Security Aspects - IT Security from a Birds Eye View
Computers are heavily used absolutely everywhere, from NASA and the military defence systems to the retail outlets throughout the world.
Whatever process we take and every step we take, whether it is a financial transaction, dealing with medical information or just dealing with any sort of confidential data, computers and databases as well as other applications are involved. We use technology for electronic banking, water supplies, emergency services and many other things.
When anyone thinks about security, the first thing that comes to mind is anti-virus and a firewall.
Then for the more advanced users there are other aspects such as IDS/IPS, VPN’s, authentication servers, wireless security, and general hardening of operating systems such as closing down unused services and ports.
However these are just a subset of the bigger problem in the world of security. We can not forget issues with physical security, business processes, employee management, etc.
It’s a bit of a concern really that hacker’s get most of the publicity, as most consider this an interesting part of security. However security officers and network admin's concentrate so much time and effort protecting their network from hackers that they forget the basics, and other areas of security.
The scary part to all this is more security breeches happen from within the company, it’s usually the disgruntled employees, or just employee errors and bad management.
IT today plays a massive part, and without Information Technology many businesses will be unable to continue. Therefore business process very much involves the use of IT, and so is very much tied into how we secure these processes.
As we are so dependent on computer systems and the interconnecting world via our computers and networks then there should be a protective measure in place.
One way to look at this is how does information flow from one part of the business to the other? And to look at ways this flow can be compromised, looking for weak points within this data flow. So how is it sent, received, what hops does the information take, who handles this information, who has access to this data from a physical and logical perspective, where is it stored, etc.
Another example would be does one person have the ability to handle this information flow from one end of the business right through to the other end, because this could potentially lead to internal fraud very easily? That’s why we need measures in place like rotation of duties, separation of duties and dual control.
Security covers number different areas. The obvious are the technical security technologies we place in front of our gateways and on our endpoint system. However there’s other area’s such as physical security such as how security guards and physical IDS systems like CCTV cameras are used. There’s business processes, how transactions are handled within the business, how everyday operations are carried out like backups, configuration and change management, how employees are handled in different situations. So security does expand right through the organisations, whether it is technical or not.
Also what is your business primary requirement in terms of security? For example in the military privacy is the primary importance, but for a financial business integrity is the primary importance. For example DOD (Department of Defence) would not want anyone to see their latest defence strategies, though the need for privacy. A bank would not want their figures fiddled with, though the need to maintain a high level of integrity.
Also other aspects play a role in security, such as have you done any risk analysis on your tangible and intangible assets? This will help an organisation know what to protect, or prioritise their assets, spending more on the important assets. Have you polices, standards, procedures and guidelines in place. These can explain situations such as how a company protects against trade secrets and intellectual properties from employees leaving to go work for a competitor. These will help assist staff when they don’t know what to do in many different situations, and help in many other situations.
Have you outlined who is responsible for what assets? What access control strategies you have in place? Who does the auditing for the company?
It’s all about a layered approach. You need to really understand your network infrastructure, the environment around it, and the process that you place within your business, the information flow, and just about every aspect of your company before you really have a good idea on how to put security measures into place.
Today almost all hackers are out there for one primary intention only, to make money, or should I say steal money. There are other intentions as well such as script kiddies and hackers who just feel good about bringing websites and services down. Then there are attacks such as attacking competitors, stealing trade secrets, or attacking the enemy’s military system to find vital information.
The problem is we don’t hear of many of these attacks. Organisation's and governments like to keep these things quiet due to reputation, loss of business, etc.
The only one’s that make it to the public are when it is affecting a large amount of people or it is a big hit to the organisation. Also they don’t want the world to know they have vulnerabilities and holes all over their network.
Organisation's only inform customers they are being affected because of privacy laws introduced mainly in America.
Identity theft is the most popular crime today and still growing. These are used in some way or the other to commit a crime using an individual’s identity. Accidents do happen and when USB’s with confidential data is lost, or a computer sold which has been used for confidential data, or many other similar activities, these can have detrimental outcomes for individuals and organisation's.
For more information on ID theft visit www.idtheftcenter.org.
Phishing and Pharming are ways to commit identity theft. A hacker will send thousand of emails asking users to login to their banks website, EBay, or any other website, and update their personal information. The link provided within the email really sends the victim to the hackers own built website which mirrors a real site such as EBay or Barclays. When the end user updates their info, this information is really given to the hacker, and from here the hacker can attempt to use their confidential information to either login to the real website, or use their information for other fraudulent activities.
It is not just individuals; organised criminal groups are carefully crafting more organised crime.
It’s scary that there are so many tools available to hackers depending on how an individual would use them. It’s not like the old times where hackers needed a level of programming skills in order to succeed in an attack. With today’s tools, the ease of use of these tools, the amount of information on websites how to execute such attacks, anyone has the potential to do damage.
To see fact and figures for yourself you can visit www.cybercrime.gov.
Now there are a number of privacy and confidentiality laws been put into place ensuring companies are responsible for compliance within the organisation. Some common regulations are HIPAA (Health Insurance Portability and Accountability Act), Gramm-Leach-Biley Act, Sarbanes Oxley Act of 2002, PCI DSS and a number of others.
What makes these laws even more crucial and of more importance is that CEO’s and CFO’s themselves are being held responsible. There have been a number of incidents where CEO’s and CFO’s have been either charged a huge lump sum of cash or given a prison sentence. This really does stress the seriousness of deploying and following these laws and regulations to the dot. Management have to decide what data is valuable and what to protect within the organisation. Management will be held liable if things go wrong.
Other things to think about are what frameworks, standards can we use that would help us secure our organisations and make us compliant, such as using ITIL, 27001. What security models and practices can we follow? ISO 27001 is a standard. Organisation that meet the ISO 27001 standard are formally audited and certified if they meet the requirements, therefore showing they are ISO 27001 compliant. ITIL is a framework of best practices.
This section of the website will cover the remaining technical aspects such as endpoint protection, data leakage protection, web protection for end users, web protection for web servers, hosted security, common hacking tools, security laws, standards and regulations and more. You can find information on these topics on the left hand side menu.
For further reading, there's some excellent electronic ebooks available for download from eBooks.com