Threats within an organisation
By ABDUL HALIM JUSOH
25th March 2002 (Computimes)

AFTER 11 years serving as Omega Engineering Corp's chief programmer, Timothy Lloyd, aged 39, was demoted. Disgruntled, Lloyd retaliated by setting off a computer "time bomb" that deleted the company's most critical software programs.

He was found guilty and was sentenced to more than three years in prison, but the damage had already been done. Omega Engineering lost more than US$10 million (RM38 million) in sales and future contracts.

The case epitomises how lack of information and communications technology (ICT) security can be detrimental to a business' continuity and growth.

Lloyd may not be the only threat to Omega Engineering as other employees have also easy access to the company's network system and could have committed the same or similar deliberate act of sabotage.

Security experts from IBM warn that in the growing wave of concern over critical infrastructure attacks, the real threats, contrary to common belief, emanate from the business' internal environment. The Lloyd case is one such classic example.

"The threats don't come from outside. More often than not, it's the internal environment, be it disgruntled former employees or current employees," says Tan Chin Bin, IBM Global Services, Asean/South Asia solutions manager.

He adds that the internal factor represents 70 per cent of the threat to business security. This contradicts the popular belief that hackers and viruses are the major security menace to many corporations around the world, especially those with Internet presence.

Tan, however, says security breaches are not only caused by technology-savvy employees like Lloyd, in which the attack was done deliberately. It can also be done unintentionally by others, right from the top management to administrative personnel who are given the authorisation to access the company's network.

"An employee may accidentally delete important files in the network or his username or password is stolen by a colleague with malicious intention," Tan says, adding that another common mistake made by many employees is writing down their username and password, and making them visible to others.

Mitchell Young, director of Tivoli Software, IBM Asean/South Asia, agrees that the need for sound IT security systems has become more imperative than ever, more so with things going online.

He says this is because in the electronic business (e-business) environment, network data can be accessed by not only the people within the organisation, but also directly by customers or/and business partners. "As more users gain access to the enterprise network, software must not only address security vulnerabilities, but also enable the organisation to grow and expand its business," he adds.

According to Young, sound security measures need to be taken to maintain confidentiality, integrity and availability of business data for sustained business performance.

Vulnerabilities. In the early days of e-business, many organisations rely on security products such as firewall, anti-virus and encryption software to address the security vulnerabilties. But now, more than ever, customers and business partners are asking serious questions about the organisation's ability to protect and secure their information on the Internet, Young says.

In light of the vulnerability of network infrastructure to human interference, IBM sees the need to move to automatic computing, a move which sees the model of self-managed computing systems with little or no human interference. One way of addressing the issue is by deploying security authentication, authorisation and administration software (3A).

According to research company International Data Corp, the 3A software is growing faster than the conventional security software such as firewall and encryption software, with anticipated sales growth from US$2.8 billion in 2000 to US$9.5 billion in 2005.

Young says IBM has the right 3A software for a total end-to-end security management for secure access across business disparate applications. IBM, through its Tivoli Software Group, offers a comprehensive suite of offerings for 3A security, consisting of Tivoli Identity Manager, Tivoli Risk Manager and Tivoli Policy Director.

This expanded software platform for enterprise threat management, IBM claims, will help businesses improve their protection against internal and external attacks, threats, and vulnerabilities.

Tivoli Risk Manager allows organisations to manage security information centrally from a broad range of security products, including anti-virus, intrusion detection systems, firewalls as well as other systems across the e-business which affect security.

And Tivoli Identity Manager manages user information and provisions new user services across legacy and e-business applications. It also provide user access rights to applications by interoperating with Tivoli Policy Director.

IBM claims that the Tivoli software can help companies bring more users, systems and applications online faster without compromising security policy.