Reaction

While a variety of preventative measures can be employed in order to minimize the risk of attack, no business or organization can be completely safe. No matter how much is invested in security, there will always be vulnerabilities that can be exploited either purposefully or accidentally. While increased investment can close the most apparent vulnerabilities, there is a law of diminishing returns. There is no investment amount that can guarantee absolute security. The challenge is in determining the right amount of investment that is required in order to reduce the possibility of attacks to an acceptable level from a risk-management perspective. As security measures are scaled up, there is an ease-of-use cost to pay in addition to a financial cost. End users within a business like to have easy access to their applications and data and often complain if security measures become what is seen as too much of an obstacle. In this respect, an education process is necessary. End users may need to sacrifice some convenience to keep their applications and data more secure and more resilient from corruption, either intentionally or unintentionally. Education can help them better understand the importance of both physical and computer-based security and the consequences when this is incorrectly applied or omitted.

The good news is that alternative techniques that allow increased computing security with improved ease of use for end users are becoming available. These techniques include a number of authentication mechanisms such as handwriting recognition, facial recognition, smartcards, and image-based passwords as opposed to character-based passwords. Image-based passwords use a person's ability to remember visual patterns instead of strings of characters. Since most people choose very obvious text passwords that can easily be cracked by publicly available software, the image-based password approach can aid in making authentication more effective and easier to use at the same time. However, each technique has its advantages and disadvantages, so authentication techniques need to be evaluated on a case-by-case basis. These cost and ease-of-use factors typically limit the level of security measures that a typical business can put into place. Education can play a strong role, but most businesses will never get close to having absolute security due to these financial and acceptance issues.

Breaches to security can occur in a variety of situations that are often unrelated to deliberate attacks. Even poorly tested or configured software can be a major issue and source of vulnerability. Since Web applications are, for the most part, stateless, information about the current users and their current activity often has to be passed along from one Web page to the next in order to maintain the users' "session." This session is their context of activity and, in e-commerce scenarios, is thought of as their electronic shopping cart. Often, the users' session is maintained by passing codes in the request to the next Web page and is visible to end users as extra characters on the address line within the browser. If this address line is left unencrypted, curious end users can experiment with these codes and can pull up other people's information by changing the values within the codes. This is a very simple example of a vulnerability, but one that occurs frequently. If this happens to a financial institution and the matter gets reported to the media, it can be a major incident that is costly in terms of customer and shareholder relations. It is therefore important to ensure that security best practices are put into place not only within the run-time computing environment, but also in the development environment. Business analysts and developers need to think about security from the requirements and design stage onward. Too often, security is considered as an afterthought after bugs have been found or after breaches have occurred. The software problem extends to poorly configured or poorly updated security policies and patches as well. The fact is that fixes to vulnerabilities are often readily available before the attacks. Businesses need to ensure that access policies are maintained and that the most recent patches are installed on their systems. Without ongoing updates, a system is open to exposure on a daily basis.
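The session-in-the-address-line weakness described above, shown as an added example that is not part of the book: a handler that trusts the customer id carried in the URL, beside one that resolves the customer from a server-side session and checks that the requested order belongs to that customer. The hostname, order data and session store are constructed for illustration.

```python
# Added example (not from the book): the URL-parameter tampering weakness
# described above and the server-side ownership check that closes it.
# All data below is constructed for illustration.
from urllib.parse import urlparse, parse_qs
import secrets

# Constructed back-end data: orders keyed by order id, each owned by one customer.
ORDERS = {
    "1001": {"owner": "alice", "total": "42.00"},
    "1002": {"owner": "bob", "total": "310.50"},
}

# Server-side session store: opaque random token -> authenticated customer.
SESSIONS = {}

def login(customer):
    """Create a session and return the opaque token the browser would keep in a cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer
    return token

def view_order_vulnerable(url):
    """Trusts the customer id and order id carried in the address line.
    Editing ?cust=alice to ?cust=bob in the browser returns bob's order."""
    qs = parse_qs(urlparse(url).query)
    order = ORDERS.get(qs.get("order", [""])[0])
    if order is None:
        return None
    # The 'cust' parameter is user-controlled and only echoed back, never verified.
    return {"customer": qs.get("cust", [""])[0], "total": order["total"]}

def view_order_secure(url, session_token):
    """Resolves the customer from the server-side session, then checks ownership.
    The URL still names the order, but identity is never taken from the URL."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        return None                      # not logged in
    qs = parse_qs(urlparse(url).query)
    order = ORDERS.get(qs.get("order", [""])[0])
    if order is None or order["owner"] != customer:
        return None                      # missing, or not this customer's order
    return {"customer": customer, "total": order["total"]}
```

The secure variant also fails closed: an unknown session token or an order belonging to someone else both return nothing rather than an error message that reveals whether the order exists.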

When computer security breaches do occur, a response plan can be used to minimize the damage. These types of responses can be prepared at the business level, the industry level, or even at the national or global level. For example, the G7 has prepared joint exercises in order to test the international level response to biological, chemical, or nuclear terrorist attacks. Whether it is at the international level or the corporate level, responses are most effective when there is a clear plan in place. A plan should incorporate people, process, and technology. It should be clear who needs to be involved, which outside parties such as law enforcement need to be contacted, when they need to be contacted, and what steps can be taken to immediately counter the attack and to minimize the damage. Depending upon the level of attack, damage control can be both an IT exercise and a business and public relations exercise. Since notice of an attack in progress or of a severe vulnerability may come from a variety of sources, response plans need to incorporate the appropriate steps to be taken by all user constituencies who could first gain notice of a problem. Customer support staff must be aware of how to handle incoming calls from customers who may first discover an issue and know who to contact for the next level of support.

In addition to closing the vulnerability, businesses need to be aware of how they should document and track an attack in progress or one that has recently taken place. Accurate human and computer-based logging, event tracking, reporting, and documentation of the nature and sequence of the occurrences can help identify the perpetrators or the originating systems. One of the problems today is that attacks often come from innocent servers that have themselves been compromised by malicious software. Many such attacks are nevertheless blocked by the firewall, which can intercept an incoming attempt to reach a machine or a communications port on the network. A well-prepared and well-rehearsed incident response plan can help minimize the damage caused by attacks. During an attack is no time to be determining who to call for help, and if they are outside security specialists, it is no time to be negotiating the rules of engagement. Security specialists need to be able to perform their tasks and have ready access to applications and data as required. Upfront planning is therefore critical to business continuity and disaster recovery efforts.

Business Innovation and Disruptive Technology: Harnessing the Power of Breakthrough Technology for Competitive Advantage
ISBN: 0130473979
Year: 2002
Pages: 81
