Thinking Right About Network Security
Written by Larry S. Wiggins
Monday, 09 March 2009
Computer network security is one of those negatives that few spend time thinking about. Even so, few would ever secure a home the way networks are secured. One would not build a new home and wait until it is completed to think about adding a security system. The security system would be an integral part of the design. One would not buy windows without latches or doors without locks. Yet often this is exactly what is done with networks. Applications, operating systems, and servers are bought with inadequate security. Then, after reading a few Internet horror stories, one decides he or she is living in a really bad neighborhood and tries to fit security into the system. A firewall (or some other security device) is purchased with the idea that it resolves the problem -- but it does not! In reality, all that has been created is a false sense of security. Sure, the doors are locked, deadbolted and barred, but the windows are still wide open!
Computer security is more than just putting locks on doors. It is a business process that should be managed and promoted if it is going to be effective and successful. No one would think of using a marginal accounting process or recommend a partial sales program, so why should one settle for marginal or partially effective security? Actually, there is a fairly consistent answer to that question. Although the cost of security can be expressed in real dollars, its benefits are hard to quantify. Most people do not think about security until their network has been breached and the resulting losses in property, productivity, or sales translate into real dollars.
The author recommends instead that security should be addressed proactively as a business process. Begin by identifying what assets are at risk, quantifying the values of these assets, and then determining where the network is vulnerable. Here are three areas to consider:
1. Denial of service can result from many different factors: a virus, a hacker's attack, sabotage, hardware failure, natural disaster, an accident, or operator error. Whatever the cause, these loss-of-service incidents force one to conduct business without the support of automated systems. The two-day Microsoft Network (MSN) service outage provides a good example. An unknown hacker prevented thousands of MSN users from accessing mail, database, and Internet services by continuously crashing MSN servers until Microsoft programmers could develop a patch that countered the attack.
The cost of denial of service incidents varies from industry to industry and business to business. Begin an analysis by asking some basic questions. What are the critical business processes? How long can the company go without the computer services that support those processes? Take order entry as an example. Phone orders can be taken manually and, if necessary, fulfilled manually. A company may be able to go days without computer services before sustaining any significant loss. But a company that depends on electronic ordering (e.g., a Web site on the Internet) starts accumulating unrecoverable losses immediately upon system failure.
2. Data loss or theft can result from unauthorized or unintended misuse of computer files. Data loss commonly means the loss of a day or two's work, but poor or inadequate backup procedures can produce weeks' or months' worth of loss. Data theft, on the other hand, involves unauthorized people getting access to data on business systems. Although this often can be attributed to the improper handling of data by company employees, very highly valued data (e.g., legal documents, confidential research, business plans) may be targeted by competitors or hackers. A Dallas Morning News story containing a purported confession by Oklahoma bombing suspect Timothy McVeigh apparently was based on confidential files stolen from his defense attorney's computer. The theft is being used as part of McVeigh's bid for retrial.
Again, begin a risk assessment by asking a few fundamental questions about the company's computerized data. What is the value of the information stored on the system? What would it cost to replace it? The loss of a day's worth of e-mail might be considered little more than an inconvenience but the loss of a day's worth of orders could cost millions. Having a researcher go back and recover data that accidentally was deleted can cost thousands of dollars, but how much would it cost if the competition got access to that same research?
3. Liability, or collateral losses, are also often associated with denial of service and data loss/theft costs. These liabilities may include fines for violating regulatory directives or civil penalties for failing to exercise due care. Some companies may be more concerned by the loss of customer confidence and its impact on future business. Hacker Carlos Salgado had over 85,000 stolen credit card numbers in his possession at the time of his arrest. Had these numbers fallen into the wrong hands, they could have amounted to $1 billion in credit fraud. Faced with these kinds of losses, credit card companies most assuredly would have sought damages from the sites Salgado had hacked. What liability costs is the company likely to incur if the data on the system is disclosed, destroyed, or stolen? What fines might be levied? What damages might be awarded? How much customer confidence would be lost? Collateral losses are the biggest risk some businesses take with their computer networks. Businesses subject to federal or state regulation (i.e., financial institutions) can be fined for the mishandling of electronic data. Security breaches that result in large financial losses might cause stockholders to bring class action suits against the company. The disclosure of personal or privacy information could result in lawsuits or fines. The ensuing publicity could cause customers to lose confidence in the business and seek services elsewhere.
Computer network security does not have to be expensive or intrusive. Small incremental changes often can dramatically reduce the risks outlined in the areas mentioned without affecting ease-of-use. But this cannot be known until a careful risk assessment has been done. The author's experience has shown that companies that take a business process approach to network security are able to find a sensible balance between risk reduction and cost, security, and usability. Stability, assurance, and a confident future result from thinking right about network security.
Last Updated ( Monday, 09 March 2009 )