


by Ross Magee

The New Security Paradigm

Oct 30, 2003

It is any CIO’s worst nightmare: a malicious attack on your organization’s critical data, resulting in the loss of millions of dollars in customer assets and proprietary information, not to mention irreparable damage to your company’s hard-won reputation.

The attack can come from competitors, independent hackers, or even disgruntled employees. But whatever the source, one thing is clear: those determined to infiltrate an organization’s security infrastructure are becoming more resourceful, and they are succeeding more often than ever before.

To demonstrate how easily an organization’s valuable data and systems can be penetrated, PSINet Europe, a European network and hosting infrastructure provider, set up an anonymous dummy test server to find out how susceptible an unprotected server connected to the Internet might be. The company quickly proved its point: the server was attacked more than 600 times within a three-week period.

Security attacks like these are more common than one might think. According to the Computer Security Institute’s 2003 Computer Crime and Security Survey, 82 percent of organizations have experienced a virus-related attack, while 45 percent reported unauthorized access by insiders, 35 percent reported system penetration, and 21 percent have experienced sabotage and theft of proprietary information. The survey also found that theft of proprietary information causes the greatest financial loss: an average of $2.7 million for each of the organizations surveyed.

In another example, hackers earlier this year stole the credit card numbers of more than five million customers by breaking into a system that processes credit card transactions for merchants. Existing and potential customers learning of an attack like that might understandably be reluctant to use their credit cards online, translating into lost revenues for both credit card companies and merchants.

Although tales like these may cause many to believe the situation is futile, it is far from hopeless. Corporations can make great headway in preventing security breaches by keeping up with changing threats and solutions, implementing enforceable governance policies, making all organizational leaders accountable for security, and using simple common sense.

Sophisticated threats, sophisticated measures

Corporate executives, realizing the growing threat of security attacks, have taken significant steps to shore up their security infrastructures. The majority of mid-sized and large companies today have effective perimeter security solutions, typically consisting of a firewall, intrusion detection system and antivirus software.

While this tried-and-true strategy works well and should still be a priority security investment, it is not enough. The security landscape evolves so rapidly that each year is vastly different from the prior; not only do methods of attack become more sophisticated year after year, but the corporate wall has become more porous and insider attacks are on the rise. These new realities call for a new security strategy.

As organizations have invested heavily in extending the enterprise via extranets, customer Web sites, Internet-based portals, and VPN access, they have weakened the traditional security perimeter, a necessary step that allows partners, suppliers, and customers to access vital applications and data. But without barriers to protect these key corporate assets, companies are more vulnerable to cyberattacks than ever before, this time on critical customer and corporate data as well as on proprietary applications.

A new approach to security is required, one that significantly reduces risk while instilling customer confidence and ensuring protection. Organizations can meet these goals by complementing their perimeter security solutions with a comprehensive, application-based “inside out” approach to security. This application-centric approach protects core applications and data first, and then layers security outward to the host and network.

Failure to implement an application-based security infrastructure can have dire consequences. Not only will your organization’s most valuable assets be exposed, but they will be vulnerable to theft and manipulation if the perimeter wall is penetrated or if an attack begins with an insider.

Combining technology and governance

Ideally, security strategies today should combine the best of technology and governance: the best perimeter and application security technologies, paired with strong policies, governance and best practices. The result is a top-down business approach that balances risk with costs, creating a comprehensive, cost-effective security management process.

By combining technology and governance, you’ll create a system that allows for quick reaction when security breaches are detected. This approach allows organizations to plan for the next virus or worm while enabling the organization to react quickly when the inevitable occurs. Once your security team has worked through a series of worst-case scenarios, they will know exactly how to segment your network so that an infection on one set of machines cannot spread to, or impact, mission-critical applications.

The governance part of the equation, although given short shrift in many organizations, is just as important as technology in fighting security breaches. Without appropriate governance, oversight and policies, organizations are more likely to fail in protecting their assets in the case of an attack.

If anything, security governance has grown in importance in recent years, fueled by the introduction of a series of regulations, such as the Gramm-Leach-Bliley Act, the Patriot Act of 2001 and the Health Insurance Portability and Accountability Act (HIPAA). These regulations now impose penalties when customer data and the financial integrity of the organization are compromised, giving CEOs and CIOs a vested interest in maintaining a strong security infrastructure.

Governance may vary, given the type of organization and its values, but some tenets are universal. Security management objectives, for example, should always be tied to enterprise risk management objectives. This is especially important for organizations in which security investments are driven by a company’s response to a security breach, something Meta Group notes happens more than 70 percent of the time. By implementing appropriate strategies, organizations can avoid such knee-jerk reactions and increase control of complex infrastructures.

The policies tied to a company’s governance strategy can be as simple as stipulating that antivirus software be installed on every desktop or as comprehensive as mapping out the chain of events that should occur when a specific type of attack is encountered. Most importantly, policies must be understood by all employees and enforced by corporate leadership.

Here are some tips organizations can follow when developing security governance, policies and infrastructure:

  • Make sure all business units are on board with the concept of developing a strong security program and strategy.
  • Develop a written information security charter that demonstrates executive commitment to information security and customer privacy. Such a document helps organize support throughout the organization for reinforcing the importance of each employee’s role in maintaining security.
  • Make sure every manager accepts responsibility for security, so strongly that if, at a management meeting, the CEO asks who is responsible for security, everyone would raise a hand.
  • Make sure your information security and acceptable use policies are tied to your organization’s risk management objectives. Specific risk, legal and regulatory requirements should drive the number of policies you need, the subjects they cover, and the ways they are enforced. Also document each measure for each policy, to include reviews of standards and processes, as well as general compliance.
  • Make sure all users, managers and administrators understand what is expected of them and how they should comply. For example, a vulnerability management policy that simply states that all known vulnerabilities will be patched within 60 days of discovery is open to interpretation (when does the clock start, and does a low-risk finding really warrant the same deadline as a critical one?) and doesn’t acknowledge that some vulnerabilities can’t be patched and need a documented exception instead.
  • Allocate enough resources, money and people, to security.
  • Don’t be complacent. Keep monitoring threats, and stay current on technology available to protect your business.
  • Don’t forget the obvious. For example, every desktop should run and update antivirus software consistently. That seemingly unimportant policy could make all the difference.
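The vulnerability-management bullet above is a good place to see what an enforceable policy looks like in practice. The following is an added example (not code from the article or from AMS): a small checker that turns the vague “patch everything within 60 days” rule into per-severity deadlines counted from a defined clock start, and treats “can’t be patched” as a first-class case that is only acceptable when an owner, an expiry date and a compensating control are all recorded. The severity tiers, field names and the sample findings are all constructed for illustration, not drawn from any real inventory.

```python
"""Vulnerability-remediation SLA checker (added illustration, not from the article).

Policy encoded here (assumed, for illustration):
  - each finding gets a deadline by severity, counted from the date it was
    confirmed on the asset (the policy must define this clock start);
  - a finding that cannot be patched may carry a risk-acceptance exception,
    but only if an owner, an expiry date and a compensating control are all
    recorded; a half-filled exception is flagged rather than honoured.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation deadline in days by severity (assumed tiers).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


@dataclass
class Finding:
    asset: str
    finding_id: str
    severity: str
    confirmed: date                      # clock start for the SLA
    patched: Optional[date] = None
    # Documented risk acceptance; all three must be present to count.
    exception_owner: Optional[str] = None
    exception_expires: Optional[date] = None
    compensating_control: Optional[str] = None


def deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under the policy."""
    return f.confirmed + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, today: date) -> str:
    """Classify one finding as of `today`.

    Returns one of: patched, within_sla, overdue, excepted,
    exception_expired, invalid_exception.
    """
    if f.patched is not None:
        return "patched"
    has_any = any((f.exception_owner, f.exception_expires, f.compensating_control))
    has_all = all((f.exception_owner, f.exception_expires, f.compensating_control))
    if has_any:
        if not has_all:
            return "invalid_exception"   # risk "accepted" but not documented
        return "excepted" if today <= f.exception_expires else "exception_expired"
    return "within_sla" if today <= deadline(f) else "overdue"


def report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group finding labels by status; management attention is needed for
    'overdue', 'exception_expired' and 'invalid_exception'."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(status(f, today), []).append(f"{f.asset}:{f.finding_id}")
    return out


# Constructed sample inventory (not real findings or identifiers).
AS_OF = date(2003, 10, 30)
SAMPLE = [
    Finding("web01", "FINDING-1", "critical", date(2003, 10, 1)),
    Finding("web02", "FINDING-2", "medium", date(2003, 9, 1), patched=date(2003, 9, 20)),
    Finding("db01", "FINDING-3", "high", date(2003, 9, 1),
            exception_owner="dba-lead", exception_expires=date(2004, 3, 1),
            compensating_control="db host reachable only from app subnet; vendor fix pending"),
    Finding("mail01", "FINDING-4", "low", date(2003, 9, 15),
            exception_owner="it-ops"),   # owner named, no expiry, no control
]

if __name__ == "__main__":
    for label, items in sorted(report(SAMPLE, AS_OF).items()):
        print(f"{label:18} {items}")
```

The point of the exception fields is the one the bullet makes: a policy that only says “patch within 60 days” gives an administrator no sanctioned way to record that a system cannot be patched, so the gap goes unrecorded; here it either becomes a documented, time-boxed exception or is flagged as invalid.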

But before organizations can begin the process of reworking their security infrastructures and policies, they should carefully consider whether to undertake the tasks internally or hire an expert to develop and implement their security plans.

Smaller companies, as well as those in some industries, such as retail and manufacturing, can sometimes handle the job internally. To do so effectively, take a step back and decide what’s important to your business and how you are currently protecting those assets. Following that assessment, develop a strategy for threats entering your business through the Internet. Companies today have a variety of affordable antivirus software and personal firewalls to choose from.

For companies in heavily regulated industries, such as the financial sector, as well as those with highly complex infrastructures and disparate locations, turning to a security consultant may make sense. By engaging an expert to examine your operations, you will gain the benefits of a fresh and objective look at your current security set-up. Often, you can achieve “quick hits”, significant improvements without expending large sums of money, and over time security experts often find problems that have been overlooked by your overworked staff.

Ross Magee is senior vice president, Enterprise Solutions, at American Management Systems, Incorporated in Fairfax, Va.