'Total defence' security fixes needed for SAR

PUBLISHED : Tuesday, 26 February, 2002, 12:00am
UPDATED : Tuesday, 26 February, 2002, 12:00am

Most computer users in Hong Kong pay scant attention to computer security, according to industry experts.

Computer Associates managing director Pang Shaw-choong says most security incidents result from lapses in security vigilance.

'I am sure there are enough seminars in Hong Kong for educating people and there is enough news in the market place as well,' says Mr Pang.

'It [awareness] is certainly heightened, but I don't think it is enough. A lot of news and awareness is just targeted towards hacking,' Mr Pang adds.

He says any security policy should cover 'total defence', to protect computers and networks from both external and internal attacks.

'A lot of attacks take place internally. They occur because people know the information and the system well, especially in open systems like Unix where the system administrator is all-powerful.'

He says people worldwide were slow in realising that internal systems and processors also needed observation. 'As attacks can be very indirect . . . there should be a combination of policy; perimeter defence (anti-virus, intrusion detection), as well as back-end access control.'

He says that local businesses, especially small- and medium-sized enterprises (SMEs), had been made aware of virus attacks, so they purchased the software and believed they were well protected. However, they often took their protection for granted and rarely updated their virus patterns or passwords.

'Some of the tools may not seem like security tools - but they go towards addressing the key things in security lapses.'

A survey by the Hong Kong Productivity Council and the Hong Kong Computer Emergency Response Team Co-ordination Centre in October found that the number of companies using basic security measures fell 3.6 per cent from 75.8 per cent to 72.2 per cent compared with the previous year. Only 78 per cent of companies used anti-virus software, 59 per cent used password protection and 35 per cent had physical security protecting their computers.

About 12 per cent of Hong Kong companies had no protection against virus attacks or hacking, up from 7 per cent last year. And only one in 20 companies had adopted advanced security measures such as file encryption, encrypted logins, intrusion detection systems or digital identification.

Meanwhile, another security solutions provider, Symantec, agreed that having an anti-virus solution was far from enough.

'Now it is very clear that an anti-virus solution is not enough,' says Christine So, Symantec's marketing manager for the enterprise solution division. 'Companies should also be equipped with multi-layer firewalls, intruder detection and vulnerability software management.'

The company's northern Asia director David Sykes says many new worms and viruses were designed to exploit network vulnerabilities.

The Code Red worm, which exploited a known vulnerability in servers running Microsoft's Internet Information Server Web software, infected 300,000 computers and caused an estimated US$2.6 billion (HK$20.2 billion) in damage.

Nimda, a hybrid trojan/worm program which topped Sophos' ranking of the world's 10 most detected viruses in 2001, infected more than 1,000 companies in Hong Kong and cost an estimated HK$30 million in productivity losses.

Although new viruses and worms are released every day, Mr Sykes says most use familiar approaches.

'What we are seeing now is not so much a new attack. All the things we are seeing, we have seen them before,' he says.

He believes future attacks would take the form of a 'blended threat', combining different malicious code and new means of attacking computer networks.

The management solution - either automatic scanning by software or assessment by professional consultants - has been used by some local banks and financial companies, especially those offering e-banking services and online transactions.

'People should not turn to doctors only after they fall sick,' Ms So says. 'They should do more to prevent problems occurring.'