e-Security: The way ahead - Cover Story - Network Magazine India Page 1 of 3

Issue of January 2003

Techscope 2003: e-Security


e-Security: The way ahead

India Inc has finally woken up to the security threat. But merely deploying firewalls or
anti-virus solutions isn't enough. Here's how organizations need to strengthen their
defences in the wake of new threats.

by Vishwajeet Deshmukh

A global study by KPMG in 2000 reveals that Indian companies achieved the dubious
distinction of having the highest number of e-commerce security breaches in the world at
23 percent, followed by the UK and Germany at 14 percent. Of the 60 percent of companies that were
victims of some security breach, 21 percent recorded actual loss in revenue. About 58 percent have
still not been able to quantify their loss. According to a PWC-CII study, only five percent of the
survey respondents reported a revenue loss of over Rs 5 million.

Over 65 percent of the respondents admitted to not running security audits on e-commerce systems.
Only 50 percent have incident response procedures in place in case of security breach and 83
percent of the firms that were victim to a security breach have taken no legal action. About 38
percent fail to perform background checks on entities that assist them with development,
maintenance and/or administration of their e-commerce systems.

Almost 70 percent of Indian firms conduct background checks on e-commerce system suppliers. And
72 percent of companies said they were reluctant to report security breaches for fear of damaging their
reputation.

Waking up
There is no doubt that India Inc has woken up to the reality of security threats. In the past year
(2002) the number of companies implementing a security policy has doubled. However, effective
security implementation is still lacking, owing to the absence of a clearly defined security policy.
Merely deploying firewall, IDS and anti-virus solutions is not enough. What is needed is a set of
rules, based on the business objectives of the enterprise, to secure information and systems: that is,
a comprehensive security policy. Further, the policy has to be documented and
reviewed and revised frequently, in line with changes in business objectives and in
technology. In other words, it has to be dynamic.

The PWC-CII survey 2002-03 illustrates the lack of a comprehensive security policy framework
across India Inc, and hence the lack of effective security implementation. To quote from the report:
Though 68 percent of the respondents accorded a high priority to security, only 41 percent had a
comprehensive security policy in place. Worse, about 47 percent of the respondents continue to
operate without a security policy.

This is a fairly large number with far reaching consequences.

Threats
To elaborate, the main areas where companies face a threat are security of online systems, system
availability, confidentiality of customer and company information, and maintenance of the integrity of
data. Further, in an increasingly networked world, it is a no-brainer that any device/client (desktop,
notebook, PDA) that the user connects to in the network (Internet, Intranet, or Extranet), needs to
go through a firewall and an anti-virus system. Also, the entire computing infrastructure (switches,
routers, LAN, WAN, WLAN, Web servers, application servers, databases, etc.) needs appropriate
security protection.

http://www.networkmagazineindia.com/200301/cover7.shtml 07-Jan-08

However, merely investing in security products without a comprehensive dynamic security policy that
is based on the business goals of the enterprise will leave the door open for ever-increasing threats.
Enterprises have to take a top-down approach to frame a comprehensive security policy rather than
treat it as a technological issue in the realm of CIO, CISO etc. The Board and the CxOs must show
commitment to security with a clear mandate through policies.

Security is a process
For this, it is key that the enterprise realise that security is a process. It does not exist
without education and awareness at all levels within the enterprise. Further, implementing security is
an on-going task given that new threats emerge all the time. Hence, the challenge lies in dealing
with the absence of a dynamic security policy coupled with the complexity of technology and the lack
of trained manpower to effectively implement and monitor security systems. Additionally, a bottom-up
approach and a dearth of high-end network consultants do not help matters.

Other than this, organizations need to have a hard look at the statistics on security incidents and
vulnerabilities.

As per CERT statistics, a clear pattern has emerged over the last three years (since 2000). There is a
rising and direct correlation between security incidents and vulnerabilities. In other words, it
indicates that a security incident almost always happened following the disclosure of a vulnerability
and before the vendors could release the patch to be implemented by the organisations. The CERT
statistics translate to 272 incidents and 12 vulnerabilities per day.

Besides this, research sources from IDC, ICSA Labs and Computer Economics indicate that last year
(2001), 83 percent of viruses were spread through e-mail. Now consider these numbers. This year
(2002), the global e-mail message traffic has reached 31 billion. By 2006, it is estimated to reach 60
billion. The clincher: viruses such as Nimda and Code Red self-propagated globally in less than a day.
The economic impact runs into billions of dollars.

Challenge
Hence, the growing challenge is to protect ourselves against attacks that are automated and
polymorphic—one that changes every time—and in keeping up-to-date with hot-fixes and patches on
a daily basis. This point cannot be emphasised enough. If there is a virus outbreak in the US or say,
Philippines, a CEO should consider how rapidly the enterprise security system can respond to the
threat and make it a non-issue. Next, if the company does get hit, of paramount importance will be
the speed with which the infection is cleaned and business resumes. Because the past events have
shown that infection spreads globally in less than a day, a benchmark for cleaning has to be set. If it
takes more than a day, it is unacceptable.

Currently, solutions that provide virus protection at the perimeter (on gateways), servers, desktops
and PDAs, in wired as well as wireless environments, have taken priority in enterprises.
Manageability is becoming the next priority. Solutions that provide centralised control, management
and visibility across heterogeneous corporate networks spanning geographically distributed WAN and
LAN segments are clearly being recognised as mandatory.

To conclude, we live in an inter-networked environment today. There is a growing recognition of
using network traffic to understand performance and security issues at all the levels, i.e. at the
network, server, the application and database level. More enterprises have started using network-
monitoring solutions to identify not only the network bottlenecks but also server, application and
database bottlenecks. We have already started observing convergence of network monitoring tools
that recognize virus signatures. Next year (2003), we will see more of this convergence, but more
importantly, there will be a growing trend for solutions that provide ease of manageability.

The writer is Country Manager-SAARC, Network Associates


© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site
managed by BPD.
