Secure, or paranoid?


Today's business is increasingly dependent on information systems in one shape or another. As with most things in life there's good and bad--easy information access is a good thing, and information security threats are bad things, particularly for organisations holding sensitive data. Let's not get into the political aspects of the information revolution phenomenon, but let's examine the commercial implications, and some of the inherent risks. Most companies are still making little progress in countering rising information security threats, despite the increased awareness of computer-related risk. In many cases, countermeasures are only installed once a problem has been detected, which of course is too late. The majority of older business systems still in use weren't designed with information security in mind, but for efficiency, transparency, and profit in the way goods and services are delivered--but are these two objectives incompatible in today's more risk-ridden IT environment? We're not just talking about big companies. Information security concerns affect SMEs just as much as multinationals. No one is immune; even if you don't run your own IT systems anymore and have outsourced your systems to someone else, it's still an issue. It's increasingly common, for example, that outsourcing contracts now include comprehensive information security clauses. Threats come from hacking, intrusion, and viruses, to name just a few. Countermeasures are available--firewalls, security software tools--but it takes time and effort to implement and maintain an effective information security system. Not all hacking and viruses are malevolent; some just aim to gain access to email directories and then use those addresses to replicate themselves elsewhere, but even this seemingly innocuous activity can create major system issues--the resulting increase in network traffic can clog up bandwidth, hindering legitimate communications, with attendant huge cost and frustration implications.

Hacking

When commercial computing first started in the 60's and 70's, to be called a 'hacker' meant that you were regarded as being technically gifted, with no implication of anything sinister. As time and technology have moved on, the definition of hacking has evolved to 'obtaining and exploiting unofficial access to a computer system'. Hackers have developed their own philosophies and attitudes, which are often at odds with the law and generally accepted commercial practices. Typical hacker actions include accessing both public and private databases, sometimes simply just to see if it is possible, sometimes for more serious reasons, personal or commercial for example. Information on how to accomplish these and other tasks is sometimes posted--anonymously--on specialist bulletin boards. Serious hackers may use a succession of IT networks as staging posts, to route a continuing series of attacks on different systems, complicating the task of tracking them down. The root cause of hacking lies in human curiosity and intellectual challenge coupled with a rebellious statement against 'the system', but the process of hacking can be prevented, or at least made more difficult, by introducing technology-based countermeasures to defend your systems against attack. It is no wonder that militaristic terms are often used in hacking terminology when a constant war is being fought between hackers and the IT security individuals and organisations attempting to protect their systems from a hacker's attack.

Intrusion

Government and commercial networks face an increasingly hostile security environment, or so the computer media would have us believe. The trouble is that, according to many recent surveys, they're right. One study has shown that security incidents have increased at an astonishing annual growth rate of 94% over the last three years. Most security solutions like firewalls and intrusion detection systems focus on the perimeter of the network to prevent and detect hackers getting through. Unfortunately, attack strategies have adapted and the 'enemy' can often be found within. Disgruntled, ignorant, or irresponsible employees, compromised VPN connections, rogue administrators, and service contractor staff all have the opportunity to circumvent your perimeter security systems. At the same time as the security environment changes, many government and commercial organisations are moving towards aggregated storage networks. In many cases, economic or corporate reasoning has encouraged data sharing and consolidation among multiple organisations. The business case for storage networks is compelling: reduced costs, increased scalability, reduced maintenance overheads, and added operational flexibility, for example. The downside is that the concentrated nature of large, multi-corporate storage systems has dramatically increased the potential exposure of sensitive customer data to intrusion--a single internal or external breach can compromise millions of private records, and terabytes of data. In some cases, computers or disks themselves have been physically stolen, completely bypassing network security. Any effective security solution must therefore start with a holistic approach to prevent both internal and external intrusion, coupled with straightforward asset control procedures and disciplines.

