Policies with a purpose: ensuring business continuity.


When the Internet launched in 1991, its future impact on the everyday activities of both the public and private sectors was likely underestimated. Since then, the Internet has brought about an interconnected, virtually borderless world where transactions and communications are instantaneous from one continent to another. And Internet technologies continue to evolve, creating new opportunities for business and individuals.

Yet, the digital world has also created risk. Blended threats, vulnerabilities, and Internet attacks are on the rise. Attacks are increasingly leveraging worms to carry exploits of known vulnerabilities as a means of creating exposures or security holes on larger numbers of systems. Attackers are then able to install backdoor Trojan horses to create their own network of controlled systems from which they can launch future attacks.

More and more vulnerabilities are being discovered and exploited, as well. Moreover, according to a recent security study, nearly half of vulnerable systems are still left unpatched as much as 30 days after security patches are released. That's bad news because hackers are creating exploits faster than ever. For example, in January 2003, the Slammer worm took its time and appeared six months after the discovery of its targeted vulnerability; but the Blaster worm of the summer of 2003 appeared just 26 days after its targeted vulnerability was discovered. Factor in a recent estimate that nearly 60 new software vulnerabilities are identified every week, and the risk level multiplies.

Today's cyber attackers are also quickly responding to widely accepted innovations such as instant messaging and peer-to-peer networking by devising tools that compromise these specific networks and services. A recent report by Symantec shows that of the top 50 malicious code submissions documented over the first half of 2003, 19 used peer-to-peer and instant messaging applications--an increase of almost 400% in only one year.

What's more, attacks on confidential data are increasing. The release of a Bugbear variant in June 2003 offered a clear example of this growing trend. Bugbear extracted file names, processes, usernames, keystrokes, and other critical information from infected systems, then delivered it to an unauthorized third party. Bugbear's primary target? Banking institutions. And Bugbear was not alone. According to Symantec, the first half of 2003 saw a 50% increase in confidential data attacks using such backdoors.

That's the bad news. The good news is that help is as close as a corporate information security policy.

A Framework for Security

Implementing a comprehensive information security program to protect enterprise assets is critical in the digital age. However, not all security programs are created equal, and their differences usually begin with their design rather than their purpose. An information security policy should be designed to ensure that a corporate security program is based on true business needs.

Information security policies reflect corporate philosophy and expectations for safeguarding the company's critical assets. If they are well written, effectively communicated, and consistently enforced, information security policies are instrumental in protecting companies from the risks associated with the use of computer systems, software, e-mail, the Internet, and other resources. Corporate security policies do more than protect information from within; by clarifying what is and is not appropriate behavior for employees, they also help protect against electronic attack from outside the organization.

In addition, as government regulations call for tighter corporate governance and auditing rules, information security policies offer a framework for enforcing and measuring compliance with those regulations. Healthcare organizations, for example, have a variety of security requirements to address as a result of the Health Insurance Portability and Accountability Act (HIPAA). This privacy rule calls for strict handling of patient health information, especially regarding how electronic data is transmitted, stored and received. An information security policy can help address the administrative, physical, and technical security issues set forth by HIPAA by identifying the security controls required to secure patient data.

Who, What, and Why?

A corporate information security policy begins with a comprehensive risk assessment to pinpoint what is at risk and then identify what acceptable levels of risk are. To do that, an organization must understand which assets need protection based on their value to the corporation, weighed against the cost of their protection. During this process, it often becomes clear which assets are more important than others, which makes prioritization of protection--and the dollars associated with it--a great deal easier.

It is also essential to know from whom or what these prioritized assets need protection. Corporate information assets typically face both internal and external threats--often with equal potential for damage. For example, an untrained employee with an inappropriate level of access to a critical system might accidentally cause as many problems as a hacker who gains unauthorized entrance into a corporate system and intentionally causes harm.


Based on this supporting information, a security policy can be created that addresses three basic components of security: confidentiality, integrity, and availability. In general, the policy should make it clear that sensitive corporate data is to be read only by authorized users and that it is not to be disclosed to anyone else, including the public. Issues surrounding the prevention of improper or unauthorized modifications to data should also be addressed. In addition, the uptime and accessibility of systems, networks, applications, and data by authorized users should also be covered in the policy.

At this point, some organizations may wisely choose to supplement their corporate information security policy with more in-depth but separate standards and procedures documents. These documents are far more detailed than the policy itself; they spell out exactly what needs to be done on which systems in order to meet the security standards of the corporation. Because these documents are more dynamic in nature than the security policy, they are updated frequently in order to reflect the current environment. Consequently, keeping them separate is advisable.

Other organizations find it useful to divide the corporate security policy into sections, categorized by issues or system, then add specific procedures associated with protecting those issues or systems, and make the resulting policy and procedures document available to relevant end users. For example, one combination policy and procedures document might address best practices for using the company's electronic and voice mail system. Another might cover acceptable use of the company's wireless network. Still others might detail the proper use of antivirus software or personal digital assistants.

In all cases, a corporate information security policy and its associated standards and procedures must not only be created but enforced as well. One of the most practical ways to accomplish this is to use an automated tool. These programs manage corporate policies, standards, and procedures and can detect changes to security settings or files as well as evaluate and report conformance and non-conformance. Integrating such a tool with best-practice policies, as well as with government regulations and industry standards, adds the ability to check for current vulnerabilities and helps keep protection viable and up to date.

Ensuring Uptime

Creating, maintaining, and enforcing corporate information security policies goes a long way toward ensuring business continuity--even as threats to that continuity increase in complexity, number, and speed. A durable security policy reduces the likelihood of a security failure, giving organizations a competitive edge in today's very challenging yet decidedly promising digital age.

Mark Ungerman is director of product management at Symantec (Cupertino, CA)

www.symantec.com
COPYRIGHT 2004 West World Productions, Inc.

Article Details
Title Annotation: Security
Author: Ungerman, Mark
Publication: Computer Technology Review
Geographic Code: 1USA
Date: Mar 1, 2004
Words: 1211