Security Starts With Hard Thought, Not Hard Ware

The latest hardware and software security products are a necessary part of doing business in this modern age, but many companies commit funds and manpower to information security without taking a wider view of how they manage their security policies and procedures.

Information and IT are vital business assets, so an effective information security management system (ISMS) is essential. It helps ensure you develop the right controls, systems and products to meet the ever increasing requirements of customers and partners. This is absolutely key: without a considered and all-encompassing risk assessment of the security issues facing your organisation, any subsequent actions and procedures you set in place will be undermined.

The two-part BS 7799 standard was introduced in 1995 with the backing of the DTI. Part 1 has since been adopted by the International Organization for Standardization as ISO/IEC 17799:2000 (BS 7799-1:2000). Part 1 is a code of practice, not an assessment standard: it does not offer a total security solution, but rather best-practice guidance on information security management from which an organisation selects its controls.

Part 2 is the assessment standard. It has not yet been adopted by ISO, so it is still referred to as BS 7799-2:2002. It takes a risk-based management-systems approach and uses a ‘plan – do – check – act’ cycle for continual improvement. It refers to Part 1 for its wide range of information security controls, to be adopted as appropriate for your business.

The security measures selected by a good risk assessment will be those focused on the real needs of the business and therefore both cost effective and easy to integrate into the business processes. Subsequent accredited certification to BS 7799-2:2002 is a powerful demonstration of an organisation’s commitment to its ISMS and can offer the following key benefits:

- Competitive advantage: BS 7799-2:2002 certification provides a public and independent statement of capability.
- Minimised business risk: appropriate controls are put in place to reduce the risk from security threats and to avoid exploitation of system weaknesses.
- Confidence that your approach to security addresses all aspects, including IT, people, physical security and business continuity.
- Legislative compliance: existing and potential legislation is identified as part of BS 7799-2:2002 compliance.
- Increased confidence in your own security measures, judged against best industry practice through objective assessment by independent management-systems experts qualified in IT and information security.
- Demonstration of ongoing compliance and ISMS development, through regular ‘surveillance’ visits by your chosen certification body.

BS 7799-2:2002 is now internationally recognised as a useful management tool in the battle against a wide range of information security hazards. Typically, those organisations pursuing BS 7799-2:2002 do so for a number of reasons. Contractually they may be obliged to demonstrate compliance and/or they want to gain marketplace differentiation to further raise their profile and help secure additional business. Some simply recognise the standard as best practice in security management and recognise the positive benefit it can have in risk management and corporate governance.

Government is urging us to take IT security more seriously, and more companies demand BS 7799/ISO 17799 compliance from their suppliers. No organisation can afford to be complacent in the way it manages, stores and protects its data, yet many businesses appear slow to progress towards certification to BS 7799.

The average cost of a serious security incident runs to five figures, and many reach six. Compare this with the fact that 53 per cent of organisations spend one per cent or less of their IT budget on information security. A managed approach to security means that a limited budget is spent wisely: improved security at lower cost. The risk-based approach and the link with corporate governance also make it easier to justify security investments.

Whilst IT has a key role, there are significant issues that broaden the security field. A key area is the human factor: a laptop left in a taxi, or passwords on sticky notes stuck to monitors. Most personnel are not under the direct supervision of the IT department, yet all too often security is considered solely an IT issue. Security policies need to be set by the business, reflecting the true value of its data and the impact of security breaches.

You need to consider integrity of data and availability of information, in addition to confidentiality: authorised users need ready access to relevant data, and they need to be confident that it is accurate and complete. The newest version, BS 7799-2:2002, contains an ISMS model similar to that of ISO 9001. The model is simple in concept yet powerful in execution, and an organisation with a good quality management system (QMS) already has the basis for a good ISMS.

Its risk-management basis ensures that the ISMS is appropriate and cost effective; its measurement and control aspects ensure that you know just how effective it is. Most organisations already have the basis of an ISMS in place, in the form of some security controls and ISMS system elements. Implementation should be a group project involving all business levels and functions, not something allocated to a single person. There is a wealth of information available from a range of sources, such as the DTI.

As for the time scale to achieve certification, the real answer depends on your current status, expertise, resources and market needs. The current status can be established with an independent gap analysis, offered by certification bodies (such as LRQA!) or by security consultants. Security consultants typically identify how they can help you develop the ISMS, whereas a certification body will give a neutral analysis of your readiness for formal assessment and the key areas to address.

Fighting the Future of Spam

It is no surprise that recommending the appropriate technology to fight the current and future development of spam puts the IT profession in a real quandary; with 500,000 new and unique spam outbreaks hitting the Internet each day, it is evident that spam is not going anywhere.

Directive 2002/58/EC, the EU Directive on privacy and electronic communications that member states are required to implement in national law, restricts the use of unsolicited e-mail for direct marketing. However, its definition of what counts as spam is vague and, as an EU Directive, it applies only within Europe. As over 80 per cent of spam is sent from countries outside the EU, such as China and the US, the difference the legislation can make to European recipients will be limited.

Following the implementation of this Directive, the Institute for Information Law in Amsterdam began a year-long study of the impact of the legislation, and of spam in general, on European businesses.

In mid-2004 the results of the study concluded that most businesses that regard spam as a major concern have little confidence in government either supporting them directly or imposing legal restraints that stop spammers. So it falls to the anti-spam technology vendors to address the problem through the provision of innovative software.

Virtually the entire spam-fighting community assumes that it is fighting spam, and that all that has to be done is to ‘recognise the messages’. In reality it is fighting spammers, not spam. The future of fighting spam lies in focusing on the one fundamental aspect: it is sent in bulk. Spamming is an economic activity done for profit, so every spammer must send mail in large quantities.

Each spam campaign is sent in the millions, and with the huge rise in spam volumes, anti-spam solutions need to block an increasingly large percentage of spam just to hold steady the number of messages reaching e-mail users. If volume doubles, a filter that blocks 90 per cent lets through twice as much as before, whereas one that blocks 95 per cent lets through the same amount as the 90 per cent filter did at the old volume. Hence solutions that blocked 90 per cent of spam were once considered effective; now, to be effective, they must block 95 per cent.

Current and last-generation spam products are content based: they are effective against spam that has already been seen, but they cannot provide proactive defence against today’s and tomorrow’s variants. They focus on the characteristics of the content of the message itself rather than on the characteristics of the spam attack, i.e., the way the message is distributed.

As soon as the industry begins to think like a spammer, the requirements for an anti-spam solution become clear. It needs to track spam across the Internet based on bulk-mail characteristics, and apply algorithms to those characteristics along with information about known sources of spam (campaigns, etcetera). This allows spam to be detected and reacted to in real time.

This technology, known as ‘Recurrent Pattern Detection’, has been acknowledged by IDC, a global market intelligence and advisory firm for the information technology and telecommunications industries, in its recently released white paper ‘Choosing the Best Technology to Fight Spam’.

The method also dramatically reduces the false positives caused by an overly sensitive reaction to particular words. And a solution that is language-neutral and format-neutral detects spam even when the content is nothing more than a single embedded image file.

While spammers specifically design messages to avoid content-based filters, they have no way to avoid statistical analysis of volume other than to drastically reduce the number of messages they send, which would invalidate their entire business model.
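As an added illustration of the bulk-detection idea in the paragraphs above (example code written for this page, not the vendor product the article refers to), the following Python derives language- and format-neutral pattern keys from each message (the normalised text shape, each linked host, each attachment digest) and counts how often each key recurs across distinct sending hosts and recipients inside a sliding time window. The message record, the thresholds, the regular expressions and the sample traffic are all constructed assumptions.

```python
"""Bulk / recurrent-pattern spam detection, illustrative only.

Added example for this page; not the product the article describes.
Every name, threshold and message below is a constructed assumption.
"""
import hashlib
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:                 # hypothetical record of one delivery attempt
    ts: int                    # arrival time in seconds
    source: str                # connecting host (e.g. its IP address)
    recipient: str
    subject: str
    body: str
    attachments: tuple = ()    # raw attachment bytes, e.g. an embedded image


_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")
_URL = re.compile(r"https?://([^/\s]+)\S*", re.I)
_NUM = re.compile(r"\d+")
_WS = re.compile(r"\s+")


def normalise(text: str) -> str:
    """Strip the per-copy salt (names, numbers, addresses, tracking paths)
    that spammers vary to defeat content signatures; keep only the shape."""
    t = _ADDR.sub("<addr>", text.lower())
    t = _URL.sub(lambda m: f"<url:{m.group(1)}>", t)   # keep host, drop path
    t = _NUM.sub("<n>", t)
    return _WS.sub(" ", t).strip()


def features(msg: Message) -> set:
    """Pattern keys for one message: the normalised text shape, each linked
    host, and each attachment digest. An image-only message with no text
    still yields its 'blob:' key, so the scheme is format-neutral."""
    text = msg.subject + " " + msg.body
    keys = set()
    shape = normalise(text)
    if shape:
        keys.add("text:" + hashlib.sha256(shape.encode()).hexdigest()[:16])
    for host in _URL.findall(text):
        keys.add("url:" + host.lower())
    for blob in msg.attachments:
        keys.add("blob:" + hashlib.sha256(blob).hexdigest()[:16])
    return keys


class RecurrenceDetector:
    """Flags a message when any of its pattern keys has been seen from enough
    distinct sources, or to enough distinct recipients, inside the window."""

    def __init__(self, window=3600, min_sources=3, min_recipients=10):
        self.window = window
        self.min_sources = min_sources
        self.min_recipients = min_recipients
        self.seen = defaultdict(deque)   # key -> deque of (ts, source, recipient)

    def observe(self, msg: Message) -> list:
        """Record msg; return the sorted recurrent keys (empty list = not bulk)."""
        hits = []
        for key in features(msg):
            q = self.seen[key]
            q.append((msg.ts, msg.source, msg.recipient))
            while q and msg.ts - q[0][0] > self.window:   # expire old sightings
                q.popleft()
            sources = {s for _, s, _ in q}
            rcpts = {r for _, _, r in q}
            if len(sources) >= self.min_sources or len(rcpts) >= self.min_recipients:
                hits.append(key)
        return sorted(hits)


def sample_feed() -> list:
    """Constructed traffic: one legitimate message, then a 12-copy campaign
    sent from 4 hosts, salted per recipient but sharing one image and one
    landing-page host. Not real mail."""
    img = b"\x89PNG\r\n\x1a\n" + bytes(64)            # stand-in image bytes
    feed = [Message(1000, "198.51.100.7", "bob@example.com",
                    "Re: Tuesday meeting", "Bob, can we move to 3pm? Ann")]
    hosts = ["203.0.113.%d" % n for n in (5, 9, 14, 22)]
    for i in range(12):
        feed.append(Message(1010 + 30 * i, hosts[i % 4], "user%d@example.com" % i,
                            "Hello friend %d" % (i * 7919),
                            "Dear user%d, claim prize %d at http://win-big.example/t/%d now"
                            % (i, i * 31, i), (img,)))
    return feed


def run(feed, detector=None) -> list:
    """One verdict (list of recurrent keys) per message, in feed order."""
    detector = detector or RecurrenceDetector()
    return [detector.observe(m) for m in feed]


if __name__ == "__main__":
    for m, hits in zip(sample_feed(), run(sample_feed())):
        print("BULK" if hits else "ok  ", m.source, m.recipient, hits)
```

With the constructed feed, the legitimate message and the first two campaign copies pass, and every copy from the third sending host onwards is flagged on all three keys, even though no two copies share the same words. Note that a newsletter or mailing list is also bulk, so in practice a detector like this is paired with the ‘known sources’ information the text mentions, such as an allow-list of sending hosts; recurrence alone says ‘bulk’, not ‘spam’.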

Nobody wants to spend money repeatedly on new anti-spam technology, but more and more organisations are faced with the fact that the technology they chose to fight spam is deemed insufficient before it has even been implemented. Dedicating time, effort and money to obsolete anti-spam ‘products and solutions’ is causing frustration.

It is now essential for the IT security manager to focus on the underlying technology in order to choose a reliable solution that will keep working as spam volumes grow.

Only by considering the working process of the spammer can IT managers truly begin to understand and demand the right solution to fight the future of spam. Through the recommendation of anti-spam solutions based on this understanding, end users will finally begin to get on top of their ever-increasing deluge of spam e-mails, and so manage their business’s future concerns.