[ISN] Six top security issues for executives
[The Art of War by: Sun Tzu
http://www.amazon.com/exec/obidos/ASIN/0195015401/c4iorg - WK]
By Yona Hollander
DECEMBER 30, 2002
Sun Tzu, a legendary Chinese strategist born more than 2,000 years
ago, taught the importance of knowing both your enemy and yourself:
If you know the enemy and know yourself, you need not fear the result
of a hundred battles. If you know yourself but not the enemy, for
every victory gained you will also suffer a defeat. If you know
neither the enemy nor yourself, you will succumb in every battle.
-- Sun Tzu, in The Art of War, Chapter 3, Verse 18
Truer words were never spoken when it comes to information security.
To succeed, you must know your enemy as well as your own strengths and
weaknesses. The following are six issues of which executives should be
aware to protect their systems.
1. Know Your Enemy
The faceless external attacker often plays the villain role in the
traditional information-security drama. While such external attackers
exist and are a real threat, internal misuse presents a much greater
risk and must not be ignored. To truly know your enemy, you must
consider and understand both external and internal threats.
2. Understand External Enemies
By definition, external enemies attempt to attack you from outside
your corporate boundaries. These attackers may be teenagers in their
parents' basements, miscreants in other countries or credit card
thieves, among others. External enemies attack your enterprise for
various reasons; some are more malicious than others.
Many external attackers resemble joy riders who steal cars for the fun
of it. These attackers target your network to show off their skills
and expertise to their peers. While they often have little malicious
intent, they can cause vast amounts of damage to your systems.
Politics motivate other external attackers. They may want to deface
your public Web site and use it as a venue for their political
messages. Such political defacements occur relatively frequently,
numbering in the hundreds per year.
Other motivations include theft, fraud, corporate espionage and even
cyberterrorism. External attackers must be clever to infiltrate your
perimeter defenses, but experience has shown that such infiltration is
possible and, in some cases, even easy.
The external threat includes individual attackers manually probing and
penetrating your networks, as well as highly automated attacks such as
worm programs. For example, the Code Red worm attacked and compromised
hundreds of thousands of hosts around the world in a matter of hours.
Skilled attackers can create such worm programs with little effort.
The threat from worms continues to grow, and protecting your systems
against them is crucial.
3. Defend Against Internal Enemies
Many traditional security approaches concentrate on building and
protecting a hardened perimeter to protect against the external
threat. This approach would be sufficient if all enemies were
external. In reality, concentrating on the perimeter only builds a
false sense of security while leaving your organization vulnerable to
attack and misuse by those who can hurt you most: insiders.
Insiders know what your most valuable information assets are, where
they're stored and how to access them. An insider at a credit bureau
drove the success of the recently apprehended identity theft ring that
stole millions of dollars from individuals around the country.
Not all inside enemies are full-time employees of your company.
Contractors, temporary workers and former employees may have
privileged access to your systems with little control over or
oversight of their activities.
4. Know Yourself
In the context of information security, knowing yourself implies
understanding your systems and staff as well as the security risks
associated with both. If you don't know your own points of
vulnerability and risk, it's difficult to protect yourself. Again, too
frequently information security initiatives focus on external forces
and neglect internal systems, vulnerabilities and threats. Judicious
use of risk analysis tools and background checks can significantly
improve your knowledge of your company.
5. Be Aware of Regulations and Consequences
Serious consequences exist for ignoring security. Regulation of
information security and privacy is increasing. The
Gramm-Leach-Bliley Act, the Health Insurance Portability and
Accountability Act and various other federal and state regulations are
raising the security bar for corporations by requiring minimum
security standards to be in place. Companies that don't comply will
face significant penalties in the future.
For example, a new law in California (effective July 1, 2003) requires
businesses that own databases to disclose security breaches if certain
personal information was or may have been compromised. Californians
can bring civil actions for actual damages and injunctive relief
against entities that fail to comply with the law.
Businesses also face the possible loss of customer confidence and
revenue in the face of a successful attack against their systems.
Egghead Software's widely publicized security breach led to a
precipitous drop in its stock price and revenue; the business never
recovered, and Egghead closed its doors not long thereafter. Customers
will not buy from companies that they do not trust.
6. Protect Yourself
Rather than solely relying on perimeter defenses, such as firewalls,
to safeguard your enterprise, protect each critical server and data
store against misuse. By protecting valuable information assets
directly, you achieve protection against both internal and external
threats. Proper protection includes using technology products (such as
intrusion prevention, antivirus and access control software) as well
as sound security processes (such as security policies and risk
analyses). Using products and processes together to secure each
critical asset yields the best protection.
Referring to warfare, Sun Tzu taught long ago the importance of
knowing your enemy as well as knowing yourself. Information security
is no different. Failure to understand the threats to your business
and your ability to counter those threats could be catastrophic to
Yona Hollander is vice president of security management at Entercept
Security Technologies, an intrusion-prevention software company in San
Jose. He is part of Entercept's Ricochet Team, a specialized group of
security researchers dedicated to identifying, assessing and
evaluating intelligence related to server threats.
ISN is currently hosted by Attrition.org