[ISN] Six top security issues for executives

From: InfoSec News (isnat_private)
Date: Tue Dec 31 2002 - 01:02:37 PST

  • Next message: InfoSec News: "[ISN] RIAA invites comments"

    [The Art of War by: Sun Tzu 
    http://www.amazon.com/exec/obidos/ASIN/0195015401/c4iorg  - WK]
    By Yona Hollander
    DECEMBER 30, 2002
    Sun Tzu, a legendary Chinese strategist born more than 2,000 years 
    ago, taught the importance of knowing both your enemy and yourself: 
    If you know the enemy and know yourself, you need not fear the result 
    of a hundred battles. If you know yourself but not the enemy, for 
    every victory gained you will also suffer a defeat. If you know 
    neither the enemy nor yourself, you will succumb in every battle. 
    -- Sun Tzu, in The Art of War, Chapter 3, Verse 18 
    Truer words were never spoken when it comes to information security. 
    To succeed, you must know your enemy as well as your own strengths and 
    weaknesses. The following are six issues of which executives should be 
    aware to protect their systems. 
    1. Know Your Enemy 
    The faceless external attacker often plays the villain role in the 
    traditional information-security drama. While such external attackers 
    exist and are a real threat, internal misuse presents a much greater 
    risk and must not be ignored. To truly know your enemy, you must 
    consider and understand both external and internal threats. 
    2. Understand External Enemies 
    By definition, external enemies attempt to attack you from outside 
    your corporate boundaries. These attackers may be teenagers in their 
    parents' basements, miscreants in other countries or credit card 
    thieves, among others. External enemies attack your enterprise for 
    various reasons; some are more malicious than others. 
    Many external attackers resemble joy riders who steal cars for the fun 
    of it. These attackers target your network to show off their skills 
    and expertise to their peers. While they often have little malicious 
    intent, they can cause vast amounts of damage to your systems. 
    Politics motivate other external attackers. They may want to deface 
    your public Web site and use it as a venue for their political 
    messages. Such political defacements occur relatively frequently, 
    numbering in the hundreds per year. 
    Other motivations include theft, fraud, corporate espionage and even 
    cyberterrorism. External attackers must be clever to infiltrate your 
    perimeter defenses, but experience has shown that such infiltration is 
    possible and, in some cases, even easy. 
    The external threat includes individual attackers manually probing and 
    penetrating your networks, as well as highly automated attacks such as 
    worm programs. For example, the Code Red worm attacked and compromised 
    hundreds of thousands of hosts around the world in a matter of hours. 
    Skilled attackers can create such worm programs with little effort. 
    The threat from worms continues to grow, and protecting your systems 
    against them is crucial. 
    3. Defend Against Internal Enemies 
    Many traditional security approaches concentrate on building and 
    protecting a hardened perimeter to protect against the external 
    threat. This approach would be sufficient if all enemies were 
    external. In reality, concentrating on the perimeter only builds a 
    false sense of security while leaving your organization vulnerable to 
    attack and misuse by those who can hurt you most: insiders. 
    Insiders know what your most valuable information assets are, where 
    they're stored and how to access them. An insider at a credit bureau 
    drove the success of the recently apprehended identity theft ring that 
    stole millions of dollars from individuals around the country. 
    Not all inside enemies are full-time employees of your company. 
    Contractors, temporary workers and former employees may have 
    privileged access to your systems with little control over or 
    oversight of their activities. 
    4. Know Yourself 
    In the context of information security, knowing yourself implies 
    understanding your systems and staff as well as the security risks 
    associated with both. If you don't know your own points of 
    vulnerability and risk, it's difficult to protect yourself. Again, too 
    frequently information security initiatives focus on external forces 
    and neglect internal systems, vulnerabilities and threats. Judicious 
    use of risk analysis tools and background checks can significantly 
    improve your knowledge of your company. 
    5. Be Aware of Regulations and Consequences 
    Serious consequences exist for ignoring security. The regulatory 
    climate for information security and privacy is increasing. The 
    Gramm-Leach-Bliley Act, the Health Insurance Portability and 
    Accountability Act and various other federal and state regulations are 
    raising the security bar for corporations by requiring minimum 
    security standards to be in place. Companies that don't comply will 
    face significant penalties in the future. 
    For example, a new law in California (effective July 1, 2003) requires 
    businesses that own databases to disclose security breaches if certain 
    personal information was or may have been compromised. Californians 
    can bring civil actions for actual damages and injunctive relief 
    against entities that fail to comply with the law. 
    Businesses also face the possible loss of customer confidence and 
    revenue in the face of a successful attack against their systems. 
    Egghead Software's widely publicized security breach led to a 
    precipitous drop in its stock price and revenue; the business never 
    recovered, and Egghead closed its doors not long thereafter. Customers 
    will not buy from companies that they do not trust. 
    6. Protect Yourself 
    Rather than solely relying on perimeter defenses, such as firewalls, 
    to safeguard your enterprise, protect each critical server and data 
    store against misuse. By protecting valuable information assets 
    directly, you achieve protection against both internal and external 
    threats. Proper protection includes using technology products (such as 
    intrusion prevention, antivirus and access control software) as well 
    as sound security processes (such as security policies and risk 
    analyses). Using products and processes together to secure each 
    critical asset yields the best protection. 
    Referring to warfare, Sun Tzu taught long ago the importance of 
    knowing your enemy as well as knowing yourself. Information security 
    is no different. Failure to understand the threats to your business 
    and your ability to counter those threats could be catastrophic to 
    your organization. 
    Yona Hollander is vice president of security management at Entercept 
    Security Technologies, an intrusion-prevention software company in San 
    Jose. He is part of Entercept's Ricochet Team, a specialized group of 
    security researchers dedicated to identifying, assessing and 
    evaluating intelligence related to server threats. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 08:00:40 PST