[ISN] Hiring hackers to protect systems

From: mea culpa (jerichoat_private)
Date: Wed Jan 27 1999 - 12:54:00 PST

    Forwarded From: Stuart Sabel <stuartsat_private>
    
    Hiring hackers to protect systems
    By P. Vikram Reddy, The Hindu
    HYDERABAD, Jan. 24.
    
    The statement that "people are hiring hackers to protect themselves from
    hackers" perhaps best reflects the lengths to which IT companies, as well
    as other organisations for whom information is the most valuable asset,
    are forced to go to protect their systems.
    
    With focus shifting to India, the next question one needs to ask is how
    strong the information security systems here are, or, for that matter,
    what the level of awareness of information security is. It is against
    this background that KPMG Peat Marwick (KPMG), the global professional
    advisory firm, has decided to launch India's first Information Security
    Survey (ISS). It is perhaps appropriate that it was launched in Hyderabad,
    which is attracting a lot of IT activity.
    
    With 92,000 people collaborating worldwide, the firm provides consulting,
    tax and audit services from over 825 locations in 157 countries. It has
    been conducting Information Security Surveys in the U.S. and the U.K. 
    periodically. India happens to be only the third country where the
    organisation has taken up such a survey. 
    
    About 3,100 Indian corporates will be covered by the survey, based on a
    detailed postal questionnaire. Of them, 146 are from Andhra Pradesh and 88
    from Hyderabad. The ISS is conducted by the Information Risk Management
    (IRM) practice, a specialist practice within KPMG.
    
    "Looking at the imminent growth of India on the world technology map,
    KPMG has targeted it as the next most important location to conduct the
    survey," says Mr. Sridar A. Iyengar, CEO. And as Mr. Sanjay Dhawan,
    Director, says, "With business getting so globalised, risks and procedures
    and policies do not change from country to country."
    
    The IRM practice has been conducting a biennial ISS of the U.K. and
    Ireland since 1996 to investigate the state of security. The 1998 U.K.
    survey has been an eye opener. It shows that electronic commerce
    represents a major security threat, and that the year 2000 date format
    problem and economic and monetary union in Europe are highlighting
    security issues. Of more concern is the finding that security offences
    are going undetected, recovery plans remain untested and security policies
    are inadequate.
    
    The single most important business issue in terms of its likely impact on
    security was considered to be electronic commerce, followed by mobile
    computing. Almost two-thirds of the organisations used the Internet, but
    over three quarters of them had not tested the security of their Internet
    site, and less than half had procedures covering Internet use. A third of
    Internet users had systems which did not provide security violation
    reporting, or did not review it, and half of those using mobile computing
    did not have procedures covering it.
    
    It was found that only half of the organisations carry out formal
    reporting of security incidents, and only half of these take action
    against offenders. Only half had an approved computer security policy.
    What could be the consequences? Inherent risks might result in disruption
    of business operations and loss of management control. It found that users
    were least aware of information security. Awareness of a formal disaster
    recovery/business continuity plan is still considered low in India.
    
    An interesting finding was that "security saves money". Organisations
    were incurring losses to the tune of two to three times the cost they
    would have incurred for setting up a secure IT environment at the initial
    stage. And 20 per cent of respondents said that their risk management
    programmes enabled them to obtain a discount on the cost of insurance.
    
    A matter of concern is the response level. An 11 per cent response is
    considered good. Even in the U.K., where the survey covered 15,000
    companies, only 1,000 responded. About 52 per cent were from IT companies,
    33 per cent from finance and 15 per cent from others. "If companies do not
    respond and we alert them to their problem (through the questionnaire),
    our objective would have been met (of creating awareness)," says Mr.
    Dhawan.
    
    What about the post-survey scenario? KPMG has been instrumental in
    designing IT security, IT risk management, system reviews and IT control
    environment reviews. But how many surveyed companies come back for
    consultancy? "We do not monitor how many seek consultancy," says Mr.
    Dhawan, reflecting the veil of secrecy around such information.
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:29 PDT