The Case for Technical Testing.
It's a typical business: 175 employees; reliably profitable. There's a small Web storefront and an informational Web site, but both are hosted externally by an Internet service provider. Internally, there's a network linking various departments and operations. The IT department has installed a firewall to control access to and from the Internet.
The owner unlocks the door early one morning. Everything looks normal. He logs on to the network and fires up his e-mail. Suddenly, he realizes he has a major problem on his hands. The first 15 e-mails are from irate customers and partners. It turns out that the company's systems have been compromised, and an attacker has posted sales forecasts, customer credit card numbers, and several proprietary trade secrets on the Internet.
The owner reasonably assumes that, since his company passed a written insurability audit to obtain coverage, his systems were well-defended against attack. He calls his insurance company to file a claim.
And that is when the nightmare really begins.
The insurance company insists on conducting an extensive IT forensic analysis on the attack. Then they want to compare the results against the application to see if the company had actually implemented the security measures claimed on the form. The process drags on and on.
Finally, the insurance company denies the claim because it uncovered vulnerabilities unknown to anyone on the company's IT staff and new holes introduced through software upgrades after the application was first submitted. Since the company never performed a test to determine what technical vulnerabilities existed prior to obtaining insurance, the owner worries that he's liable for the full damages from the attack. He has been paying for insurance coverage that provided no assistance whatsoever when he needed it the most.
Technical testing presents an easily available methodology to prevent this scenario. Technical testing identifies potential risks and initiates remediation for the most critical problems. It offers continuous monitoring to ensure that the constant change of any organization's hardware and software doesn't introduce new vulnerabilities into previously secured environments. It works with underwriting procedures to establish insurability at reasonable rates. And it is easily affordable for businesses of any size or market.
Many organizations regard risk management for online information resources as relevant only to technology companies or e-commerce firms. In fact, any organization that stores critical business information on a network is at risk from external attack or internal misuse. Beyond the ordinary demands of operating in a global economy, regulations, legal and shareholder liability, mergers and acquisitions, and insurability requirements all drive this need, and the process is no different from the one traditional, physical businesses already follow.
For example, it's a relatively simple process to identify and determine value inventory in a warehouse. The most expensive stock gets stored in a vault. Lesser items sit out on shelves. Burglar alarms and after-hour patrols safeguard against theft. Smoke alarms and sprinklers protect against fire or arson. The business owners use these reasonable and cost-effective measures to qualify for insurance, securing coverage against financial loss or liability for situations that exceed the physical protections already in place.
Online asset protection should follow a nearly identical risk management process. In fact, online assets are currency in today's global economies. Trade secrets, customer profiles, sales forecasts and accounting information need significant protection. For a growing number of companies, the assets at stake are the supply chains, inventory systems or shared digital marketplaces they have opened to partners, and those must be protected too. For others, their Web presence is the company's face to the world.
These different business types may value their assets differently, but any security lapse can prove extremely harmful: information may be damaged, stolen, altered or destroyed; trading partners may be unable to reach your systems; or, worse, your compromised computers may pass along a virus or serve as a hacker's stepping stone into other organizations' systems. These are real-world scenarios that information security professionals deal with. They are also scenarios whose likelihood can be dramatically reduced, but not by simply filling out a written inquiry or answering a few questions on an insurance application. Reducing them requires security due diligence and technical testing, the kind that seeks to exploit vulnerabilities and then correct them before an attacker finds them.
According to a recent survey by The St. Paul, only 25 percent of U.S. businesses and 30 percent of European businesses use formal risk management policies for protecting online information and technology resources. Even more alarming, only 13 percent of this already small percentage feel that policies are effective.
If only 13 percent of the biggest and most security aware businesses in the United States and Europe feel confident that policy can drive an effective information security management practice, then something is obviously missing. If developing and implementing a security policy were a good deterrent against cyber-related attacks, then internal threats would not have risen from 58 percent to more than 71 percent in just a year, according to the CSI/FBI computer crime and security survey.
Companies that rely solely on policy reviews may not realize that, in the lag between one review and the next, new vulnerabilities have in all likelihood been introduced into their networks and computer systems. These undiscovered security weaknesses are significant and dangerous. If customers and partners can't find a business online, can't be sure the information they receive from it is accurate, or can't trust it to properly protect their information, then that business won't be in business for long.
Security due diligence through technical testing is the key to selecting a reliable and comprehensive insurance policy that adequately protects online business operations. Any process that allows underwriters to bind policies without technical testing by definition opens that business to unnecessary risk.
Assume a company has successfully completed a security policy review and that the findings have led to a number of changes in security policy. Even if these policy changes have been successfully communicated throughout the organization, and even if all security policies and procedures are being enforced, each upgrade in software or new system installation introduces the potential for new risks that will not be found through traditional paper audits. In many documented cases, companies have been given passing grades on their policy reviews, only to suffer a successful attack because the audit process did not include technical vulnerability testing.
In addition, users may revert to easily guessed passwords, expired accounts may be left active on the system, and new vulnerabilities may be discovered in previously installed software. External attackers count on these unavoidable breaches of policy. Internal attackers have access to the security policy guidelines themselves and can easily determine the best means to subvert them. Although security policy, or at least solid security procedures and practices, is the best means of establishing and enforcing security management throughout an organization, only technical testing provides the ongoing feedback necessary to confirm that baselines are actually in place and that security policy is having its intended effect.
At its simplest, technical testing searches for potential vulnerabilities in actual production hosts, networks, databases and applications, from both inside and outside an organization's networks. Conducted on a routine basis, it goes a significant step beyond policy review by turning security assessment into an ongoing, dynamic process: identified technical risks are remediated, and the affected systems are rescanned to confirm the fix. This proactive, cyclical process provides a consistent view of the organization's security posture and enables a consistent and effective approach to preventing attack and misuse.
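The gap between what a questionnaire asserts and what the systems actually show is the point of the two paragraphs above. The following script is an added illustration, not code from the article or from Internet Security Systems: it takes a constructed account export and a hypothetical written policy (90-day password age, 8-character minimum, expired accounts disabled) and reports every place the live state contradicts the policy. The account names, dates and passwords are invented for the example; a real technical test would recover weak passwords by cracking hashes or by authenticated login attempts rather than reading them in clear.

```python
"""Policy-versus-state drift check (added example, not the article's code).

A paper audit records that the policy exists. This check records whether
the systems obey it, which is what a technical test actually measures.
All accounts, dates and the policy below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    expires: Optional[date]       # contract end date; None means permanent staff
    last_password_change: date
    password: str                 # cleartext only so the example runs offline


# Hypothetical policy, worded the way an insurance questionnaire might ask it.
POLICY = {
    "max_password_age_days": 90,
    "min_password_length": 8,
    "disable_expired_accounts": True,
}

# Tiny stand-in for a real cracking wordlist.
COMMON_PASSWORDS = {"password", "welcome1", "summer2001", "letmein", "company"}

# Constructed account export as of the (hypothetical) test date.
TEST_DATE = date(2001, 4, 16)
SAMPLE_ACCOUNTS = [
    Account("alice", True,  None,              date(2001, 2, 1),  "Tr0ub4dor&3x"),
    Account("bob",   True,  date(2001, 3, 31), date(2000, 12, 1), "welcome1"),   # contractor, contract ended
    Account("carol", False, date(2001, 1, 15), date(2000, 10, 1), "password"),   # correctly disabled
    Account("dave",  True,  None,              date(2001, 4, 1),  "Summer2001"),
]

Finding = Tuple[str, str, str]   # (account, severity, description)


def audit(accounts: List[Account], policy: dict, today: date) -> List[Finding]:
    """Return one finding per observed deviation from the written policy."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account cannot be logged into; nothing to report
        if policy["disable_expired_accounts"] and a.expires is not None and a.expires < today:
            findings.append((a.name, "HIGH", "expired account still enabled"))
        age = (today - a.last_password_change).days
        if age > policy["max_password_age_days"]:
            findings.append((a.name, "MEDIUM", f"password {age} days old"))
        if len(a.password) < policy["min_password_length"] or a.password.lower() in COMMON_PASSWORDS:
            findings.append((a.name, "HIGH", "easily guessed password"))
    return findings


def run_example() -> List[Finding]:
    """Run the audit over the constructed export; used by the test harness too."""
    return audit(SAMPLE_ACCOUNTS, POLICY, TEST_DATE)


if __name__ == "__main__":
    for name, severity, text in run_example():
        print(f"{severity:6} {name:6} {text}")
```

Run as written, the script flags the contractor whose account outlived the contract, the stale and guessable password on that same account, and an otherwise compliant user who chose a seasonal password. None of those would show up on a questionnaire that simply asks whether a password policy exists.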
The Testing Program
One of the myths of technical testing is that it is expensive, complicated or potentially destructive. In reality, powerful automated software tools and outsourced testing services make sophisticated testing a reasonably priced alternative for any business. And, as a risk manager looking at binding a cyber-risk policy, you should demand it.
But be cautious. Quality of service is a serious consideration in controlling the accuracy of the technical testing process. Although current offerings range from the hideously expensive to the free, caveat emptor definitely applies. Free scans generally skimp on the breadth of tests being offered. More seriously, they do not contain the expert analysis required to determine the difference between true peace of mind and a disastrous false sense of security.
Security management is a complex, often confusing process. It takes an experienced security professional, not a general IT manager, to generate the best results. For example, three seemingly unrelated low-severity findings can together be the signature of a serious, aggressive attempt to break into a system. It is unlikely that a free or quick assessment would recognize that pattern or make appropriate recommendations for how to defend against it.
So how should a business go about building a cost-effective information security risk management program? There are three basic options:
* Develop security policy, design/implement a security management system and monitor the security process in-house
* Manage the process in-house, but use best-of-breed products and consulting services from prominent security vendors
* Outsource the security management process
In general, only organizations operating in highly regulated environments or having similar compelling needs are willing to absorb the cost of an in-house solution. This expense must be incurred even though information security is rarely a core competence or revenue opportunity. Experienced security staffs are expensive to recruit and retain, and basic personnel costs can easily exceed $500,000 per year. Monitoring must take place 24x7, leaving little time for staff to keep current on breaking issues in security management. Department-by-department deployments--the usual pattern--are difficult to integrate into a framework for centralized administration.
These challenges collide directly with mainstream businesses' need to protect resources through the risk management process. One response has been the rise of managed security services--outsourced security management that offloads this non-core information technology function and simplifies becoming a good underwriting risk. In effect, managed services move the responsibility of assessing, monitoring and remediating changing security threats squarely on the shoulders of the security provider.
Managed security services provide assessments, remediation, monitoring/response and establish insurability--the four essential steps in any organization's security management program. Managed security can serve as an entire security infrastructure or as a means of filling gaps in existing security infrastructures.
A Risk Essential
An effective information security risk management program must do four things: assess, remediate, monitor and insure. Assessment tests systems for potential vulnerabilities through technical penetration from both inside and outside the network, plus security policy review where appropriate. The results of these ongoing assessments lead to immediate remediation of all medium and high risks. Each system is then monitored on a regular basis to confirm that the security posture is being maintained. Finally, tightly targeted online intellectual property and liability coverage transfers the remaining risk.
Security is never 100 percent, and it will not be in the near term. It is subject to immediate change, because attackers are always figuring out new ways to break things. Companies must therefore use traditional financial management tools to ensure there are no unfunded risks on the books.
Properly executed, online risk management is not a technology process, but a business process--a natural extension of well-understood best practices from the non-virtual world. Top tier online risk management programs are available from a number of vendors. These programs must cover basic security requirements to be effective, plus synchronize with brokers or underwriters to create a seamless spectrum of risk management services.
This process benefits businesses, underwriters and brokers. Businesses receive cost-effective risk management for online assets. Those organizations able to take advantage of managed security services can then focus limited IT resources on core business operations, rather than having to make an extensive investment in security infrastructure and ongoing management. In return, the underwriting community receives concrete assurance that good risks are being covered at reasonable rates, and that sufficient protections are in place to minimize the potential for bad losses.
Gregory C. Grant is director of risk solution at Internet Security Systems in Atlanta.
Author: Gregory C. Grant
Publication: Risk & Insurance
Date: Apr 16, 2001