Before the explosion of the Internet, a company’s intranet security did not involve much more than changing passwords periodically. Only banks and financial institutions needed to be more rigorous in their network security applications. Now, with companies increasingly venturing into e-commerce and opening their information systems to suppliers and customers, it is imperative that they secure their systems from malicious intrusions.
A new survey from PricewaterhouseCoopers [http://www.pwcglobal.com] and Information Week [http://www.informationweek.com] finds that while 56 percent of the companies surveyed say that information security is a high priority for their business, only 19 percent have a complete descriptive policy to monitor security practices and solutions. The survey found that information loss, theft of data and trade secrets, and revenue loss are the main risks of a security breach.
The 1998 survey of computer crimes and security by Computer Security Institute [http://www.gocsi.com] shows that 60 percent of companies experienced a security breach compared to 50 percent the previous year. The incidence of Internet-originated attacks rose to 54 percent — up from 38 percent in 1996.
Hacking incidents are expensive – not just because of the cost of what’s taken but because of the costs associated with cleaning up the mess. A Forrester research [http://www.forrester.com] study projected the cost of a hypothetical theft of one million dollars from a small online bank. It cost a whopping $111 million; the major expense — $96 million — was network downtime and security upgrading.
All this only serves to emphasize the obvious imperative: protect a network’s entry points so outside hackers and disgruntled employees can’t access a company’s critical data.
Expert advice revolves around basic business practices. The first step is to understand the business and its vulnerabilities. Step two is to develop policies. Insist on a unique password for access to any computing resources, and specify a time-bound expiration of these passwords. The final step is to understand the infrastructure of the system in its entirety. The innumerable physical devices on a network compound the security problem. Without mapping the network, it’s difficult to know where to begin.
Developing a formal policy is the basis for an enterprise-wide security strategy, says Robert Clyde, chief technology officer at Axent [http://www.axent.com], a supplier of enterprise security systems. Clyde says companies should define “best practice” guidelines suited for the businesses they’re in. Others recommend establishing an enterprise-wide security policy, applying it to different components and then using the latest technology to fine tune it.
To help companies establish and implement enterprise security policies, the International Computer Security Association [http://www.icsa.net], formerly the National Computer Security Association, developed a list of guidelines. According to the ICSA, five areas need to be addressed: privacy, Internet access, application development, physical access, and emergency and recovery.
A good privacy policy should cover data confidentiality, computer network security, access control privileges, log monitoring and equipment auditing. An Internet access policy identifies risks and explains how to handle security breaches. Application development covers the design, development, testing, deployment and correction of applications. Physical access and emergency policies encompass a wide range of issues, from storage of documents and disks to control of physical access to computing resources.
Limiting the risks of connectivity means determining which network devices — primarily HTTP servers and routers — are visible to the Internet. ICSA offers a perimeter checking service in which ICSA officials remotely assess the visibility of such devices. After monitoring the activity logs of routers and servers, ICSA submits quarterly or monthly reports to companies.
Businesses are increasingly looking to their platform providers for many of their security needs. Companies such as Cisco [http://www.cisco.com], Microsoft [http://home.microsoft.com] and Sun Microsystems [http://www.sun.com] are embedding security features like encryption and authentication into their hardware and operating systems.
However, until such features become the norm it remains a network manager’s job to ensure that his company’s network systems are protected from malicious intrusions. The first step is to recognize the importance of network security and give it the weight and attention it deserves.
