Risking the Corporation

The security assessment I conducted in 2000 showed that a new kind of risk to the organization had arisen, one that could land this company in serious trouble, because management had overlooked some basic controls. Two big mistakes that Costa Corp made were (1) not enforcing its policies, and (2) allowing management to bypass security policies without understanding the risk to the corporation.

Costa Corp had developed an exception policy that allowed management to bypass security controls for the sake of doing business. There was no assurance, however, that a manager who signed off on an exception understood security. Giving management the authority to bypass controls without understanding security was a risk in itself. Under such circumstances, some managers authorize exceptions without understanding what damage could result.

Costa Corp had also developed an Internet connection policy, which stated that any system connected to the Internet needed executive approval and must comply with the installation guidelines developed by the security team. The policy was well written, and the guidelines for securing the system and testing the system before it was connected to the Internet were excellent. Whoever developed the policy and guidelines understood security. In the rush to do business, however, some departments completely bypassed the Internet connection policy. They set up Web servers on the Internet without getting executive approval or installing security controls.

Management became aware that this was an issue because one of the international Web servers owned by the company was broken into. The hacker defaced the Web site, bruising Costa Corp's reputation in the eyes of the public. It turned out that the problem was far bigger than just one Web server connected to the Internet. Research conducted by Costa Corp's security team showed that over 400 systems were connected to the Internet in the company's name space. The security team did not know who had connected or who owned all these systems. Many had no security configured, so it was easy to break into them over the Internet.

Even though the employees bypassed company policies in connecting unsecured Web servers to the Internet, the company was still responsible for those systems, systems that could be used to launch attacks against other companies. Attacks are launched every day from the systems of unsuspecting owners. Hackers use hundreds, sometimes thousands, of compromised systems to launch assaults against other systems and networks. Not long ago, several high-profile sites, such as Yahoo, Inc. and eBay, Inc., were brought down by denial-of-service (DoS) attacks, which flood servers or networks with useless traffic so that legitimate users can no longer gain access to the resources. Such attacks still present a significant security threat. They demonstrate how hackers use compromised machines to launch assaults against other systems and networks.

An attack two years ago that was not so widely publicized involved a teenager living in Modesto, California, who gained access to the flood controls for a dam in Canada. Law enforcement caught him before anything bad happened, but what if they had not?

Suppose the teenager broke into an unsecured Web server owned by a Fortune 500 company, gained access to and opened the Canadian dam's flood controls, and flooded the community near the dam, causing millions of dollars in damage and 300 deaths. Let us say that law enforcement was not able to track back the trail to the teenager, but could track back to the Fortune 500 company that owned the Web server used to launch the attack. Some questions might be asked:

  1. Why was the Fortune 500 company's system left unsecured and unmonitored so that it could be used to launch an attack against the Canadian dam?

  2. Why was the Canadian dam connected to the Internet, so that an intruder could ultimately gain unauthorized access to the flood controls?

  3. Who will be held responsible for the damages?

  4. Are you a board member or an executive of the Fortune 500 company?

  5. Does your legal team understand security?

Unsecured systems today are being used to launch attacks against targets elsewhere. Your concerns as an executive are to make sure that those systems are not yours, that attacks coming from a partner's network do not appear to come from you, and that adequate controls are in place to detect and defend the network. Directors and officers are required by law to protect the corporation's information assets. When a network security failure causes harm, the organization and its officers can face lawsuits. Real cases exist today.

In the next section Dan J. Langin, an attorney in Kansas, discusses the reality of legal actions that focus on executive responsibility and network security failure.



IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73
