The Case for Technical Testing

An effective information security risk management program should include technical tests for vulnerabilities. The results of these ongoing assessments lead to immediate remediation of risks, and they are the key to selecting a comprehensive insurance policy.
It's a typical business: 175 employees, reliably profitable. There's a small Web storefront and an informational Web site, but both are hosted externally by an Internet service provider (ISP). Internally, there's a network linking the various departments and operations. The IT department has installed a firewall to control access to and from the Internet.
The owner unlocks the door early one morning. Everything looks normal. He logs on to the network and fires up his e-mail. Suddenly, he realizes he has a major problem on his hands. The first 15 e-mails are from irate customers and partners. It turns out that the company's systems have been compromised, and an attacker has posted sales forecasts, customer credit card numbers, and several proprietary trade secrets on the Internet.
The owner reasonably assumes that, since his company passed a written insurability audit to obtain coverage, his systems were well-defended against attack. He calls his insurance company to file a claim.
And that is when the nightmare really begins.
The insurance company insists on conducting an extensive IT forensic analysis of the attack. Then it compares the results against the application to see whether the company had actually implemented the security measures claimed on the form. The process drags on and on.
Finally, the insurance company denies the claim because it uncovered vulnerabilities unknown to anyone on the company's IT staff and new holes introduced through software upgrades after the application was first submitted. Since the company never performed a test to determine what technical vulnerabilities existed prior to obtaining insurance, the owner worries that he's liable for the full damages from the attack. He has been paying for insurance coverage that provided no assistance whatsoever when he needed it the most.
Technical testing is a readily available methodology for preventing this scenario. It identifies potential risks and initiates remediation of the most critical problems. It offers continuous monitoring to ensure that the constant change in any organization's hardware and software doesn't introduce new vulnerabilities into previously secured environments. It works with underwriting procedures to establish insurability at reasonable rates. And it is affordable for businesses of any size or market.
Many organizations regard risk management for online information resources as relevant only to technology companies or e-commerce firms. In fact, any organization that stores critical business information on a network is at risk from external attack or internal misuse. Beyond the demands of operating in a global economy, regulation, legal and shareholder liability, mergers and acquisitions, and insurability all drive this need, and the process is no different from the one traditional, physical businesses already follow.
For example, it's a relatively simple process to identify and value the inventory in a warehouse. The most expensive stock gets stored in a vault. Lesser items sit out on shelves. Burglar alarms and after-hours patrols safeguard against theft. Smoke alarms and sprinklers protect against fire or arson. The business owners use these reasonable and cost-effective measures to qualify for insurance, securing coverage against financial loss or liability for situations that exceed the physical protections already in place.
Online asset protection should follow a nearly identical risk management process. Online assets are currency in today's global economy. Trade secrets, customer profiles, sales forecasts and accounting information need significant protection. For a growing number of companies, the critical assets are the supply chains, inventory systems or shared digital marketplaces they have opened to partners, and these must be protected. For others, their Web presence is the company's face to the world.
These different business types may value their assets differently, but any security lapse can prove extremely harmful: if information is damaged, stolen, altered or destroyed; if trading partners cannot access your systems; or, worse, if your systems pass along a virus or let an attacker compromise your computers and use them to enter other organizations' systems. These are real-world scenarios that information security professionals deal with. They are also scenarios whose likelihood can be dramatically reduced, but not simply by filling out a written questionnaire or answering a few questions on an insurance application. That requires security due diligence and technical testing, the kind that seeks to exploit vulnerabilities and then correct them before an attacker finds them.
According to a recent survey by The St. Paul, only 25 percent of U.S. businesses and 30 percent of European businesses use formal risk management policies for protecting online information and technology resources. Even more alarming, only 13 percent of this already small group feel that their policies are effective.
If only 13 percent of the biggest and most security-aware businesses in the United States and Europe feel confident that policy can drive an effective information security management practice, then something is obviously missing. If developing and implementing a security policy were a good deterrent against cyber-related attacks, internal threats would not have risen from 58 percent to more than 71 percent in a single year, according to the CSI/FBI computer crime and security survey.
Companies that rely solely on policy reviews may not realize that, in the interval between one review and the next, new vulnerabilities have in all likelihood been introduced into their networks and computer systems. These undiscovered weaknesses are significant and dangerous. If customers and partners cannot find a business online, cannot be sure the information they receive from it is accurate, or cannot trust it to protect their confidential information, that business won't be in business for long.
Security due diligence through technical testing is the key to selecting a reliable and comprehensive insurance policy that adequately protects online business operations. Any process that allows underwriters to bind policies without technical testing by definition exposes that business to unnecessary risk.
