By the Computerworld Philippines Staff
August 1, 2007

Risks and threats to information assets are fast rising as companies become more connected to the Internet and depend more on Web-based transactions and collaborations.

At Computerworld Philippines’s recent monthly roundtable, three IT security practitioners talk about how the advent of the Internet has given rise to a lot of IT security issues.

The participants to the monthly CIO Roundtable were Amante B. Carreon, IT manager of Penn Philippines Export Inc.; Jonathan C. Pineda, senior manager for service and security management information technology at Chinatrust (Philippines) Commercial Bank Corporation; and Christopher A. Syling, chief technology officer of Level Up!

The executives agree that the rise of security threats have led to more stringent security policies—making users feel uneasy and distrusted. To address this anti-employee sentiment, chief security officers have to talk to users to make them understand the reason for the restrictions. The participants also talked about the biggest security threats today and what they’re doing to mitigate data loss and data theft.

Sponsored by WatchGuard Technologies Inc., Computerworld Philippines’ 6th CIO Roundtable was moderated by the CWP editorial team and was held at the Regus in Makati.

Read more about the interesting opinions of the executives in the following pages.

CWP: How has IT security evolved over the years? Has securing information become more complicated?

Pineda: About 15 years ago, the infrastructure in banks was very simple. There was no need for at an IT security head at that time. Everything was mainframe-based. The users were defined in the mainframe and all had assigned passwords. It was quite secure because diskettes were not a risk to the mainframes. And then when applications were ported to the local area network, security threats began to emerge. For example, boot viruses, which would disable the boot sector of the PC drive, started appearing. But still, the risk was not that big, it was still manageable. This went on until the Internet became popular. I think the Internet became the biggest headache. Because of the increased risks, companies made a new function in the IT department and created the position chief information security officer (CISO) or information security managers (ISM).

Syling: The Internet opened the door to the outside world.

CWP: But because of the Internet your companies became rich.

Pindea: Today, there are so many risks because of the Internet. Visit any website and you’ll be at risk. E-mails you receive carry potential threats. So it has become complicated. You need more tools. Before, anti-virus software was enough. Today, you need anti-trojans, anti-malware, anti-spams. There are many tools we need.

Carreon: You need to back-up everything. You need to physically secure your data center. A primary security risk is an insider. You see, most of the time, the intruder is from the inside [of the company]—a disgruntled employee.

Syling: Then there’s information security. It’s very hard now to filter information that comes in and goes out. You also need to decide which people should have access to what information and what information can they store. A lot feel that these restrictions are anti-employee.

Pineda: It’s difficult to push classifications. Which data should be confidential? Which data should certain employees not access? Some people will ask, “I used to access this information, why can’t I access it now?”

Syling: Or, “Why do others only have ‘read’ access and why can others ‘write’?” or “Why can he save a file and I can’t?”

CWP: How do you explain that?

Syling: Well, you have to manage them. Tell them their functions and their roles. They have to understand that if they don’t need certain information, they shouldn’t get it. But eventually they get the message. In the beginning, some employees would feel that the company doesn’t trust them. It’s not a matter of trust; it’s a matter of control measures.

Carreon: In the early 90s, IT security was just physical security; and the threat was internal because computers were not connected to the outside world. Before, it was just mainframes and AS/400s; and these computers were not Microsoft-based so there were no virus threats. Therefore, the biggest threats were the people inside. So the first level of security was to physically secure the computers. The second was the password.

I agree that the biggest security threat came when the Internet started, because that’s when viruses started spreading.

Syling: That’s why data files of anti-virus servers today have to be constantly updated. All of them; wherever they are because there will always be a new one.

Anyway, when LevelUp! started about five years ago, there was no structure. And when we became more corporate-like and had become more structured, we saw loopholes, including in the security of the IT infrastructure.

As an online gaming service provider, we had empowered a lot of individuals—the game masters—to have access to many things and this was easily abused. So we had to implement some control measures to make the network more secure. We make sure that the tools we provide employees are not to be abused. So we now have an IT security team handling the firewalls, access, passwords. We implemented an RSA database. Our firewalls are complete and we’ve put in biometrics technology.

Security is something that should not be foregone. Any startup company should consider putting security measures from the start of operations so that resources will not be abused.

I would say networks today are more secure. There is a lot of anti-virus software out there. It’s just a matter of selecting one that’s best for you. The challenge right now is information security because people move a lot of information around.

CWP: What are the biggest security threats today and how should these be addressed?

Syling: Well, you can’t prevent some people from giving out valuable information.

The best way to avoid that is to make sure that only the right people should have access to particular information. It may sound too controlling, but it has to be done that way for financial security.

Carreon: The biggest threat is really the data theft and data lost because of hacking and the booming of e-commerce. In fact, there are so many ways you can lose your data. That’s why it’s important to have intrusion detection and intrusion prevention systems. There are is no standard security policy. Each company has its unique security policy, developed based on their needs and their situations.

Actually, there’s this group in the Philippines called ISSP (Internet Security Society of the Philippines). We have been asked to be a member of that. However, until now they haven’t discussed the details on what really are the security issues in the Philippines. Most of the discussions revolve around the products that are being offered to solve the issues. What I would like happen in the group is discussions on how to address the security problems that are happening to us now. Right now, most companies don’t know if they are being hacked or not. Actually, most companies in the Philippines don’t realize how important their data are. Only a few companies know the importance of data; for example, the banks. But, again, the biggest security threat could be the inside intrusions. There may be somebody in your company giving away corporate information.

Syling: While we’re on the topic of inside intrusion, a check and balance is important if a company is developing their applications in-house. Somebody should be checking on the developer’s source code. The project should be well-documented. When the program is done, the security group should do penetration testing. Make sure that the application or source code is ‘clean.’ Try to abuse the program before deploying it.

Carreon: You know, even bots [Internet robots] are a security threat. They can be used for malicious purposes such as automated attacks on networked computers and denial-of-service attacks.

Syling: Bots in general are used widely on the Internet.

Pineda: Used even for illegal purposes.

Carreon: Yes, a lot of people are taking advantage of bots.

Syling: Bots have artificial intelligence.

Carreon: Another threat is keylogging. Keyloggers are programs that capture a user’s keystrokes. These programs can provide a means to obtain important information like passwords.

Syling: If you notice, Citibank has changed the way they enter the password. They now have a virtual keypad. It’s their way of preventing keylogging. It’s actually a Java script.

Carreon: So be careful when giving away information on the Internet.

Syling: There are some companies that detect keyloggers. We actually use one of them; we put it on top of our Website.

Carreon: Another big threat, based on my experience, are spams. They’re taking so much time of my people. There are so many filters, but if you filter so much you could end up filtering those that are lawful. So there’s no perfect spam filter. Another popular form of attack used by hackers is sniffing. It slows down your Internet connection.

Syling: I used to have my own anti-spam software but I just ended up turning it off.

Possibly Related Posts:

• Moving Through the Supply Chain
• Mitigating the Risks
• Greening the Workplace
• The Pros and Cons of ERP Systems
• Learning the Ropes of IT Security

 Print This Post

Pages: