Lost in the Noise (Archive)

Businesses in Asia that are driven by the recession to strive for leaner, meaner IT, need to consider how their cost-cutting impacts security, warn industry experts.

Even as frugality is expected of IT departments this year, the move to options that support cost-cutting--including software-as-a-service (SaaS)and cloud computing--should be assessed for risk to the business, said Lawrence Ong, regional business manager for security at Datacraft Asia.

An IT risk assessment is something that businesses cannot do without this year, he added. "In IT security, risk management is dependent on the risk assessment process, which usually involves identifying threats, determining vulnerability to threats, the impact of threats and the likelihood of threats occurring."

Judy Wu, IDC's research manager for infrastructure software in the Asia-Pacific region, added that risk management will be a "top concern" for many large enterprises in the region, and such companies will adopt a "more disciplined" approach tapping on frameworks such as Cobit (Control Objectives for Information and related Technology), ISO 27001 and ITIL (IT Infrastructure Library). A significant number will "conduct periodic vulnerability assessments to identify the risk level, security posture and ensure policy compliance", she said.

Referencing to Gartner research, Eric Hoh, Symantec's vice president for Asia South and head of global accounts in Asia Pacific and Japan, noted that cloud-based services will more than triple in many security segments and will "dramatically" impact the industry in 2009.

"Cloud computing will enable security controls and functions to be delivered in new ways and at relatively short notice in response to unanticipated security events," Hoh said in an e-mail. "However, the increase in use of cloud-based services means that many mobile IT users will be accessing business data and services without traversing the corporate network--increasing the need for security controls to be deployed between mobile users and cloud-based services."

According to Paul Ducklin, Asia-Pacific head of technology at Sophos, the emergence and fast-rising popularity of affordable netbooks, even in the enterprise market, can also be cause for concern in 2009.

"This sort of mobile platform won't get theoretically more vulnerable as a platform, since it runs a regular desktop-style operating system and can, in theory, be protected just as well as the desktop PC in your office," he explained in an e-mail interview. "But the increasing prevalence of netbooks certainly puts us at risk of an increase in our collective vulnerability, if only because they make it easy for us to do work in places and circumstances where we also expect to be able to relax and let our guard down."

Mobile threats still a focus Industry experts told ZDNet Asia that enterprises need to guard against threats exploiting mobile phones and handhelds, in the year ahead.

The number of smartphones worldwide increased from around 300 million in 2007 to 450 million last year, and will continue growing, said Jari Heinonen, Asia-Pacific vice president at F-Secure.

"There will be an increasing number of people conducting transactions on-the-go or storing important personal and business-related information such as contacts, photos, passwords or e-mail on their smartphones," he pointed out. "Possessing such a wealth of valuable information, the mobile platform will increasingly become a more attractive target for malware authors moving forward.

"Although there has not been a significant increase in malware for mobile phones as yet, it is important to secure these devices with antitheft or security solutions in case they get lost, stolen or infected with mobile malware," added Heinonen.

IDC's Wu pointed out that over 70 percent of workers will connect to corporate networks via mobile devices, within four years. "This trend will bring data leakage and compliance issues to the mobile platform," she said, adding that the scenario would drive network access control issues to the forefront.

Stree Naidu, regional vice president for Asia-Pacific and Japan at Tumbleweed, said the mobile platform will "without doubt", become more vulnerable as more Web-based services, including e-mail communications, are accessed through it.

End-users either lack education or take it for granted that their communications are secured and remain unaware of the potential threats," he noted. "[They] become even more vulnerable to threats as they are caught off-guard by viruses that may attack Web-based mobile communications."

According to Symantec's Hoh, the number of mobile device threats reported in the wild is "relatively small". However, the types of threats that have emerged demonstrate the advanced capabilities of these devices. "As mobile computing becomes more common and mobile devices become more complex, it is likely that other avenues of attack will be discovered," he said.

In 2009, businesses will also have to deal with increased attacks relating to the global economic crisis, added Hoh. Phishing scams targeting the unemployed, for example, could contribute to greater fraudulent activity.

And, according to Daren Leong, vice president of sales for the Asia-Pacific region at Vasco Data Security, there will be "no single 'magic pill'" for enterprises to cope with the onslaught of security challenges. "Businesses will need to put together a 'cocktail' of defenses in order to effectively protect their networks," he noted.

The U.K. Ministry of Defence is in the midst of an electronic fight with a computer virus that rapidly spread through its computer networks starting Jan. 6.

The virus infected computers throughout the military, including those used by the Royal Air Force and Royal Navy, and is one of the most severe attacks the organization has ever faced, according to a Ministry of Defence spokeswoman.

"Obviously with a computer system of our size we are fighting off viruses daily, but not of this scale," the spokeswoman said. "I don't think we've ever had an instance like this before."

The virus has affected e-mail systems and Internet access but has not jeopardized war-fighting systems, she said. Due to pre-existing security systems, no classified or personal data was compromised, the Ministry said.

Just 27 percent of the Ministry's computers meet current data security standards for holding classified information and personal data, it said earlier this week. About 31 percent of systems meet some standards, while the rest are being evaluated.

Efforts to contain and clean up the virus have resulted in widespread shutdown of systems, but the ministry declined to say how many machines in total are affected. A solution to prevent reinfection of the PCs is being tested.

"The reason why so many people are without their computers is because we've turned them off rather than they've been wiped or destroyed by this virus," she said.

Some Navy systems are now up and running, but the Ministry did not have an estimate of how many of those systems remain down. The ministry declined to say which warships have been affected, but news reports singled out the fleet flagship HMS Ark Royal, an aircraft carrier that went into service in July 1985.

Due to security reasons, the type of virus has not been publicly released, the spokeswoman said. However, the computer security community has been grappling lately with the Conficker worm, which targets a flaw in Windows Service Server, a component in Microsoft's Windows 2000, XP, Vista, Server 2003 and Server 2008 products.

Microsoft issued an emergency patch for the problem on Oct. 23, but security companies have said businesses have been hit hard by Conficker.

Systems become infected when a hacker constructs a malicious Remote Procedure Call (RPC) to an unpatched server, which then allows arbitrary code to run on a machine. Finnish security company F-Secure conservatively estimated the number of computers affected by Conficker at 3.5 million on Wednesday. In the span of one day earlier this week, F-Secure said it saw infections rise by 1 million machines.