Information Security News mailing list archives

A need to circle the wagons: Security breaches high: Easy computer access means theft is easy, too


From: InfoSec News <isn () C4I ORG>
Date: Thu, 5 Oct 2000 22:32:21 -0500

Forwarded By: jeradonah () hushmail com

http://web.lexis-nexis.com/more/cahners-chicago/11407/6392333/8

October 03, 2000 Tuesday TORONTO EDITIONS
By: Sandra Mingail

Network security breaches are real, and they are on the rise. The
fifth annual Computer Crime and Security Survey, released by the San
Francisco-based Computer Security Institute, contains some sobering
numbers.

In a survey of almost 300 corporations and government agencies, 90% of
them reported computer security breaches within the past 12 months.
Financial losses were estimated at more than $365-million.

Where do security threats originate? More than 70% of respondents
detected unauthorized access by insiders. Yet, for the third year in a
row, more companies (59%) claim that their Internet connections were
more susceptible to attack than their internal systems.

As more and more corporations open their doors to online business
initiatives, inadequate attention to network security issues holds the
potential for dramatic losses. The denial of service attacks that shut
down popular Web sites such as Yahoo last spring are just the tip of
the iceberg. Breaches such as Web site tampering, access to personal
customer information and unauthorized cash withdrawals can quickly
bring any corporation to its knees.

'Unless senior people are assessing the risks, then they are exposed,'
says James Hunter, a partner with consulting firm KPMG in Toronto.
'And it's not just the embarrassment of fraud or a petty cash issue.
In some cases, it can be survival.'

KPMG recently conducted their own security survey with a focus on
Canadian companies involved in online commerce. The survey found that
basic preventive measures within corporations still require
significant improvement. Only 28% of those surveyed conducted external
physical security reviews of their Web site, and 55% of e-commerce
systems have no regular security audit.

Assessing the risk associated with a company's systems is a key
component of coping with potential security breaches. But the issues
remain complex.

'There is no panacea. The requirement is to be vigilant on all
fronts,' says Mr. Hunter. 'I think it's a combination of new things
and old things.  New things are things like encryption and
technological firewalls. But the old things are knowing who you're
doing business with.'

Before signing partnership agreements or setting up virtual private
networks to outside suppliers, it is imperative to conduct due
diligence, so companies can rest assured that the safety of their
electronic systems will not be compromised. Today's leaner
organizations have, in many cases, cut out middle management. Those
people used to take younger employees under their wings and guide them
through issues of conflict of interest and business ethics.

In today's business world, many employees assume greater
responsibility with less supervision. This, says Mr. Hunter, can lead
to complacency when it comes to network security. Employees, for
instance, may consider security glitches as par for the course. The
result is that upstream communication is impeded, and senior people
are not alerted to potentially hazardous situations.

'Canadian corporations have given security issues a very low level of
priority,' says Dan McLean, an analyst with International Data Corp.
Canada. 'It's a mindset thing; security is still viewed by a lot of
companies as not a priority in terms of an investment area.'

IDC Canada reports that only 10% of total IT budgets is spent on
security issues. 'Given the magnitude and importance of security,'
says Mr. McLean, 'I would suggest that's a fairly low figure.'

Computer security is a multidimensional problem. Vulnerability occurs
at the desktop, on internal networks and servers and on the Internet.

At the desktop level, there is the constant risk of computer viruses
that wreak havoc with data files. Sensitive or confidential files need
protection.  Encryption software is employed to effectively 'lock'
information from curious eyes. Authentication solutions allow access
to corporate networks via specific identification processes. Biometric
devices will, in the future, authenticate users through thumbprint or
eye characteristics.

Files on corporate servers -- where many users have potential access
to sensitive information -- also vie for adequate protection. In this
security domain, intrusion detection software can be used to detect
unauthorized or unusual actions -- similar to an alarm system's motion
detectors. Scanning software, a less elaborate form of detection
software, can run a systems check on a server.

The network security perimeter protects a corporate network from
intruders while giving access to the Internet from the internal
network.

Firewalls, highly popular technology solutions, act as electronic
security guards to a corporation's internal network. Sitting between
an internal network and an external network, such as the Internet,
firewalls are configured to allow or deny specific electronic traffic.

The availability of security solutions is not the problem, says Mr.
McLean. More often than not, companies will buy a firewall solution
or an authentication solution. But they will not consider buying a
total solution.

'Corporations must look at the risks,' says Mr. McLean, 'and then try
to gain as much mileage as they can from individual pieces.'

Symantec Corp. recently released Symantec Enterprise Security. The
product collection includes virus protection, content filtering and
intrusion protection.  The whole approach, says Michael Murphy,
Symantec's Canadian general manager, is to assist corporations in
being proactive in preventing security breaches.

But before any products are purchased, a thorough security analysis
must be undertaken, followed by a business needs analysis and a risk
analysis.  This approach sets the foundation for a sound security
investment. When starting out, companies need to ask themselves
questions such as 'What are we trying to protect and how much is it
worth?' and 'What are the system's weak points?'

By defining security risks, a corporation can better determine how
much security is required. The inherent danger is that overreacting to
security threats can create a system that is too secure, and
frustrating to use, for both employees and customers. Ultimately, it
is a question of balancing security and usability.

As with most decisions in the fast-paced business world of today, the
development of a company-wide security system is a calculated risk.

There is no guarantee that an effective security solution this quarter
will guard against malicious events next quarter. Regular security
audits are essential, as is an awareness of new threats and potential
solutions. And the human element is always a key component.

'I think this [security] is all new to us,' says Mr. McLean. 'Where
corporations will be in real trouble is where the outside hacker
colludes with an insider who essentially helps the outside hacker to
navigate the system. Then you're going to run into the potential for
severe economic loss.'

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
