Surviving Security

How to Integrate People, Process, and Technology

Amanda Andress

About This Book

Previous information security references do not address the gulf between general security awareness and the specific technical steps that need to be taken to protect information assets. Surviving Security: How to Integrate People, Process, and Technology, Second Edition fills this void by explaining security through a holistic approach that conside


Information
Year: 2003
ISBN: 9781135491628
Edition: 2
Pages: 528
1 WHY DO I NEED SECURITY?
INTRODUCTION
The need for security has existed since the introduction of the first computer. The paradigm has shifted in recent years, though, from terminal server mainframe systems, to client/server systems, to the widely distributed Internet. Although security is important, it has not always been critical to a company’s success. With a mainframe system, you were mainly protecting your systems from resource abuse — either authorized users hogging resources or unauthorized users gaining access and using spare resources. Such abuse was damaging because system resources were costly in the early days of mainframes. As technology developed and the cost of system resources decreased, this issue became less important. Remote access to systems outside a company’s network was almost nonexistent. Additionally, only the underground community had the knowledge and tools necessary to compromise a mainframe system.
The development of client/server technology led to a myriad of new security problems. Processor utilization was not a priority, but access to networks, systems, and files grew in importance. Access control became a priority as sensitive information, such as human resources and payroll, was being stored on public file servers. Companies did not want this type of data to be public knowledge, even to their employees, so new technologies such as granular access control, single sign-on, and data encryption were developed. As always, methods of circumventing and exploiting these new applications and security products quickly arose. Windows NT and UNIX became the operating systems of choice during this period.
During the client/server era, access into the corporate network was usually limited to a few dial-up accounts. This did open some security holes, but the risk to these accounts could be easily mitigated with procedures such as dial-back and access lists. Branch offices communicated with one another over dedicated leased lines.
Then came the Internet — the open access worldwide network — and everything changed. Soon, the Internet was everywhere. The growth of e-mail and the World Wide Web soon led companies to provide Internet access to their employees. It wasn’t long before developing an e-business initiative for your company was critical in order to stay competitive in the new marketplace.
With the increased use of the Internet, information, including security information, became accessible to the masses. Because the Internet is a public network, anyone on the Net can “see” any other system on it. In the beginning, this was not a huge issue because sensitive information was not easily accessible, but, as use of the Internet grew, companies began allowing increased access to information and networks over the Internet. This approach is great for business, but also very inviting to attackers.
According to alldas (http://www.alldas.org), an organization that tracks Web-site defacements, 1111 sites were defaced in May 2002 and 1126 sites in April 2002. On June 1, 2002, a total of 28 sites were listed, with another 32 showing up on June 2. As of June 25, 2002, some 58 percent of the defacements recorded by alldas.org have occurred on Microsoft Windows systems and 22 percent on Linux. The remaining 20 percent includes Sun Solaris, Novell NetWare, and open-source systems such as FreeBSD and OpenBSD. You can find the details at http://defaced.alldas.org/?archives=os. Although Web-site defacement is annoying, some people do not view it as a true security breach. Remember this, though: When an attacker has the means to modify your Web site, it is usually a trivial process to gain control of your entire network (unless, of course, you have taken these types of attacks into account when developing your security infrastructure).
The Computer Security Institute (http://www.gocsi.com) in San Francisco releases an annual study called the Computer Crime and Security Survey (see Exhibit 1). Highlights of the 2002 survey include the following:
▪ Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months.
▪ Seventy percent reported a variety of serious computer security breaches other than the most common ones of computer viruses, laptop theft, or employee “Net abuse” — for example, theft of proprietary information, financial fraud, system penetration from outsiders, denial-of-service attacks, and sabotage of data or networks.
▪ Eighty percent acknowledged financial losses due to computer breaches.
▪ Forty-four percent were willing and/or able to quantify their financial losses. The losses from these 223 respondents totaled $455,848,000.
▪ As in previous years, the most serious financial losses of 2002 occurred through theft of proprietary information (26 respondents reported $170,827,000) and financial fraud (25 respondents reported $115,753,000).
▪ For the fifth year in a row, more respondents (74 percent) cited their Internet connection as a frequent point of attack than those who cited their internal systems as a frequent point of attack (33 percent).
▪ Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16 percent acknowledged reporting intrusions to law enforcement.)
Exhibit 1. Computer Security Institute Figures Showing Business Financial Loss Due to Computer Attacks

