
IT security: From cottage industry to organised crime

  • Sunday, August 16 - 2009 at 10:05

Read too many reports on IT security and you could end up a quivering wreck. What with hackers threatening to take over systems for nefarious purposes, criminal gangs intent on stealing valuable information and insiders engaged in fraud, data theft, sabotage and stupidity, the problems can seem insurmountable.

By Jim Mortleman

But although it will never be possible to protect a company fully from these threats, with the right processes, technologies and services in place IT heads can bring the risks down to an acceptable level for a reasonable (although not insubstantial) cost.

So what exactly are the threats and how serious are they? At the most basic level, unprotected systems face attack from viruses, worms, trojans, spyware and other malicious software, or 'malware'.

These are programs that infect your system either via an email attachment, web page, compromised file or application, or via physically connected devices such as USB memory sticks.

There are millions of variants. Payloads vary wildly, from doing no serious damage right through to deleting/stealing data and giving hackers total control over your system (often as a node in a 'botnet' - a network of compromised machines that work together to carry out further, co-ordinated attacks).

The cat-and-mouse game between security specialists and 'black hat' hackers is like an arms race. As security researchers solve one problem, the black hats develop ever sneakier means to stay under the radar.

At one time, countering viruses was a simple case of finding the individual 'signature' of each and adding it to a database of known offenders. Today's malware often uses sophisticated techniques to conceal itself - polymorphic and encrypted malware can bypass traditional detection systems, change its shape and hide itself.

Methods of infection have also become more sophisticated. There's no longer any need to persuade people to open an attachment or download and run a file - your system can be compromised simply by visiting an infected website.

And black hats are using ever more subtle psychological tricks to get people to click on infected links, hiding malware in a legitimate-looking page on an item of current interest, say, then distributing a link via email or, increasingly, sharing it on social networks like Facebook and Twitter.

Adrian Marsh, Managing Director of Growth Markets EMEA at Trend Micro, says: "We have seen more variants of malware over the last 12-18 months than in the previous 19 years of the company's existence combined. Email-borne threats have not gone away, but the fastest-growing means of infection is now via the web.

"Threats are increasing in sophistication by targeting individual organisations, reacting very quickly to high-profile events and blending together different elements such as email, web and social engineering techniques."

Heuristic and behavioural analysis


Most of the key system security vendors like Trend Micro, Symantec and McAfee do a good job of keeping up with known threats. Their layered anti-malware products today not only check files against a database of signatures, but also use so-called heuristic and behavioural analysis technologies.

These can protect (to some extent) against unknown threats, by examining whether a piece of code looks similar to something else known to be harmful or is behaving in a suspicious way (for example, trying to download additional components or change system files). They will never catch everything, and can also throw up 'false positives', but along with firewalls they are a good first-line defence.

Larger Middle East companies and multinationals understand the need for strong levels of security to protect the business. Within these organisations, there is a good understanding of the risks with respect to the importance of the company's information, says Ranjit Rajan, Senior Research Manager for the Software Group at analysts IDC in Dubai.

'In large companies, CIOs have a good understanding of the risks that they face and the ways in which that information can be compromised. But in the mid to small businesses, there is not that much of an understanding. Most [Middle East] SMEs don't have a comprehensive IT strategy.'

Clive Longbottom, a Senior Analyst at Quocirca, adds: "Some companies in the Middle East see anti-virus software as an insurance cost and they'd rather carry the risk, but in fact the virus threat is the easiest, quickest and most cost effective to mitigate against."

Threats are also becoming much more targeted. Security expert Ross Anderson, author of the respected (among CIOs and IT directors) "Security Engineering", says: "The transition from a cottage industry to organised crime happened in 2004/5. Now people who write malware sell to gangsters.

"Rootkits can't be detected by antivirus software and since the suppliers know the hackers will just come up with smarter technology if they detect these things, they simply don't bother."

In addition, these targeted attacks use ever more sophisticated psychological techniques to persuade people to part with confidential information. That means companies also need to put additional layers of protection around sensitive data, to ensure that if systems or staff are compromised, their data won't be.

Longbottom says: "Data leaks are the biggest growing issue in the Middle East. Because you've got a lot more people who are only beginning to use computers, it's very easy for them to make mistakes and allow sensitive information to go outside the organisation."

Mitigating against stupidity


Trying to educate people in the right behaviours and policies is expensive, difficult and rarely works, he says. Instead, Longbottom advocates the use of data loss prevention (DLP) technologies, which are designed to detect and prevent unauthorised use and transmission of information.

"I think it's more cost effective to go straight for technology that mitigates against stupidity. So if something marked for your eyes only is suddenly being emailed by somebody else in the organisation, the system can either automatically stop it or raise a box in front of them which says something like 'You do realise what you're doing? If this goes out and it shouldn't have, you're sacked,'" he says.

The average spend on information security in the West is around 20% of the annual IT budget, but this tends to be much lower in the Middle East.

However, with threats on the increase many multinationals and Western corporations will increasingly refuse to do business with any organisation that doesn't have sufficient protection in place. Normally, this means demonstrating your conformity with international standards like ISO 200001 and ISO 17799.

Although it's a big step for many, the most cost-effective way to obtain such certification is by outsourcing the management of security to a third-party provider which does have it. However, in the Middle East, which is steeped in geo-politics, it is much more difficult to convince firms to embrace outsourcing, particularly if their data is held externally.

That becomes even harder if data is held outside the country. But as companies in the Middle East increasingly do business with organisations elsewhere in the world, the need for strong security measures and policies becomes ever greater.

And Longbottom believes that Middle Eastern firms in this bracket will need to accept that there are 'external organisations with far better physical and data security policies than they could hope to implement in-house'.

"Looking towards organisations that can manage this [who might not be in the Middle East themselves] is very cost-effective, gets them up and running rapidly and gives them that key differentiator on the market - the ability to say 'Yes, we are secure.'"
