
    Step 5: Vigilance

    Written by

    Peter Coffee
    Published December 10, 2001

      In this series on enterprise security, eWeek Labs has so far explored the elements of assessment, prevention, detection and response, each of which requires a variety of tools, products and services. In this concluding segment, we focus on the strategies that can quietly prevent a world of security threats from becoming costly and disruptive breaches.

      When driven by top-down commitment from enterprise management, the resulting culture of vigilance will leave fewer vulnerabilities to find, repair and monitor and will drastically reduce the costs that arise during and after successful attacks. Vigilance is the longest-term—but highest-payback—element in an IT security strategy, propelled by consistent attention to the principles explored below.

      Risk Assessment

Risks differ greatly in how and where they arise, what they affect, and how they can be reduced. It's therefore important to differentiate the types of risk and the types of consequence likely to occur. That same diversity complicates the challenge of coordinating an enterprise security posture, as noted in the creation of the federal Office of Homeland Security after the attacks of Sept. 11.

      “The Computer Security Handbook,” by Arthur Hutt et al., categorizes risks as: physical hazard, equipment malfunction, software malfunction, human error, data misuse and data loss.

      Responsibility for these varied risks may be given to physical plant management, IT support staff, application developers, human resources and training staff, and forensic accountants, respectively. Rare is the enterprise in which any single executive, even at the CxO level, has integrated knowledge—let alone expertise—in all these domains, but failure in any neutralizes efforts in all.

      Charles Pfleeger, master security architect at Exodus Communications Inc., in Santa Clara, Calif., classifies possible consequences of an IT breach as: interruption (loss of access to an asset), interception (unauthorized access to an asset), modification (alteration of an asset) and fabrication (creation of spurious “assets” such as false transactions).

      Hutt and his co-authors suggest a further breakdown among disaster (prolonged consequence), solid failure (requiring temporary cessation of use to repair) and transient failure (temporary and/or irregular in occurrence).

      These labels are not academic exercises but rather identify different situations that call for different preparations. For example, depending on the business situation, the threshold of “disaster” may be days or merely hours, and business arrangements—such as network monitoring contracts, backup and restoration response times, quality-of-service agreements, and contingency staffing plans—must all reflect these specifics. Insurance policies should also delineate precisely the kinds of coverage given for various types of damage or disruption.

      No Rest

The sad truth is, the task of securing an IT system can never be complete. As Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., warned in his book, “Secrets and Lies,” IT systems have four devastating properties that combine to make vigilance a permanent concern: Enterprise-scale systems are complex, interactive, emergent with unpredictable behaviors and, unfortunately, bug-ridden. eWeek Labs would add to Schneier's list a fifth horseman, so to speak, which is that systems today are actively threatened, compounding the hazards created by the other four characteristics.

But one of the strongest weapons against many IT threats is the growing awareness of security issues among even casual IT users. “When a cab driver asks me what I do and I say Internet security, we can have a meaningful conversation,” said Alex van Someren, CEO at nCipher Corp. Ltd., in Woburn, Mass. “It's gone mainstream.”

At the same time, however, van Someren warns that users' awareness does not translate into comprehension of, or even interest in, technical details. Therefore, the challenge for security service providers, for security product vendors and for enterprise general managers is to translate users' awareness into meaningful behavior change. This can best be done by positive methods, rather than relying solely on penalties for policy violations.

Ed Glover, director of enterprise security and customer engineering for Sun Professional Services, which is also in Santa Clara, offers the example of his own company's measures for promoting physical site security: “We would have security people try to piggyback in through the doors, without their badges, to see if people would try to stop them; if you did, you got a gift certificate for dinner.”

Glover added, “We have fun, but we're all responsible for the assets of this company from both a physical and a logical standpoint. We're constantly being reinforced on what our responsibilities are to protect Sun's assets.”

      The combined effects of clear communication and positive reinforcement of good security performance will go much further than draconian threats and security measures that actually impede peoples work.

      In the long run, Glover said, shared responsibility for security has to be “built into the DNA of the company.”

      Vigilance From Day One

      When security is added as an afterthought, weaknesses remain that would not have been there in the first place if security had been a more pervasive concern.

      For example, a networked application might use certain communication parameters based on the size of application data structures without considering the desirability of encrypting those data streams between widely separated nodes. Adding encryption overheads later might require costly redesign and delay the deployment of a business-critical application.

      When choices such as this arise, deployment of insecure systems is the likely result. The point is this: Security orientation should be present at every stage of project development. A life cycle approach, rather than a reactive response, is needed.

      Adaptive Design

When security is perceived as the job of auxiliary subsystems, wrapping around the IT core, the result can perversely reduce the business contribution of IT by inhibiting system availability. “Complexity has created what are now, overall, more brittle systems, because they weren't designed to work together,” said Robert Morris, director of the IBM Almaden Research Center, in San Jose, Calif.

The resulting risks can be astonishingly obvious, after the fact: “For example, your admin has the only password for the key file—and falls under a bus,” said nCipher's van Someren. “The problem is severe unless the admin has been bad and written down the password. Instead, you should be using a system that shares responsibility.”

Algorithms that let any three of five trusted people agree to access a resource, for example, are well-known by the name of “threshold schemes” (as described by Adi Shamir's 1979 paper “How to Share a Secret”). However, these methods require analysis of the business value of the asset and the process implications of authorization sharing before they can be properly used.
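As an added illustration of the three-of-five threshold scheme described above (example code written for this page, not from the article or from nCipher), the following Python splits a key into five shares with Shamir's method and shows that three shares recover it while two do not. The prime field, the share count and the demo key are assumptions chosen for the example.

```python
import secrets

# Prime field for the arithmetic (Mersenne prime 2^127-1); an assumption
# for this example, as is the demo key below. Secrets must be < PRIME.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n):
    """Split secret into n shares such that any k of them reconstruct it."""
    if not 0 <= secret < PRIME or not 1 <= k <= n:
        raise ValueError("need 0 <= secret < PRIME and 1 <= k <= n")
    # Random polynomial of degree k-1 whose constant term is the secret;
    # share i is the point (i, f(i)) for i = 1..n (x = 0 is never handed out).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the shares given (k of them for k-of-n)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo_three_of_five(secret=0x123456789ABCDEF0):
    """Split a constructed demo key 3-of-5; return (three recover it, two do)."""
    shares = split_secret(secret, 3, 5)
    # Any three custodians (here holders of shares 1, 3 and 5) recover the key...
    from_three = recover_secret([shares[0], shares[2], shares[4]])
    # ...while two acting alone get an unrelated value (except with probability
    # 1/PRIME), so no single administrator is a point of failure or of trust.
    from_two = recover_secret(shares[:2])
    return from_three == secret, from_two == secret


if __name__ == "__main__":
    print(demo_three_of_five())  # (True, False)
```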

Direct security issues aside, said IBM's Morris, “operator errors are a significant proportion of all failures, so it's essential to make the system communicate with the user and make it easy for the human to impose priorities on the system.”

      When a security breach is handled by isolating a system from the network, as recommended in our previous segment on response, the business needs to go on. If fault-tolerance actions, such as delegation of critical tasks to other servers, are easy to identify and command, operators will be less tempted to keep a corrupted system online while they try to fix the problem on the fly.

      System management tools, therefore, can be important points of enterprise security leverage if they make it easier for operators to understand their options and to choose the actions that least disrupt operations.

“When a set of alerts begins to occur,” Morris said, “it doesn't help if I start getting messages saying that processor 33 in branch office 7 is having errors. I need a message saying what application is in trouble: check printing may be delayed. I need to be able to say, A purchase transaction should always take priority over a routine report.”

      Error-Prone Environments

System administrators can achieve deniability for incidents by installing layer after layer of protection, but they're not really doing their jobs if the result is an error-prone environment.

Indeed, it's not the job of IT administrators to deploy every available security tool; it's their job to assess the balance between degree of protection on the one hand and likelihood of consistent and correct use of systems on the other.

“Isn't that the important message about security?” asked nCipher's van Someren. “Practical rollout of appropriate security is what the world really needs—not better/faster/stronger algorithms but better ways of ensuring that what we have is made more usable.”

      Technology Editor Peter Coffee can be reached at [email protected].

Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues. Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, and he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.
