Information security: debunking the myths. (2003 Technology & Business Resource Guide).


Technology has opened significant new opportunities to small and large businesses. The Internet has become an essential tool for research, communication, conducting commerce and more. Yet always on, high-speed connectivity to the Internet has also brought significant new threats to the security of information resources.

These threats are not new, but continue to increase in sophistication and in their ability to do serious damage. As a result, securing the confidentiality, integrity and availability of mission-critical data has never been more important.

While few individuals or businesses will deny the reality of a cyberattack, many have taken precious few steps to proactively defend their information. I find this puzzling. When it comes to physical security, no one would ever think about leaving without securing the building from unwanted intruders. Yet when it comes to information security, many leave the doors and windows wide open. Their information resources are vulnerable to all sorts of unwanted intruders, who are capable of wreaking havoc within their system. Only after being compromised are issues of information security considered seriously.

I believe this can be traced to five myths regarding information security. In debunking these myths, the true nature of the existing threat and the potential consequences for not adequately preparing become painfully obvious.

MYTH 1: HACKING IS COMPLEX

Hacking tools are readily available and becoming increasingly sophisticated. A simple search of "hacking" on Google, for example, provides a plethora of information, tools and tutorials for the would-be hacker.

And according to the Feb. 26, 2002 issue of PC Magazine, Symantec--the maker of Norton Internet Security 2002--estimates that more than 30,000 websites offered hacking tools and that anyone could learn to hack in 10 minutes.

Increasingly, the perpetrators of cyberattacks are not computer professionals. Fancy certifications aren't required. Junior high and high school kids (aka "script kiddies," "packet monkeys" and "cyberpunks") have enough tech knowledge to spend their free time spreading malicious software and scanning thousands of computers for vulnerable systems.

Once a vulnerable system is identified, the hacker can quickly begin to do serious damage.

MYTH 2: HACKERS ARE ONLY CONCERNED ABOUT HIGH PROFILE COMPANIES

While it's true that Fortune 500 companies such as Microsoft and Yahoo receive lots of attention when their systems are penetrated, small and midsize businesses are not exempt. The reality is that cyberattacks on these businesses occur just as frequently as the high profile cases we hear about in the media.

The reason we don't hear more about these cyberattacks is that the vast majority of them go unreported. Small Business A doesn't broadcast the fact that its computer system was down for three days after being infected by the latest worm. As a result, other small and midsize businesses have a tendency to downplay the threat.

But hackers are not picky about their targets. They're simply looking for systems with the lights on and doors unlocked. Why? In some cases the answer is simply because they can. In other cases, data theft and fraud create inroads for greater mischief.

MYTH 3: I HAVEN'T BEEN HACKED YET

This myth is no different than someone who eats several chili cheeseburgers a day claiming they'll be fine because they haven't yet had a heart attack.

Businesses that have had the good fortune of avoiding encounters with viruses such as Melissa or Klez can be lulled into a state of inaction. The reality is that cyber-attacks are going to continue, will be more sophisticated and will be capable of doing even more damage.

Here's what Internet Week said more than two years ago: "If you're not afraid about the state of your company's security, you should be. Hackers are scanning ports en masse, coordinated attacks are gaining popularity and network users who appear to be valid are often imposters. And that's just outside attacks ... The message is simple: Be aware--or be hacked."

MYTH 4: I'VE GOT A FIREWALL

When most people think of Internet security, firewalls get most of the attention. Firewalls are an essential component, but they are not sufficient in and of themselves to provide an adequate level of security. In fact, no one strategy, no one security appliance, no one vendor can provide full protection against cyberattacks.

MYTH 5: I'M TOO BUSY TO DEAL WITH SECURITY

As the frequency and sophistication of cyberattacks increase, the price of inaction grows. Those who consider themselves too busy to secure their information and applications haven't seriously considered the risk. Just one attack can negatively impact:

* Revenue: A virus can result in days of downtime for a computer network, which can be especially costly to small and midsize businesses, many of which rely on outside consultants for computer support.

* Reputation/Credibility: A law designed to combat identity theft takes effect July 1. This law, SB 1386, requires companies that have information security breaches to report them to all of their California-based customers. To trigger the law, the breach must expose customer names associated with Social Security numbers, driver's license numbers, or credit card or bank account numbers.

* Customers: Customers want to know that their personal information is safe. Without that confidence, it's not a stretch to think that at least a portion of them could take their business elsewhere.

* Productivity: Nearly every company's productivity is tied to a properly functioning computer system. If the system's data is corrupted or otherwise unavailable, the slowdown is not easily recovered.

* A lawsuit: Security breaches open up the potential for serious liability--regulatory, contractual or criminal. For instance, companies that ignore the mandate in SB 1386 face the possibility of defending a class action lawsuit.

If you're starting to sweat at this point, let me assure you that the threat to information resources isn't a reason to despair; it's a reason to prepare.

HOW TO BEGIN PREPARING

The first step toward risk reduction is the development of a multilayered defense strategy. Think of an onion. A single layer of defense, such as a firewall, is not capable of providing an adequate level of security.

With multiple layers of defense, your ability to withstand the most common attacks increases dramatically.

Along with a firewall, another element of information security is anti-virus software. Other security measures that cover wireless access points, servers, intrusion detection and virtual private networks should be considered. And, since not all attacks occur from outside, internal controls and security policies must be set.

After a strategy is developed, a security assessment is useful. The purpose of such an assessment is to evaluate a company's level of security and ability to withstand the most common attacks. An assessment is also a good way to benchmark existing security infrastructure with industry best practices.

Businesses must realize that information security is an ongoing process and should consider an annual security assessment.

Finally, a word of caution: It's important to realize that no security strategy is 100 percent secure. Consider the following from John Pescatore from Gartner:

"In the end, no defense is foolproof; the weapons of the hacker's world are getting more powerful and the enticements of Internet sites are getting too rich. But vigilance can and must go a long way toward reducing the risk."

Vigilance includes acknowledging the severity of the problem, defining a defense strategy, implementing proper safeguards and maintaining a long-term commitment to information security.

RELATED ARTICLE: AICPA 2003 TOP TECHNOLOGIES LIST

Information security is the No. 1 issue for the American technology community, according to the AICPA's 2003 Top Technologies. More than 200 AICPA and Information Technology Alliance members participated in the survey, which included 142 CPAs holding the AICPA's CITP designation.

The top 10 issues are:

1. Information Security

2. Business Information Management

3. Application Integration

4. Web Services

5. Disaster Recovery Planning

6. Wireless Technologies

7. Intrusion Detection

8. Remote Connectivity

9. Customer Relationship Management

10. Privacy

David M. Cieslak, CPA, CITP, GSEC is a principal with Encino-based Information Technology Group Inc. You can reach him at (818) 380-9900 or dcieslak@itgusa.com.
COPYRIGHT 2003 California Society of Certified Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Cieslak, David M.
Publication:California CPA
Geographic Code:1USA
Date:May 1, 2003
Words:1319