in the Internet economy has become too complex and dynamic for Great Catalogs Inc. to deal with, and traditional approaches to security aren’t helping. A handful of products and an occasional audit can’t address a fast-changing security environment and provide the protection that organizations need. The advantages of cost, speed, and access demand that companies leverage the Internet and open their networks to partners, customers, suppliers (and sometimes even competitors). In this interconnected environment, new and unfamiliar security risks are a daily reality. (Richardson, p. 64)
The Internet is enormously complex, with operating systems, applications and gateways driven by tens of millions of lines of code. Every day dozens of new vulnerabilities are posted to legitimate and underground web sites. Many pose little risk, but some are quite significant and have led to embarrassing data loss and web site vandalism. (Chittister, p. 118)
These posted vulnerabilities represent only a small fraction of the potential vulnerabilities that lurk within a mosaic of such hugely complex components. While many issues have been addressed, many more lie undiscovered, more than could ever be addressed by an army of quality assurance specialists.
Internet use continues to increase dramatically, making it the fastest growing medium in history. The number of Internet abusers is growing proportionately. For them, the Internet is a tool for mischief, larceny and espionage. Employees and contractors with Internet access from within your firewall make internal abuse a significant concern. (Chittister, p. 133)
Democratization of the Internet empowers abusers. The Internet and related technology have revolutionized industries by bringing access, power, and control to millions. Malicious abusers of the Internet also have enjoyed this same access to greater computing power, high-speed access, and mass forums for sharing information and attack tools. “A bored teenager today has access to everything he needs to launch a devastating attack on a remote commercial network.” (Richardson, p. 101)
Effective security involves more than obtaining the right technology. The real challenge is assuring its effectiveness, surrounding it with policies and practices that reduce risk, and addressing a changing environment. Traditional approaches to information security offer little help.
The fundamentalist approach seeks to attain effective security with better technology, stronger controls and a more secure architecture. Fundamental security is no more possible in the digital world than it is in the real world. Is there any such thing as a fundamentally safe airplane that can’t crash? Of course not, and neither is there a network that can be “fundamentally” secured from risk. Chasing such an impossible goal leads companies to invest too many resources in the wrong places without establishing a truly effective security posture.
If information security has become this complex and challenging, how should organizations approach the new challenges of operating safely in the Internet economy? We believe that the only way for organizations to ensure the integrity of their systems and data is to adopt a security program that is risk-based, holistic, dynamic and pragmatic.
- Risk-based. If protecting against every known threat is physically and economically impossible, organizations must acknowledge that not all risks are created equal and focus resources on the most significant ones. This requires them to understand the components of risk (vulnerability, threat and event costs) and how they interact. For example, a published vulnerability in a system is only significant if a threat is aimed at it and there is a significant cost to a successful attack. (Fairley, p. 60) Such an approach enables organizations to maximize the effectiveness of their security resources by concentrating on areas that will deliver the greatest reduction in overall risk. For remaining exposures, prudent organizations could transfer the risk through mechanisms such as insurance.
- Holistic. Organizations are extended and multi-faceted, and so are the risks to their critical data and systems. A strong security program must be multi-disciplined, addressing the key categories of risks: electronic threats (e.g., hacking, sniffing and spoofing); malicious code (e.g., viruses, worms and Trojans); physical security (e.g., theft and terminal hijack); human threats (e.g., social engineering, disgruntled employees, and sloppy security compliance); privacy risk (e.g., for company data, customer data and third party data); and downtime (e.g., denial of service attacks, power outages and natural disasters). (Richardson, p. 129) To address these, the security program should employ a multi-disciplined set of tools: electronic assessments, policy establishment and enforcement, standard practices and operating procedures, and ongoing vulnerability assessments. The security program must extend beyond an organization’s own borders to its extended network of customers, suppliers and partners. (Chittister, p. 190) In an interconnected world, corporate security is only as strong as the weakest link and companies are increasingly insisting that their partners apply verifiable security programs to their networks.
- Dynamic. Good security must be a dynamic process that addresses a constantly changing environment. This requires a steady flow of information and analysis around emerging security issues, to protect against new threats before it’s too late. Even risk transfer mechanisms must be examined regularly to ensure that new threats are covered. Policies, practices and configurations must be updated dynamically to remain relevant.
- Pragmatic. An effective security program must support the needs of the business without imposing excessive cost or inconvenience on users. Overly stringent security controls can lead to productivity loss among workers who wrestle with time-consuming processes. Overly restrictive controls undermine efficacy, as in the example of a demanding password policy that leads users to write passwords on sticky notes pasted to their monitors. Unnecessarily stringent controls increase the cost of technical support while delivering little incremental risk reduction.
Bibliography
Chittister, C., Kirkpatrick, R., and Van Scoy, R. (2002). Risk management in practice. New York: Harper Collins.
Fairley, R. (1999). Risk management for software projects. IEEE Software, 11(3), 57-67.
Richardson, D. (2001). Risk analysis. London: Pluto Press.