BENEFITING FROM AND SURVIVING DEFENSIVE RESPONSIVE CONTAINMENT INFORMATION WARFARE

In 2000, hackers launched the now-famous denial-of-service attacks that cost high-profile Web sites about $3 billion in revenue. The events during that 48-hour period in February 2000 were especially fearsome to service providers, who found out just how vulnerable they were. As a result, some ISPs have begun issuing ultimatums to corporate customers: Meet certain security standards or take your business elsewhere.

To be sure, most service providers have not created a formal list of security requirements. But many have some kind of policy that dictates what companies can and cannot do as customers, and the kinds of security systems that must be in place before they can purchase services. Service providers that have such a policy include Ameritech, AT&T, and CTC Communications, and national ISPs EarthLink, Exodus Communications, and PSINet.

These service providers want to see IT managers install encryption and authentication products, firewalls that interact with intrusion detection software, dedicated servers, and VPN links to secure data. They also want IT shops to use tools such as antivirus software, specified intrusion detection systems, and antispam content filtering. All these security installations are being implemented in the hope that private companies will benefit from, and survive, defensive responsive containment IW.

A good example of this emerging trend is CTC Communications in Waltham, Massachusetts, one of the largest CLECs in New England. CTC bans spamming and pornography and doesn't let its customers use a router for more than one core application. The company also demands that its customers protect all servers with firewalls. Customers either do these things or they don't become customers of CTC.

Precisely when ISPs started getting tougher is hard to determine. But it's clear that ISPs weren't making these types of security demands before the denial-of-service (DoS) attacks occurred. The attacks made service providers aware that it's not just corporate customers getting hacked. The ISPs' own systems were commandeered and used to launch virus attacks and DoS attacks, as well as to commit vandalism and theft. That's why some of the most common ISP requirements have to do with customers' outgoing traffic, which directly affects the ISPs themselves. From the ISPs' point of view, their own customers and prospective customers are now security threats.

This new approach by ISPs is being felt by IT shops. When an IT manager at CLD Consulting Engineers Inc. in Manchester, New Hampshire, wanted to lease a T1 line from CTC in May 2000, CTC wouldn't agree to deliver service until the civil engineering firm beefed up its security. CLD spent nearly $13,000 to build a hardware firewall, adopt a more secure IP addressing scheme, and install separate routers: one dedicated to Internet access, the other to branch office access.

CLD's experience is not unique. Customers of Boston ISP Breakaway aren't allowed to have dial-up Internet access to company databases from off-site locations; instead, they must use a VPN or a dedicated T1/fractional T1 link. This makes it tough on smaller companies, many of which have employees access company data remotely via a dial-up Internet connection. Analysts also say many companies use only basic security mechanisms such as user IDs and passwords to protect this access. But standard security methods don't cut it for companies that want to sign on with Breakaway.

At Breakaway, all customer architecture now has to be approved by the security desk before services are offered, and a customer with single-tier access won't be approved, however many customers ask for it. They have to lease a site-to-site VPN or a dedicated T1 link. The VPN (the cheaper of the two options) costs an additional $460 per month.

The ISP demands don't always result in higher costs for corporate customers. Sometimes providers want to look under the hood.

But ISPs' fears may be justified. According to a 2000 survey by the Computer Security Institute and the San Francisco FBI Computer Intrusion Squad, 80% of CSI's 696 member companies detected unauthorized use of their systems over the previous year, up from 73% in 1999. The rate of hacking is growing faster than e-commerce itself. CSI has 640 security professionals onboard (more than one IT person per company in some cases), and 92% consider disgruntled employees to be the biggest security threat.

Insiders, many service providers agree, are the ones who send spam and launch viruses and DoS attacks. The FBI reports that there are now 200,000 known computer viruses, and that at least 70% of American companies reported that some type of computer virus has plagued them.

As far as the ISPs are concerned, viruses are among many security problems they face. In the past year, ISPs have set up entire departments devoted to fielding phone calls and handling subpoenas from individuals and companies, claiming that ISP customers are spamming, sending viruses, vandalizing Web sites, and launching DoS attacks.

One example is the Policy Enforcement Group at Exodus Communications. The group has an official abuse policy that covers both unintentional and intentional abuse. It specifically lets Exodus shut down service if a customer is abusing it, even if the customer is doing so unwittingly. For instance, if Exodus is monitoring a company's network and sees traffic patterns that look like a DoS attack, it can shut down the company's network to clean machines and do whatever else is necessary. Cleaning machines means that all applications have to be reloaded.
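The Exodus policy above turns on one technical capability: spotting DoS-like patterns in a customer's outgoing traffic before the victim's subpoena arrives. The following is an added example of that kind of egress screening, written for this page and not taken from the book or from any provider's actual tooling. It runs two checks that an abuse desk could apply to flow records: outbound packets whose source address is not inside the customer's assigned prefix (the spoofed sources that flooding tools of the period emitted, and that ingress filtering at the customer edge would drop), and a single source opening hundreds of single-packet, SYN-only flows to one target in a short window (a half-open SYN flood, as opposed to real sessions that complete the handshake). The customer prefix 198.51.100.0/24, the flow-record fields, the thresholds, and the sample flows are all assumptions constructed for the illustration.

```python
"""Egress-traffic screening for DoS-like patterns (added example, not the book's code).

Flow records are constructed inline; field names and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumption: the customer was assigned 198.51.100.0/24 (an RFC 5737
# documentation range). Outbound traffic with any other source is spoofed.
CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.0/24")


def flow(ts, src, dst, dport, flags, pkts, nbytes):
    """One summarised outbound flow, as an ISP's collector might export it."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "flags": flags, "pkts": pkts, "bytes": nbytes}


# Constructed sample: ordinary web sessions from one host, a single flow with
# a source outside the customer's prefix, and a burst of 200 one-packet
# SYN-only flows from one host to one target inside ten seconds.
SAMPLE_FLOWS = (
    [flow(t, "198.51.100.10", "203.0.113.5", 80, "PA", 20, 15000)
     for t in range(0, 60, 5)]
    + [flow(12, "10.0.0.7", "203.0.113.9", 80, "S", 1, 60)]
    + [flow(30 + i * 0.05, "198.51.100.20", "203.0.113.9", 80, "S", 1, 60)
       for i in range(200)]
)


def find_spoofed_sources(flows, prefix=CUSTOMER_PREFIX):
    """Source addresses that cannot legitimately originate from this customer.

    Such packets are what BCP 38-style ingress filtering at the customer's
    edge router would discard; seeing them on the ISP side means the filter
    is missing and the customer's hosts may be part of a flooding network.
    """
    return sorted({f["src"] for f in flows
                   if ipaddress.ip_address(f["src"]) not in prefix})


def find_syn_floods(flows, window_s=10, min_flows=100, max_pkts=2):
    """(src, dst, count) for pairs with at least `min_flows` SYN-only flows
    of at most `max_pkts` packets inside one `window_s`-second window.

    A real client finishes the handshake and moves data (flags such as
    "SA" or "PA", many packets); a flood leaves a pile of half-open,
    single-packet SYNs aimed at one destination.
    """
    counts = defaultdict(int)
    for f in flows:
        if f["flags"] == "S" and f["pkts"] <= max_pkts:
            counts[(int(f["ts"] // window_s), f["src"], f["dst"])] += 1
    return sorted((src, dst, n) for (_, src, dst), n in counts.items()
                  if n >= min_flows)


def egress_report(flows):
    """The alert list an abuse desk would act on before cutting service."""
    alerts = []
    for src in find_spoofed_sources(flows):
        alerts.append(f"spoofed source {src}: not in {CUSTOMER_PREFIX}")
    for src, dst, n in find_syn_floods(flows):
        alerts.append(f"SYN flood suspected: {src} -> {dst}, {n} half-open flows")
    return alerts


if __name__ == "__main__":
    for line in egress_report(SAMPLE_FLOWS):
        print(line)
```

Run on the constructed sample, the report lists the spoofed source 10.0.0.7 and the 200 half-open flows from 198.51.100.20 to 203.0.113.9, while the ordinary sessions from 198.51.100.10 produce nothing. The thresholds are deliberately loose illustrations; a provider would tune the window and flow counts to the customer's normal traffic so that legitimate bursts do not trigger the disconnection the policy allows.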

Service providers, in effect, are establishing rules that make it clear that they no longer want to bear the burden of the risks corporate customers are willing to take. They say it's no longer up to clients to determine how risk-free they want to be when it comes to e-commerce. Ultimately, companies that want ISPs to deliver any service at all (even a simple pipe to the Net) will pay more in hard costs, internal policy changes, infrastructure, and business processes.

How much more companies will pay depends on how secure the ISP thinks its customers' network should be. But the ISP is, in many cases, dictating the terms. And whether the customer buys the needed security technology from the ISP or elsewhere, this technology will have to be bought before network services begin. This could mean a huge cash outlay before service even starts.

Fighting Back

IT managers may be told to spend more on security prerequisites, but there's still room for negotiation. This is an emerging trend, not a government regulation. So it's entirely fair for IT managers to bark back, particularly when many ISPs still can't deliver the security services they're asking customers to have up front.

For example, security is something companies must buy from security-management companies, not ISPs. So if a company must go elsewhere for security, that raises the question: What level of security does the ISP itself offer corporate customers? And if ISPs are demanding that customers walk into the relationship with higher levels of security, corporate customers can turn the tables and demand the same of the ISPs.

Corporate customers should be encouraged to push back. When an ISP tells you to open up your system so they can look around and see if you meet their standards, tell them you want them to do the same.

The ISPs must either ensure that their security mechanisms will work or be responsible for damages, so ask about their network-monitoring tools and alert mechanisms. Once companies open up the conversation to include both sides, it becomes more of a negotiation, and less of an ultimatum.

Before a company gives an ISP access to its entire network for inspection, it should ask the ISP if it's actually going to manage every aspect of the network. If they're not going to manage a certain aspect of your network, like a certain server, then they don't need access.

It may prove to be more trouble for ISPs to deliver security if parts of a potential customer's network are unknown to them. But that's the ISP's problem. Besides, it's the ISP's responsibility to monitor a customer's outgoing traffic, so the ISP already has access to what it needs to know to protect itself. If the ISP's monitoring tools aren't robust enough to give it intelligent reporting, traffic analysis, and alerts to red flags, that's something corporate customers should try to get the ISP to deliver.

The best way to protect the company is to handle these issues in the service level agreement (SLA). The ISPs have the leverage to force customers to implement security, but customers also have a certain leverage. The ISP market is more competitive than ever.

According to Gartner Group, there are now thousands of full-service ISPs, up from fewer than 1,000 in 1999. The competition means it's in the ISP's best interest to offer corporate customers as much value-add as possible.

But there's one caveat: The idea is to get the ISP to concede some points, for example, help with making the company's network compatible with the ISP's and/or on-site tech support.

The reality is that even if ISPs can dictate security policies, they will be eager to offer value-added services. If you do the negotiating in the context of drafting an SLA, it shows the ISP you're a serious customer and gives it an opportunity to offer you fee-based services over the long term.

A good SLA won't get the company out of paying more for ASP and ISP services in the end. In fact, it can end up costing more, but it will at least get the company the most bang for the buck. The truth is that ISPs will dictate how much security customers will have because they can. They are the conduits to the networks.

IT managers should understand that pushing back at the ISPs will only do so much. This is a trend that's here to stay. The ISPs started the trend, but it won't end with them. Business partners and regulators will step in and give the security push even more teeth, including standards such as best practices and default security requirements.

For example, Visa's approach to surviving defensive responsive containment of information warfare offers some insight. Visa's new policy requires merchants that want to accept Visa on-line to follow a Visa-condoned list of 10 best practices. The rules are nothing earth-shattering. Companies have to have a firewall, up-to-date antivirus software, and SSL encryption. What does this have to do with the ISP security trend? Simply that there's support for the ISPs' position in the financial world. So, if IT managers think they can push back at the ISPs for their demands, they'll find they can only push so far.

Ultimately, the ISPs will protect themselves from outgoing traffic by shutting Web sites down that have been commandeered for DoS and other attacks. The ISPs that survive will start offering security services. It's only during this interim period that the onus will be on companies that use ISPs to pick up the slack. Whether the time period is six months or six years is hardly important. Companies that want to do business with top-tier providers had better get serious about security.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca
