Security is steadily rising in perceived importance on IT managers’ lists of priorities, says security specialist Tony Krzyzewski, managing director of Kaon Technologies.
Ten years ago, when he was doing early security work on Ethernet, it was running around 14th, according to surveys, he says. “After [the US terrorist attacks of] 9/11 it rose to sixth and now it’s number four.” Heading the list is still “customer satisfaction”.
Krzyzewski was speaking at an IT Security 2003 conference, organised by BrightStar (formerly IIR) in New Zealand this week. He notes that despite the rise in perceived importance to IT management, ICT security is still not easy to sell to top managers, because they perceive no payback.
The sell has to be in terms of an “insurance policy”, he said, and management should have the consequences of a security breach spelt out to them. One of the possible outcomes is loss of reputation: “Your company might end up [in a negative story] on the front page of Computerworld. Or you might lose large amounts of money,” he added.
Other speakers talked about the danger of customers’ credit card numbers, passwords, or more extensive identity information being stolen, with resulting material loss of money and reputation to the business.
Graeme McLellan, a security and technology specialist with PricewaterhouseCoopers, spelt out the steps of formulating a good security policy, which dealt with both “enablement” (letting employees access the power of the computing system and appropriate data) and “protection” (keeping unauthorised intruders out).
The “security value chain” consists first of identifying needs, in an “envisioning” phase, then building, then operating with careful observation and capture of information on any intrusions or vulnerabilities, and finally response and feedback into the first phase of the cycle.
There are particular issues for today’s “extended enterprise”, McLellan said, with information being opened up to customers, partners and suppliers.
Employees too are a danger, he said, but he has seen their misbehaviour punished with the full weight of the law. McLellan alluded to a British case where a staffer was emailing confidential company documents to his home. Despite similar legal exceptions in the UK for internal hacking, the business was able to get a search warrant served at the culprit’s home and found confidential material on his computer.
This seems to support Goff’s view that in a case of serious offence by an employee, other laws can be brought into play.
However, McLellan noted, employees can weaken security in a more subtle way by talking too eagerly outside work, even to journalists about the detailed structure of their computer systems.
Brett Moore, described as a “network intrusion specialist” from Security-Assessment.com, gave a frightening account of the various species of hacker and their activities, warning that firewalls and virus-checkers could be compromised without the user knowing, and that it was unwise to rely on only one level of protection.
He repeated an often-cited warning to turn off all services that a business will never use, because of possible vulnerabilities in forgotten software. It is surprising how often web servers are left linked to the main LAN, or ports left open for functions that will never be used.
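One way to act on that warning is to check, on each host, which ports are actually listening and compare them with the short list of services the business knowingly runs. The script below is an added example, not code from the conference or from any speaker: the allowlist (`ALLOWED_PORTS`) and the sample socket listing are constructed for illustration, and the listing is in the column format of the Linux `ss -Hltn` command (state, queues, local address:port, peer address:port), which is what you would pipe in on a real machine.

```shell
#!/bin/sh
# Added example (not from the article or the speakers): report listening TCP ports
# that are not on the allowlist of services the business actually uses.
# ALLOWED_PORTS and SAMPLE_LISTENERS below are constructed for illustration.

# Hypothetical allowlist: only SSH and HTTPS are expected on this host.
ALLOWED_PORTS="22 443"

# Constructed sample in the format of `ss -Hltn` (column 4 is local address:port).
# Ports 21 (FTP), 3306 (a database bound to loopback) and 8009 (AJP on IPv6)
# stand in for "forgotten" services.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:8009 [::]:*'

# Read listener lines on stdin; print each local port once, numerically sorted.
# The port is the text after the last colon, which also handles [::]:port.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# Read listener lines on stdin; print the ports not present in the allowlist
# given as the first argument (a space-separated list), one per line.
unexpected_ports() {
    allowed="$1"
    listening_ports | while read -r port; do
        case " $allowed " in
            *" $port "*) ;;          # an expected service: say nothing
            *) echo "$port" ;;       # not on the allowlist: flag it
        esac
    done
}

# Run against the constructed sample. On a real Linux host use instead:
#   ss -Hltn | unexpected_ports "$ALLOWED_PORTS"
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_ports "$ALLOWED_PORTS"
```

Anything the script prints is a service to either justify and add to the allowlist, or to stop and disable. Note that this covers TCP listeners only; UDP services (`ss -Hlun`) and services reachable through a firewall from the LAN deserve the same treatment, and the check is only meaningful if the allowlist is maintained as carefully as the firewall rules.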