Information Security News mailing list archives
A need to circle the wagons: Security breaches high: Easy computer access mean theft is easy, too
From: InfoSec News <isn () C4I ORG>
Date: Thu, 5 Oct 2000 22:32:21 -0500
Forwarded By: jeradonah () hushmail com
http://web.lexis-nexis.com/more/cahners-chicago/11407/6392333/8
October 03, 2000 Tuesday
TORONTO EDITIONS
By: Sandra Mingail

Network security breaches are real, and they are on the rise. The fifth annual Computer Crime and Security Survey, released by the San Francisco-based Computer Security Institute, contains some sobering numbers. In a survey of almost 300 corporations and government agencies, 90% of them reported computer security breaches within the past 12 months. Financial losses were estimated at more than $365-million.

Where do security threats originate? More than 70% of respondents detected unauthorized access by insiders. Yet, for the third year in a row, more companies (59%) claim that their Internet connections were more susceptible to attack than their internal systems.

As more and more corporations open their doors to online business initiatives, inadequate attention to network security issues holds the potential for dramatic losses. The denial of service attacks that shut down popular Web sites such as Yahoo last spring are just the tip of the iceberg. Breaches such as Web site tampering, access to personal customer information and unauthorized cash withdrawals can quickly bring any corporation to its knees.

'Unless senior people are assessing the risks, then they are exposed,' says James Hunter, a partner with consulting firm KPMG in Toronto. 'And it's not just the embarrassment of fraud or a petty cash issue. In some cases, it can be survival.'

KPMG recently conducted their own security survey with a focus on Canadian companies involved in online commerce. The survey found that basic preventive measures within corporations still require significant improvement. Only 28% of those surveyed conducted external physical security reviews of their Web site, and 55% of e-commerce systems have no regular security audit.
Assessing the risk associated with a company's systems is a key component of coping with potential security breaches. But the issues remain complex. 'There is no panacea. The requirement is to be vigilant on all fronts,' says Mr. Hunter. 'I think it's a combination of new things and old things. New things are things like encryption and technological firewalls. But the old things are knowing who you're doing business with.'

Before signing partnership agreements or setting up virtual private networks to outside suppliers, it is imperative to conduct due diligence, so companies can rest assured that the safety of their electronic systems will not be compromised.

Today's leaner organizations have, in many cases, cut out middle management. Those people used to take younger employees under their wings and guide them through issues of conflict of interest and business ethics. In today's business world, many employees assume greater responsibility with less supervision. This, says Mr. Hunter, can lead to complacency when it comes to network security. Employees, for instance, may consider security glitches as par for the course. The result is that upstream communication is impeded, and senior people are not alerted to potentially hazardous situations.

'Canadian corporations have given security issues a very low level of priority,' says Dan McLean, an analyst with International Data Corp. Canada. 'It's a mindset thing: security is still viewed by a lot of companies as not a priority in terms of an investment area.' IDC Canada reports that only 10% of total IT budgets is spent on security issues. 'Given the magnitude and importance of security,' says Mr. McLean, 'I would suggest that's a fairly low figure.'

Computer security is a multidimensional problem. Vulnerability occurs at the desktop, on internal networks and servers and on the Internet. At the desktop level, there is the constant risk of computer viruses that wreak havoc with data files.
Sensitive or confidential files need protection. Encryption software is employed to effectively 'lock' information from curious eyes. Authentication solutions allow access to corporate networks via specific identification processes. Biometric devices will, in the future, authenticate users through thumbprint or eye characteristics.

Files on corporate servers -- where many users have potential access to sensitive information -- also vie for adequate protection. In this security domain, intrusion detection software can be used to detect unauthorized or unusual actions -- similar to an alarm system's motion detectors. Scanning software, a less elaborate form of detection software, can run a systems check on a server.

The network security perimeter protects a corporate network from intruders while giving access to the Internet from the internal network. Firewalls, highly popular technology solutions, act as electronic security guards to a corporation's internal network. Sitting between an internal network and an external network, such as the Internet, firewalls are configured to allow or deny specific electronic traffic.

The availability of security solutions is not the problem, says Mr. McLean. More often than not, companies will buy a firewall solution or an authentication solution. But they will not consider buying a total solution. 'Corporations must look at the risks,' says Mr. McLean, 'and then try to gain as much mileage as they can from individual pieces.'

Symantec Corp. recently released Symantec Enterprise Security. The product collection includes virus protection, content filtering and intrusion protection. The whole approach, says Michael Murphy, Symantec's Canadian general manager, is to assist corporations in being proactive in preventing security breaches. But before any products are purchased, a thorough security analysis must be undertaken, followed by a business needs analysis and a risk analysis.
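To make the perimeter and detection ideas in the paragraphs above concrete, here is an added example that is not part of the article and is not code from any product it mentions: a minimal first-match packet filter with a default deny (the "electronic security guard" configured to allow or deny specific traffic), and a small "motion detector" style check that flags repeated failed logins from one source. The internal network range, the rule set, and the log lines are all constructed for the example.

```python
# Added example, not from the article: a toy first-match packet filter
# (allow/deny with default deny) and a small "motion detector" check
# that flags repeated authentication failures per source address.
# The network ranges, policy and log lines are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" (external -> internal) or "out"
    proto: str               # "tcp" or "udp"
    src: str                 # CIDR the source address must fall in
    dst_port: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    dst_port: int


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule matching pkt; deny if none match.

    The default-deny fall-through is the important part: traffic the
    policy never anticipated is blocked rather than silently permitted.
    """
    for rule in rules:
        if rule.direction != pkt.direction or rule.proto != pkt.proto:
            continue
        if ip_address(pkt.src_ip) not in ip_network(rule.src):
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return "deny"


# Constructed perimeter policy; the internal network is assumed to be 10.0.0.0/8.
INTERNAL_NET = "10.0.0.0/8"
POLICY = [
    Rule("allow", "in", "tcp", "0.0.0.0/0", 443),     # public HTTPS only
    Rule("deny", "in", "tcp", "0.0.0.0/0", None),     # everything else inbound
    Rule("allow", "out", "tcp", INTERNAL_NET, None),  # internal hosts may reach out
]


def detect_auth_bursts(log_lines: List[str], threshold: int = 5) -> List[str]:
    """Return source addresses with at least `threshold` failed logins.

    Log format (constructed for this example):
        "<timestamp> auth FAIL user=<name> src=<ip>"
        "<timestamp> auth OK user=<name> src=<ip>"
    """
    failures = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[1] == "auth" and parts[2] == "FAIL":
            src = parts[4].split("=", 1)[1]
            failures[src] += 1
    return sorted(src for src, count in failures.items() if count >= threshold)


# Constructed log: five failures from one external address, one from inside.
SAMPLE_LOG = [
    f"2000-10-03T09:00:{i:02d} auth FAIL user=admin src=203.0.113.77"
    for i in range(5)
] + [
    "2000-10-03T09:01:00 auth FAIL user=bob src=10.1.2.3",
    "2000-10-03T09:01:01 auth OK user=bob src=10.1.2.3",
]


if __name__ == "__main__":
    probes = [
        Packet("in", "tcp", "203.0.113.9", 443),   # web traffic: allowed
        Packet("in", "tcp", "203.0.113.9", 22),    # inbound ssh: denied by rule 2
        Packet("in", "udp", "203.0.113.9", 53),    # no udp rule: default deny
        Packet("out", "tcp", "10.1.2.3", 80),      # internal host browsing out
    ]
    for p in probes:
        print(p, "->", evaluate(POLICY, p))
    print("auth bursts from:", detect_auth_bursts(SAMPLE_LOG))
```

The point of the two small functions matches the article's framing: the filter decides per packet what the perimeter lets through, and the detector does not block anything but raises an alarm when behaviour on a server looks unusual, which is why the article likens it to a motion sensor rather than a lock.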
This sequence of analyses sets the foundation for a sound security investment. When starting out, companies need to ask themselves questions such as 'What are we trying to protect and how much is it worth?' and 'What are the system's weak points?' By defining security risks, a corporation can better determine how much security is required. The inherent danger is that overreacting to security threats can create a system that is too secure, and frustrating to use, for both employees and customers. Ultimately, it is a question of balancing security and usability.

As with most decisions in the fast-paced business world of today, the development of a company-wide security system is a calculated risk. There is no guarantee that an effective security solution this quarter will guard against malicious events next quarter. Regular security audits are essential, as is an awareness of new threats and potential solutions. And the human element is always a key component.

'I think this [security] is all new to us,' says Mr. McLean. 'Where corporations will be in real trouble is where the outside hacker colludes with an insider who essentially helps the outside hacker to navigate the system. Then you're going to run into the potential for severe economic loss.'

---
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".