[ISN] Security: Lotsa Talk, Little Walk

From: mea culpa (jerichot_private)
Date: Tue Sep 22 1998 - 12:41:50 PDT

  • Next message: mea culpa: "[ISN] Golden Age of Hacktivism (hack with political agenda)"

      This message is in MIME format.  The first part should be readable text,
      while the remaining parts are likely unreadable without MIME-aware tools.
      Send mail to mimet_private for more info.
    
    --------------0890EE54604D4ED5C7932175
    Content-Type: TEXT/PLAIN; CHARSET=iso-8859-1
    Content-Transfer-Encoding: QUOTED-PRINTABLE
    Content-ID: <Pine.SUN.3.96.980922131703.25893Tt_private>
    
    
    Forwarded From: darek milewski <darekmt_private>
    
    http://www.computerworld.com/home/features.nsf/CWFlashWeekly/980921mgt
    
    Lotsa Talk, Little Walk
    
    There's no shortage of statements supporting information security, but a
    CW/Ernst & Young survey finds little action to back up the words.=20
    
    By Gary H. Anthes
    
    Despite statements of strong support for information security by top
    management, an astonishing number of companies fail to take the most basic
    steps to protect themselves from hackers, disgruntled employees and
    industrial spies.=20
    
    And the gap between words and actions seems to be widening as scarce
    information technology funds get sucked into the black hole of year 2000
    repairs.=20
    
    Those are some of the conclusions from the Ernst & Young/Computerworld
    Global Information Security Survey of 4,255 IT and information security
    managers. This is the sixth year Ernst & Young has conducted the survey.=20
    
    Of those surveyed, 84% said their senior management believes that
    information security is "important" or "extremely important." But the
    following results indicate that that concern isn't translating into
    action:=20
    
       * Forty-one percent said they don't have  =20
         formal security policies.               =20
       * Three-quarters said they have no
         incident response plans.                =20
       * More than half said they lack disaster  =20
         recovery plans.                         =20
       * More than a third said they don't       =20
         monitor their networks for suspicious   =20
         activity.                               =20
       * Fewer than one in five use encryption   =20
         technology to safeguard sensitive       =20
         information.                            =20
                                               =20
    The survey also spotlights a basic misunderstanding of information
    security dangers. Asked to identify threats, respondents were almost twice
    as likely to cite hackers as employees, but studies have shown that the
    overwhelming majority of security breaches come from inside the company.=20
    
    Thirty-two percent of the managers surveyed said security is the biggest
    barrier to electronic commerce. (Inadequate technology was cited by 26%,
    and unfavorable economics was mentioned by 25%.) But there were
    encouraging signs that the security barrier is beginning to yield: The
    survey showed a sharp reduction in just a year in the number of complaints
    about the adequacy of security products.=20
    
    "Over the past two years, security awareness has definitely increased,"
    says John Darbyshire, a partner at Ernst & Young LLP and head of the
    firm's security practice. "But many people are still not acting on it, and
    senior management isn't putting its checkbook where it needs to be just
    yet."=20
    
    Friendly Attacks
    
    One way to get management to take information security seriously is to
    perform penetration testing, in which a company uses automated tools to
    probe its own systems for security holes. That shows management the
    vulnerabilities that are found and their implications, Darbyshire says.
    "There's shock value in attack and penetration work," he notes.  John
    Wylder, a senior vice president at SunTrust Banks, Inc. in Atlanta, agrees
    that showing management the results of penetration tests can be effective,
    provided security vulnerabilities are related clearly to business
    concepts. "You can say that they could have downloaded the customer list
    for your Jacksonville office =97 that will get their attention," he says.
    But at least one security professional advises security managers to
    deliver a positive message whenever possible. Management becomes weary and
    skeptical of gloom-and-doom scenarios, particularly if the company has
    never suffered a loss, says Paul Jansen, manager of information security
    at USA Group, Inc. in Indianapolis.=20
    
    For example, USA Group used a firewall for Internet access, but Jansen
    wanted to add another to tighten security on the company's extranet, which
    was used by customers. Instead of telling management all the terrible
    things customers might do to the company's systems, he showed that
    dedicating a gateway to customers could improve security and provide
    better service. His request was approved.=20
    
    Another Reason To Hate Year 2000
    
    "Y2K is the latest reason not to fund information security," Wylder says.
    He should know; he previously headed information security at SunTrust but
    now leads the bank's year 2000 project.=20
    
