Making sensible investments in security.


It's three o'clock in the morning, and your phone rings. A hacker has compromised your company's computers. Not only are your operations shut down, but confidential financial information about your firm and your customers has been disclosed. Immediately, you wonder, "What did we do wrong?"

That scenario is one of every executive's worst nightmares. Unfortunately, it is a recurring nightmare, because most business leaders don't know enough about computer and network security to understand what level of expenditure they need to make and what security programs and practices they have to implement to appropriately protect their business. Consequently, security efforts are often unfocused and under-funded.

Effective security is driven by business needs, so it is more important to think clearly about security from a business perspective than from a technical perspective. Start by understanding what you need to protect--it is usually a very short list. For example, a hedge fund company might determine that the three most important things it needs to protect are its analytics, its positions and investor information. With those clear goals in mind, it is straightforward to develop measures and control processes that will genuinely protect the business. Let's look at the key elements of a security program.

The Key Principles

Practical security rests on three key principles and a simple corollary. The key principles are authentication, authorization and auditing.

Authentication addresses the need to verify the identity of users and software processes. In its simplest form, this is usually accomplished with a user name and password (something you know). Applications handling highly sensitive data often require a higher level of identity verification. Sometimes hardware tokens or biometrics are used for this purpose (something you have, plus something you know). To verify the identity of servers, for example to make sure your systems are interacting with legitimate business partners, software mechanisms like digital certificates are often used.

Authorization addresses the need to manage access to resources. This principle applies at all levels in an IT environment, ranging from administrator access to devices like routers and computers to role-based access to particular applications. For example, a banking application may allow a teller to cash a check for up to $5,000, but requires a branch manager to perform withdrawals above that limit.

Auditing addresses the need to be able to track who did what and to ensure the integrity of information. While automated mechanisms are necessary, effective auditing usually combines electronic means with manual control policies and practices.

The Corollary

The corollary involves the concepts of prevention and detection. Prevent what you reasonably can and be sure to detect what you can't prevent. Too often, companies deploy prevention-oriented security measures that hurt the conduct of the business because they fail to consider alternative detection-oriented approaches. The detection measures are often closely related to compensating controls.

To illustrate the importance of considering both prevention and detection in securing your company, consider the example of the foreign exchange trading desk of a major financial institution. It had designed its trading application to prevent traders with expired authorization credentials from performing any actions. Clearly, the firm was trying to protect itself from traders whose employment had been terminated. What the firm had not considered was that authorization credentials expire all the time (by firm policy). It had created a situation in which traders were regularly locked out of their accounts for hours at a time while the market was moving. Traders couldn't get out of bad positions or take advantage of the market moving as they had anticipated.

The solution was to change the trading application to support the detection philosophy. When a trader's credential expires while the market is open, the account is no longer locked. Rather, a control program is launched that carefully monitors and records all of the trader's actions and alerts a supervisor if certain trigger conditions are detected.
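The access decision and the monitoring control described above, written out as an added example (not the firm's own trading application). The ISO timestamps, the trigger thresholds and the scenario trades are constructed values, since the article does not give the desk's actual triggers.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Trigger thresholds for the monitoring control. Constructed values for
# this example; the article does not give the desk's actual triggers.
MAX_MONITORED_TRADES = 3            # alert after more than this many trades
MAX_MONITORED_NOTIONAL = 5_000_000  # alert once cumulative notional passes this

@dataclass
class Credential:
    trader: str
    expires_at: str           # ISO 8601 timestamp, e.g. "2003-12-01T09:00"
    terminated: bool = False  # employment ended: the case worth preventing

@dataclass
class MonitoredSession:
    """Detective control: the account stays usable, every action is
    recorded, and a supervisor alert is raised when a trigger fires."""
    trader: str
    actions: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    notional: float = 0.0

    def record_trade(self, pair: str, notional: float) -> list:
        self.actions.append((pair, notional))
        self.notional += notional
        if len(self.actions) > MAX_MONITORED_TRADES:
            self.alerts.append(f"{self.trader}: trade count exceeded")
        if self.notional > MAX_MONITORED_NOTIONAL:
            self.alerts.append(f"{self.trader}: notional threshold exceeded")
        return self.alerts

def decide_access(cred: Credential, now: str, market_open: bool) -> str:
    """Prevent where the risk is real (terminated staff) or the cost of
    locking is nil (market closed); otherwise fall back to detection."""
    if cred.terminated:
        return "LOCK"
    if datetime.fromisoformat(now) < datetime.fromisoformat(cred.expires_at):
        return "ALLOW"
    # Routine policy expiry during trading hours: monitor instead of lock.
    return "MONITOR" if market_open else "LOCK"

def run_desk_scenario() -> tuple:
    """Constructed scenario: credential expired at 09:00, market open at 10:30."""
    cred = Credential("trader-1", "2003-12-01T09:00")
    decision = decide_access(cred, "2003-12-01T10:30", market_open=True)
    session = MonitoredSession(cred.trader)
    alerts = []
    for pair, amount in [("EUR/USD", 2_000_000), ("USD/JPY", 2_500_000),
                         ("GBP/USD", 1_000_000)]:
        alerts = session.record_trade(pair, amount)
    return decision, len(session.actions), alerts
```

The third trade pushes the cumulative notional past the constructed threshold, so the session keeps all three actions on record and raises one supervisor alert instead of having blocked the trader at 09:00.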

These twin concepts come to play in the hacker scenario at the beginning of this article. With hackers developing new exploits hourly, you should take measures to prevent as many attacks as are reasonable, but you will never be able to prevent all possible attacks. Once you accept that the power of prevention is limited, you can turn to detection. In this case, it means instrumenting your systems so that they can recognize anomalous conditions or activity and quickly alert appropriate personnel.

Most organizations that are hacked don't even know it. There is no excuse for that, because routine and inexpensive measures such as reviewing firewall and system logs will tell you what you need to know. In larger organizations, where manual inspection of logs would be impractical, deploying a commercial intrusion detection product makes sense.

Mapping the Security Space

Sometimes while developing a practical security program, it is hard to know what aspects of security to consider. The ISO 17799 standard serves as a useful framework for thinking about security because it identifies the various dimensions of the problem. How far you need to go in any dimension depends on the specifics of your business. The standard covers a wide variety of security areas (see the table at the end of this article).

A discussion of an ISO security standard automatically raises the topic of certification. Frankly, security certification is one area where many companies spend their money foolishly. The most common mistake is to hire an accounting firm to perform a SAS 70 assessment. Before dropping $250,000 or more on such an assessment, step back and take a few moments to understand why you think you need it.

On reflection, most organizations come to understand that what they really need is an independent third-party security review performed by security experts that generates a written report that can be given to prospective customers, auditors or regulators, and not a SAS-70 report. These security reviews generally cost far less than an SAS-70 and provide the necessary information to correct deficiencies that are found.

While the framework of the ISO 17799 standard offers much value, the certification provisions prescribed by the standard are largely unworkable and will not make economic sense for most organizations. Nevertheless, there is value in the act of assessing compliance with the standard, rather than certification. It is an excellent way to quickly determine the strengths and weaknesses of a company's own security infrastructure, as well as the security infrastructure of critical third parties that it uses--for example, Internet service providers (ISPs), application service providers (ASPs) and development partners.

Thinking About Security by Analogy

In the late 1970s, the manufacturing community changed the fundamental way it thought about quality. Manufacturers realized that quality was not something that could be inspected at the end of an assembly line producing widgets. Rather, they realized that quality was something that had to be inherent in every stage, from design through delivery.

Security and quality are much alike. Just like quality, security has to be thought about and integrated into every aspect of a business. And just like quality, designing it in actually costs less in the long run.

What does "designing it in" mean? In a Web application, for example, it might mean designing a subroutine to check the value of parameters passed to the server from the client browser. At an architectural level, it means moving away from the old notion that you can put a hardened perimeter around your enterprise by using firewalls and instead adopting the concept of defense in depth.

This change in mindset is necessary because with today's technology, there are simply too many ways to pass malicious content through even properly configured firewalls. The situation is further compounded by the prevalence of electronic connections to business partners and application service providers (such as payroll processing, 401(k) plans, benefits management). Many organizations can no longer distinguish between "inside" and "outside."

The defense-in-depth approach means that you build business-appropriate security mechanisms, practices, procedures and controls into every system and application.

Ongoing Expenditures

No one likes to hear it, but there is no free lunch where security is concerned. Ensuring the security of your enterprise costs money, and those costs are likely to increase for the foreseeable future. They are driven by required equipment, security products, personnel and outside expertise. Just like application development, security initiatives typically require a significant one-time investment and then generate ongoing operational costs. It makes no sense to detect anomalous activity if you are not going to have someone respond to the alert.

From a financial management perspective the right questions to ask are:

Is the budget we are allocating to security commensurate with our security threats and the damage to the business that might result? In most organizations, reputational damage far outweighs direct loss and cost of recovery.

Are we spending our security dollars wisely, in ways that best support our business?

Do we need to allocate security dollars to other departments in order to make security integral to our operation?

The essential security principles of authentication, authorization, and auditing are not hard to understand. However, understanding security by itself is not enough. Effective security begins with understanding what your business needs to protect, and developing practical plans to accomplish that. That practical approach includes developing a security architecture embodying the defense-in-depth philosophy, and it comes to fruition when organizations recognize that security cannot be bolted on and embrace the ideal that security is integral to every aspect of the business.

Unless driven by a specific regulatory or customer requirement, it is almost always better to think in terms of security assessment or compliance assessment, rather than certification, because you simply get something meaningful for the money spent. Finally, security costs are likely to rise for the foreseeable future. The management challenge is to figure out what is the least you can spend to adequately protect your enterprise and then spend those funds wisely on the necessary people, products, and services.

Areas covered by ISO 17799

Security Policy
Organizational Security
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
Access Control
System Development and Maintenance
Business Continuity Management
Compliance

Jonathan Gossels is President of System Experts Corp. (www.systemexperts.com), a network security consulting services company based in Sudbury, Mass.
COPYRIGHT 2003 Financial Executives International

Article Details
Title Annotation:special section
Author:Gossels, Jonathan
Publication:Financial Executive
Geographic Code:1USA
Date:Dec 1, 2003
Words:1694