A day of doom and gloom - how marvelous!
Our new business continuity planning consultant is asking managers to devise disaster scenarios. After all, we've got to have a good idea how things might go wrong if we're to have any hope of planning what to do about them when they do.
He explained it to me in person, using what seemed to be a well-rehearsed line explaining how necessary it was, how it wasn't as much work as it sounded and how we have only two weeks to complete it.
The consultant certainly wasn't expecting me to embrace the idea enthusiastically.
It may seem strange, but this is a part of the job I enjoy. It's partly because the work involved is a bit more challenging - what IT security professional wouldn't prefer to work on a cutting-edge distributed denial-of-service attack rather than just respond to the latest macro virus infection? But the main reason is that disaster planning helps me make some sense out of the mountain of work that's out there. For IT security, doom and gloom is strategic planning.
Of Trade-Offs and Judgment Calls
One of the long-standing principles of security is the constant trade-off between security and functionality. Most security mechanisms make computers more difficult to use, and most new functionality raises new risks. Somewhere in between there is, I hope, a happy medium.
In every security department, there's always more work required than there are resources available. Somehow, you've got to make that judgment call on every piece of work: It'll never be fully secure, but is it secure enough yet? Rather than making those calls by the seat of your pants, you stand a much better chance of achieving something in the long run if you've got an underlying plan. And the best way to make a security plan is to work out all the things that could go wrong and be prepared to deal with them.
So here's a list that reflects my current thinking on the most likely ways that security breaches could have a big effect on my company. Are there any readers who care to suggest other scenarios that I've missed?
-Denial-of-service attacks: This is a common scenario, on record in many forms, from the Internet Worm in 1988 to the latest attack on Microsoft.
Technically, these types of attacks are easy to mount, but their consequences are limited to denials of service on network connections sharing a company's Internet gateway.
-Hacker blackmail: An unknown third party could claim to be able to disrupt or destroy your internal IT systems and demand to be paid off. This is difficult to prevent because it can be difficult to prove or disprove vague claims.
Hacker blackmail is becoming more common, and it's reputed to occur much more frequently than is reported publicly.
-Industrial espionage: A direct competitor could obtain details of your business plans via your IT systems and take advantage of that knowledge to out-compete you in the marketplace.
This is often reported to occur with internal collusion, which makes it all the more difficult for companies to defend against.
-Computer misuse decimates staff: In this scenario, significant numbers of staffers who have been misusing IT resources - disseminating pornography or hate material, for example - are dismissed. Since these situations often involve transmitting material via e-mail, dismissing all concerned can decimate an entire department, severely affecting its ability to operate effectively.
This has been happening more and more often. A recent high-profile incident took place at London-based Royal & Sun Alliance Insurance Group PLC.
-Fire in the hole: Fire, flood, explosion or some other disaster can render your central data center or computer rooms unusable. This occurs more frequently and for more bizarre reasons than you'd expect.
Anecdotal evidence tells of a disaster recovery consultant who boasted that he'd planned for every possible disaster that could strike his unmanned data center short of something falling out of the sky; the data center was hit by a low-flying aircraft shortly afterward. In another legendary incident, a consultant discounted the possibility of flood damage because the data center was halfway up a hill. The valley duly flooded and the waters rose - and stopped just before the data center. Unfortunately, the sewer system underneath it also flooded, and no member of the staff could stomach the resulting smell.
-Financial or reputational damage: The frequency of attacks that hurt companies financially or tarnish their reputations is increasing. Well-documented cases include a hack at Citibank in 1995 and the recent spate of exposures of credit card information at dot-coms such as Egghead.com Inc.
At Citibank and Egghead, small-scale, targeted security breaches exposed individual weaknesses. In the Citibank case, US$10.4 million was stolen; in the Egghead case, the credit card database was compromised.
The damage to the two companies' reputations seems to have far outweighed the financial loss. For example, Citibank recovered almost all of the stolen funds but reported a noticeable loss of business that it attributed to the negative publicity.
Well, that's six risks. That's far from being everything that could go wrong, but I think they're the six most worrisome. They certainly give me something to concentrate on.
Now, the next time I have to make a judgment call, I can check whether the proposed changes make those scenarios more likely or less likely.
In fact, if I really wanted to take a strategic approach to my job, I could work out how to deal with those scenarios and work out a plan to implement security measures to prevent them.
A Sad Goodbye
I've been writing this journal for about eight months now, and I've decided that it's time to pass the baton on to another security professional. I'd hoped to be able to write a neat wrap-up column this week that closed off all the issues I've raised: the smart cards, the antivirus problems, the legal quagmire and so on. Of course, life's not like that, and I'm still struggling with those very issues. If you want neat answers, ask a consultant!
Before I go, I'd like to thank everyone who's taken the trouble to send me e-mail or contribute to the discussion at the Security Watch forum at Computerworld.com. Your comments have been invaluable, not just because it lifts my spirits to know that other people face the same problems that I do, but also because some very knowledgeable people have taken the time to offer advice and help.
Sidebar: This Week's Glossary
Business continuity planning: The process of planning to ensure that a business keeps functioning in extreme circumstances. It's sometimes confused with disaster recovery planning, which is the process of recovering a system from an unexpected, serious fault. Disaster recovery planning is generally seen as a technical subset of business continuity planning.http://catless.ncl.ac.uk/risks: "The Risks Digest" Web site, which describes itself as a "forum on risks to the public in computers and related systems," includes regular news and a discussion forum concentrating on things that go wrong with computers, from malfunctioning Japanese toilets to the space shuttle Challenger disaster.
It's an invaluable resource for anyone involved in risk management - or anyone who likes to laugh at other peoples' misfortunes.
I'd like to mention all of you individually by name, but so many people have requested anonymity for themselves or their companies that I'd better not.
Ah well, I guess we've still got a ways to go before we can all talk openly about security.
Editor's note: Computerworld would like to thank Jude for his contributions and insights into the day-to-day issues of security management. Look for a fresh face - and a new perspective - next week.
This journal is written by a real security manager, whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com to help you and our security manager - let's call him Jude Thaddeus - better solve security problems. Contact Jude at firstname.lastname@example.org or click on Computerworld.com's Security Watch community forum to participate in discussion topics.