    According to Wylder, it's easy for management to shortchange security in
    favor of projects such as year 2000 because, despite much media coverage
    of hackers, most companies just aren't getting hacked. Indeed, only 4% of
    those surveyed said they'd been broken in to from the Internet.=20
    
    Instead, companies are suffering losses "the old-fashioned way" - through
    fraud unrelated to computer attacks, Wylder contends. "Management is
    disappointed to have invested all this money in information security, and
    then the accountant runs off with the books," he says.=20
    
    Darbyshire says he isn't surprised by the high percentage of survey
    respondents without formal security policies and procedures. "Time and
    time again we see organizations where they are either not there or they've
    been developed for the mainframe and have not been modified for the
    client/server environment," he says.=20
    
    But policies and procedures are the cornerstone of a security
    architecture, and they require a relatively modest investment - perhaps
    $150,000 for a $50 million company - to develop, Darbyshire says.=20
    
    The primary impetus for information security shouldn't come from
    information systems managers, information security professionals or even
    top corporate management, says Patricia Gilmore, managing director for
    information security risk management at Charles Schwab & Co. in San
    Francisco. Rather, it should come from the business unit managers who own
    the company's products and services, she says.=20
    
    "In the past, IS owned the data, but we're trying to change that," Gilmore
    says. "We're trying to get the businesspeople to understand they have that
    responsibility."=20
    
    Gilmore, who is also president of the Information Systems Security
    Association, says no organization can afford to build risk-free systems,
    but it can build them with "manageable" risks. IS managers at Schwab are
    beginning to ask business unit managers to sign off on what are acceptable
    levels of risk in the applications built for them, she says.=20
    
    Jansen says too many people think technology - firewalls, intrusion
    detection tools and the like - will solve their security problems. "But if
    you put a firewall out there and an employee calls an ex-employee and
    says, 'Here's my password,' what good does your firewall do?" he says.=20
    
    Another protective measure too often absent is the computer security
    incident response plan, says Dan Woolley, a marketing manager in Ernst &
    Young's security practice. Effective response plans require the use of
    intrusion detection software, he says.=20
    
    Intrusion detection systems can monitor networks for suspicious
    activities, such as repeated failed log-on attempts, and can trip alarms
    when certain kinds of events occur. The survey seemed to suggest a sharp
    increase in the use of alarms. Only 19% of companies surveyed didn't know
    if they had been successfully attacked via the Internet, down from 42% the
    prior year.=20
    
    Better Tools
    
    Survey results show that IT professionals are becoming more satisfied with
    security products, with just 18% saying tools are "the greatest obstacle
    to addressing security concerns." Last year, 31% made that assertion.=20
    
    Enterprise systems management tools integrated with intrusion detection
    and firewall products are giving the information security specialist
    unprecedented capabilities, Woolley says. "You get them all talking
    together, and if there is an attack, you can turn off a connection or
    backtrack the attack to get additional information," he says.=20
    
    "We've seen just over the past year a significant number of new tools on
    the market filling gaps, particularly in the management and monitoring of
    the environ-ment," says John Pastore, chief scientist at Capital One
    Financial Services Corp. in Falls Church, Va. Better integration is still
    needed among tools and products for centralized management of security
    services such as password control, he says.=20
    
    Cryptography is one area not much exploited by users so far, the survey
    found. Just 17% use data encryption for Internet security, 4% use digital
    signatures, and 5% use digital certificates. One reason is that the
    technology isn't easily layered on top of packaged applications for which
    source code isn't available, Pastore says.=20
    
    Another Reason:
    
    Users often take a "hard-shell" approach to security based on the
    assumption that if things such as firewalls and passwords can keep
    intruders out of systems, encryption need not further protect the data
    inside. "That's a predominant attitude, and it's kind of scary because the
    average firewall doesn't take that long to get through,"  Pastore says.=20
    
    Cryptography "is the wave of the future," Darbyshire says.  "But it's a
    new technology, a complex technology, and a lot of training and awareness
    needs to go on at the corporate level to understand the kind of
    architecture to put in place with it."=20
    
    But security-savvy IT professionals caution against seeing cryptography -
    or indeed, any technology - as a silver bullet. "You need to take a step
    back and realize that you can put in technology, but if you don't do the
    basics, like awareness programs, policies and procedures and training, it
    won't do you any good," Jansen says.=20
    
    
    
    
    --------------0890EE54604D4ED5C7932175--
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:12 PDT