Monday, September 1, 2014

Rethinking Security
Despite more and more being spent on securing information systems, the number of security breaches continues to increase dramatically.

In addition, it has become a laborious task to keep up with product vulnerabilities, instruct system administrators to apply the security patches and then verify that the patches have actually been applied.

Eventually it will become very difficult to keep up with all the latest security fixes and inevitably some will be missed, causing security breaches or heightening the risks.

One of my clients in the Far East has 50,000 attempted attacks on its network a week - or more than 7,000 a day - and the numbers are increasing. The operator monitoring the logs can easily be dazzled by the sheer number. If the trend continues it is likely that some crucial alerts will be missed. The number of attempts is getting so high that the intrusion detection systems are falling over due to overload.

Clearly, more needs to be done. We need to rethink the entire way of protecting our systems and information from unauthorised access, tampering and other malicious acts.

Security needs to be approached with a comprehensive view of the problem. We need to extend the scope beyond computers, networks and other technologies to include human procedures, hiring processes, personnel reporting structures, legal implications, security awareness and physical security. Any failure in any of these is likely to mean security breaches, for security is only as good as its weakest link.

Too often network security dominates, because the network brings together the hardware, software and data. This implies that security is approached on the fly without top-down analysis and happens as an afterthought rather than getting designed in.

In addition, network managers are kept busy keeping up with requirements for more servers, better performance and longer trading hours. Over-stretched network managers often consider the security work done once they have installed the firewalls, intrusion detection systems and encryption processes.

Despite all the advances in operating systems technology, network and system administration is still a laborious task.

The security team is likely to be kept very busy. It is important to prepare them so they know they may have to work unsociable hours troubleshooting obscure bugs, mining forensic data, or poring over manuals. Financial compensation alone will often not be enough motivation. These people want training programmes and a working culture that allows them to experiment with their creative energies.

Besides attending to operational security problems, organisations must allocate time and resources to looking at new technologies that are likely to make an impact on the security implementation.

The skills and experience of the security team members must likewise be multifaceted to correspond to the scope of the problems they have to face.

Security solutions differ depending on issues ranging from an organisation's mode of business to the socio-political situation of particular countries. In some African countries, for example, the security designer cannot rely on communication lines for online authentication, because the cables often get stolen. However, it is probably fine to rely on human labour to painstakingly countercheck security parameters - something affordable in low-wage Africa and an advantage that is not affordable in many developed countries. In heavily unionised Australia the practicality of using labour for such tedious work enters a different sphere.

Beyond the security team, the IT, audit, legal, marketing and human resource departments all need to be well informed about information security, because it forms the basis for a business to implement new products and services swiftly.

Security awareness needs to be inculcated regularly in the rank and file. The legal department needs to be made IT literate and to understand emerging cyberlaws and issues like the effectiveness of digital signatures. The audit department must check if its processes are still effective in combating cyberfraud or internal sabotage on computer networks.

The marketing department needs to be more IT savvy to choose business tools without compromising security. The IT department has to know how to evaluate software packages from the security perspective, developers must know how to follow secure coding standards, and data architects must prevent users from arbitrarily accessing data that they are not supposed to see. All this requires training and time that should be built into the human resource department's training or induction programmes.

So security should not be confined to specialist or elite groups in an organisation. Security practice must be pervasive throughout the organisation and everyone has to play a part for it to be effective.

Beyond the organisation, alliances have to extend to external organisations: once connected to the Internet, one's information systems cannot be perceived to be isolated. Other desktops and servers connected to the Internet could well end up advertently or inadvertently attacking your network. There are cases where I have detected servers from friendly companies attacking the servers I was protecting. We found their servers were infected by a worm that in turn was crawling all over cyberspace, in the process attempting to attack our servers. After discussion with their system managers, the friendly companies shut down their servers and had them rebuilt, saving us from having to defend ourselves from their persistent onslaught. So in general, close liaison amongst organisations keeps cyberspace a little more secure, benefiting all.

These activities will result in changes to an organisation, which must be supported by senior management and carefully managed. The security manager's major task is to get buy-in from the board and senior management on such organisational and cultural transformation. Some readers may be amused by this naive suggestion that the security manager is in the position to sell such a major transformation to senior management. I empathise: many security managers report to the head of IT - many layers away from the top management. Often, these managers live a frustrating life, having to answer to the very people they ought to be checking on. This is a result of the myth that considers information security as a technical problem, to be handled by the IT department.

To be effective, the security manager must be independent from system implementers and operators, and have a direct reporting line to the board or senior management. This will ensure a healthy check and balance in the system, with security weaknesses constantly checked and eliminated.

Senior management decisions here have to be based on the return on investment in keeping a high standard of information security. During economic downturns it is tempting for management to freeze or reduce security spending and concentrate on core business spending. This is dangerous, as it is during such times that security risks are at their highest, with staff morale at a low because of lay-offs.

The return on investment must consider the positive cultural transformation that results from a security overhaul. Source code inspected for security not only becomes more secure but also better quality and more stable. Incident response procedures and rehearsals not only make staff fix technical problems more competently but also develop a sense of urgency and attention to detail.

In the long term, security will have to be considered as a foundation for information system infrastructure. More and more business will be conducted over the Internet, and customers will demand ever more reliable and secure transactions. Inevitably, businesses will have to make security a top concern: ignoring or bypassing it will have perilous consequences.