Software vendors will always favor speed to market over the need to test their products to the n'th degree, and IT directors do not have endless budgets to spend on paying for every upgrade and patch. No longer is it the case that 'good security' is an impenetrable network that lets nothing in, monitors everything that's going out and costs a fortune. Even if companies could afford security software to fix every flaw and gap, the result would be a network so impregnable that it would be slowed down to the point of being useless.
The obsession around security is well-founded but it has now gone beyond the realms of usefulness. The media focuses its attention on companies needing to be 100 percent secure 100 percent of the time. But that simply won't happen; it can't be guaranteed, nor need it be.
The problem for today's security professionals and the board of any self-respecting company, is risk management - a well-established concept in financial terms that is now being extended to include IT infrastructure. Companies in all industries face different types of risks in every part of their businesses. Whether it is a risk of falling profits, poor production, bad weather or product liability, businesses must protect themselves and their shareholders in creative ways. The threat of security breaches is not a new risk but is more high profile than it's ever been, both at a board level and among shareholders.
A dictionary definition of risk is "the chance or possibility of suffering loss, damage or danger." By definition, chance or possibility themselves evoke a sense of the unplanned and unknown, so even the best security program in the world cannot eliminate risk - therefore risk must be managed. The investment made in protecting assets must consequently be linked to their business value and to the degree of risk willing to be tolerated.
Reality dictates that companies must fully assess and understand the value of their information and their vulnerability to risk in order to direct their IT security resources accordingly. Why spend thousands of pounds protecting something that isn't valuable in the first place? Additionally, the security technology on offer in today's market is so varied and complex that choosing the right products becomes an absolute minefield. The key factor is to avoid conflicting or dueling technologies. This means standards for adopting security technology must be in place.
The biggest risk for today's companies is related to the pace at which we all want to work and what we demand and expect from whatever tools we use. This instigates a battle between functionality and security. Security is not about simply ticking a box and moving on - in the dynamic environment of a network, circumstances are continually changing. The larger the company, the larger the challenge to manage all the devices and constituents connecting and disconnecting to that network. Following on from that is the fact that the way to do business has fundamentally changed and therefore, so has the way we address security. With the need to allow third parties such as partners, customers and suppliers access to a network, it's not feasible to produce a blanket list of risks for all scenarios, rather it's about assessing the value of the data and the level of confidentiality it requires.
With all this in mind companies must develop security policy and practices. The first element should be the risk management model, in order to develop and enforce security polices, and the second should be recognizing that breaches will happen. The key to immediate and effective response is to have a well-thought-out strategy.
Developing a security policy
One of the most widely used security models has four key aspects:
- Protect. This is about assessing vulnerabilities right from the most basic, such as the failure to apply readily available fixes to well known software weaknesses; poor configuration or implementation errors for systems and perimeter defense products.
- Detect. Following on from initial assessments it is vital to continue monitoring system activity on a regular basis to see if and where vulnerabilities are being exploited. While some incidents are clearly malicious it's often the case that employees can make mistakes, or accidents can simply be caused by poor system configuration.
- React. Once incidents have been detected, their severity can be assessed and therefore any impact mitigated. Reacting to a fast spreading virus, halting a denial-of-service attack or tracking down the poor configuration of a file server all require different levels of response.
- Recover and revise. After mitigating the impact of an incident and restoring the system (should that be required), it is vital that the security policy is revised so that similar incidents are prevented from occurring again.
Developing a security program around these four key aspects needs to involve three factors - people, process and technology. If a program is to be more than just a token gesture, compliance from people will be paramount. Everyone needs to buy into the program, understand their roles and responsibilities, be prepared to respond to unanticipated situations, and be the vanguards of good security policy.
The British Standards Institution (BSI) is one of the key forces in the U.K. driving the adoption of an industry-wide security standard. Their ISO 17799 code of practice on information security management is also being adopted worldwide.
The basic elements of the standard are:
- Security policy: this provides management direction and support for information security.
- Organization of assets and resources: to help you manage information security within the organization.
- Asset classification and control: to help you identify your assets and protect them appropriately.
- Personnel security: to reduce the risks of human error, theft, fraud or misuse of facilities.
- Physical and environmental security: to prevent unauthorized access, damage and interference to business premises and information.
- Communications and operations management: to ensure the correct and secure operation of information processing facilities.
- Access control: to control access to information.
- Systems development and maintenance: to ensure that security is built into information systems.
- Business continuity management: to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
- Compliance: to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.
While policy may sound boring and is often the item at the bottom of the pile of any organization busy trying to get on with business, it is the one thing that companies globally cannot ignore. As more and more of our business processes and communication (internally and externally) are done electronically, the stakes for poor security policy are higher than ever before. Security issues are here to stay - all companies must be prepared to suffer some losses in the low-risk areas of their business in order to benefit from being more secure in other, more important divisions. This compromise alongside company-wide awareness of security will ensure that a business, if not quite attaining Fort Knox status, is at least as secure as it can realistically be.
Tony Anscombe is regional director, Northern Europe, for security, firewall and VPN specialist Stonesoft (www.stonesoft.com).