Security is a Winless Game


When nothing happens, it is a good thing from the security perspective. However, justifying nothing is a difficult proposition to sell to upper management, executives, members of the board, and shareholders. Traditionally, we have been taught that success usually means that something has happened. Retooling our measurement toolkit to incorporate nothing as being a good thing is difficult at best. The Department of Homeland Security (DHS) faces a similar measurement obstacle. If nothing happens, DHS is successful. This mindset is difficult to visualize because success in the traditional sense is usually defined as improvement through quantifiable financial measures.

Quantifiable measures can be obtained in a robust security posture, however. Although these measures are not in financial terms, they can be expressed as the number of potential attacks that have been successfully defended against. A good security mechanism is capable of collecting information on these potential attacks. Security status reports should focus on both the successes of these defenses and the failures.

Maintaining a robust security posture is also never-ending. The technological environment is dynamic, and thus, the security mechanism must change with emerging technologies. Executives and board members alike will fret over the endless investment in securing the infrastructure. This is security, however, and that is just the name of the game.

Technological change has transformed the face of the marketplace. It has enabled firms to compete in markets that never before existed, in ways that were never even imagined a decade ago. Employees can now work by telecommuting, never needing an office at a downtown location. They can also work from virtually anywhere in the world from a portable computer the size of a laptop or even a personal digital assistant (PDA) that can fit in the palm of your hand. With this flexibility also come vulnerability and an increase in threats.

The security infrastructure is only as good as its trusted agents. In other words, imagine that you have a laptop that has an encryption-enabled virtual private network (VPN) client that allows you to establish a secure tunnel connection to your business's network, and security certificates or tokens unique to the specific computer. While this security mechanism is robust by most standards, imagine utilizing the laptop while in a different country, using telecommunication lines that may be subject to monitoring by interested parties. Transactions over those lines are subject to monitoring and possibly even exploitation. The potential for a security breach is self-explanatory.

Imagine once again the same laptop with the same security mechanisms being pilfered by a thief. If the thief has malicious intent and is computer savvy, it is also possible that the security mechanism could be breached. The trusted agent, the laptop computer in this case, represents a serious threat to the seemingly robust security infrastructure.

Expanding this subject even further, imagine a customer conducting business with your firm. In this case, the customer is not overly computer savvy, but knows enough to perform a business transaction over the Internet. However, the customer does not have a firewall enabled on their computer. The customer utilizes a broadband connection, so they are continuously connected to the Internet and have become accustomed to leaving their computer on except during thunderstorms. Little do they know that a hacker has been sniffing packets on their computer and has loaded a program onto their operating system allowing the hacker to hijack a session at their whim. Since the customer has established a session with your network, a clear path to your sensitive data is open for the taking. The hacker hijacks the customer's session and begins to exploit your computer systems. Depending on the security mechanisms in place at your firm, you may or may not even notice the attack and may or may not be able to defend against it.

The low cost of installing wireless local area networks (WLANs) makes them an attractive alternative for firms. Considering that many firms utilize leased office spaces and are accustomed to moving to new spaces every couple of years, WLAN infrastructures are a convenient, cost-effective, and flexible alternative to the costly, installation-intrusive, and permanent Ethernet wired local area network (LAN) infrastructure. Wireless networks, however, are extremely vulnerable. No longer is the firm able to prevent unauthorized use of the network simply by utilizing physical security mechanisms like security guards and locked doors. Now, the firm must secure the radio waves that have replaced the wired network infrastructure. It is similar to installing an Ethernet jack in the parking lot (Reid & Seide, 2003). WLAN infrastructure must be protected with the same resolve as that taken with any network.

Securing information on computer networks has many pitfalls. Sometimes organizations suffer from knee-jerk reactions after they have been exploited by an attack. Firms may fall into the trap of over-expenditure in computer security. Inexperienced firms may invest heavily in security measures that, for the immediate threat, are top-of-the-line, but find that six months down the road the security mechanism is incapable of defending against new attacks. They have so crippled their resource budgets that it is impossible to invest in newer security technologies to improve defenses. They begin to feel as though they have purchased a boat; nothing more than a hole in the water into which you pour money. Even if fiscal resources were not a constraint, without a long-term security strategy, all the money in the world may not render the desired results.

Yet another pitfall that firms often fall into is that of a false sense of security. This pitfall is known as the September 11th Syndrome. In this pitfall, firms assume that since they have never suffered from an attack in the past, they are protected from attacks in the future. They may also believe that their computer systems do not have sensitive customer and operational data residing on them, yet in reality, they have many data records that are now entrenched in their day-to-day operational business processes but do not realize it. Many Mom and Pops are just as vulnerable as Fortune 500 companies are.

Keep in mind: some of the most damaging attacks are those that go unnoticed. Malicious hackers may be exploiting networked systems collecting sensitive customer data on a continuous basis. The repercussions of such an attack can be exponential and irreversible. Depending on the scope and nature of the attack, a firm could potentially be brought to its knees in a single day.

Vulnerabilities and threats are constantly growing and evolving. Keeping up with emerging technologies is challenging enough, but also keeping up with threats that are not even known is even more difficult. Hackers come in many forms, from the mischievous 12-year-old, known as a kiddy, to the educated and refined professional hacker or terrorist that has malicious intent; the range of sophistication is near infinite. Yet, there is also a common distinction amongst threats: whether they are internal or external threats.

The common assumption of most is that external threats are the most pervasive. However, that assumption is severely flawed. The most common threats are from internal sources. Everyone within your organization, including the top executives, network administrators, customer service personnel, administrative staff, physical plant maintenance crews, and cleaning personnel, represents an internal threat. Many of these personnel have unimpeded access to customer information sources. While access control mechanisms can eliminate many of the internal threats, ultimately, some personnel will have complete access to data stored on the firm's computer systems. While this may be undesirable, it may be unavoidable. For example, the network administrators at many firms have complete access to all data repositories. They often need this access by task necessity to ensure that the day-to-day operations of the firm are possible. How trustworthy is your firm's network administrator?

The thought of an internal threat is detestable and distasteful in any light. The implication of such a threat affects the organizational culture, climate, and value system to its very foundation. Employees will not look favorably upon the constant monitoring of their day-to-day activities. Employees are often left feeling as if they owe the firm no allegiance if the firm itself does not even trust them enough to do their work in privacy and confidence. Yet, the firm is caught between a rock and a hard place because failure to monitor the activities of their employees is a huge liability.

External sources pose a smaller yet no less detestable threat. External threats face significant challenges in successfully gaining access to computer systems because they do not have the benefit of being insiders. Any security mechanism that is enabled on a computer system requires time to overcome. Sometimes hackers will simply avoid systems that require significant contributions of their time to penetrate. It is much easier to wreak havoc on systems with lackadaisical security. In reality, the path of least resistance renders the most economy to the malicious hacker.

Just as there are distinctions between internal and external threats, there are also distinctions between the objectives of the threats. Some hackers only intend to disrupt the ability of the firm to conduct business. An example of such an attack would be a distributed denial-of-service attack, which clogs the computer's ability to process instructions, thus limiting its ability to perform critical operations and potentially bringing the network to a standstill. Others simply seek to crack into the network to browse the resources to gain recognition from other hackers through bragging rights. Still other hackers maliciously attack computer systems to access sensitive company or customer data such as financial records and credit card information or seek to cause serious damage. Obviously, the malicious attacker poses the most significant threat to the business.




Information Technology Security. Advice from Experts
ISBN: 1591402484
EAN: N/A
Year: 2004
Pages: 113