# IT Security - Oversold?



## Brendan Burgess (11 Mar 2004)

There is a very good article in the Sunday Business Post _Computers in Business_ section by Adrian Weckler suggesting that small businesses worry too much and spend too much on protecting against viruses and hackers.



> But while everyone knows that there is always a risk of being burgled, very few companies employ an armed guard and four rottweilers on the premises. That's because the risk of being burgled is proportionately small. And the amount of money to be spent on that security is handled in the appropriately proportioned way.
> 
> ...the majority of Irish companies are low-risk targets. ...It is sensible to have proper IT security but we really don't need as much as some security companies say. It's time to stymie the hype.



The very long article is followed by short responses from security consultants, all of whom disagree strongly.


----------



## capaill (11 Mar 2004)

Hi Brendan

I have not read the article so cannot comment on it directly, however a few points I would like to make from my own experience:

People understand the risks faced in the real world. That's why we deploy burglar alarms on our premises, have a safe to store important documents and have policies in place to ensure a safe working environment. If my company is a small professional firm then I would deploy burglar alarms and ensure I had good locks on the doors. If my company trades in diamonds then I would ensure that I do have "an armed guard and 4 rottweilers" roaming the building.

Securing your business is all about risk management.  You identify the threat to your business, be that burglars, theft from staff, fraud or fire.  You then decide what you need to put in place to manage that risk.  

In the IT world the risks are not as easily understood by business people and to a certain extent not by a lot of IT people either. However, once you deploy computers and/or connect to the Internet, there are still very real threats to your business. Computer viruses, hackers and in-house threats exist and need to be managed.

Computer viruses are a fact of life; anyone who has a PC has at one stage or another come across a computer virus, just look at the IT forum on AAM. The risk assessment that has to be made is: what impact will a computer virus attack have on my business? This is in terms of lost productivity, lost revenue and the cost of cleaning up the infection. You then manage that risk the same way you manage any other risk to your business.

Hackers are real and are a threat. The image of someone hacking into your network to steal money is far from reality (unless you are a prime target like a bank etc.). Hackers attack computers to use them for various means ranging from the pure thrill of "owning" someone else's computer, boasting to their friends how many computers they "own", or using other computers to attack their real target, thus hiding their identity. A point to note is that these hackers also employ automated tools that identify and exploit unprotected systems, not caring where those computers are. Again this is a real risk and one that needs to be managed. Can your business afford the impact of discovering your systems have been compromised? What about the cost of fixing the breach and the damage to your reputation? On my own PC at home my firewall blocked an attack from a server located in the First Federal Bank of Boston's network. This machine had been automatically attacked and exploited and was then targeting my machine. Having deployed various security tools on my PC I was able to detect and prevent that attack. What damage would have been done to the bank's business if their server had attacked a major customer's system and not some Internet user in Ireland?

I agree that there has been overhype by certain sectors of the IT market, but there is still a lot of truth amongst all the hype.  Computers make it easier and quicker to do things including spreading viruses and hacking into systems.  While a burglar can only attack one company at a time, a computer virus or hacker can hit many companies at the same time.

From my experience, a lot of small businesses spend little or nothing on managing the risks posed by viruses and hackers simply because they do not understand what the risks are. Once you understand the risk you can manage it appropriately.

C
Major disclaimer, I work in the IT security business.


----------



## [poster name lost in extraction] (11 Mar 2004)

Most commercial features (of which Computers In Business is effectively one) will generally hype up the product/service in question. IT security is no different. You don't read the property supplements for independent, objective and balanced advice about buying property, for example? The need for a certain level of IT Security in business (AND AT HOME!) is a real one and people should not be complacent about it but, on the other hand, as with any product or service they need to make informed decisions in order to choose the appropriate level of cover and suitable products/services. Simply throwing money and resources at this or any other business challenge (to use the argot) is stupid and anybody who does so will probably, and deservingly, go out of business sooner rather than later. The minimum protection that anybody should have in place is (a) an appropriate and suitably configured firewall and (b) an appropriate virus checking infrastructure. In addition they should make sure to keep abreast of system and application patches, fixes, updates, upgrades etc. This is basically the three step programme that Microsoft and others promote. Some organisations may also need or benefit from further enhanced IT Security policies and services on top of this (of course I'm assuming a priori that physical security and password/credentials management are already taken care of).


----------



## Brendan Burgess (11 Mar 2004)

Hi 0

Just in case I didn't make it clear, Adrian Weckler is the editor of Computers in Business and he argued strongly that security is oversold, and I think he even acknowledged that his magazine is a major beneficiary of the advertising which does this overselling.

Brendan


----------



## capaill (11 Mar 2004)

Brendan

The Sunday Business Post also sponsors the NITES seminar which is an annual security seminar held in February each year.

C


----------



## Brendan Burgess (12 Mar 2004)

My own experience:

Our company spends around €500 a year on McAfee anti-virus software.
We have a firewall for which we pay around €150 a year in annual maintenance.

Separately from all this, we pay around €2500 a year for an email filtering service. We got this initially to filter for spam, but it doesn't work effectively against spam, because it cannot be tailored to our needs. But it does stop thousands of emails each month with viruses attached.

We haven't had an attack for some years. Before that, we did have problems where clients were refusing our emails because there were viruses attached. This was a disaster for us in terms of earning fees and in terms of bad p.r.  It looks very unprofessional to be spreading viruses, especially to clients.

In the overall context of things, €3000 a year seems reasonable. 

Brendan


----------



## MugsGame (12 Mar 2004)

I also feel IT security is vastly over-sold. Most money spent on it would be better spent educating users in responsible computing.

Anti-virus companies in particular are snake-oil salesmen, treating the symptom rather than the cause.

What threats does infection pose?
* System downtime - I've had more down-time and reduced performance due to broken anti-virus software than to actual viruses.
* Corruption of data - this can happen due to numerous other causes; you need to have reliable backups.
* Legal damages due to data protection violations (exposure of confidential data etc.) - what is confidential data doing on a system connected to the Internet?
* Negative PR due to outbound viruses - one solution: hold for manual approval any outbound e-mails with attachments.

I am the first to admit this is a contrarian position with little support, even among the technical community. It is based on over a decade's experience developing and installing networked computer systems, including for banks and the health service.


----------



## capaill (12 Mar 2004)

Interesting article on 

C


----------



## hmmm (12 Mar 2004)

(disclaimer - I partly work in security)

Some areas of security are completely overhyped, but saying that isn't the same as saying that security should be ignored. If anything can be solved by selling a product, then the hype merchants will be in selling. Most companies seem to think that spending 10 grand on a shiny box that sits in a corner (doing who knows what) makes them secure - educating users not to share their password costs nothing and probably gives you a greater increase in security.

It's really a matter of cost benefit - unfortunately getting impartial advice is tough when it comes to security. There's also a lot of cowboys who seem to have got into "security" recently. As someone who works in the corporate sector I'd say avoid anyone who starts by suggesting installing a product when you ask them "how much security do I need".


----------



## [poster name lost in extraction] (12 Mar 2004)

Totally agree with hmmm - basically the gist that I was trying to get across earlier. I think that the description of anti-virus vendors as snake oil salesmen earlier is ridiculous. As in any business there are competent and trustworthy vendors and there are cowboys. In fact many of the vendors kindly offer free versions of their tools for personal use as well as free advice/updates.


----------



## Jason Collins (13 Mar 2004)

*Email Filtering*

Hi Brendan,

Did I hear you right when you said that you paid €2500 for an email filtering service?

I assume that you mean SPAM & Virus filtering, but I can't understand why it is costing you so much. Our ISP (UTV Internet) provides these free of charge.

On the point you made about bad P.R. I completely agree. I work for a small software company and we have 4 levels of security - hardware firewall, software firewall, AV software and regular Windows Updates. Yet despite this we still live in fear of something slipping through, but so far so good. However, despite our defenses we have fallen foul of a slightly different problem - spoofers!

There is a virus doing the rounds at the moment called Netsky (with many variants) that is a mass-mailing worm that spoofs the "From" address in the mail so it looks like the virus is coming from someone else.

We started to receive some emails on Monday stating that emails we had sent had been blocked because they contained viruses. The strange thing was that the emails were from people/companies that we had no previous dealings with (and as such would not be in our address books), but we decided to disconnect our LAN from the internet just in case.

We ran a full check from top to bottom on each and every device before we could be 110% sure that we were not the source, but it took us a whole day before we felt confident enough to re-connect to the internet.

It would seem that one or more of our real clients has been infected, but we are getting the bad PR - how can you fight this?
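The situation Jason describes (a worm forging your address in its From: line, and other people's filters then bouncing the "virus" back to you) can be triaged from the bounce itself. The following is an added Python example, not code from the thread or any poster: it reads the headers of the rejected message that a delivery status notification quotes, and uses the bottom-most Received: header, which records the host that actually injected the message and which a forged From: line cannot change, to decide whether the sender was your own mail server or a third party. The netblock, domain names and the sample bounce are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Assumption (not from the thread): the netblock our real outbound SMTP server uses.
OUR_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample DSN (not a real message): a remote filter rejected mail whose
# From: was forged to look like ours; the quoted headers show who really injected it.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
To: sales@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message was rejected because the attachment contained a virus.

--b1
Content-Type: text/rfc822-headers

Received: from mail.example.net ([198.51.100.20]) by mx.example.net; Mon, 8 Mar 2004 10:02:11 +0000
Received: from dsl-pool-7.example.org ([203.0.113.7]) by mail.example.net; Mon, 8 Mar 2004 10:02:09 +0000
From: sales@example.com
Message-ID: <a1b2c3@example.org>

--b1--
"""


def original_headers(bounce):
    """Return the rejected message's headers quoted inside the DSN, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
        if ctype == "message/rfc822":
            return part.get_payload(0)
    return None


def origin_ip(headers):
    """The bottom-most Received: header names the host that first handed the message
    in, i.e. the real sender; the From: line is whatever the sender chose to write."""
    for hop in reversed(headers.get_all("Received") or []):
        found = IP_RE.search(hop)
        if found:
            return found.group(1)
    return None


def triage_bounce(raw_bounce, netblocks=OUR_NETBLOCKS):
    """Decide whether a virus bounce points at our own server or is backscatter."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    headers = original_headers(bounce)
    ip = origin_ip(headers) if headers is not None else None
    if ip is None:
        return {"verdict": "unknown", "origin_ip": None}
    ours = any(ipaddress.ip_address(ip) in net for net in netblocks)
    return {"verdict": "investigate-our-server" if ours else "backscatter",
            "origin_ip": ip, "claimed_from": str(headers.get("From", ""))}
```

A "backscatter" verdict means the complainer's own filter saw the message arrive from a host outside your network, which is the fact to show them; an "investigate-our-server" verdict is the case where disconnecting and scanning, as Jason did, is warranted.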


----------



## rainyday (13 Mar 2004)

*Re: Email Filtering*



> how can you fight this?


By educating the complainers as to how 'spoofers' work.

I'm not sure that IT security is oversold, any more than cars are oversold, or PRSAs are oversold, or widescreen TVs are oversold. I agree with other posters who point out that emphasis on user education/training is far more important than black boxes. How many users are educated (and authorised) to question/deny entry to an unidentified person who 'tailgates' them through an access-controlled door?


----------



## monk (13 Mar 2004)

*Re: Email Filtering*

Jason, I work for one of the largest corps in the world & we spend a fortune on IT security, but we were still hit by the netsky virus (twice in the last 2 weeks). I think (not an IT person) we just blocked messages with .zip attachments (there was another attachment type but I can't remember; I'll find the mail on Monday and advise).


----------



## Brendan Burgess (14 Mar 2004)

*Re: Email Filtering*

Hi Jason



> Did I hear you right when you said that you paid €2500 for an email filtering service?
> 
> I assume that you mean SPAM & Virus filtering, but I cant understand why it is costing you so much. Our ISP (UTV Internet) provides these free of charge.



We use eircom net and they don't seem to have any such service.  We looked at installing a spam filtering service directly on our server, but it worked out at the same price supplied by a company called TopSec Technology.

But as I said, the spam filtering doesn't work properly but the side effect is that it filters out all the viruses. It also allows us to quarantine executables and emails with offensive language. 

I find eircom.net fairly good otherwise. Reasonably good technical support so I would be slow to move. We had disasters before with other ISPs, although that was some years ago now.

Brendan


----------



## [poster name lost in extraction] (14 Mar 2004)

*Re: Email Filtering*



> We use eircom net and they don't seem to have any such service.



Is this not their equivalent?

[broken link removed]


----------



## Brendan Burgess (14 Mar 2004)

*Re: Email Filtering*

Thanks 0

I will look into that. I get the impression that it's for home users with an eircom.net email address? We have our own SMTP server as distinct from a POP3 server (does that make sense?), so I don't know if it applies to us.

Brendan


----------



## Jason Collins (15 Mar 2004)

*POP 3 & SMTP Servers & Email Filtering*

Hi Brendan,

We have MS Exchange 2000 on our LAN which acts as our SMTP server for all outbound mail (SMTP only deals with delivery of mail I think), but we maintain a set of POP 3 accounts with our ISP (we still do not have a public IP address) to receive our emails.

There is a tool called a "POP 3 Connector" that allows MS Exchange to fetch email from POP3 accounts and route them to Exchange users.

The upside of all of this is that we get the benefit of the ISP's SPAM & AV filtering. (We still do our own scanning also)

Jason


----------



## crumdub12 (9 Mar 2005)

*Re: POP 3 & SMTP Servers & Email Filtering*

Bren,


Get a college kid to set up SpamAssassin (freeware) between mail and internet link; it is good.

spamassassin.apache.org/



Slan / Ed


----------



## capaill (13 Mar 2005)

*Re: POP 3 & SMTP Servers & Email Filtering*

> Get a college kid to set up SpamAssassin

With all due respect, as an IT Professional I do have to sigh when I hear of companies trusting their IT infrastructure to untrained and inexperienced people. I am not saying that technically they cannot do the job but would you get a college kid to set up your accounts or do your legal work?

IT Security is crucial in managing business risks for companies and needs to be done in a professional and qualified manner.

C


----------



## ClubMan (13 Mar 2005)

*Re: POP 3 & SMTP Servers & Email Filtering*

I appreciate that point, and totally agree that companies need to have appropriate security procedures/mechanisms put in place properly, but I have seen the other side of the coin - e.g. so-called professionals not doing the job properly. The company I started working for recently had a badging process to register and badge new employees in _Silicon Valley_ and while it was being carried out by the security personnel we noticed that they were logging into the system with a password of "security". The IT department then issued our domain accounts with default passwords of variations on the word "password" which, due to the constraints of the domain security policy, could not be changed until 30 days had elapsed. Initially we only had access to our corporate email accounts over _Outlook Web Access_, rather than the native _Windows Outlook_ client application, using an insecure _HTTP_ link although, on inquiring, I was told that I could use secure _HTTPS_ if I really wanted to. This is a company which is ranked about third or fourth in its market and has a market cap of c. US$500M!


----------



## capaill (14 Mar 2005)

*Re: POP 3 & SMTP Servers & Email Filtering*

Clubman

I have to smile at your anecdote. One of my main areas of work is consulting in IT security and I see your scenario and similar over and over again. As in any area of IT there are complex issues to consider and specialist skills required, i.e. I can write an app for my own use but know that I am better leaving it to other qualified professionals for my customers. However, often IT security is designed, implemented and managed by someone who does not fully understand what they are doing, but everyone claims to be an expert in the field, or they can find a solution to their problem on the Internet.

In my humble opinion the problem is that IT Security is treated as a security problem and not a business problem. Therefore the solution is left to lie within IT and not within the business where it is. Yes, IT can find technical solutions, but the business needs to first identify what its risk goals are and what its risk appetite is and then get IT involved, together with HR and legal.

C


----------



## rainyday (14 Mar 2005)

*Re: POP 3 & SMTP Servers & Email Filtering*



> In my humble opinion the problem is that IT Security is treated as a security problem and not a business problem.


Or worse still, it is treated as a technical problem, not a people problem.


----------



## ClubMan (14 Mar 2005)

*Re: POP 3 & SMTP Servers & Email Filtering*

Indeed!


----------



## crumdub12 (15 Mar 2005)

*Re: POP 3 & SMTP Servers & Email Filtering*

Capaill,

Didn't mean to slag off IT Network/Security people, as I am in that group!!!

I agree that businesses should have an overall look at security, I just commented on a cheap SPAM solution that I know for certain works.

Clubman is correct, there are IT Security consultants (cowboys) out there that are not giving value for money and, in turn, undermining its credibility.


----------



## capaill (15 Mar 2005)

*Re: POP 3 & SMTP Servers & Email Filtering*

Hi Crumdub12

No problems

When you hang around AAM long enough you learn not to take things personally <g>

C


----------



## spudnik (24 Mar 2006)

Saw a thought-provoking article on this theme on Silicon Republic (the online newsletter) and thought it might be worth linking here:
[broken link removed]

Hype, by its nature, involves overblowing your subject - whether that be IT security threats to your business/home, the favourite's chances in the Gold Cup or even your national team's hopes for a second Triple Crown in three years! (wahay!)

Problem is, it can get in the way of an important message.

As a home-user, I want to communicate using the internet and access information on the web - that means I have to protect my home setup from viruses, spyware and all manner of other hacks - just as much as I need to use a house alarm, locks on the doors, etc. to deter burglars. Okay, so not everybody without an alarm or who forgets to lock the back door gets robbed - but they're asking for it and I think it's fair to say that their inaction makes getting burgled more of a probability than a possibility. 

The world is full of opportunists and they come in all flavours of techie capability. I am happy to take steps to try to keep them out because I don't want to be burgled or hacked even once! That feeling of "closing the stable door" after an IT security incident is just as nasty as trying to recover from a physical break-in - it leaves you feeling vulnerable and violated and resolving not to get caught out ever again!

I am fortunate that my employer allows me to use the internet/web from my desktop - but that brings responsibilities with it too and so I want to be sure that I have taken whatever steps I need to take to prevent a security incident. As a professional, I don't want to threaten my good name or that of my company by exposing us to that kind of thing.

So, taking responsibility for managing IT security risks is EVERYBODY's business - but some people are better equipped to help you evaluate where the threats may lie - so you defer to them. It's the same as taking out insurance - you don't want to bear all the risk so you have to trust other experts in the field to help you mitigate the risk as much as you can. Of course, you should still try to satisfy yourself that you're getting the best tools and advice for your money.

I think some key messages from the Silicon Republic article for anyone trying to assess their potential exposure and take appropriate action to limit it are:
* Know what you're up against (in fairness, I don't think the security vendors are your main problem)
* and then
* Shop around! - a message that should be close to the heart of every askaboutmoney subscriber!

God Bless Mary Harney!


----------

