IT security tools may strengthen an organisation's cyber defences against the relentless onslaught of computer viruses and other malware from the outside, but a moment of human weakness could wreak havoc from within.
Security experts have long stressed that the end user is the weakest link in the entire IT security chain. While a host of hardware and software solutions can help ward off external security attacks, employees could unwittingly introduce a virus by plugging an infected thumb drive or CD-ROM into their corporate PCs.
Hoping to plug this loophole, local authorities have embarked on a multitude of initiatives to improve the security of their IT systems both at a network and end-user level.
Central to this push is a project called CAFE or Centrally Administered Desktop Firewall. The $6 million effort involves the development and deployment of a desktop firewall solution for the public sector, a move aimed squarely at addressing the human element in cyber security.
All laptops and desktop PCs in designated government agencies will be loaded with the firewall to prevent malicious software from seeping into prized government networks. Besides acting as a invisible barrier between the computer and the underlying infrastructure, the tool also improves desktop security through its integrated antivirus and anti-spyware capabilities.
The task of building and rolling out CAFE fell onto the hands of local IT services major Frontline Solutions in December 2005. By April 2006, the company had completed the backend infrastructure needed to support the new desktop firewall.
'CAFE ensures that desktop and laptop computers that are connected to the government network conform to a set of security policies such as what applications can be run on the computers, what incoming traffic is allowed, where the computers can connect to or whether a computer has an updated anti-virus signature file,' said Shirley Wong, managing director of Frontline Solutions.
'It addresses security threats from a different angle. Instead of detective measures, CAFE provides preventive measures to ensure that computers that are connected to the government network are not susceptible to attacks. In the event that an infected computer is connected to the government network, CAFE will prevent the computer from spreading threats to other computers on the network,' she added.
According to Ms Wong, the deployment of the desktop firewalls is still ongoing but nearly 33,000 PCs in the public sector have been equipped with the new tools.
While the benefits are clear, the magnitude of this government-wide move did present some initial hurdles. For one, the project involved the deployment and management of a large number of computers located across various parts of the island. Secondly, Frontline had to ensure that end-user PCs are not impacted by the massive rollout.
To resolve these issues, Frontline had to design a backend infrastructure that is scalable to accommodate the needs of both large and small government departments. In addition, the solution chosen had to be flexible enough to inter-operate with other security systems that are in place. A structured approach also had to be used during the rollout phase to minimise disruption.
Through the implementation of CAFE, government agencies can now enforce a 'consistent security baseline' to minimise security risks to an acceptable level, Ms Wong said.
'With viruses, Trojans, spyware, and adware being released at greater frequency and speed, current security solutions such as intrusion detection systems, gateway firewalls, antivirus software, and patch management systems have to be complemented by security measures that allow more transparent and efficient control over these end-user systems,' she stressed.
This article first appeared in BT on June 11, 2007
