or foolhardiness: “it’ll never happen to me”. Neither way is a particularly secure or professional way of conducting business: it’s akin to going into work each day and flipping a coin to determine whether everybody leaves at lunchtime. Heads we win, tails we corrupt half our files on the server and go home for the afternoon. What’s plain to see is that many company directors are gambling with system security on a daily basis. Brave people: I’d prefer to do my gambling in casinos, rather than bet on my network security.

A business will never be 100% secure from virus attack: whilst anti-virus companies strive to ensure the maximum security possible, the act of protection is by its very nature constant, not finite. UK businesses must start to understand that this continuing complacency will challenge profitability. They must look to implement a multi-level security policy that covers and protects networks at all possible entry points, understanding that no one solution can do it all.

You are the weakest link: goodbye

Another lesson organizations have to learn and then preach to their employees is security education. Just as all employees play a part in building a company’s brand awareness and marketing, they are also vital cogs in helping to police the security of its IT systems. Although a majority of businesses recognize that their people are their greatest assets, they have yet to understand that in the world of email security, their people can be their greatest liability — today’s viruses can always benefit from internal email proliferation. Security is considered to be a technical issue: few consider the security risks their staff pose — or address that risk. In the eyes of many employees — and board directors too — the buck for security rests firmly with the IT department. This is no longer the case: security is an issue that the company as a whole must take responsibility for, not just the IT department.

Companies need to adopt a forward-looking approach to ensuring ongoing security. Firstly, IT managers should be given the power to block the worst offending type of files (there are a few security products on the market that enable them to do this). This will do much to remove the risks associated with employees spreading viruses throughout an organization. Secondly, they should take the step of educating employees about potential security risks and the responsibility they have in guarding against those risks. Taking a ‘three strikes and you’re out’ approach to this may be too draconian for many companies, but it’s worth making it clear – in whatever way the company wishes to – that every employee’s actions have a direct impact on the security of their business’s IT systems.

Get a second opinion

It’s not just a company’s internal staff that can help strengthen the security policy. It is often advisable to have a second, independent opinion — especially when many companies hand the task of security to a contractor (many of whom may not have much ‘buy in’ to the result of their work). Registered security experts can ‘audit’ a company’s security systems and judge their efficacy: it’s not enough to buy a product and sit on laurels — badly configured or maintained systems will not provide adequate protection. The most widely recognized accreditation for this is a CLAS listing — this is the Listed Advisor Scheme from the Communications-Electronic Security Group, an arm of the UK Government body, GCHQ. Whilst many businesses would be wary of opening up their systems to external bodies, CLAS consultants are government-registered and have to undergo rigorous ‘positive vetting’ to gain and maintain their registered status.

The good, the bad and the vulnerable

It’s always interesting to see that certain companies are better at protecting themselves than others. According to the PwC report, larger businesses are nearly twice as likely to have procedures for responding to incidents as small businesses, they spend more of their IT budget on security and they tend to be the early adopters of technology. Perhaps this is because most large companies are alert to the threat of ‘glory seeker’ hackers looking to make the headlines with high-profile security alarms, or that an employee spreading a virus throughout a large corporation is statistically more likely than in a small to mid-range company, simply because of the number of employees’ email systems at risk.

What’s the worst that could happen?

It follows that, with less tight security in place, many smaller companies are leaving their systems open to attack. However, the real area of interest is in the mid-range company. In these businesses, security tends to be less policed than in their larger counterparts, but they are still at risk from the hacker and are just as likely to be infected by virus attack. As a result of this, the report confirms that the medium-sized businesses have the greatest incidence of website security breaches. It’s clear that both small and medium sized businesses need to ‘beef up’ their security. It’s no good hoping that a virus attack won’t happen: the question that businesses need to ask themselves is what if it does? For any company, no matter what its size, we estimate that the average recovery time is 21 hours – that’s an expensive gap in security policy.

Playing the numbers game

When companies make mistakes, usually there is a figure attached to the mistake and a lot of explaining — either to the board or to shareholders — as to how it came about. What’s not clear is whether this is true for security breaches. It’s often hard to equate a figure to the cost of a virus attack since many of the measurables are intangible, such as loss of staff productivity, damage to reputation and the damage associated with spreading viruses to partners, suppliers and customers.

Conversely, security spend is difficult to justify. It’s seen as an overhead, rather than an investment, for the same reason: ROI on spend is difficult to quantify. This may explain why security spend is so low — only 27% of businesses spend more than 1% of their annual IT budget on security. Based on global experience, PwC estimate this should be 3-5% and should rise to 10% for high-risk areas such as the financial sector. Perhaps this current low level of spend is because security has traditionally been the domain of IT directors and managers, who have not regularly quantified the benefits and justified the spend on security to those who are ultimately responsible for the allocation of budgets.

Certainly, in order for businesses to protect themselves adequately, this situation must change. Whilst senior management may pay lip service to security as a high priority, until an effective business case is put to them, they are unlikely to put their money where their mouths are. The only thing that will convince them to back up their words with actions is either a sound business case — or a catastrophic security attack.

The future does not look bleak, but nor is it rosy. It’s clear that whilst businesses are aware of the need for security, many fail to educate their staff and under-invest. Armed with a little security knowledge and an even smaller security budget, complacency is rife. And even for those who are not complacent - in many companies, the role of Chief Security Officer has been created - few have managed to fully communicate the responsibility of security to the entire workforce. With 97% of viruses spread by email, security is now everyone’s responsibility. A company’s security needs to be guarded at several points within an organization including at the organization’s important communications hub — the email server. It is also advisable to add several layers of security products and educate an increasingly vigilant workforce. Let’s hope that companies combine multi-faceted protection and education. The alternative is that they learn too late from mistakes.

MANAGING NETWORK SECURITY

You're in a Bind!
Fred Cohen

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

The devil went down to Georgia

I was in Georgia in the US some time ago examining the Georgian state's new counter-cybercrime training facilities and meeting with a group working towards defining criteria for implementing digital forensics. We were discussing many issues related to network forensics and it was an excellent opportunity to meet and engage with cybercops and other digital forensics people from around the nation.

Among the people I met were several of the FBI leaders in digital forensics and state and local investigators who have examined the digital evidence of many crimes over a period of many years.

I want to emphasize that I am not pointing any fingers with regards to the above comment about the devil visiting Georgia, but I will say that among the people I met, there was one person who always wore a hat and seemed very comfortable with the hot weather we were experiencing.

He was looking for a soul to steal

Some months later, I was contacted by an investigator from Florida who had discovered the evidence of what I considered to be a rather serious computer break-in and one that concerned me quite considerably. Someone I had met in Georgia, which is how I got this connection into the article, referred this investigator to me. In this case, someone had broken into a DNS server (Domain Name Servers translate between host names like all.net and IP addresses like 1.2.3.4), and after some investigation, it was determined that, from this server alone, they had broken into some 500 other DNS servers throughout the US.

Now to me, the DNS system is pretty much the heart and soul of the Internet. In effect, if the DNS system is subverted, almost all of the traffic on the Internet of use to almost all of its users comes under the control of the attacker. You cannot find the URL you want to visit, e.g. all.net, and you may be pointed to badguys.org instead! You might be led to a Trojan site (like they did to RSA a few years back), or you could cause network-wide collapse by routing traffic in huge volumes all over the place.