Forwarded From: darek milewski <darekmt_private>
http://www.computerworld.com/home/features.nsf/CWFlashWeekly/980921mgt

Lotsa Talk, Little Walk

There's no shortage of statements supporting information security, but a CW/Ernst & Young survey finds little action to back up the words.

By Gary H. Anthes

Despite statements of strong support for information security by top management, an astonishing number of companies fail to take the most basic steps to protect themselves from hackers, disgruntled employees and industrial spies.

And the gap between words and actions seems to be widening as scarce information technology funds get sucked into the black hole of year 2000 repairs.

Those are some of the conclusions from the Ernst & Young/Computerworld Global Information Security Survey of 4,255 IT and information security managers. This is the sixth year Ernst & Young has conducted the survey.

Of those surveyed, 84% said their senior management believes that information security is "important" or "extremely important." But the following results indicate that that concern isn't translating into action:

* Forty-one percent said they don't have formal security policies.
* Three-quarters said they have no incident response plans.
* More than half said they lack disaster recovery plans.
* More than a third said they don't monitor their networks for suspicious activity.
* Fewer than one in five use encryption technology to safeguard sensitive information.

The survey also spotlights a basic misunderstanding of information security dangers. Asked to identify threats, respondents were almost twice as likely to cite hackers as employees, but studies have shown that the overwhelming majority of security breaches come from inside the company.

Thirty-two percent of the managers surveyed said security is the biggest barrier to electronic commerce. (Inadequate technology was cited by 26%, and unfavorable economics was mentioned by 25%.) But there were encouraging signs that the security barrier is beginning to yield: The survey showed a sharp reduction in just a year in the number of complaints about the adequacy of security products.

"Over the past two years, security awareness has definitely increased," says John Darbyshire, a partner at Ernst & Young LLP and head of the firm's security practice. "But many people are still not acting on it, and senior management isn't putting its checkbook where it needs to be just yet."

Friendly Attacks

One way to get management to take information security seriously is to perform penetration testing, in which a company uses automated tools to probe its own systems for security holes. That shows management the vulnerabilities that are found and their implications, Darbyshire says. "There's shock value in attack and penetration work," he notes.

John Wylder, a senior vice president at SunTrust Banks, Inc. in Atlanta, agrees that showing management the results of penetration tests can be effective, provided security vulnerabilities are related clearly to business concepts. "You can say that they could have downloaded the customer list for your Jacksonville office — that will get their attention," he says.

But at least one security professional advises security managers to deliver a positive message whenever possible. Management becomes weary and skeptical of gloom-and-doom scenarios, particularly if the company has never suffered a loss, says Paul Jansen, manager of information security at USA Group, Inc. in Indianapolis.

For example, USA Group used a firewall for Internet access, but Jansen wanted to add another to tighten security on the company's extranet, which was used by customers. Instead of telling management all the terrible things customers might do to the company's systems, he showed that dedicating a gateway to customers could improve security and provide better service. His request was approved.

Another Reason To Hate Year 2000

"Y2K is the latest reason not to fund information security," Wylder says. He should know; he previously headed information security at SunTrust but now leads the bank's year 2000 project.

According to Wylder, it's easy for management to shortchange security in favor of projects such as year 2000 because, despite much media coverage of hackers, most companies just aren't getting hacked. Indeed, only 4% of those surveyed said they'd been broken into from the Internet.

Instead, companies are suffering losses "the old-fashioned way" - through fraud unrelated to computer attacks, Wylder contends. "Management is disappointed to have invested all this money in information security, and then the accountant runs off with the books," he says.

Darbyshire says he isn't surprised by the high percentage of survey respondents without formal security policies and procedures. "Time and time again we see organizations where they are either not there or they've been developed for the mainframe and have not been modified for the client/server environment," he says.

But policies and procedures are the cornerstone of a security architecture, and they require a relatively modest investment - perhaps $150,000 for a $50 million company - to develop, Darbyshire says.

The primary impetus for information security shouldn't come from information systems managers, information security professionals or even top corporate management, says Patricia Gilmore, managing director for information security risk management at Charles Schwab & Co. in San Francisco. Rather, it should come from the business unit managers who own the company's products and services, she says.

"In the past, IS owned the data, but we're trying to change that," Gilmore says. "We're trying to get the businesspeople to understand they have that responsibility."

Gilmore, who is also president of the Information Systems Security Association, says no organization can afford to build risk-free systems, but it can build them with "manageable" risks. IS managers at Schwab are beginning to ask business unit managers to sign off on what are acceptable levels of risk in the applications built for them, she says.

Jansen says too many people think technology - firewalls, intrusion detection tools and the like - will solve their security problems. "But if you put a firewall out there and an employee calls an ex-employee and says, 'Here's my password,' what good does your firewall do?" he says.

Another protective measure too often absent is the computer security incident response plan, says Dan Woolley, a marketing manager in Ernst & Young's security practice. Effective response plans require the use of intrusion detection software, he says.

Intrusion detection systems can monitor networks for suspicious activities, such as repeated failed log-on attempts, and can trip alarms when certain kinds of events occur. The survey seemed to suggest a sharp increase in the use of alarms. Only 19% of companies surveyed didn't know if they had been successfully attacked via the Internet, down from 42% the prior year.

Better Tools

Survey results show that IT professionals are becoming more satisfied with security products, with just 18% saying tools are "the greatest obstacle to addressing security concerns." Last year, 31% made that assertion.

Enterprise systems management tools integrated with intrusion detection and firewall products are giving the information security specialist unprecedented capabilities, Woolley says. "You get them all talking together, and if there is an attack, you can turn off a connection or backtrack the attack to get additional information," he says.

"We've seen just over the past year a significant number of new tools on the market filling gaps, particularly in the management and monitoring of the environment," says John Pastore, chief scientist at Capital One Financial Services Corp. in Falls Church, Va. Better integration is still needed among tools and products for centralized management of security services such as password control, he says.

Cryptography is one area not much exploited by users so far, the survey found. Just 17% use data encryption for Internet security, 4% use digital signatures, and 5% use digital certificates. One reason is that the technology isn't easily layered on top of packaged applications for which source code isn't available, Pastore says.

Another reason: Users often take a "hard-shell" approach to security based on the assumption that if things such as firewalls and passwords can keep intruders out of systems, encryption need not further protect the data inside. "That's a predominant attitude, and it's kind of scary because the average firewall doesn't take that long to get through," Pastore says.

Cryptography "is the wave of the future," Darbyshire says. "But it's a new technology, a complex technology, and a lot of training and awareness needs to go on at the corporate level to understand the kind of architecture to put in place with it."

But security-savvy IT professionals caution against seeing cryptography - or indeed, any technology - as a silver bullet. "You need to take a step back and realize that you can put in technology, but if you don't do the basics, like awareness programs, policies and procedures and training, it won't do you any good," Jansen says.