TIGHTENING YOUR INFORMATION SYSTEMS SECURITY.By Dr. Rachna Kumar, associate professor of Information Systems, United States International University, San Diego, California “San Diego” redirects here. For other uses, see San Diego (disambiguation).
San Diego is a coastal Southern California city located in the southwestern corner of the continental United States. As of 2006, the city has a population of 1,256,951.
Computer viruses and denial of service attacks this year have shown just how vulnerable information systems are to relatively unsophisticated methods of attack. Any server connected to the Internet makes it and the rest of the enterprise network vulnerable to access from unauthorized and malicious users. Indeed, the probability of the occurrence of security breaches has increased phenomenally over the past few years. A 1999 survey by the Computer Security Institute reports system security related losses to the tune of $124 million for the 163 organizations that participated in their survey. Security breaches can come in the form of virus attacks, fraud, or just plain network break-ins. The recent I LOVE YOU virus attack was a resounding re·sound
v. re·sound·ed, re·sound·ing, re·sounds
1. To be filled with sound; reverberate: The schoolyard resounded with the laughter of children.
2. warning to organizations of the potential havoc that can be wrecked on their systems by such hackers and virus attacks.
Organizations take several standard measures to protect their Internets and intranets. Installing firewalls, using updated virus checking programs, and using secure transaction protocols such as Secure Sockets Layer (networking, security) Secure Sockets Layer - (SSL) A protocol designed by Netscape Communications Corporation to provide secure communications over the Internet using asymmetric key encryption. (SSL (Secure Sockets Layer) The leading security protocol on the Internet. Developed by Netscape, SSL is widely used to do two things: to validate the identity of a Web site and to create an encrypted connection for sending credit card and other personal data. ) are some of these measures. Companies in the business of systems security even hire professional hackers, called "black hats," and give them legitimate jobs to work on hacking, changing them into "white hats." The white hat hacker's discoveries can then be used to build security software that includes protection against these new potential threats.
Clearly, information system professionals should know what measures to take in order to protect their networks. This is particularly important for small and midsize organizations because they cannot hire experienced security professionals with top-notch qualifications. However, there are several developments in the security industry, which enable an organization to protect itself simply and cost effectively. One trend is the introduction of security software that provides "self-service" vulnerability assessments. This software can be executed to conduct an audit and risk assessment of the internal network security as well as of an external penetration. MyCIO.com is one such security vendor. A second development is the existence of certification bodies to certify minimum proficiency of security professionals. The International Systems Security Certification Consortium (ISC (1) (Internet Systems Consortium, Redwood City, CA www.isc.org) An organization founded by Paul Vixie, Carl Malamud and Rick Adams in 1994 and later sponsored by UUNET and other Internet companies. 2) is a non-profit organization that administers the Certified Information Systems Security Professional Certified Information Systems Security Professional (CISSP) is a vendor-neutral certification governed by the non-profit International Information Systems Security Certification Consortium (commonly known as (ISC)²). (CISSP (Certified Information Systems Security Professional) The award for successful completion of an examination in computer security administered by the International Information Systems Security Certification Consortium (ISC)2. ) certification program. The System Administration, Networking and Security organization has established a similar program, certifying professionals for System Network Assurance.
A recent report by the Gartner Group on tightening security for small and midsize enterprises provides advice on how to plug security holes in your organizations. Here are some of their pointers:
* Consider contracting with an outside security company or consultant to conduct a security audit of your networks;
* Ensure proper firewall configurations by focusing on firewall appliances; request quotes for managed firewall and intrusion detection services from your own Internet Service Providers Internet service provider (ISP)
Company that provides Internet connections and services to individuals and organizations. For a monthly fee, ISPs provide computer users with a connection to their site (see data transmission), as well as a log-in name and password. or from security consultant companies;
* Virus scanning of incoming e-mail using server-side antiviral antiviral /an·ti·vi·ral/ (-vi´ral) destroying viruses or suppressing their replication, or an agent that so acts.
adj. protection software; desktop antiviral protection is also good but it is difficult to keep this software current;
* Consider software to detect and guard against Common Gateway Interface (CGI CGI
in full Common Gateway Interface.
Specification by which a Web server passes data between itself and an application program. Typically, a Web user will make a request of the Web server, which in turn passes the request to a CGI application program. ) scripts and active server code security vulnerabilities;
* Consider using consolidated modem pools instead of desktop modems in order to allow remote login/access with strong authentication using hardware tokens such as RCA See RCA connector and video/TV history. Security SecurID;
* Conduct firewall log analysis and e-mail content filtering to detect misuse and alarming usage patterns.
For more information, call (858)635-4562 or visit http://www.usiu.edu.