SUMMARY




It can be seen that the development of the Internet presents serious threats to the security of private companies, in addition to the much-touted opportunities it provides. The more extreme scenarios discussed in this chapter may never eventuate; the possibility that they may, however, must be appreciated. It is not advisable for any risk-management approach to merely disregard the threats previously discussed on the basis that they are far-fetched and fanciful. In addition to the threats being technically feasible, either now or in the next two decades or so, the ability of intruders to gain entry to computer systems and disguise the very fact of entry makes this a peculiarly difficult threat to appreciate. The undetectability of many attacks may per se lead private companies to a false sense of security, and leave the companies vulnerable to serious disruption or total disablement in the event of an attack.

The possibility of means of attack this presents to aggressors can help realistically guide the process of moving forward in dealing with the information warfare arsenal and tactics of private companies. The conclusions drawn from this follow next.

Conclusions Drawn from The Information Warfare Arsenal and Tactics of Private Corporations

  • As competition between corporations for profit increases, and consumer expectations grow, there may soon be a time when, for some private companies, even a limited disablement may be fatal, or nearly fatal, to their continued existence, surely one of the most important post-threat outcomes of any risk-management plan.

  • The growth in the number of aggressors must also be appreciated.

  • Added to the traditional aggressors identified by private companies are the additional ones that may now see the companies as a visible surrogate of an entity that is either impregnable from attack or that it is inadvisable to attack.

  • Some private companies have always been the target of aggression, and the identity and number of aggressors may stay the same.

  • It must be appreciated, however, that new, and very powerful, tools of aggression may now be available to those traditional aggressors.

  • Traditional forms of risk management are, it is argued, not particularly suitable to the dynamic, desegregated forms of aggression that will now be presented.

  • The approach to determining risk and how to protect against and prevent network attacks must be revised. A fundamental rethinking of the way private companies organize themselves, and the way they leave themselves at risk, will also be necessary.

  • Traditional forms of risk management represent an approach positioned in a hierarchical paradigm, which may not deal adequately or at all with new forms of threat posed to a dynamic network.

  • Until these fundamental issues are addressed, no private company can truly say that it has identified all forms of risk that are or will be relevant to that organization. Nor will it be able to say that it has treated them. These must be imperatives in an environment where any single risk could conceivably threaten the entity's very survival.

An Agenda for Action in Preparing for the Information Warfare Arsenal and Tactics of Private Corporations

Management of cyberterrorism risk must be considered an important issue for all aspects of society, not only for private companies. However, in view of the way in which the information network has developed, and the almost complete immersion of much of private enterprise in it, a company should analyze its vulnerabilities regardless of societal views.

The dangers in failing to recognize the risk could be serious. The dangers in recognizing the risk but not treating it could be equally serious.

The United States government needs to set an agenda for action that goes beyond the work already done in preparation for protecting the information warfare arsenal and tactics of private companies. Action steps should include, but not be limited to, the following 10 areas:

  1. It is recommended that, traditionally, private companies be organized in a hierarchical way and also viewed as such. Much like a Norman motte and bailey castle, where a keep on a central raised mound was encircled by a ditch and a picket, private companies are viewed as entities that are, or should be, impervious to the outside world, allowing entry only at designated, protected points. Once within the structure, movement up to the pinnacle of command is meant to be within certain set parameters, and deviation from these parameters is not encouraged.

  2. Flat management structures, it is recommended, should make the internal passage within the corporate entity somewhat less linear. Flat management does not allow for free ingress from the outside as one of its goals; it may allow for more points of contact between points inside the structure and outside, but these are monitored and controlled.

  3. Over the years, layers of protection have accreted around the structure, much like the walls that were thrown up around the keeps of concentric castles. All of these concentric defenses should repeat the pattern of controlled and protected points of ingress and egress.

  4. The growth of the information network and the increasing porosity of corporate entities should lead to a rethinking of the reliance on concentricity and control of entrances.

  5. Corporate entities should have new points of ingress (such as telephony and internet access points); consumers demand it. Added to this intentional accumulation of entry points must be those that are either unwittingly left open by a corporate entity, because the advances of technology are not understood, or those that are left open through intention or negligence, where the possibility of unwanted or uncontrolled ingress is appreciated, but nothing is done about it.

  6. Attention should also be paid to points of egress; much damage can be done by an information outflow caused by a disgruntled employee.

  7. A hierarchical corporation, based on a fortress structure, may be vulnerable if an information flow is disrupted. This may be so even where a flat management structure exists within the fortress. The entity may be hard put to regroup and function without great delay.

  8. A corporate entity based on a network may be much better placed to respond to a potentially disabling attack. Diversified information and command lines should be called into action and utilized should one line be cut. Such a corporation would be able to continue its core operations in a much shorter timeframe than a defensive-fortress structure. This is not to say that a corporation should abandon all controls of ingress and egress, and 'open its doors' to the world. Defenses from cyberterrorism should be put in place. This discussion highlights the first primary step in risk management: identification.

  9. Potential threats should be identified and provided for. A simple treatment of defensive structures may not be wise, because the chaotic nature of the information network and the development of new technologies will inevitably mean that new forms of attacks and new holes in the armor will always open, often in unexpected places.

  10. A diversified command-and-control structure and the duplication of information supplies should go some way toward both treating current risk and coping with problems when unforeseen or currently nonexistent risks appear.






Computer Forensics. Computer Crime Scene Investigation
Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
EAN: 2147483647
Year: 2002
Pages: 263
Authors: John R. Vacca
