Leading Edge Focus: Information Security In An Insecure World
By J. Eric Smith

Information security is on everyone's mind these days. Almost daily, news reports tell of a new virus, a company being hacked or secrets being stolen. The Internet has opened up an entirely new way of doing business, and along with it has come an array of technically savvy people willing to use their skills for malice. Corporations spend billions of dollars annually trying to stop this activity, but is it doing any good?

THE MYTH OF PERFECT SECURITY

One of the most difficult concepts any business has to grasp is that no security system is perfect. Any system that can be used can be abused. No matter what measures are taken, a skilled hacker with the right information will eventually penetrate the best security.

However, the key word here is "eventually." Hacking secured systems takes time and effort. Hackers hope to get something valuable from a system that makes the effort worth their time. They break into secure systems for many reasons: some for notoriety, some for vengeance, and others to steal credit card information.

The key to defeating hackers is startlingly simple and effective. Security systems need to make the effort of getting in outweigh the reward of succeeding. The Internet is rife with Web sites that haven't the slightest bit of security, so a hacker has no shortage of targets from which to choose. Spending just a few hours analyzing and securing systems can deflect virtually all attacks, assuming the correct information is secured in the proper manner.

THE COMPROMISE BETWEEN SECURITY AND USABILITY

Security, by definition, restricts usage. Security applied haphazardly is worse than no security at all. It gives a false sense of security and, perhaps more damaging, it inconveniences legitimate users of the system. Studies have shown that the average user of a Web site will, at most, try twice to accomplish a task before going elsewhere. Lost sales and missed opportunities are the result. If security drives customers away, it does more harm than good.

Similarly, internal company users can be frustrated by overbearing, pointless security and will find ways around it despite the most stringent regulations and procedures. Studies have shown that the vast majority of successful attacks begin from inside the company. Whether these breaches happen because of disgruntled or misguided employees, or because bypassed security allows an outsider to gain privileged access, the results are harmful.

BUT NOBODY WOULD ATTACK US, WOULD THEY?

Nearly every company or organization has something of value on some level that will be of interest to others. Many organizations have relied on what security experts call "security through obscurity." The thinking is that if a company is small or not very technologically advanced, hackers will assume it has nothing of value. The converse is true.

In a day when technology allows a hacker to scan millions of companies for vulnerabilities at the push of a button, relying on obscurity is no longer an option. Hackers find value in everything, whether stealing information or money or simply corrupting files. Companies that possess private information on customers or patients risk embarrassment and legal trouble if any records are exposed. Recent changes in federal regulations can result in fines, penalties or lawsuits by aggrieved customers. The cost of security can no longer be considered optional when the cost of a potential breach far outweighs that of creating and maintaining a secure system.

FINDING A BALANCE

Creating the proper level of security for a system should begin with a vulnerability analysis and security needs assessment. The old adage "work smarter, not harder" applies to modern information security. After determining the need, a security plan can be developed that includes:

  • Budgeting
  • Implementation (in-house security team or outside vendor)
  • Flexibility (varying security levels depending on need)
  • Attack response (recognizing and recovering from security breaches)
  • Ongoing maintenance

Security must be considered an ongoing effort. Secure systems today may become insecure tomorrow as threats change. News of vulnerabilities within systems spreads quickly among hackers, leaving security administrators a small window of time to patch new holes. The price of a breached system could be an entire business. Are you willing to roll the dice?