Assume a company has successfully completed a security policy review and that the findings have led to a number of changes in security policy. Even if these changes have been communicated throughout the organization, and even if all security policies and procedures are being enforced, each software upgrade or new system installation introduces the potential for new risks that a traditional paper audit will not find. In many documented cases, companies have been given passing grades on their policy reviews, only to suffer a successful attack because the audit process did not include technical vulnerability testing.
In addition, users may revert to easily guessed passwords, expired accounts may be left active on the system, and new vulnerabilities in previously installed software may be discovered. External attackers count on these unavoidable breaches of policy. Internal attackers have access to the security policy guidelines and can easily work out the best way to subvert them. Although security policy, or at least solid security procedures and practices, is the best means of establishing and enforcing security management throughout an organization, only technical testing provides the ongoing feedback needed to verify that baselines are in place and that policy is having its intended effect.
At its simplest, technical testing searches for vulnerabilities in actual production hosts, networks, databases and applications, from both inside and outside the organization's network. Conducted routinely, it goes a significant step beyond policy review by turning security assessment into an ongoing, dynamic process. The value of an audit is greatly enhanced by remediating the technical risks it identifies and then rescanning the affected systems on a regular schedule. This proactive, cyclical process provides a consistent view of the organization's security posture and enables a consistent, effective approach to preventing attack and misuse.
The Testing Program
One of the myths of technical testing is that it is expensive, complicated or potentially destructive. In reality, powerful automated software tools and outsourced testing services make sophisticated testing a reasonably priced alternative for any business. And, as a risk manager looking at binding a cyber-risk policy, you should demand it.
But be cautious. Quality of service is a serious consideration in controlling the accuracy of the technical testing process. Current offerings range from the hideously expensive to the free, and caveat emptor definitely applies. Free scans generally skimp on the breadth of tests offered. More seriously, they lack the expert analysis required to tell the difference between true peace of mind and a disastrous false sense of security.
Security management is a complex, often confusing process. It takes an experienced security professional, not an IT manager, to generate the best results. For example, three seemingly unrelated vulnerabilities can together be a common way of disguising a serious, aggressive attempt to break into a system. It is unlikely that a free or quick assessment would recognize this pattern or make appropriate recommendations for defending against it.
So how should a business go about building a cost-effective information security risk management program? There are three basic options:
* Develop security policy, design/implement a security management system and monitor the security process in-house
* Manage the process in-house, but use best-of-breed products and consulting services from prominent security vendors
* Outsource the security management process
In general, only organizations operating in highly regulated environments or having similarly compelling needs are willing to absorb the cost of an in-house solution. This expense must be incurred even though information security is rarely a core competence or a revenue opportunity. Experienced security staff are expensive to recruit and retain, and basic personnel costs can easily exceed $500,000 per year. Monitoring must take place 24x7, leaving staff little time to keep current on breaking issues in security management. Department-by-department deployments, the usual pattern, are difficult to integrate into a centralized management framework.

These challenges collide directly with mainstream businesses' need to protect resources through the risk management process. One response has been the rise of managed security services: outsourced security management that offloads this non-core information technology function and simplifies becoming a good underwriting risk. In effect, managed services place the responsibility for assessing, monitoring and remediating changing security threats squarely on the shoulders of the security provider.
Managed security services provide assessment, remediation, monitoring and response, and establish insurability: the four essential steps in any organization's security management program. Managed security can serve as an entire security infrastructure or as a means of filling gaps in an existing one.
A Risk Essential
An effective information security risk management program must do four things: assess, remediate, monitor, and insure. Assessment tests systems for vulnerabilities using technical penetration testing from both inside and outside the network, plus security policy review where appropriate. The results of these ongoing assessments lead to immediate remediation of all medium and high risks. Each system is then monitored on a regular basis to ensure that its security posture is maintained at a high level. Finally, tightly targeted online intellectual property and liability coverage transfers the remaining risk.
Security is not 100 percent and will not be in the near term. It is subject to immediate change, as attackers are always figuring out ways to break things. Companies must use traditional financial management tools to ensure there are no unfunded risks on the books.
Properly executed, online risk management is not a technology process but a business process, a natural extension of well-understood best practices from the non-virtual world. Top-tier online risk management programs are available from a number of vendors. To be effective, these programs must cover the basic security requirements and synchronize with brokers or underwriters to create a seamless spectrum of risk management services.
This process benefits businesses, underwriters and brokers. Businesses receive cost-effective risk management for online assets. Those organizations able to take advantage of managed security services can then focus limited IT resources on core business operations, rather than having to make an extensive investment in security infrastructure and ongoing management. In return, the underwriting community receives concrete assurance that good risks are being covered at reasonable rates, and that sufficient protections are in place to minimize the potential for bad losses.
Gregory C. Grant is director of risk solutions at Internet Security Systems in Atlanta.