Attack                            Total Annual Losses ($)
                                        1997         1998         1999         2000
Theft of proprietary information  20,048,000   33,545,000   42,496,000   66,708,000
Sabotage of data or networks       4,285,850    2,142,000    4,421,000   27,148,000
Telecom eavesdropping              1,181,000      562,000      765,000      991,200
System penetration by outsider     2,911,700    1,637,000    2,885,000    7,104,000
Insider abuse of Net access        1,006,750    3,720,000    7,576,000   27,984,740
Financial fraud                   24,892,000   11,239,000   39,706,000   55,996,000
Denial of service                        n/a    2,787,000    3,255,000    8,247,500
Spoofing                             512,000          n/a          n/a          n/a
Virus                             12,498,150    7,874,000    5,274,000   29,171,700
Unauthorized insider access        3,991,605    5,056,500    3,567,000   22,554,500
Telecom fraud                     22,660,300   17,256,000      773,000    4,028,000
Active wiretapping                       n/a      245,000       20,000    5,000,000
Laptop theft                       6,132,200    5,250,000   13,038,000   10,404,300

Note: n/a = not available. Figures are in U.S. dollars.
The survey information can be found at http://www.gocsi.com. You can also request a copy of the full report at this direct link: http://www.gocsi.com/forms/fbi/pdf.jhtml.
The growth of e-business has made security a must-have for many companies. IDC, a leader in technology research, predicts that the market for security products will grow to $14 billion by 2005, more than doubling its current size, estimated at $5.1 billion. Even though businesses are spending billions of dollars on security products, they are not all implementing them well. A misconfigured security solution is almost as bad as not having one at all. Additionally, many companies completely ignore the most important aspects of security — people and processes.
FOR MORE INFORMATION
If you’d like to know more, here are two sources:
Secrets & Lies: Digital Security in a Networked World, by Bruce Schneier, renowned cryptographer and security expert. Published by John Wiley & Sons, this book discusses, in a very readable, nontechnical way, the security issues we face in today’s business environment.
http://www.securitystats.com/ — A Web site devoted to computer security statistics.
THE IMPORTANCE OF AN EFFECTIVE SECURITY INFRASTRUCTURE
Security is critical in today’s business environment. In addition to protecting hard assets such as servers, workstations, network components, and data, you need to protect the intangible assets of your company. Security breaches can have a profound effect on a company’s reputation, branding, and general corporate image.
With e-business, securing these intangible assets is critical and may be more important than protecting physical assets. You can replace and rebuild physical assets, but it is difficult, if not impossible, to rebuild a brand and corporate image. For example, the compromise of Egghead.com’s systems and customer database in December 1999 might have jeopardized 3.7 million credit cards. Egghead did not respond well, neither confirming nor denying the compromise of customer credit card numbers. Customers were vocal, though, expressing concerns about the company’s storage of credit card numbers on unsecured servers and claiming that they would never shop at Egghead again. If these customers had all followed through with their claims, Egghead might have suffered financially from an issue that easily could have been avoided with security vigilance.
Protecting your physical assets can also provide some protection for your intangible assets, but risks still exist. What happens if a disgruntled employee sends off a rogue press release claiming that your network was attacked and that customer information was compromised? The highest levels of security on your physical assets would not protect you from this type of assault, which Bruce Schneier calls a semantic attack.
Even though security is important and many technologies are being developed to help with the process of securing systems, security and its underlying technology should never overshadow the business reason for implementing security. You never want to spend more money on a security solution than the cost of what you are protecting. For example, if you calculate that the cost to replace compromised data is $200,000, you do not want to spend $1 million on a system to protect that data.
PEOPLE, PROCESS, AND TECHNOLOGY
Security is not a single solution. Security is a pervasive, ongoing process of reviewing and revising based on changes to the business and corporate environment. It is the culmination of interaction between people, process, and technology. Schneier suggests this mantra: “Security is a process, not a product.” This statement reflects how every company should approach security. Security products are only one piece of the puzzle, and implementing those products is not a one-step process. As the corporate environment changes, these products should be analyzed and reconfigured.
Overall, security is not something you can “get.” There are no out-of-the-box, plug-and-play solutions that provide you with an adequate security infrastructure. Building an effective security infrastructure requires analysis and planning along with the development of policies and procedures — and a little help from security products.
Policies form the foundation of your security infrastructure. (Chapter 3, “Security Policies and Procedures,” discusses this topic in detail.) Policies define how a company approaches security, how employees should handle security, and how certain situations will be addressed. Without strong policies implemented in the company and reviewed on a regu...