Six top security issues for executives

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,77132,00.html

[The Art of War by: Sun Tzu 
http://www.amazon.com/exec/obidos/ASIN/0195015401/c4iorg  - WK]


By Yona Hollander
DECEMBER 30, 2002

Sun Tzu, a legendary Chinese strategist born more than 2,000 years 
ago, taught the importance of knowing both your enemy and yourself: 
If you know the enemy and know yourself, you need not fear the result 
of a hundred battles. If you know yourself but not the enemy, for 
every victory gained you will also suffer a defeat. If you know 
neither the enemy nor yourself, you will succumb in every battle. 

-- Sun Tzu, in The Art of War, Chapter 3, Verse 18 

Truer words were never spoken when it comes to information security. 
To succeed, you must know your enemy as well as your own strengths and 
weaknesses. The following are six issues of which executives should be 
aware to protect their systems. 


1. Know Your Enemy 

The faceless external attacker often plays the villain role in the 
traditional information-security drama. While such external attackers 
exist and are a real threat, internal misuse presents a much greater 
risk and must not be ignored. To truly know your enemy, you must 
consider and understand both external and internal threats. 


2. Understand External Enemies 

By definition, external enemies attempt to attack you from outside 
your corporate boundaries. These attackers may be teenagers in their 
parents' basements, miscreants in other countries or credit card 
thieves, among others. External enemies attack your enterprise for 
various reasons; some are more malicious than others. 

Many external attackers resemble joy riders who steal cars for the fun 
of it. These attackers target your network to show off their skills 
and expertise to their peers. While they often have little malicious 
intent, they can cause vast amounts of damage to your systems. 

Politics motivate other external attackers. They may want to deface 
your public Web site and use it as a venue for their political 
messages. Such political defacements occur relatively frequently, 
numbering in the hundreds per year. 

Other motivations include theft, fraud, corporate espionage and even 
cyberterrorism. External attackers must be clever to infiltrate your 
perimeter defenses, but experience has shown that such infiltration is 
possible and, in some cases, even easy. 

The external threat includes individual attackers manually probing and 
penetrating your networks, as well as highly automated attacks such as 
worm programs. For example, the Code Red worm attacked and compromised 
hundreds of thousands of hosts around the world in a matter of hours. 
Skilled attackers can create such worm programs with little effort. 
The threat from worms continues to grow, and protecting your systems 
against them is crucial. 


3. Defend Against Internal Enemies 

Many traditional security approaches concentrate on building and 
protecting a hardened perimeter to protect against the external 
threat. This approach would be sufficient if all enemies were 
external. In reality, concentrating on the perimeter only builds a 
false sense of security while leaving your organization vulnerable to 
attack and misuse by those who can hurt you most: insiders. 

Insiders know what your most valuable information assets are, where 
they're stored and how to access them. An insider at a credit bureau 
drove the success of the recently apprehended identity theft ring that 
stole millions of dollars from individuals around the country. 

Not all inside enemies are full-time employees of your company. 
Contractors, temporary workers and former employees may have 
privileged access to your systems with little control over or 
oversight of their activities. 


4. Know Yourself 

In the context of information security, knowing yourself implies 
understanding your systems and staff as well as the security risks 
associated with both. If you don't know your own points of 
vulnerability and risk, it's difficult to protect yourself. Again, too 
frequently information security initiatives focus on external forces 
and neglect internal systems, vulnerabilities and threats. Judicious 
use of risk analysis tools and background checks can significantly 
improve your knowledge of your company. 


5. Be Aware of Regulations and Consequences 

Serious consequences exist for ignoring security. The regulatory 
climate for information security and privacy is increasing. The 
Gramm-Leach-Bliley Act, the Health Insurance Portability and 
Accountability Act and various other federal and state regulations are 
raising the security bar for corporations by requiring minimum 
security standards to be in place. Companies that don't comply will 
face significant penalties in the future. 

For example, a new law in California (effective July 1, 2003) requires 
businesses that own databases to disclose security breaches if certain 
personal information was or may have been compromised. Californians 
can bring civil actions for actual damages and injunctive relief 
against entities that fail to comply with the law. 

Businesses also face the possible loss of customer confidence and 
revenue in the face of a successful attack against their systems. 
Egghead Software's widely publicized security breach led to a 
precipitous drop in its stock price and revenue; the business never 
recovered, and Egghead closed its doors not long thereafter. Customers 
will not buy from companies that they do not trust. 


6. Protect Yourself 

Rather than solely relying on perimeter defenses, such as firewalls, 
to safeguard your enterprise, protect each critical server and data 
store against misuse. By protecting valuable information assets 
directly, you achieve protection against both internal and external 
threats. Proper protection includes using technology products (such as 
intrusion prevention, antivirus and access control software) as well 
as sound security processes (such as security policies and risk 
analyses). Using products and processes together to secure each 
critical asset yields the best protection. 

Referring to warfare, Sun Tzu taught long ago the importance of 
knowing your enemy as well as knowing yourself. Information security 
is no different. Failure to understand the threats to your business 
and your ability to counter those threats could be catastrophic to 
your organization. 


Yona Hollander is vice president of security management at Entercept 
Security Technologies, an intrusion-prevention software company in San 
Jose. He is part of Entercept's Ricochet Team, a specialized group of 
security researchers dedicated to identifying, assessing and 
evaluating intelligence related to server threats. 




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.