Viruses

Computer viruses and worms, macro-programs or scripts that perform an unauthorised task on your computer systems, have been around for about ten years. Early viruses were designed to create a nuisance, or corporate embarrassment, often by disgruntled programmers as a way of seeking revenge for some real or perceived wrongdoing. Some recent virus writers have used the Bagle, NetSky and MyDoom worms to attempt to gain control of large numbers of PCs. Researchers have found comments in some of the programs indicating that the authors of at least two of the worms are competing against each other in some sort of weird intellectual challenge, trying to prove technical superiority. However, many viruses now have far more sinister purposes, which points to a shift in motivation and authorship. New virus strains have been written by highly skilled programmers, paid by criminals who have recognised a huge opportunity for fraudulent gain and other illegal activity. Many companies, large and small alike, can lack IT security expertise, and are consequently unaware of the latest threats: research has shown that 20 per cent of IT users in a survey didn't know that viruses could send emails to every contact in their address book, and 48 per cent didn't know viruses could store pornographic content on their PCs without their knowledge. With a new virus variant seeming to appear every few days, it's little wonder that many businesses are feeling concerned and worried about the virus situation. Viruses are becoming more dangerous. Virus-generated communication traffic is growing, and viruses aren't just a nuisance any more; they actually cost businesses serious amounts of money. According to some recent research, the cost of picking up the pieces after a virus attack is now 55,000 per organisation per event. Whilst many commentators believe that there was only a two per cent increase in the number of new vulnerabilities reported during 2002 and 2003, they also stress that virus attacks are now more severe than in the past, and consequently becoming more difficult to clean up.

Spam

Spam is the term given to unsolicited and unwanted emails that increasingly appear in your inbox. At first, spam was an irritant, easily identified and dealt with by liberal use of the 'delete' key. However, in 2003, following a spam explosion, most attitudes changed, and dealing with spam suddenly started appearing at the top of most IT departments' 'To Do' lists. In many respects spam is the Internet's version of junk mail, but there's no Mailing Preference Organisation that polices mailing lists and allows you to opt out by asking for your name to be removed from the database. The UK government's All Party Internet Group organised its first ever Spam Summit once enough of their constituents and fund-contributing corporates had complained about the often obscene emails and unsolicited advertising emails in their AOL, Hotmail, and other email accounts. While politicians may need to be seen to be doing something to keep their voters happy, it's questionable whether they can actually have any major impact on the problem.

The major difficulty comes in identifying what is spam, and what isn't. An unwanted advert to some may be of relevance and interest to others, so this is a threat which can only be countered by the use of filtering technology preset to include or exclude items to an individual's or corporate-defined standards. This very grey area hasn't stopped some high-profile policy drafting by many well-intentioned politicians. EU laws are now in place to regulate what businesses can and cannot do with email marketing campaigns within their jurisdiction, but they are powerless to prevent spam being broadcast from any countries with less restrictive legislation. One particular criticism is that companies are free to contact anybody with whom they have an existing business relationship with related product offers. Impose tight restrictions and be accused of preventing trade, or take a liberal view and be accused of ignoring the issue--a delicate balance is required. Rather than waiting for the politicians to find an answer, an organisation can define its own definition of what constitutes spam and what doesn't, and then set its email filters as tight or as open as its security policy requires. In recent months a few test convictions against organised 'spammers' have been successful in both the UK and the US, but by defining and implementing your own anti-spam policies now, you can prevent the problem from getting out of control before the law catches up with the technology.

Phishing

Although 'phishing' isn't a technically based information security threat, it's worthwhile including as it represents yet another concern which can be prevented if you know what to look out for. Phishing attacks have increased in both quantity and sophistication over the past year, and look set to continue in the future. Phishing is an internet scam where unsuspecting users receive official-looking emails that attempt to fool them into disclosing sensitive online passwords, user names and other personal information such as bank account or credit card numbers. Once your personal details have been gained in this manner, they can then be used for all kinds of unauthorised activity. Unsuspecting victims are usually persuaded to click on a link in an email that directs them to a legitimate-looking version of a familiar website that collects data in a bogus manner, leaving the innocent victim in a very exposed position.

