Despite ever more being spent on securing information systems, the
number of security breaches continues to increase dramatically.
Keeping up with product vulnerabilities has also become a laborious
task: someone must track each advisory, tell system administrators to
apply the security patches and then verify that the patches have actually
been applied. As the volume of fixes grows it becomes ever harder to keep
up, and inevitably some will be missed, leaving known holes open and
either causing breaches or heightening the risk of them.
One of my clients in the Far East has 50,000 attempted
attacks on its network a week - or more than 7,000 a day - and the
numbers are increasing. The operator monitoring the logs can easily be
dazzled by the sheer number. If the trend continues it is likely
that some crucial alerts will be missed. The number of attempts is
getting so high that the intrusion detection systems are falling over
due to overload.
Clearly, more needs to be done. We need to rethink the
entire approach to protecting our systems and information from unauthorised access, tampering and other malicious acts.
Security needs to be approached with a comprehensive view of the
problem. We need to extend the scope beyond computers, networks and
other technologies to include human procedures, hiring processes,
personnel reporting structures, legal implications, security awareness
and physical security. A failure in any one of these areas is likely to
lead to a breach, for security is only as good as its weakest
link.
Too often network security dominates, because the network is where
the hardware, software and data come together. The result is that security
is approached on the fly, without top-down analysis, and is bolted on as an
afterthought rather than designed in.
In addition, network managers are kept busy keeping up
with demands for more servers, better performance and longer
trading hours. Over-stretched network managers often consider the
security work done once the firewalls, intrusion detection systems and
encryption are in place.
Despite all the advances in operating system technology, network and system administration is still a laborious task.
The security team is likely to be kept very busy. It is
important to prepare them so they know they may have to work unsociable
hours troubleshooting obscure bugs, sifting through forensic data or
poring over manuals. Financial compensation alone is often not enough
motivation. These people want training programmes and a working
culture that lets them exercise their creativity.
Besides attending to operational security problems, organisations must
allocate time and resources to evaluating new technologies that are
likely to affect how security is implemented.
The skills and experience of the security team members must be
correspondingly broad, to match the scope of the problems they have to
face.
Security solutions differ depending on factors ranging
from an organisation's mode of business to the socio-political situation
of particular countries. In some African countries, for example, the
security designer cannot rely on communication lines for online
authentication, because the cables often get stolen. It is, however,
probably fine to rely on human labour to painstakingly countercheck
security parameters, something affordable in low-wage Africa and an
advantage not affordable in many developed countries. In heavily
unionised Australia the practicality of using labour for such tedious
work is a different matter altogether.
Beyond the security team, the IT, audit, legal, marketing and human
resource departments all need to be well informed about information
security, because it is the foundation on which a business can roll out
new products and services swiftly.
Security awareness needs to be instilled regularly in
the rank and file. The legal department needs to be made IT literate and
to understand emerging cyberlaws and issues such as the legal
effectiveness of digital signatures. The audit department must check
whether its processes are still effective against cyberfraud and internal
sabotage of computer networks.
The marketing department needs to be more IT-savvy so it can choose
business tools without compromising security. The IT department has to
know how to evaluate software packages from a security perspective,
developers must know how to follow secure coding standards, and data
architects must ensure users cannot arbitrarily access data they are not
supposed to see. All this requires training and time, which should be
built into the human resource department's training and induction
programmes.
So security should not be confined to specialist or
elite groups in an organisation. Security practice must be pervasive
throughout the organisation and everyone has to play a part for it to be
effective.
Beyond the organisation, alliances have to extend to
external organisations: once connected to the Internet, one's
information systems cannot be regarded as isolated. Other desktops
and servers connected to the Internet could well end up deliberately or
inadvertently attacking your network.
There are cases where I have detected servers
from friendly companies attacking the servers I was protecting. We found
their servers were infected by a worm that in turn was crawling all
over cyberspace, in the process attempting to attack
our servers. After discussion with their system managers, the friendly
companies shut down their servers and had them rebuilt, saving us from
having to defend ourselves from their persistent onslaught.
So in general, close liaison amongst organisations keeps cyberspace a
little more secure, benefiting all.
These activities will result in changes to an organisation, which must
be supported by senior management and carefully managed. The security
manager's major task is to get buy-in from the board and senior
management for such organisational and cultural transformation. Some
readers may be amused by the naive suggestion that the security manager
is in a position to sell such a major transformation to senior
management. I empathise: many security managers report to the head of
IT, many layers away from top management. Often, these managers live a
frustrating life, having to answer to the very people they ought to be
checking on. This is a result of the myth that information security is
a purely technical problem, to be handled by the IT department.
To be effective, the security manager must be independent of system
implementers and operators, and have a direct reporting line to the
board or senior management. This provides a healthy system of checks and
balances, in which security weaknesses are continually identified and
eliminated.
Senior management decisions here have to be based on
the return on investment in maintaining a high standard of information
security. During economic downturns it is tempting for management to
freeze or reduce security spending and concentrate on core business
spending. This is dangerous: it is precisely during such times that
security risks are at their highest, with staff morale low because of
lay-offs and the insider threat from disaffected or departing staff
correspondingly greater.
The return on investment must also count the positive
cultural transformation that results from a security overhaul. Source
code inspected for security not only becomes more secure but also
improves in quality and stability. Incident response procedures and
rehearsals not only help staff fix technical problems more competently
but also instil a sense of urgency and attention to detail.
In the long term, security will have to be treated as a foundation
of the information system infrastructure. More and more
business will be conducted over the Internet, and customers will demand
ever more reliable and secure transactions. Inevitably, businesses will
have to make security a top concern: ignoring or
bypassing it will have perilous consequences.