abstract
Author: Nemanja Nikitovic
Hacking Team Srl
nik@hackingteam.it
Title: Building a Security Infrastructure - Maximizing Return
of Security Investments
Abstract:
Risks to Business Online
The Internet is critical to business. Companies have no choice: they can
either connect their internal networks to the rest of the world, to
link with customers, suppliers, partners and their own employees, or
they will constantly be a few steps behind the competition. This
"step forward" opens many new opportunities, but attention usually
turns only later to the elements of risk that it involves.
At the very moment you connect to the Internet, the Internet connects to
you. Through this connection, companies face for the first time
malicious hackers, Internet criminals and Internet-based industrial
spies. These "predators" have been present since the first days of the
Internet and have always represented a continuous threat to
both companies and end users.
What are the risks? They are intellectual property theft,
nonfunctioning of mission-critical systems, financial losses,
serious damage to the company's name and reputation, and loss of clients'
confidence. Until companies successfully mitigate such risks, they
will not be in a position to take advantage of the Internet's full
potential. The risks companies are exposed to by the act of
connecting to the Internet have to be understood, mitigated and
accepted. Being an Internet company implies straightforward
advantages. The discovery of new markets, new clients, new sources
of profit and, last but not least, new ways of doing business are
benefits that companies just cannot ignore any longer. But, as we
said, risks need to be mitigated. Computer security is the key to
mitigating risks and unleashing the Internet's full potential. In other
words, computer security is the enabling factor for doing business
over the Internet.
Direct and Indirect Losses
When talking about risks, we usually have in mind direct losses such
as theft (of money, trade secrets, company information, digital
assets) and productivity losses (corruption of data, diversion of
funds, recovery and continuity expenses). For instance, everybody
remembers when the "ILOVEYOU" virus spread: thousands (if not
millions) of users were infected. It caused a 10 billion dollar
loss. Or when eBay, Amazon, Yahoo and others were shut down for
hours in 2000.
More insidious and long lasting are indirect losses. They are
secondary losses (loss of potential sales, loss of competitive
advantage, negative brand impact, loss of goodwill) and legal
exposure (failure to meet contracts, failure to meet privacy
regulations, illegal user activity, officer liability). For
instance, when Microsoft was attacked in October 2000, it spent much
more money (trying) to restore clients' trust than to fix the
technical problem.
The Security Market
Traditional security systems just don't work anymore. The market
that deals with Internet security, a huge and profitable market,
peaked in the past few years, and thousands of new products and
services were released. Nevertheless, product-based security is
usually very fragile.
Every day new ways of attacking computer networks are found, and
their number is directly proportional to the number of (security)
products available on the market. Most of the largest (security)
companies, in fact, have a strict Anglo-Saxon strategy when it comes
to security. Their strategy prioritizes time-to-market and new
product features, neglecting extensive testing and robustness.
What is more, most computer security is sold as a prophylactic:
firewalls prevent unauthorized access to the network, smart cards
prevent impersonation of legitimate users, and intrusion detection
systems prevent undetected illegal activity. Seen as a whole, this
is a very strange marketing strategy. A car alarm was never sold
under the slogan "This alarm makes theft impossible". No one ever
asked to buy "a special device that prevents murder". But this is
the way computer security products are sold. Companies regularly try
to buy "a device that prevents hacking of their systems", which is,
from an expert's point of view, even less possible than "a special
device that prevents murder".
Real security is what most companies lack. Ten years ago, the
situation was simpler. At that time, very few knew about
denial-of-service attacks, and there was no mention of the problems
that later appeared in frameworks such as Outlook Express. Today,
security systems are becoming very complex. They are composed of
firewalls, intrusion detection systems, smart cards, VPNs, wireless
components, new services, etc. Innovative products themselves can
jeopardize the level of safety: there are thousands of them, and
new ones appear every day. Even after all the chaos in the security
market, it can still be heard from CEOs: "Of course my network
is safe. We bought a firewall." But, from the hacker's point of view,
successfully exploiting one of the security problems is usually enough.
Ethical Hacking
In order to approach this complex and sometimes chaotic scenario,
one of the most popular services offered by my company is Ethical
Hacking. This service is focused on detailed security testing by
means of simulated attacks, carried out at the client's request. Ethical
hacking has the goal of challenging the client's security infrastructure
and, where possible, correcting the mistakes introduced through
security bugs, human error and the passage of time in a confused
security market. Some of our clients are large and world-known
institutions. The point of ethical hacking could be posed as follows:
"What would the consequences of an attack on my network by malicious
hackers really be?" Or: "Is my security infrastructure really working?"
The results of an ethical hacking activity are usually very
surprising. For instance, the simulated attack goes totally
unnoticed most of the time. It is not uncommon that we are able to
access company confidential information (such as the payroll
database) or mission-critical information (such as
intellectual-property data). It is also not uncommon that we
completely defeat firewalls, public key systems, hardware token
systems, company proprietary security systems, etc.
Second mover advantage
Western European companies have been following the security market
trend for many years, and few have never experienced
serious losses from security problems. Their security
infrastructure has been developed from different sides and was
subject to countless interventions. In other words, their security
model was built "bottom-up", that is, going from solving actual
contingencies to policy generation. Though unavoidable, this was a
troublesome and inconvenient approach.
Serbia and Montenegro is a country in transition, quickly adopting
modern IT environments. Since it is a "second mover" with respect to
other countries, it can capitalize on others' experience in order to
build up a modern and efficient online business infrastructure,
maximizing the return on security investments.