The 'technical' damage to your systems and data resulting from these security threats isn't the only issue--that's mostly repairable given suitable and adequate resources, but the potential damage to your company's reputation can have a much greater consequence, and can be more difficult to put right. Financial institutions and many other commercial organisations trade on trust. If your 'virtual' integrity is compromised, the loss of trust can take years to recover from, and create other far-reaching implications. It's for that reason alone that many information security breaches are quietly brushed under the corporate carpet.

What to do

Virus software and hacking techniques have reached highly sophisticated levels. Despite the popular image of nerdy hackers writing vile code in back bedrooms, there's a lot many professional IT departments can learn from cutting edge virus techniques.

Using established software performance criteria, virus software scores highly: low maintenance, rapid deployment, maximum impact, flexible, low-cost, minimum system footprint. Deployment speed can be incredible; a new virus released in Asia can be infecting systems in the US and Europe within minutes. New anti-virus patches are released almost daily by software suppliers, and should be tested and installed within hours of receipt to avoid problems; sometimes even then it's too late, so recovery procedures are required if the worst happens.

Keeping pace with these critical security software patches and updates is becoming a major and costly issue. When you calculate how long it takes to roll out security patches in a large company environment, the numbers are staggering. Let's say it takes a couple of hours at least to install each patch, and then make sure everything still works. Let's say that you're paying 35 [pounds sterling] per hour for your software engineers, so that's 70 [pounds sterling] per machine, and you've got 100 servers in your environment. That's now 7k [pounds sterling] for a single patch upgrade. Multiply again by a very conservative two upgrade requirements a month, and again by twelve, and suddenly you're looking at a very serious number approaching 170k [pounds sterling] per annum. Ouch! I appreciate it's a wooden dollar scenario, but that's why, according to a number of recent surveys, many system administrators don't install all the issued and available patches--they simply don't have the resources, and their users wouldn't allow the downtime required. Maybe this situation is understandable, but potentially your systems are left open to attack, leading to a very tricky conversation with the CEO if and when something nasty happens. What to do? It requires an intelligent approach. A good first step is to stop treating information security as just a line item on the IT budget, and take a look at how security can be used in a positive way from the outset. Perhaps it's an overused cliche, but should we re-engineer business processes to include security? It's a cultural as well as a technical issue. It's a top-down management issue that encompasses staff recruitment, training, business procedures, and above all an attitude shift. People have to treat their information with some caution and responsibility, just as they do with physical assets. You wouldn't leave your front door open if you weren't at home--would you? Creating the cost justification without being seen to find yet another scary IT expenditure area won't be easy. Benchmarking can help, along with independent risk assessment to better understand your exposure. BS7799, the British Standard for information security management, is rapidly becoming an accepted industry benchmark in this respect. But there's another aspect to consider. In the US the Sarbanes-Oxley Act is the latest of many hard-hitting pieces of legislation driving IT direction and spending, and may influence US subsidiaries in the UK.
The UK has at least nine Acts of Parliament and various industry-specific regulations impacting information security, including The Data Protection Act, The Turnbull Report, Basel II, and The Computer Misuse Act. Some of these statutory requirements have real teeth, and shouldn't be dismissed. Directors are increasingly being held personally responsible for corporate actions, including information security. Large fines and, in extremis, custodial sentences await those Directors who are found lacking by the Courts seeking to enforce information security laws.

Company Directors face a simple choice--defensively sit still and react only once something happens, or pro-actively plan to implement new IT security policies and procedures that can deliver demonstrable bottom-line benefits. It's the ones that do something that will still be appearing in the pages of business magazines in a few years' time, whilst the 'do nothings' may instead be appearing in court.

www.realsolutions.com
COPYRIGHT 2004 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation: Security Viewpoint
Author: Irving, John
Publication: Database and Network Journal
Geographic Code: 1USA
Date: Jun 1, 2004
Words: 2429