Firewalls no protection for sloppy systems, says expert
By ADAM GIFFORD
Many security consultants are not up to the challenges of large organisations, and some are more likely to create gaping holes in your network, says David Spratt, who heads the security team at systems integrator gen-i.
"They configure the firewall and leave again, ignoring the fact that the receptionist, who has access to the CEO's files, sticks her password on a sticky note by the PC."
Security is taxing the minds of many IT service organisations. Quality Assurance Services and Deloitte Consulting are both looking at offering ISO/IEC certification.
Mr Spratt says gen-i does not intend to compete with the big five accounting firms by offering audit services, but will work with organisations to get them to a certifiable state.
"If you ask me to crack your organisation's system, the place I'd start would be to come to your office at lunchtime and try every PC.
"If I have the names of people who sit at the desks, I'll put their first name and last name into the user name, and put nothing or the word 'password' into password. In a large number of organisations I'd probably get a 20 per cent hit rate."
If that did not work, he would look for the sticky note with the access code written on it.
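The lunchtime walk-round Mr Spratt describes only works because the password is blank, is the word "password", or is the user's own name. The following is an added illustration (not gen-i's code, and not from the article) of the enrolment-time policy check that refuses exactly those choices; the common-password list and the sample accounts are constructed stubs, and a real deployment would load a large breached-password list in place of the stub.

```python
"""Password-policy check that rejects the credentials the article describes
(blank, the word 'password', or the user's own name). Added illustration,
not gen-i's code; the common-password list is a constructed stub."""
import re

MIN_LENGTH = 8
# Constructed, deliberately tiny stub; a real deployment would load a large
# breached/common-password list here.
COMMON_PASSWORDS = {"", "password", "password1", "welcome", "letmein", "123456"}


def _normalise(text: str) -> str:
    """Lower-case and strip punctuation so 'Jane.Smith' and 'janesmith' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


COMMON_NORMALISED = {_normalise(p) for p in COMMON_PASSWORDS}


def weak_password_reason(first_name, last_name, username, password):
    """Return why the password is unacceptable, or None if it passes.

    This runs where the plaintext is legitimately available: at enrolment or
    password reset, before the hash is stored.
    """
    pw = _normalise(password)
    if pw in COMMON_NORMALISED:
        return "blank or common password"
    if len(pw) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    # Context-specific words: the same names a visitor could read off a desk nameplate.
    context_terms = {first_name, last_name, username, username.split("@")[0],
                     first_name + last_name, last_name + first_name}
    for term in context_terms:
        t = _normalise(term)
        # Require at least three characters so 'al' does not flag 'alphabet'.
        if len(t) >= 3 and t in pw:
            return "contains the user's name or username"
    return None


def audit_accounts(accounts):
    """Apply the policy to a batch of enrolment records.

    Returns [(username, reason)] for every record that would be rejected.
    """
    findings = []
    for acct in accounts:
        reason = weak_password_reason(acct["first"], acct["last"],
                                      acct["username"], acct["password"])
        if reason:
            findings.append((acct["username"], reason))
    return findings


# Constructed sample records (names and passwords are invented).
SAMPLE_ACCOUNTS = [
    {"first": "Jane", "last": "Smith", "username": "jane.smith", "password": ""},
    {"first": "Bob", "last": "Jones", "username": "bob.jones", "password": "Password"},
    {"first": "Ana", "last": "Lee", "username": "ana.lee", "password": "AnaLee2024!"},
    {"first": "Raj", "last": "Patel", "username": "raj.patel", "password": "correct horse battery staple"},
    {"first": "Mia", "last": "Wong", "username": "mia.wong", "password": "Tr0ub4dor&3"},
]

if __name__ == "__main__":
    for username, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{username}: rejected ({reason})")
```

The check deliberately runs on normalised text, so "Jane.Smith99" and "janesmith" are treated alike; the length test comes before the name test so that a short password gets the more useful message.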
Gen-i has about 15 staff in its security division, six full-time. All have Government clearance, many to "top secret" level.
Mr Spratt says the drive for security is now coming from directors rather than IT managers, who have security near the top of their want list anyway.
"They're becoming aware of what the legal requirement 'to take reasonable steps' really means."
Much of gen-i's security practice is built around methods developed with help from Colonel Peter Hotop, a former attache at the New Zealand Embassy in Washington.
A survey is used to assess the security needs of organisations.
"There's virtually no technology content in the survey - it's things like whether you have a security policy, asset control, personnel security such as what you do about checking references, physical and environmental security, systems access control, disaster recovery, what you do about legal compliance, how you manage contractors," Mr Spratt says.
"We've seen time and time again where consultants do a security audit, then sell a $100,000 firewall.
"The largest firewall on default settings is as vulnerable as IIS (Microsoft Internet Information Server) is on default settings."
Senior technical consultant David Hunter says gen-i has moved beyond prevention to intrusion detection and response, using technology from market leader Internet Security Systems (iss.net).
"The tools we have can detect a session going on it doesn't like and close it."
A small hardcore of professional crackers, funded by organised crime, can break systems, says Mr Hunter.
"A professional cracker going after a system will characterise a site over perhaps months. They may try to connect to a few ports, then come back again later.
"A person is not likely to spot that but a system could."
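The point Mr Hunter makes is about time: a handful of connection attempts spread over weeks never trips a per-minute threshold, but a detector that keeps a long window of distinct destination ports per source still sees the pattern. The following is an added example (not the ISS product and not gen-i's code) that runs a rate-based check and a long-window check side by side over constructed firewall-style log lines; the log format, the addresses (documentation ranges) and the thresholds are all assumptions.

```python
"""Low-and-slow reconnaissance detector over connection-attempt logs.
Added illustration; not ISS's product or gen-i's code. Log format,
addresses and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> src=<ip> dport=<port> action=<drop|accept>".
# 203.0.113.9 probes eight ports over seven weeks; 198.51.100.5 is a normal web
# client; 192.0.2.44 is a noisy scanner that hits six ports in ten seconds.
SAMPLE_LOG = """\
2001-03-01T02:14:07 src=203.0.113.9 dport=21 action=drop
2001-03-06T23:51:40 src=203.0.113.9 dport=23 action=drop
2001-03-13T04:02:11 src=203.0.113.9 dport=25 action=drop
2001-03-20T19:33:58 src=203.0.113.9 dport=110 action=drop
2001-03-29T01:07:45 src=203.0.113.9 dport=143 action=drop
2001-04-05T22:48:19 src=203.0.113.9 dport=22 action=drop
2001-04-14T03:29:02 src=203.0.113.9 dport=80 action=accept
2001-04-21T18:15:36 src=203.0.113.9 dport=443 action=accept
2001-03-02T09:00:01 src=198.51.100.5 dport=80 action=accept
2001-03-02T09:00:03 src=198.51.100.5 dport=443 action=accept
2001-03-15T10:12:44 src=198.51.100.5 dport=80 action=accept
2001-04-02T11:30:09 src=198.51.100.5 dport=443 action=accept
2001-04-20T08:45:50 src=198.51.100.5 dport=80 action=accept
2001-03-10T14:20:00 src=192.0.2.44 dport=21 action=drop
2001-03-10T14:20:02 src=192.0.2.44 dport=22 action=drop
2001-03-10T14:20:04 src=192.0.2.44 dport=23 action=drop
2001-03-10T14:20:06 src=192.0.2.44 dport=25 action=drop
2001-03-10T14:20:08 src=192.0.2.44 dport=80 action=accept
2001-03-10T14:20:10 src=192.0.2.44 dport=443 action=accept
"""


def parse_line(line):
    """Turn one log line into a dict with a real datetime and an integer port."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return {"ts": datetime.fromisoformat(parts[0]), "src": fields["src"],
            "dport": int(fields["dport"]), "action": fields["action"]}


def load_events(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def scan_alerts(events, window, min_ports):
    """Return {src: sorted distinct ports} for every source that touched at
    least `min_ports` distinct destination ports within any span of `window`.
    Sliding window per source: ports are added on the right and evicted on the
    left once they fall outside the window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # port -> attempts currently inside the window
        left = 0
        for right, ev in enumerate(evs):
            in_window[ev["dport"]] += 1
            while evs[right]["ts"] - evs[left]["ts"] > window:
                old = evs[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                alerts[src] = sorted(in_window)
                break
    return alerts


def burst_detector(events):
    """Classic rate check: five ports inside five minutes."""
    return scan_alerts(events, timedelta(minutes=5), 5)


def slow_detector(events):
    """Long-memory check: five ports inside ninety days, however slowly."""
    return scan_alerts(events, timedelta(days=90), 5)


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("burst detector:", burst_detector(evs))
    print("slow detector: ", slow_detector(evs))
```

On the sample data the five-minute check flags only the noisy scanner, while the ninety-day check also surfaces 203.0.113.9, whose probes arrive a week apart; the web client that repeatedly uses ports 80 and 443 is flagged by neither, because the detector counts distinct ports rather than raw event volume.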