Before circling the wagons, know your needs: financial executives need to focus on critical technology needs and vulnerabilities, and not be swayed by technical jargon and their own lack of knowledge. Establishing priorities and striking a cost-effective balance are critical.

Before you find the right solution, you need to ask the right question. That has long been a sturdy maxim, but it has probably never been more true than with information technology (IT) security.

"Beware the barrage of facts and statistics calculated to belittle an executive's understanding of technical issues," warns Jim Litchko, a former staff chief for the director of the National Computer Security Center. "They promote FUD--fear, uncertainty and doubt--that dire consequences will ensue if the client doesn't fly toward the solutions being sold. This is often peppered with acronyms to keep the technical jargon confusing."

"This isn't an arena where executives, particularly financial executives, can just toss the ball to outsiders, or even in-house specialists, to call the shots," adds Litchko. "These are decisions about risks, priorities and what strikes a cost-effective balance. They require a keen understanding of a company's business operations, overall needs and growth direction, and officials who routinely make such judgment calls. If managers don't lead this effort, it will lose focus, become unwieldy and expenses will slide up."

Litchko teaches network security at Johns Hopkins University and advises managers in organizations from the Defense Department to casinos. He stresses that managers need to approach an analysis like picking up a new card game. "Learn the rules and objectives, then study players' capabilities, motives and weaknesses before building a strategy," says Litchko. "Go for proactive interference; don't just wait for things to happen and luck to intervene."

Assessments start with defining a goal, says Litchko. Why are solutions needed? Are they driven by regulation, law or fear? Who is involved, and who should be? What are the individual motivations, and where is the organization in its budget cycle?

Security assessments are cyclical processes that review an IT system's security to determine what the appropriate level of security should be, what the risks are and whether there is a contingency plan to recover from security incidents. This begins with identifying what information is sensitive, what services are vital and which information must be highly accurate. "A critical judgment call," says Litchko, "is who and what software applications need access to specific information, and when. Then the focus shifts to a system's vulnerabilities and the threats that might exploit them, and weighing the impacts if security is compromised." It is at this point, after identifying an organization's biggest security concerns, that one can start seeking the right solutions to counter them.
Then it is also easier to identify residual risk, where countermeasures are currently too expensive to eliminate the threat completely, and to identify a recovery plan if the worst happens. "You can provide total security solutions, but you can never make something totally secure," says Litchko. "If you get too hooked on the technical approach, you'll miss that some of your best solutions may be oriented to physical, personnel and procedural security."

The more complex the security solutions, in fact, the more likely things will go awry, with multiple points of failure along multilayer defenses of firewalls, tunneling, encryption and intrusion detection. These ratchet up management and troubleshooting costs, with open-ended expenses that are particularly onerous for small businesses short on IT staff for a security arms race.

The connection to physical security is underscored by Keith Flannigan, who heads Atlanta-based International Dynamics Research Corp. Flannigan, whose focus includes the theft of proprietary information by corporate spies, says it is critically important that the directors of physical security and information security work closely together, to understand the total security picture and the give and take of the security budget, with both reporting to upper management.

Flannigan also advocates developing a company security culture that lets employees know security is taken seriously, with informational programs on proprietary security that include sending out memos on situations and incidents that have happened to other companies. For example, Flannigan says many employees are oblivious to the fact that "one of the largest current threats today is the widespread use of Wi-Fi." He says a recent study determined that only a third of companies using wireless Internet technologies were using encryption, and of those, more than half used it at an insufficient level.

But Litchko notes that such efforts walk a fine line: executives with a total security focus must often be tempered so they don't create measures that are unfriendly to employees, who then won't use them, or to customers. "Deploying the strongest and best security solution can kill your business faster than any virus or hacker," says Litchko. "When selecting authentication solutions, you must take into consideration the capabilities, expectations and patience of the user. You can force your customer to use the best solution, but if it requires them to wait or install something on their computer to use your service, there's a high probability that they will go to your competitor."

Perfect Is Enemy of the Good

Moreover, reaching for the last percentage point of total security is often far more expensive than achieving what is good enough in most cases, says Litchko, echoing the notion that "the perfect is the enemy of the good." Such decisions require balancing costs and priorities, including the cost of a particular security failure. "Ensure there is a business reason for everything," says Litchko. "Of the over 100 systems that I have reviewed, all were connected to the Internet, but only 81 had a business reason to be connected. For the rest, it was the 'cool thing to do.'

"Risk is a balance of business and security requirements, and approving what is an acceptable risk is a management decision, not a technical decision," he adds. "Risk decisions are made by those with operational, political, policy and, finally, financial authority."
Skip Kaltenheuser (skip.kaltenheuser@verizon.net) is a freelance writer in Washington, D.C., who has written about corporate security issues.

RELATED ARTICLE: Touching the Internet Lightly

Prior to the widespread use of the Internet, "security was only a minor issue, as networks were inherently secure," says Marc Coluccio, chief technology officer (CTO) of Straitshot Communications Inc., a provider of intelligent network services. "It wasn't even anything anyone had to think about; it just was. Point-to-point connections and frame relay are physically secure from outside attacks; the pipes cannot be accessed from the outside. Hence, companies running their critical applications--point-of-sale systems, accounting systems, etc.--could be confident that the network was truly theirs. There wasn't a need for additional security."

