
Wits Business School WBS-2004-8
This case was prepared by research associates, Claire Gordon Brown and Kate Slade with Professor Neil
Duffy. While it describes an actual situation, some company names have been changed for purposes of
confidentiality. The case is not intended to demonstrate effective or ineffective handling of an administrative
situation; it is intended for classroom discussion only.
Copyright ©2004 Graduate School of Business Administration, University of the Witwatersrand. No part of
this publication may be reproduced in any format - electronic, photocopied, or otherwise - without consent
from Wits Business School. To request permission, apply to: The Case Centre, Wits Business School, PO Box
98, Wits 2050, South Africa, or e-mail casecentre@wbs.ac.za
NamITech: In the IS Security War Zone
William Wilsnagh, business unit director of technology services at NamITech, reflected on a rather
alarming incident that had just occurred at Manuco,[1] one of NamITech’s clients. A virus had hit the
Manuco network, resulting in downtime of a full day. Manuco and NamITech had dedicated
resources to resolving the problem and Manuco was functioning again, but the virus was still
lurking in the system.
Manuco had become one of NamITech’s clients in November 2002, when, after a year-long tender
process, Manuco had chosen a consortium, which included NamITech, to be its primary information
technology service provider. The consortium had offered a solution encapsulating everything from
the hardware to the security requirements that had been specified in the Manuco tender. Information
security was central to Manuco’s requirements.
In addressing the virus attack, NamITech had fulfilled all of its responsibilities as specified in its
service level agreement, but, for Wilsnagh, the incident highlighted the need to extend the scope of
NamITech’s services. Information systems (IS) security was all about ensuring the confidentiality,
integrity and availability of information. Although viruses were the high-profile enemies in the IS
security war, he knew that there was more to it than virus detection, prevention and elimination. He
knew that there were additional security improvements that NamITech could undertake for Manuco.
Since Manuco had accepted the tender proposal, its IS security had improved greatly and there had
been no significant IS security breaches. But, as a result of this attack by the Blaster virus, Wilsnagh
knew that NamITech needed to be continuously vigilant and find innovative ways of mitigating
Manuco’s security risks.
Corporate Governance Background
The focus on IS was founded in a growing realisation of the importance of good corporate and IT
governance, and in the ever more central role that IT played in the functioning of an organisation.
In 2000, a survey performed by consulting group McKinsey & Co into the value of good
governance had found that investors were willing to pay a premium for shares in a well-governed
company. The Investor Opinion Survey concluded that companies needed not only to be well
governed, but should also be perceived in the market as being well governed. According to the
group, the implications of this survey were simple: managers could potentially add significant
shareholder value merely by developing good governance practices.[2]

[1] The name of the company has been changed for the purposes of confidentiality.
Internationally, the UK led the way in defining good corporate governance. The Cadbury
Committee Report on the Financial Aspects of Corporate Governance was published on
1 December 1992. The basis of the Cadbury Report (headed by Sir Adrian Cadbury) was a ‘Code of
Best Practice’. This provided recommendations on the structure and responsibilities of corporate
boards of directors.
The committee also urged that the boards of all companies that were registered on the official list of
the London Stock Exchange (LSE) should comply with the Code. Since June 1993, the LSE, in
turn, had required a statement from each listed company that spelled out whether the firm was in
compliance with the Code. If not, it had to explain why. By 1998, all companies in the Financial
Times 100 and over 90% of all firms on the official list of the LSE complied with the key provisions
of the Code, despite the fact that compliance was not compulsory.[3]
The New York Stock Exchange also went to work on proposing new rules for boards of directors
following the incidents of corporate fraud in the US in 2000 and 2001. The Securities and Exchange
Commission (SEC) proposed changes in accounting and auditing procedures, and had already
imposed new rules to prevent conflicts of interests among stock analysts.[4]
In South Africa, the King Committee on Corporate Governance published the King Report on
Corporate Governance (King I) in 1994. King I was replaced by the King Report on Corporate
Governance for South Africa 2002 (King II), which Cadbury declared to be the most
comprehensive document ever published on the subject. It introduced the ‘triple bottom line’ to
corporate governance in South Africa, saying that, in addition to purely financial issues (commonly
referred to as the bottom line), boards now had to consider the environmental and social aspects of a
company’s activities.
From September 2003, the Johannesburg Stock Exchange (JSE) Securities Exchange required that
all listed companies comply with key aspects of the King Code. King believed that this encouraged
global investors to consider South Africa as a place to invest. “Something we can be proud of is that
investors such as Templeton (headed by Mark Mobius, who controls one of the biggest emerging
markets funds in the world) regard SA as one of the best emerging markets to invest in because of
the way we govern our corporations,” he said.[5]
IT Governance
By the 2000s, information technology (IT) had become essential in managing the transactions,
information and knowledge necessary to initiate and sustain all kinds of economic and social
activities. In many organisations, IT became the critical factor in supporting, sustaining and
growing the business. Erik Guldentops, a security advisor for the Society of Worldwide Interbank
Financial Telecommunication, noted that this arose from a number of factors, such as:
an increasing dependence on information and the systems that deliver it;
the scale and cost of investments in information;
a dependence on entities beyond the control of the enterprise;
IT failures increasingly impacting reputation and enterprise value; and
the potential for technologies to change organisations and business practices, create new
opportunities and create costs.[6]

[2] King Committee on Corporate Governance, King Report on Corporate Governance for South Africa 2002, March 2002, p. 13.
[3] J Dahua, ‘The Cadbury Committee, Corporate Performance and Top Management Turnover’, 13 January 2000, available at www.mgmt.purdue.edu/centers/ciber/publications/99-004.pdf (accessed 12 March 2003).
[4] D Kadlec, ‘Worldcon’, Time, 8 July 2002, pp. 23-27.
[5] J Dahua, ‘The Cadbury Committee, Corporate Performance and Top Management Turnover’, op cit.
He also noted that, while governance developments had previously been driven by the need for the
transparency of organisational risks and the protection of shareholder value, the pervasive use of
technology had created a critical dependency on IT and called for improved IT governance. Since
IT was such a crucial function in supporting and enabling the achievement of organisational goals,
effective IT governance would generate real business benefits, he said, such as a sound reputation,
stakeholder trust, product leadership, improved time to market and reduced costs, all of which
would increase shareholder value.[7]
While technology developments could improve governance, they also brought increased risks and
challenges. King II recognised that there had been notable changes in the IT area and addressed the
issue in a chapter devoted to IT. The chapter outlined six main areas in which IT had a significant
impact on corporate governance.[8] These areas were:
internal control system – characterised by auditing issues, enterprise resource planning systems
and employee responsibility;
reporting – dealt with how the organisation made information available to its shareholders;
fiduciary implications – the laws and regulations affecting IT, as there was a greater emphasis
on intellectual property rights;
business – e-business and the change that it had introduced by allowing a greater degree of
integration of processes in the supply chain than traditional systems ever allowed;
technology, and how it had impacted the way in which business was conducted and measured,
and this was especially so in IT companies; and
the cost/value relationship – management had to give consideration to the cost/value
relationship in considering IT strategy. The high rate of development and obsolescence in IT
made decisions on IT expenditure especially important.
In this chapter, King II formulated a series of recommendations for IT governance. (See Exhibit 2.)
King II said that IT governance was the responsibility of executives and shareholders and that it
consisted of leadership and organisational structures and processes that ensured that the
organisation’s IT continued and extended its strategies and objectives.[9]
Risk Management
To ensure good corporate governance, it was necessary to identify, monitor, measure, mitigate and
manage the risks inherent in running a business.[10] This gave rise to the practice of risk management,
which could be viewed as being divided into two broad groups, each dealing with a different kind of
risk to an organisation. Credit risk dealt with the loss to the organisation if a counter party failed to
perform contractual obligations. Operational risk was the risk of loss arising from inadequate or
failed internal processes, people or systems, and that arising from external events.
[6] E Guldentops, ‘Asking the Right Questions for IT Governance’, Information Systems Control Journal, Vol. 4, 2001, pp. 13-15.
[7] H Parkes, ‘IT Governance – Putting it in Perspective’, Information Systems Control Journal, Vol. 3, 2001, p. 17.
[8] King Committee on Corporate Governance, King Report on Corporate Governance for South Africa 2002, op cit.
[9] E Guldentops, ‘Asking the Right Questions for IT Governance’, op cit.
[10] Investec Annual Report, 2002.
Nick Louw, of group risk management at Investec, defined operational risk as the newest and the
most vaguely defined, as it dealt with the broad arena of people, processes and systems.[11] He also
noted that it was considered to be the area in which most growth was forecast, especially since
‘softer risks’, such as people, were becoming more and more significant, as evidenced by the
growing number of frauds and internal attacks on companies.
Louw discussed four challenges facing the arena of risk management: how to quantify the cost of a
loss that had not yet happened; market volatility making the past a bad predictor of the future; the
threat in South Africa of contagion from emerging markets; and global pressure on local companies
to perform, which could encourage fraudulent behaviour in an attempt to make the company appear
to be an attractive investment.
Furthermore, a large gap existed between risk identification and risk mitigation. Risks were often
not seen as being urgent enough, or the impact not significant enough to be dealt with effectively
and efficiently.[12] Senior management, as well as the board, was also seen as being problematic in
the practice of risk management, because of apathy regarding risk management, and even risk
illiteracy. William Wilsnagh at NamITech viewed risk management as a practice that companies
undertook only to a certain extent, saying that it was intertwined with what was deemed important.[13]
Due to the illiteracy of the board with regard to risk, except economic risk, this often meant that
those risks placed under the heading of operational risk were excluded from risk management
practices.
Information Systems Security
With increasing dependence on IT and growing exposure to the Internet, viruses and hacking had
become major concerns for corporations in recent years. With new threats and vulnerabilities
published daily, it had become increasingly difficult to stay informed and up to date with the latest
security developments.[14]
For example, on 15 May 1999, a virus manifested itself in Edgar’s company computers when a
former employee, Berend Howard, initiated a virus in the company’s mainframe. It caused losses to
the company of about R5 million. Howard, who worked in the IT division, had a grudge against the
company because some IT work had been outsourced and he had had to accept a cut in salary.[15]
In April 2003, Absa bank experienced online fraud. A hacker siphoned about R530 000 from the
accounts of nine of Absa’s online banking clients by installing software on Internet terminals at
printing shops and capturing the user names and passwords of more than 450 people.[16]
As a result, organisations had started to realise that, for both legal and commercial reasons,
information had to be protected if they wished to compete in the electronic market place. They
would also have to demonstrate that they proactively safeguarded that information.
The British Standard BS7799, published in 1995 and updated in 1999, was an information security
management system that consisted of two parts.[17] The first and most popular part was a best
practices standard, which came to serve as an international best practice in information security.
[11] Interview with Nick Louw, 25 August 2003.
[12] Interview with Mark Craddock, Group Risk Management, KPMG, 15 August 2003.
[13] Interview with William Wilsnagh, 13 August 2003.
[14] An example site is www.securityfocus.com.
[15] Unknown author, ‘Landmark Virus Case Postponed Again’, www.iafrica.com (accessed 15 August 2003).
[16] L Stones, ‘Helpful Software Threatens Security’, www.bday.co.za (accessed 28 July 2003).
[17] D Chin, ‘Get Certified!’, Network Magazine, www.networkmagazineindia.com (accessed 15 August 2003).
The standard had since been adapted internationally into ISO/IEC 17799, and locally into SABS
17799.[18] This Code of Practice was based on a compilation of the best information security practices
that were in use in many leading international companies.
The objectives of the Code of Practice were twofold:[19]
to provide a common basis for companies to develop, implement and measure effective security
management practice; and
to provide confidence in inter-company trading.
The Code of Practice consisted of two parts. The first included the introduction, which gave some
background information on the code, and then the security categories and controls. The Code was
based on ten categories that should have been present in most companies.[20] (See Exhibit 3.)
The second section of BS7799 was more crucial to those seeking certification, and brought a key
continuity and change management system to BS7799, commonly known as the PDCA (Plan, Do,
Check, Act) cycle. This ensured that the management system would constantly evolve along with
current prevailing threats.[21] (See Exhibit 4.)
The value of the BS7799 standard lay in the ongoing management of information security risks and
threats, and the continuous loop of evaluating and adapting to new risks. The first step in the
Information Security Management System (ISMS) involved a gap analysis to assess how far the
enterprise was from objectives which it had set for itself. The organisation would then set up a
management framework and risk assessment, followed by implementation and documentation.
Auditing procedures were then to be carried out. A stringent certification assessment ensued
auditing and this, finally, was followed by certification. The organisation was continuously assessed
and monitored. The scrutiny and accountability of the process made the standard one which was
dependable and predictable. In 2003, there were no South African companies that had obtained the
certification.[22]
Such was the concern about IT and Internet security that the South African government enacted the
Electronic Communications and Transactions (ECT) Act in August 2002. This marked the end of a
process that the government had initiated in 1999 in an attempt to establish a structure that would
define, develop, regulate and govern e-commerce in South Africa.[23] The key issues that the act
sought to address were IT security and the registration of cryptography service providers, the
accreditation of electronic signature technologies by authentication service providers and the
protection of critical databases. The government noted that the Internet had started to present
security challenges which, without an effective regulatory framework, would pose a threat to the
security of consumers and the state.[24]
The majority of successful attacks on operating systems were typically targeted against only a few
of the many software vulnerabilities, noted Emile Parkin, IS security consultant at NamITech.[25] This
could be attributed to the fact that attackers were opportunistic, took the easiest and most
convenient route and exploited the best known flaws with the most effective and widely available
attack tools. They counted on organisations not fixing problems, and often attacked
indiscriminately, scanning the Internet and corporate networks for any vulnerable systems.[26]

[18] See SABS Standards Division: STANSA, www.stansa.co.za.
[19] R von Solms, ‘Information Security Management: Why Standards are Important’, Information and Computer Security, Volume 7 Number 1, 1999, pp. 50-58.
[20] Ibid.
[21] D Chin, ‘Get Certified!’, op cit.
[22] In Q1 2004, there was only one South African company that had obtained the certification, in comparison with Japan’s 296 and the UK’s 132 certified organisations. A list of certified organisations is maintained at www.xisec.com.
[23] Author unknown, ‘Guide to the Electronic Communications and Telecommunications Act, 2002’, www.michalsons.co.za (accessed 22 August 2003).
[24] Ibid.
[25] Interview with Emile Parkin, 15 August 2003.
Security issues continued to evolve as technologies changed and threats altered themselves to new
environments. Parkin summed this up by saying, “There is always a way in … one just has to make
it more difficult for an attacker”.[27] An information security manager’s approach to security had to be
revised and adapted daily, or there would be holes in the armour of the system.
Even in organisations with extensive deployment of firewall, encryption and intrusion detection
systems, attacks still occurred with alarming frequency. According to a Computer Security
Institute/FBI survey of Fortune 1000 organisations that have suffered attacks, 91% had deployed
firewalls and 61% had installed intrusion detection systems.
Parkin outlined a number of challenges that were at that stage facing the field of information
security. One was that organisations often did not define a clear role for information security
management. Instead, it would get bundled into the IT manager’s portfolio, or the risk manager’s
portfolio, neither of whom understood the full scope of information security.
Parkin also pointed out that it was always difficult to motivate the need for information security
countermeasures, as the threats and security risks to a business were not understood or taken
seriously. In contrast to physical assets, which were easy to measure and quantify, it was
significantly more complicated to measure the value of information assets. One way to counteract
this problem, Parkin suggested, was to present information security to clients in ‘business speak’,
i.e. the concepts of corporate governance and risk management that were widely understood and
critically regarded.[28]
There was also pressure to keep up to date with new threats and to develop new technology to
mitigate those threats. New threats came about with every new software application written and
installed.
Parkin believed the most important requirement in information systems security was for a method to
measure the risks that a company faced in its use of information systems, based on the simple
business principle that it is not possible to manage an environment if you cannot measure its
attributes. Along with this came the need to educate companies about the importance of IT security
and the risks that they faced should their system fail or be attacked from the outside.
Maeson Maherry, general manager of NamITrust, the security arm of NamITech, characterised the
nature of IS Security when he said that there were “too many techies trying to sell the stuff, without
being aware of the business need behind the product or service”.[29] He said that there was therefore a
need to bridge the language gap between technology, risk and business.
Background on NamITech
In 2003, NamITech was a technology solutions provider to a number of key market areas, including
the banking, mobile, industry and government sectors. The company started out in March 1972 as
Brown Davis and McCorquodale (Pty) Limited (BDM), a division of packaging company Nampak.
Initially it focussed on printing secure documents, such as drafts and cheques, for the major banks
in South Africa, but in 1987 moved into the manufacture of magnetic stripe bank cards. When the
demand for cellular phones mushroomed in the mid-1990s, so too did the demand for GSM SIM
cards. To take advantage of this opportunity, BDM developed Integrated Card Technology and, in
1997, the company extended this business to the rest of Africa.

[26] Interview with Emile Parkin, 15 August 2003.
[27] Ibid.
[28] Ibid.
[29] Interview with Maeson Maherry, 13 August 2003.
BDM changed its name to NamITech (Pty) Limited in October 2000 and, in November 2001,
acquired the South African Certification Agency (SACA), which was a specialist in the field of
Public Key Infrastructure (PKI)[30] and encryption technology. Through further partnerships and new
ventures, NamITech became a true secure technology company, specialising in solutions and
applications to meet the custom needs of various clients.
NamITech was divided into three market-facing units. The largest, and most established, unit was
Mobile Solutions, a specialist division that focussed on providing products and services to the
mobile network operator market. Products in this unit included prepaid vouchers for cellular
phones, starter packs, fulfilment packs and SIM cards,[31] which Glenda Babaya, NamITech’s
marketing and corporate services director, described as being the biggest business line, accounting
for about 70% of NamITech’s turnover.[32]
The second business unit was Banking Solutions, geared toward the needs of clients in the banking
sector. Products in this unit included bank cheques, magstripes (magnetic stripe cards) and chip
cards, otherwise known as smart cards, which are plastic cards containing a silicon computer
microchip. The chip was able to contain files and store data, as well as perform processing
functions. The rationale behind the development of these smart cards was to reduce the chances of
card fraud, as the information on the chip could not be copied onto another chip.
The least established business unit was Industry & Government, which had three main focus areas:
Card Solutions, Gaming Solutions and Secure Product Sales. Products and solutions in this division
included standard products, such as cabinets and industrial PCs, Gaming Management Systems
(GMS) for casinos and nightclubs, and retail cards, such as the Clicks Club card or Foschini account
card.
NamITrust was set up as a specialist division in late 2001. NamITrust products and services
included Managed Public Key Infrastructure (PKI) and Intrusion Detection Services (IDS),
Strategic Security Consulting, Penetration Testing, and Vulnerability Assessments and Firewall
Management.
Although security was central to all NamITech’s business units, NamITrust was the specialist
security arm within NamITech and provided security solutions for business risks associated with
information systems. Its solutions were based around a framework for enterprise security that
recognised that every business had to address security issues on three different levels. The
framework stemmed from the premise that a language barrier existed between IT issues and
business issues, resulting in over-investment in IT which did not show any quantifiable business
value.[33] The aim, therefore, was to change the process in which the IT spend occurred, with less
emphasis being placed on the functionality of the solution and more on the business value of the
solution.

[30] PKI is an encryption system that provides a standard mechanism through which all parties can obtain their cryptographic keys, and also ensures confidentiality and integrity in how they are stored.
[31] A Subscriber Identity Module (SIM) is a security device that contains all the necessary information and algorithms to authenticate a subscriber to the network.
[32] Interview with Glenda Babaya, 23 August 2003.
[33] Interview with Maeson Maherry, 13 August 2003.
The first of the three levels was that of IT infrastructure, in which most organisations had already
invested heavily. The business need here simply was availability, and steps had to be taken against
malicious or accidental loss of this infrastructure through electronic attack.[34] NamITrust did this by
assessing the organisation’s infrastructure, implementing products to address any vulnerabilities,
and then monitoring and managing the products and the environment continuously for security
breaches.
The next level dealt with business applications and the information assets of the organisation. Here,
NamITrust sought to ensure that an organisation’s applications were used for business purposes
and, in order to ensure proper business flow, that they could be trusted. This entailed the ability to
hold a party legally responsible for its part in a business deal. Again, NamITech used a three-step
process. The assessment that formed part of the first step involved an analysis of the critical
business processes of the organisation. The next step was to design a solution that would satisfy the
required business trust requirement, and here the focus was on a solution instead of a product. The
final step at this level was to document and execute the ongoing management of the solution as
required.[35]
The final level of the framework was business processes, which aimed to use the opportunities
created by technology and legislation to improve the profitability of the organisation. The
opportunities were twofold, the first being to digitise existing paper processes and reduce paper
processing storage and retrieval costs, as well as the number of errors made in data capture from
paper to electronic systems.[36] The second opportunity was to apply IS solutions which would
benefit customers and make business of more value to them.
Apart from the three market-facing units, NamITech had six major internal business lines, or
delivery units. Each delivery unit supported all of the market-facing units. The delivery units
included Technology Services, Technology and Innovation, Operations, Finance, Marketing and
Corporate Services.[37]
Background on Manuco
Manuco was a large, South African-based manufacturer, which operated on a global scale and had
interests in European and African countries.[38] In 2001, the company had moved to consolidate and
centralise many of its South African service functions, from operating sites and divisions to
clusters.[39] IT was also going through this consolidation process and, since 2001, services and staff
had started to move from separate sites and divisions to a group IT division.
Manuco’s IT Outsource Decision
Many of the services, systems and processes in the IT division had not yet been upgraded to cater
for future demands. Manuco’s IS director knew that much work was still required to create an IT
solution that would benefit the organisation. He believed that, as it was, the IT function at Manuco
was a cause for concern, as Manuco effectively had relationships, or partnerships, with many IT
firms, yet there was little change and not much development in the IT division.

[34] Ibid.
[35] Ibid.
[36] Ibid.
[37] Interview with Glenda Babaya, 13 August 2003.
[38] Manuco IT Service Provider Selection, Request for Proposal, 18 December 2001.
[39] A cluster was a grouping of between one and six Manuco divisions that used similar manufacturing processes and materials, or serviced a particular market segment.
He believed that the ideal situation would be to have strategic partnerships with a few key players.
By reducing its number of IT partners, Manuco would have a team of IT partners that considered
Manuco as a sizable partner. He believed, therefore, that inasmuch as the IT firms would be a
strategic partner for Manuco, so too would Manuco become part of these firms’ own strategic plan.
Manuco therefore decided to put out an RFP for an IT service provider, or a chief outsourcing
provider. The company wanted to follow a primary service provider model, according to which all
outsourced services would be delivered by or through one main provider.
Manuco released the RFP in late 2001. The document outlined Manuco’s intent to achieve
standardisation and consistency across the group, and to deliver a more effective IT service. It said
that, to do this, the IT division needed to consolidate its use of service providers and adopt a more
strategic focus.[40] It also said that the service provider had to be able to support over 3 000 users and
more than 100 sites across the country.[41]
The RFP outlined the scope of services for which the primary service provider would be responsible
as follows:
IT strategy and planning;
IT architecture and standards;
IT vendor relations;
IT business unit management;
IT operations;
end-user computing;
wide-area networking;
data centre;
business systems; and
user support.[42]
A central concern in each of these areas was the field of information security, and the primary
service provider had to either be able to provide the security itself, or partner with a company that
could provide a flexible and appropriate security solution. Manuco had previously had both internal
and external security problems as a result of various portals that opened their network up to
customers and suppliers. The company needed a system that would allow customers and suppliers
access to the network, but that would have different behind-the-scenes security levels based on who
was using the system. The security offering would therefore weigh in heavily as a criterion in the
selection of the chief IT outsourcing partner, as entrenched technical skills were required for
Manuco’s specific needs.
Manuco received 15 responses to its RFP, one of which came from the consortium of which
NamITech was a part. The solution the consortium had proposed was that each company would
look after its own specialised areas, with NamITech’s being IS security.
40 Manuco IT Service Provider Selection, Request for Proposal, op. cit.
41 Manuco sites ranged from manufacturing plants to distribution centres, sales offices and the head office. More than one
division could operate from one site.
42 Manuco IT Service Provider Selection, Request for Proposal, op. cit.
In addressing information security requirements, NamITech’s proposal offered the deep technical
skills needed to manage the firewall environment.43 The company also said it could provide
intrusion detection systems, which would give round-the-clock network surveillance and enable
users to respond to security breaches before systems were compromised. For this kind of system to
be effective, a 24/7 monitoring and management system with human intervention was necessary.
NamITech indicated that NamITrust specifically had years of experience in monitoring networks.44
NamITrust’s security solution included anti-virus and content scanning, which monitored and
controlled information entering the corporate network via the Internet and email paths. NamITrust
could also provide training wherever users needed a security concept clarified.
Manuco accepted the consortium’s proposal in November 2002 and, since then, IS security at
Manuco had improved substantially and there had been no major breaches of security at the
organisation.
Enough?
Wilsnagh thought back on what had happened during the Blaster virus attack (Blaster was strictly a
worm, since it spread from machine to machine without any user action). Network response times
had slowed to the point where Manuco had had to shut down both the main network and all
connected sites, of which there were many, because the flood of traffic the virus generated
amounted to a denial of service.
Once the virus had been identified, the first task was to contain it: network traffic was examined to
pinpoint the PCs and servers that had been infected. Teams were then dispatched to each infected
site to install the latest patches from Microsoft and the latest updates from the anti-virus software
vendor, and because the infected machines were spread across the country this work was going on
at many sites at once. A major problem was that any machine that had not yet been disinfected
became a fresh source of infection: when people who had been on leave, blissfully unaware of the
situation, booted up their PCs, a new round of problems began. Those machines had been neither
patched nor cleaned, so the virus re-established itself on them and resumed generating bogus
traffic that flooded the network.
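The containment step described above, pinpointing infected hosts from network traffic, is what the war room had to do at every site. The following script is an added example, not code from the case or from NamITech, showing one way to automate that triage. Blaster spread by exploiting the Windows DCOM RPC service on TCP port 135 (MS03-026), so an infected host stands out by the number of distinct addresses it tries to reach on that port within a short window, whereas a normal workstation talks RPC to one or two servers. The netflow-style record layout, the sample flows and the thresholds are all constructed assumptions for the example.

```python
"""Worm-scan triage over netflow-style flow records.

Added example, not part of the case or NamITech's tooling. Blaster spread by
exploiting the Windows DCOM RPC service on TCP port 135 (MS03-026), so an
infected host shows an abnormal fan-out: bare SYNs to many distinct
destination addresses on port 135 within a short window. The record layout,
sample flows and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WORM_PORT = 135                    # Blaster's propagation port (MS03-026)
WINDOW = timedelta(seconds=60)     # assumed sliding window
MIN_DISTINCT_TARGETS = 20          # assumed fan-out threshold per window


def parse_flow(line):
    """Parse one constructed record: '<ISO timestamp> <src> <dst> <dport> <TCP flags>'."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def find_scanners(lines, port=WORM_PORT, window=WINDOW, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src: peak distinct targets} for sources whose bare-SYN fan-out to
    `port` inside any `window` reaches `min_targets`. Hosts that only talk to
    one or two RPC servers stay below the threshold."""
    attempts = defaultdict(list)            # src -> [(time, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, flags = parse_flow(line)
        # A SYN without ACK is a fresh connection attempt, i.e. a probe.
        if dport == port and "S" in flags and "A" not in flags:
            attempts[src].append((ts, dst))

    hits = {}
    for src, events in attempts.items():
        events.sort()
        peak, left = 0, 0
        for right, (ts, _) in enumerate(events):
            while ts - events[left][0] > window:   # slide the window start forward
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            hits[src] = peak
    return hits


def build_sample():
    """Constructed flows: one infected workstation, one normal one, one slow host."""
    base = datetime(2003, 8, 12, 9, 0, 0)

    def stamp(**offset):
        return (base + timedelta(**offset)).isoformat()

    lines = []
    # Infected workstation: probes 30 distinct hosts on 135 within 30 seconds.
    lines += [f"{stamp(seconds=i)} 10.1.4.23 10.1.7.{i + 1} 135 S" for i in range(30)]
    # Normal workstation: web traffic plus RPC to a single domain controller.
    lines += [f"{stamp(seconds=3 * i)} 10.1.4.50 10.1.1.10 80 S" for i in range(10)]
    lines += [f"{stamp(seconds=5 * i)} 10.1.4.50 10.1.1.5 135 S" for i in range(4)]
    # Slow host: five port-135 targets spread over five minutes, below threshold.
    lines += [f"{stamp(minutes=i)} 10.1.9.7 10.1.8.{i + 1} 135 S" for i in range(5)]
    return lines


if __name__ == "__main__":
    for host, n in sorted(find_scanners(build_sample()).items()):
        print(f"isolate {host}: {n} distinct port-{WORM_PORT} targets within {WINDOW.seconds}s")
```

In practice the records would come from router netflow exports or firewall connection logs rather than a constructed list, and the flagged hosts feed straight into the isolate, patch and update step. The same fan-out check also catches the reinfection problem the case describes: a machine returning from leave that starts probing port 135 the moment it boots shows up on the next run, before it has flooded the site.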
The war room established at head office to deal with the virus had been in a state of pandemonium.
There were specialists in routers, firewalls, servers and intrusion detection systems and
representatives from the various vendors. They were a bunch of kids. None of them seemed older
than twenty-five. Everyone seemed to be talking on a telephone or to one another. The conference
call speaker to other locations added to the general hubbub. The vibe was almost tangible. They
were on the hunt and seriously fired up. There was no thought of stopping until the virus had been
found and neutralised, and they had succeeded.
All of this was fine if you were one of the kids seeking ways to cut off the virus’s head, but neither
Manuco nor NamITech was keen on a recurrence of this situation. Wilsnagh wondered whether the
virus would remain Manuco’s biggest threat, or whether other security breaches were on the way.
NamITech’s intrusion detection services were a vital part of the Manuco defences and, together with
the firewalls and the anti-virus software, had worked well thus far. Of course, all of this would have
to be backed by appropriate governance, risk and information security policies. But the question
that was increasingly occupying Wilsnagh’s mind was whether the security of Manuco’s information
could ever be guaranteed.
43 A firewall is a device that controls network traffic and connections to and from the company network.
44 NamITech, no date. NamITrust: The Trusted Enterprise Security Provider in Africa.
| 1/13

Preview text:

Wits Business School WBS-2004-8
NamITech: In the IS Security War Zone
William Wilsnagh, business unit director of technology services at NamITech, reflected on a rather
alarming incident that had just occurred at Manuco,1 one of NamITech’s clients. A virus had hit the
Manuco network, resulting in downtime of a full day. Manuco and NamITech had dedicated
resources to resolving the problem and Manuco was functioning again, but the virus was still lurking in the system.
Manuco had become one of NamITech’s clients in November 2002, when, after a year-long tender
process, Manuco had chosen a consortium, which included NamITech, to be its primary information
technology service provider. The consortium had offered a solution encapsulating everything from
the hardware to the security requirements that had been specified in the Manuco tender. Information
security was central to Manuco’s requirements.
In addressing the virus attack, NamITech had fulfilled all of its responsibilities as specified in its
service level agreement, but, for Wilsnagh, the incident highlighted the need to extend the scope of
NamITech’s services. Information systems (IS) security was all about ensuring the confidentiality,
integrity and availability of information. Although viruses were the high-profile enemies in the IS
security war, he knew that there was more to it than virus detection, prevention and elimination. He
knew that there were additional security improvements that NamITech could undertake for Manuco.
Since Manuco had accepted the tender proposal, its IS security had improved greatly and there had
been no significant IS security breaches. But, as a result of this attack by the Blaster virus, Wilsnagh
knew that NamITech needed to be continuously vigilant and find innovative ways of mitigating Manuco’s security risks.
Corporate Governance Background
The focus on IS was founded in a growing realisation of the importance of good corporate and IT
governance, and in the ever more central role that IT played in the functioning of an organisation.
In 2000, a survey performed by consulting group McKinsey & Co into the value of good
governance had found that investors were willing to pay a premium for shares in a well-governed
company. The Investor Opinion Survey concluded that companies needed not only to be well
1 The name of the company has been changed for the purposes of confidentiality.
This case was prepared by research associates, Claire Gordon Brown and Kate Slade with Professor Neil
Duffy. While it describes an actual situation, some company names have been changed for purposes of
confidentiality. The case is not intended to demonstrate effective or ineffective handling of an administrative
situation; it is intended for classroom discussion only.
Copyright ©2004 Graduate School of Business Administration, University of the Witwatersrand. No part of
this publication may be reproduced in any format - electronic, photocopied, or otherwise - without consent
from Wits Business School. To request permission, apply to: The Case Centre, Wits Business School, PO Box
98, Wits 2050, South Africa, or e-mail casecentre@wbs.ac.za
NamITech: In the IS Security War Zone
governed, but should also be perceived in the market as being well governed. According to the
group, the implications of this survey were simple: managers could potentially add significant
shareholder value merely by developing good governance practices.2
Internationally, the UK led the way in defining good corporate governance. The Cadbury
Committee Report on the Financial Aspects of Corporate Governance was published on
1 December 1992. The basis of the Cadbury Report (headed by Sir Adrian Cadbury) was a ‘Code of
Best Practice’. This provided recommendations on the structure and responsibilities of corporate boards of directors.
The committee also urged that the boards of all companies that were registered on the official list of
the London Stock Exchange (LSE) should comply with the Code. Since June 1993, the LSE, in
turn, had required a statement from each listed company that spelled out whether the firm was in
compliance with the Code. If not, it had to explain why. By 1998, all companies in the Financial
Times 100
and over 90% of all firms on the official list of the LSE complied with the key provisions
of the Code, despite the fact that compliance was not compulsory.3
The New York Stock Exchange also went to work on proposing new rules for boards of directors
following the incidents of corporate fraud in the US in 2000 and 2001. The Securities and Exchange
Commission (SEC) proposed changes in accounting and auditing procedures, and had already
imposed new rules to prevent conflicts of interests among stock analysts.4
In South Africa, the King Committee on Corporate Governance published the King Report on
Corporate Governance (King I) in 1994. King I was replaced by the King Report on Corporate
Governance for South Africa 2002 (King II), which Cadbury declared to be the most
comprehensive document ever published on the subject. It introduced the ‘triple bottom line’ to
corporate governance in South Africa, saying that, in addition to purely financial issues (commonly
referred to as the bottom line), boards now had to consider the environmental and social aspects of a company’s activities.
From September 2003, the Johannesburg Stock Exchange (JSE) Securities Exchange required that
all listed companies comply with key aspects of the King Code. King believed that this encouraged
global investors to consider South Africa as a place to invest. “Something we can be proud of is that
investors such as Templeton (headed by Mark Mobius, who controls one of the biggest emerging
markets funds in the world) regard SA as one of the best emerging markets to invest in because of
the way we govern our corporations,” he said.5 IT Governance
By the 2000s, information technology (IT) had become essential in managing the transactions,
information and knowledge necessary to initiate and sustain all kinds of economic and social
activities. In many organisations, IT became the critical factor in supporting, sustaining and
growing the business. Erik Guldentops, a security advisor for the Society of Worldwide Interbank
Financial Telecommunication, noted that this arose from a number of factors, such as:
• an increasing dependence on information and the systems that deliver it;
• the scale and cost of investments in information;
2 King Committee on Corporate Governance, King Report on Corporate Governance for South Africa 2002, March 2002, p. 13.
3 J Dahua, ‘The Cadbury Committee, Corporate Performance and Top Management Turnover’, 13 January 2000, available
www.mgmt.purdue.edu/centers/ciber/publications/99-004.pdf (accessed 12 March 2003).
4 D Kadlec, ‘Worldcon’. Time, 8 July 2002, pp. 23-27.
5 J Dahua, ‘The Cadbury Committee, Corporate Performance and Top Management Turnover’, op cit. 2
NamITech: In the IS Security War Zone
• a dependence on entities beyond the control of the enterprise;
• IT failures increasingly impacting reputation and enterprise value; and
• the potential for technologies to change organisations and business practices, create new
opportunities and create costs.6
He also noted that, while governance developments had previously been driven by the need for the
transparency of organisational risks and the protection of shareholder value, the pervasive use of
technology had created a critical dependency on IT and called for improved IT governance. Since
IT was such a crucial function in supporting and enabling the achievement of organisational goals,
effective IT governance would generate real business benefits, he said, such as a sound reputation,
stakeholder trust, product leadership, improved time to market and reduced costs – all of which
would increase shareholder value.7
While technology developments could improve governance, they also brought increased risks and
challenges. King II recognised that there had been notable changes in the IT area and addressed the
issue in a chapter devoted to IT. The chapter outlined six main areas in which IT had a significant
impact on corporate governance.8 These areas were:
• internal control system – characterised by auditing issues, enterprise resource planning systems and employee responsibility;
• reporting – dealt with how the organisation made information available to its shareholders;
• fiduciary implications – the laws and regulations affecting IT, as there was a greater emphasis
on intellectual property rights;
• business – e-business and the change that it had introduced by allowing a greater degree of
integration of processes in the supply chain than traditional systems ever allowed;
• technology, and how it had impacted the way in which business was conducted and measured,
and this was especially so in IT companies; and
• the cost/value relationship – management had to give consideration to the cost/value
relationship in considering IT strategy. The high rate of development and obsolescence in IT
made decisions on IT expenditure especially important.
In this chapter, King II formulated a series of recommendations for IT governance. (See Exhibit 2.)
King II said that IT governance was the responsibility of executives and shareholders and that it
consisted of leadership and organisational structures and processes that ensured that the
organisation’s IT continued and extended its strategies and objectives.9 Risk Management
To ensure good corporate governance, it was necessary to identify, monitor, measure, mitigate and
manage the risks inherent in running a business.10 This gave rise to the practice of risk management,
which could be viewed as being divided into two broad groups, each dealing with a different kind of
risk to an organisation. Credit risk dealt with the loss to the organisation if a counter party failed to
perform contractual obligations. Operational risk was the risk of loss arising from inadequate or
failed internal processes, people or systems, and that arising from external events.
6 E Guldentops, ‘Asking the Right Questions for IT Governance’, Information Systems Control Journal Vol. 4, 2001. pp. 13-15.
7 H Parkes, ‘IT Governance – Putting it in Perspective’ Information Systems Control Journal Vol. 3, 2001. pp. 17
8 King Committee on Corporate Governance, King Report on Corporate Governance for South Africa 2002, op cit.
9 E Guldentops, ‘Asking the Right Questions for IT Governance’, op cit.
10 Investec Annual Report, 2002. 3
NamITech: In the IS Security War Zone
Nick Louw, of group risk management at Investec, defined operational risk as the newest and the
most vaguely defined, as it dealt with the broad arena of people, processes and systems.11 He also
noted that it was considered to be the area in which most growth was forecast, especially since
‘softer risks’, such as people, were becoming more and more significant – evidenced by the
growing number of frauds and internal attacks on companies.
Louw discussed four challenges facing the arena of risk management: how to quantify the cost of a
loss that had not yet happened; market volatility making the past a bad predictor of the future; the
threat in South Africa of contagion from emerging markets; and global pressure on local companies
to perform, which could encourage fraudulent behaviour in an attempt to make the company appear
to be an attractive investment.
Furthermore, a large gap existed between risk identification and risk mitigation. Risks were often
not seen as being urgent enough, or the impact not significant enough to be dealt with effectively
and efficiently.12 Senior management, as well as the board, was also seen as being problematic in
the practice of risk management, because of apathy regarding risk management, and even risk
illiteracy. William Wilsnagh at NamITech viewed risk management as a practice that companies
undertook only to a certain extent saying that it was intertwined with what was deemed important.13
Due to the illiteracy of the board with regard to risk, except economic risk, this often meant that
those risks placed under the heading of operational risk were excluded from risk management practices.
Information Systems Security
With increasing dependence on IT and growing exposure to the Internet, viruses and hacking had
become major concerns for corporations in recent years. With new threats and vulnerabilities
published daily, it had become increasingly difficult to stay informed and up to date with the latest security developments.14
For example, on 15 May 1999, a virus manifested itself in Edgar’s company computers when a
former employee, Berend Howard, initiated a virus in the company’s mainframe. It caused losses to
the company of about R5 million. Howard, who worked in the IT division, had a grudge against the
company because some IT work had been outsourced and he had had to accept a cut in salary.15
In April 2003, Absa bank experienced online fraud. A hacker siphoned about R530 000 from the
accounts of nine of Absa’s online banking clients by installing software on Internet terminals at
printing shops and capturing the user names and passwords of more than 450 people.16
As a result, organisations had started to realise that, for both legal and commercial reasons,
information had to be protected if they wished to compete in the electronic market place. They
would also have to demonstrate that they proactively safeguarded that information.
The British Standard BS7799, published in 1995 and updated in 1999, was an information security
management system that consisted of two parts.17 The first and most popular part was a best
practices standard, which came to serve as an international best practice in information security.
11 Interview with Nick Louw, 25 August 2003.
12 Interview with Mark Craddock, Group Risk Management, KPMG, 15 August 2003.
13 Interview with William Wilsnagh, 13 August 2003.
14 An example site is www.securityfocus.com.
15 Unknown author, ‘Landmark Virus Case Postponed Again’, www.iafrica.com (accessed 15 August 2003).
16 L Stones, ‘Helpful Software Threatens Security’ www.bday.co.za (accessed 28 July 2003).
17 D Chin, ‘Get Certified!’ Network Magazine. www.networkmagazineindia.com (accessed 15 August 2003). 4
NamITech: In the IS Security War Zone
The standard had since been adapted internationally into ISO/IEC 17799, and locally into SABS
17799.18 This Code of Practice was based on a compilation of the best information security practices
that were in use in many leading international companies.
The objectives of the Code of Practice were twofold:19
• to provide a common basis for companies to develop, implement and measure effective security management practice; and
• to provide confidence in inter-company trading.
The Code of Practice consisted of two parts. The first included the introduction, which gave some
background information on the code, and then the security categories and controls. The Code was
based on ten categories that should have been present in most companies.20 (See Exhibit 3.)
The second section of BS7799 was more crucial to those seeking certification, and brought a key
continuity and change management system to BS7799, commonly known as the PDCA (Plan, Do,
Check, Act) cycle. This ensured that the management system would constantly evolve along with
current prevailing threats.21 (See Exhibit 4.)
The value of the BS7799 standard lay in the ongoing management of information security risks and
threats, and the continuous loop of evaluating and adapting to new risks. The first step in the
Information Security Management System (ISMS) involved a gap analysis to assess how far the
enterprise was from objectives which it had set for itself. The organisation would then set up a
management framework and risk assessment, followed by implementation and documentation.
Auditing procedures were then to be carried out. A stringent certification assessment ensued
auditing and this, finally, was followed by certification. The organisation was continuously assessed
and monitored. The scrutiny and accountability of the process made the standard one which was
dependable and predictable. In 2003, there were no South African companies that had obtained the certification.22
Such was the concern about IT and Internet security that the South African government enacted the
Electronic Communications and Transactions (ECT) Act in August 2002. This marked the end of a
process that the government had initiated in 1999 in an attempt to establish a structure that would
define, develop, regulate and govern e-commerce in South Africa.23 The key issues that the act
sought to address were IT security and the registration of cryptography service providers, the
accreditation of electronic signature technologies by authentication service providers and the
protection of critical databases. The government noted that the Internet had started to present
security challenges which, without an effective regulatory framework, would pose a threat to the
security of consumers and the state.24
The majority of successful attacks on operating systems were typically targeted against only a few
of the many software vulnerabilities, noted Emile Parkin, IS security consultant at NamITech.25 This
18 See SABS Standards Division: STANSA, www.stansa.co.za.
19 R von Solms, ‘Information Security Management: Why Standards are Important’, Information and Computer Security,
Volume 7 Number 1, 1999, pp. 50-58. 20 Ibid.
21 D Chin, ‘Get Certified!’, op cit.
22 In Q1 2004, there was only one South African company that had obtained the certification, in comparison with Japan’s
296 and the UK’s 132 certified organisations. A list of certified organisations is maintained at www.xisec.com.
23 Author unknown, ‘Guide to the Electronic Communications and Telecommunications Act, 2002’,
www.michalsons.co.za (accessed 22 August 2003). 24 Ibid.
25 Interview with Emile Parkin, 15 August 2003. 5
NamITech: In the IS Security War Zone
could be attributed to the fact that attackers were opportunistic, took the easiest and most
convenient route and exploited the best known flaws with the most effective and widely available
attack tools. They counted on organisations not fixing problems, and often attacked
indiscriminately, scanning the Internet and corporate networks for any vulnerable systems.26
Security issues continued to evolve as technologies changed and threats altered themselves to new
environments. Parkin summed this up by saying, “There is always a way in … one just has to make
it more difficult for an attacker”.27 An information security manager’s approach to security had to be
revised and adapted daily, or there would be holes in the armour of the system
Even in organisations with extensive deployment of firewall, encryption and intrusion detection
systems, attacks still occurred with alarming frequency. According to a Computer Security
Institute/FBI survey of Fortune 1000 organisations that have suffered attacks, 91% had deployed
firewalls and 61% had installed intrusion detection systems.
Parkin outlined a number of challenges that were at that stage facing the field of information
security. One was that organisations often did not define a clear role for information security
management. Instead, it would get bundled into the IT manager’s portfolio, or the risk manager’s
portfolio, neither of whom understood the full scope of information security.
Parkin also pointed out that it was always difficult to motivate the need for information security
countermeasures, as the threats and security risks to a business were not understood or taken
seriously. In contrast to physical assets, which were easy to measure and quantify, it was
significantly more complicated to measure the value of information assets. One way to counteract
this problem, Parkin suggested, was to present information security to clients in ‘business speak’,
ie: the concepts of corporate governance and risk management that were widely understood and critically regarded.28
There was also pressure to keep up to date with new threats and to develop new technology to
mitigate those threats. New threats came about with every new software application written and installed.
Parkin believed the most important requirement in information systems security was for a method to
measure the risks that a company faced in its use of information systems, based on the simple
business principle that it is not possible to manage an environment if you cannot measure its
attributes. Along with this came the need to educate companies about the importance of IT security
and the risks that they faced should their system fail or be attacked from the outside.
Maeson Maherry, general manager of NamITrust, the security arm of NamITech, characterised the
nature of IS Security when he said that there were “too many techies trying to sell the stuff, without
being aware of the business need behind the product or service”.29 He said that there was therefore a
need to bridge the language gap between technology, risk and business. Background on NamITech
In 2003, NamITech was a technology solutions provider to a number of key market areas, including
the banking, mobile, industry and government sectors. The company started out in March 1972 as
26 Interview with Emile Parkin, 15 August 2003. 27 Ibid. 28 Ibid.
29 Interview with Maeson Maherry, 13 August 2003. 6
NamITech: In the IS Security War Zone
Brown Davis and McCorquodale (Pty) Limited (BDM), a division of packaging company Nampak.
Initially it focussed on printing secure documents, such as drafts and cheques, for the major banks
in South Africa, but in 1987 moved into the manufacture of magnetic stripe bank cards. When the
demand for cellular phones mushroomed in the mid-1990s, so too did the demand for GSM SIM
cards. To take advantage of this opportunity, BDM developed Integrated Card Technology and, in
1997, the company extended this business to the rest of Africa.
BDM changed its name to NamITech (Pty) Limited in October 2000 and, in November 2001,
acquired the South African Certification Agency (SACA), which was a specialist in the field of
Public Key Infrastructure (PKI)30 and encryption technology. Through further partnerships and new
ventures, NamITech became a true secure technology company, specialising in solutions and
applications to meet the custom needs of various clients.
NamITech was divided into three market-facing units. The largest, and most established, unit was
Mobile Solutions, a specialist division that focussed on providing products and services to the
mobile network operator market. Products in this unit included prepaid vouchers for cellular
phones, starter packs, fulfilment packs and SIM cards,31 which Glenda Babaya, NamITech’s
marketing and corporate services director, described as being the biggest business line, accounting
for about 70% of NamITech’s turnover.32
The second business unit was Banking Solutions, geared toward the needs of clients in the banking
sector. Products in this unit included bank cheques, magstripes (magnetic stripe cards) and chip
cards, otherwise known as smart cards, which are plastic cards containing a silicon computer
microchip. The chip was able to contain files and store data, as well as perform processing
functions. The rationale behind the development of these smart cards was to reduce the chances of
card fraud, as the information on the chip could not be copied onto another chip.
The least established business unit was Industry & Government, which had three main focus areas:
Card Solutions, Gaming Solutions and Secure Product Sales. Products and solutions in this division
included standard products, such as cabinets and industrial PCs, Gaming Management Systems
(GMS) for casinos and nightclubs, and retail cards, such as the Clicks Club card or Foschini account card.
NamITrust was set up as a specialist division in late 2001. NamITrust products and services
included Managed Public Key Infrastructure (PKI) and Intrusion Detection Services (IDS),
Strategic Security Consulting, Penetration Testing, and Vulnerability Assessments and Firewall Management.
Although security was central to all NamITech’s business units, NamITrust was the specialist
security arm within NamITech and provided security solutions for business risks associated with
information systems. Its solutions were based around a framework for enterprise security that
recognised that every business had to address security issues on three different levels. The
framework stemmed from the premise that a language barrier existed between IT issues and
business issues, resulting in over-investment in IT which did not show any quantifiable business
value.33 The aim, therefore, was to change the process in which the IT spend occurred, with less
30 PKI is an encryption system that provides a standard mechanism through which all parties can obtain their cryptology
keys, and also ensures confidentiality and integrity in how they are stored.
31 A Subscriber Identity Module (SIM) is a security device that contains all the necessary information and algorithms to
authenticate a subscriber to the network.
32 Interview with Glenda Babaya, 23 August 2003.
33 Interview with Maeson Maherry, 13 August 2003. 7
NamITech: In the IS Security War Zone
emphasis being placed on the functionality of the solution and more on the business value of the solution.
The first of the three levels was that of IT infrastructure, in which most organisations had already
invested heavily. The business need here simply was availability, and steps had to be taken against
malicious or accidental loss of this infrastructure through electronic attack.34 NamITrust did this by
assessing the organisation’s infrastructure, implementing products to address any vulnerabilities,
and then monitoring and managing the products and the environment continuously for security breaches.
The next level dealt with business applications and the information assets of the organisation. Here,
NamITrust sought to ensure that an organisation’s applications were used for business purposes
and, in order to ensure proper business flow, that they could be trusted. This entailed the ability to
hold a party legally responsible for its part in a business deal. Again, NamITech used a three-step
process. The assessment that formed part of the first step involved an analysis of the critical
business processes of the organisation. The next step was to design a solution that would satisfy the
required business trust requirement, and here the focus was on a solution instead of a product. The
final step at this level was to document and execute the ongoing management of the solution as required.35
The final level of the framework was business processes, which aimed to use the opportunities
created by technology and legislation to improve the profitability of the organisation. The
opportunities were twofold, the first being to digitise existing paper processes and reduce paper
processing storage and retrieval costs, as well as the number of errors made in data capture from
paper to electronic systems.36 The second opportunity was to apply IS solutions which would
benefit customers and make business of more value to them.
Apart from the three market-facing units, NamITech had six major internal business lines, or
delivery units. Each delivery unit supported all of the market-facing units. The delivery units
included Technology Services, Technology and Innovation, Operations, Finance, Marketing and Corporate Services.37 Background on Manuco
Manuco was a large, South African-based manufacturer, which operated on a global scale and had
interests in European and African countries.38 In 2001, the company had moved to consolidate and
centralise many of its South African service functions, from operating sites and divisions to
clusters.39 IT was also going through this consolidation process and, since 2001, services and staff
had started to move from separate sites and divisions to a group IT division.
Manuco’s IT Outsource Decision
Many of the services, systems and processes in the IT division had not yet been upgraded to cater
for future demands. Manuco’s IS director knew that much work was still required to create an IT
solution that would benefit the organisation. He believed that, as it was, the IT function at Manuco
was a cause for concern, as Manuco effectively had relationships, or partnerships, with many IT
firms, yet there was little change and not much development in the IT division.
34 Ibid.
35 Ibid.
36 Ibid.
37 Interview with Glenda Babaya, 13 August 2003.
38 Manuco IT Service Provider Selection, Request for Proposal, 18 December 2001
39 A cluster was a grouping of between one and six Manuco divisions that used similar manufacturing processes and
materials, or serviced a particular market segment.
He believed that the ideal situation would be to have strategic partnerships with a few key players.
By reducing its number of IT partners, Manuco would have a team of IT partners that considered
Manuco as a sizable partner. He believed, therefore, that inasmuch as the IT firms would be a
strategic partner for Manuco, so too would Manuco become part of these firms’ own strategic plan.
Manuco therefore decided to put out an RFP for an IT service provider, or a chief outsourcing
provider. The company wanted to follow a primary service provider model, according to which all
outsourced services would be delivered by or through one main provider.
Manuco released the RFP in late 2001. The document outlined Manuco’s intent to achieve
standardisation and consistency across the group, and to deliver a more effective IT service. It said
that, to do this, the IT division needed to consolidate its use of service providers and adopt a more
strategic focus.40 It also said that the service provider had to be able to support over 3 000 users and
more than 100 sites across the country.41
The RFP outlined the scope of services for which the primary service provider would be responsible as follows:
• IT strategy and planning;
• IT architecture and standards;
• IT vendor relations;
• IT business unit management;
• IT operations;
• end-user computing;
• wide-area networking;
• data centre;
• business systems; and
• user support.42
A central concern in each of these areas was the field of information security, and the primary
service provider had to either be able to provide the security itself, or partner with a company that
could provide a flexible and appropriate security solution. Manuco had previously had both internal
and external security problems as a result of various portals that opened their network up to
customers and suppliers. The company needed a system that would allow customers and suppliers
access to the network, but that would have different behind-the-scenes security levels based on who
was using the system. The security offering would therefore weigh in heavily as a criterion in the
selection of the chief IT outsourcing partner, as entrenched technical skills were required for Manuco’s specific needs.
Manuco received 15 responses to its RFP, one of which came from the consortium of which
NamITech was a part. The solution the consortium had proposed was that each company would
look after its own specialised areas, with NamITech’s being IS security.
40 Manuco IT Service Provider Selection, Request for Proposal, op cit.
41 Manuco sites ranged from manufacturing plants to distribution centres, sales offices and the head office. More than one
division could operate from one site.
42 Manuco IT Service Provider Selection, Request for Proposal, op cit.
In addressing information security requirements, NamITech’s proposal offered the deep technical
skills to manage the environment that dealt with firewalls.43 The company also said it could provide
intrusion detection systems, which would provide round-the-clock network surveillance and enable
users to respond to security breaches before systems were compromised. For this kind of system to
be effective, a 24/7 monitoring and management system with human intervention was necessary.
NamITech indicated that NamITrust specifically had years of experience in monitoring networks.44
NamITrust’s security solution included anti-virus and content scanning, which monitored and
controlled information entering the corporate network via the Internet and email paths. NamITrust
could also provide training in cases where a security concept needed clarification by the user.
Manuco accepted the consortium’s proposal in November 2002 and, since then, IS security at
Manuco had improved substantially and there had been no major breaches of security at the organisation.
Enough?
Wilsnagh thought back on what had happened during the Blaster virus attack. Network response
times had slowed down to the point where Manuco had had to close down both the main network
and all connected sites – of which there were many – because the virus had resulted in denial of service.
Once the virus had been identified, the first task had been to isolate the problem by looking at the
network traffic to identify the PCs and servers that had been infected. Once this had been done,
teams had to identify the infected sites to install the latest patches from Microsoft and the latest
updates from their anti-virus software vendor. This was happening all around the country,
depending on where the infected processors were. A major problem was that the virus reconstituted
itself on any processor that had not been disinfected, so that, when people who had been on leave
and blissfully unaware of the situation booted up their PC, it started a new round of problems. The
virus simply disabled the patches and resumed generating pseudo transactions to flood the network.
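The first step of the clean-up described above, picking the infected machines out of the network traffic, and the follow-on problem of an unpatched PC coming back online and starting a new round, can both be written as detection logic over flow records. The Python below is an added example, not code from the case or from NamITech or Manuco; the host names, the flow records and the service port number are constructed for the example, and the thresholds are assumptions. It flags any host that contacts many distinct destinations on one service port within a short window (the sweep pattern a network worm produces), and separately reports hosts whose sweep begins only after the environment was declared clean.

```python
"""Worm-style sweep detection over flow records (constructed data, added example)."""
from collections import Counter, deque

# Assumed service port for the example; not a value taken from the case.
SCAN_PORT = 4135


def _constructed_flows():
    """Build a small, labelled set of flow records: (timestamp, source, destination, dst_port)."""
    flows = []
    # pc-017: contacts 40 distinct addresses on the service port within 40 seconds (sweep).
    for i in range(40):
        flows.append((1000 + i, "pc-017", f"10.0.1.{i + 1}", SCAN_PORT))
    # pc-042: ordinary traffic, a handful of connections to one file server.
    for i in range(5):
        flows.append((1100 + i * 60, "pc-042", "fs-01", 445))
    # srv-app: one connection a minute to the same database on another port.
    for i in range(10):
        flows.append((1000 + i * 60, "srv-app", "db-01", 1433))
    # pc-099: booted after the clean-up and repeats the sweep (the "back from leave" case).
    for i in range(40):
        flows.append((9000 + i, "pc-099", f"10.0.2.{i + 1}", SCAN_PORT))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def scanning_hosts(flows, port=SCAN_PORT, window=60, min_targets=20):
    """Return sorted [(host, window_start)] for every source that reached at least
    `min_targets` distinct destinations on `port` within any `window` seconds."""
    per_src = {}
    for ts, src, dst, dport in flows:
        if dport == port:
            per_src.setdefault(src, []).append((ts, dst))

    flagged = []
    for src, events in per_src.items():
        events.sort()
        recent = deque()        # flows inside the sliding window
        targets = Counter()     # distinct destinations inside the window
        for ts, dst in events:
            recent.append((ts, dst))
            targets[dst] += 1
            # Drop flows that have aged out of the window.
            while ts - recent[0][0] > window:
                old_ts, old_dst = recent.popleft()
                targets[old_dst] -= 1
                if targets[old_dst] == 0:
                    del targets[old_dst]
            if len(targets) >= min_targets:
                flagged.append((src, recent[0][0]))
                break   # one alert per host is enough for triage
    return sorted(flagged)


def reinfection_alerts(flows, cleanup_time, **kwargs):
    """Hosts whose sweep starts after `cleanup_time`, i.e. a fresh round after the
    network was declared clean, such as a machine switched on after leave."""
    return [host for host, start in scanning_hosts(flows, **kwargs) if start >= cleanup_time]


if __name__ == "__main__":
    print("sweeping hosts:", scanning_hosts(SAMPLE_FLOWS))
    print("new round after clean-up:", reinfection_alerts(SAMPLE_FLOWS, cleanup_time=5000))
```

The sliding window is the part worth keeping: a host that talks to one server many times is not a sweep, and a host that reaches twenty addresses over a whole day is not either, so both the count of distinct destinations and the time window matter. Re-running the check after the clean-up, with the clean-up time as a cutoff, is what turns the same logic into an early signal for the reinfection problem the case describes.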
The war room established at head office to deal with the virus had been in a state of pandemonium.
There were specialists in routers, firewalls, servers and intrusion detection systems and
representatives from the various vendors. They were a bunch of kids. None of them seemed older
than twenty-five. Everyone seemed to be talking on a telephone or to one another. The conference
call speaker to other locations added to the general hubbub. The vibe was almost tangible. They
were on the hunt and seriously fired up. There was no thought of stopping until the virus had been
found and neutralised, and they had succeeded.
All of this was fine if you were one of the kids seeking ways to cut off the virus’s head, but neither
Manuco nor NamITech was keen on a recurrence of this situation. Wilsnagh wondered whether the
virus would be Manuco’s biggest threat, or if there were more security breaches on the way. The
non-intrusion services of NamITech were a vital part of the Manuco defences and had worked well
thus far, together with the firewalls and the anti-virus software. Of course, all of this would have to
be backed by appropriate governance, risk and information security policies. But the question that
was increasingly occupying Wilsnagh's mind was whether the security of Manuco’s information could be guaranteed.
43 A firewall is a device that controls network traffic and connections to and from the company network.
44 NamITech, NamITrust: The Trusted Enterprise Security Provider in Africa, no date.