But one side effect of the Internet is physically connecting internal systems to anyone who can hack their way in. The drawbridge to the Information Superhighway is a marvelous thing, says Coluccio, but access to cyberspace necessitates gates and barricades to protect a company from marauders. "Security is now almost always software-based, even when embedded in hardware like firewalls," he says.
"Encryption is also a software-based security feature, effectively acting as a disguise for your traveling data. It is fighting an uphill battle to try to overcome a physical shortcoming with software-based solutions. In virtual security vs. physical security, physical wins."

Exposure on the Internet doesn't require using applications; the issue is the connection itself, even if it is used merely for email. The big vulnerability coming down the road, Coluccio says, is the emergence of virtual private networks (VPNs) that connect an organization over the Internet. "In a U.S. wide-area network market already worth over $24 billion," says Coluccio, "VPNs have already caught a quarter of it. They are less expensive, using the lowest-cost carrier at each customer location instead of one big carrier. As more companies migrate to Internet-based networks, ever more companies are exposed to security risks."

For most companies, the most critical applications are voice calls. As Voice over Internet Protocol (VoIP) migrates onto these networks, security experts predict widespread denial-of-service attacks against VPN- and Internet-based VoIP.

Private networks still need local area network (LAN) security, including basic antivirus, says Coluccio, but the private network mostly eliminates the need for encryption and tunneling. Straitshot's customers include some using third-generation (3G) wireless networks, connecting mobile workers with laptops back to the home office LAN via a 3G (cellular) antenna on their laptop. Laptop to cell tower to private network to customer LAN: the Internet is never touched. With no overhead from tunneling or encryption, more bandwidth is available to the laptop. Once connected to the LAN, users can still get to the Internet, but through company security measures that don't expose their Internet addresses directly.

--Skip Kaltenheuser

RELATED ARTICLE: Other Technical Leaps for Security

While there are few silver bullets that fit everyone's gun, there are emerging tools and network approaches showing promise, despite the avalanche of sensitive information into electronic formats.

Better email security is coming to meet the growing concerns of insurance companies, doctors, banks, CPAs and other businesses with critical information security needs, says Harry Segal of Hudson, Mass.-based Networks Unlimited. Encryption and storage in web-based systems lets consumers read their email without someone else eavesdropping, because browsers already have built-in support for encrypted connections and consumers don't have to install special software. All popular browsers have incorporated these abilities.

Authentication is also making strides, in part, says Segal, because of a directive from federal banking regulators that will require banks to implement "two-factor authentication" for online bank access by the end of 2006. Customers will have to enter more than just a user name, PIN or password. Instead, access will require a second, independent factor, such as a one-time code generated by a smart card or hardware token. This should reduce the odds of online withdrawals by unauthorized users, and of successful "phishing" attacks that con consumers into sending account information to data thieves.

Jim Litchko, a former staff chief for the director of the National Computer Security Center, is impressed by authentication smart cards and USB (Universal Serial Bus) tokens from RSA Security, which include a version that Central Intelligence Agency employees hang around their necks. An algorithm in the token constantly changes the one-time password that connects the user with the network or application, so a captured code cannot be reused once it expires. Among other things, this addresses password overload: an RSA survey showed many of its respondents managing over 13 passwords at work, and nine of ten frustrated with the challenge.

Litchko also sees improvements in fingerprint authentication, now used in some laptops and even some Japanese cell phones. "Some banks are using them at ATMs. Piggly Wiggly stores are using them for credit cards, as they have the credit card information on file. Some school lunch systems are employing fingerprints, putting a crimp in a bully's plans to demand kids' lunch money. Because scanners can get dirty at, say, construction sites, hand identification is a promising approach for employee sign-in."

A promising big-picture development to secure data over fiber optic networks comes from Raptor Networks in Santa Ana, Calif. Its patented decentralized switching architecture, the company says, eliminates latency and bandwidth bottlenecks, increasing data transfer speeds 10 to 100 times above current norms. According to Ananda Perera, Raptor CTO and founder, the technology encapsulates data in ways that so disrupt Ethernet monitoring devices that they can't read the data, which can only be monitored at a location using a Raptor adaptive switch. Internal access to data can be controlled by specific user-selected addresses on any port. Data packets that are not tagged to enter a specific port are swept into a security bucket. Moreover, because there is no central device, Perera says there is no single point of failure. This is critical for disaster avoidance, particularly for financial operations that can't lose a beat on transactions. The system has wire-speed (the full rated speed of the link) resiliency, backing up storage at any network locale within 80 kilometers of another. If part of the network is taken down by a catastrophe, the rest of the network continues to operate as a single switch, and none of the other locales is disrupted.
--Skip Kaltenheuser

RELATED ARTICLE: Takeaways

* Financial executives need to keep a close eye on overall corporate goals and priorities to keep IT security from getting hit by runaway costs.
* Most security systems are software-based, and ever more sophisticated, but physical security is also a key aspect of an overall plan.
* Deploying the strongest security systems could backfire if users are inconvenienced and customers need to wait or install software on their own computers.
* Emerging tools such as encryption, authentication smart cards and network switching architecture are expected to grow in popularity and importance.