How to protect your company’s computer systems against penetration and attack; the dangers of security lapses in corporate computer
systems and Internet architecture, and specific methodologies for evaluating your company’s security, detecting intrusions and responding effectively.
1. Security Transformation – A book summary. Book written by: Mary Pat McCarthy and Stuart Campbell. Summarized by: Faisal Yahya, MM CISSP
2. Computer and internet security Computer and Internet security issues are a fact of modern business life. The question isn’t whether the Internet is safe; the question is whether your enterprise and its Web presence are safe. Like any other neighborhood, the Internet has its risks, including vandals and thieves.
4. Every company is unique But how much Internet security do you need? What kind should you have? Some businesses, such as medical institutions, need to protect their customers’ privacy. Others, such as financial networks, must guard against theft, while others must protect their intellectual property.
5. New ways of doing business Internet security is even more essential when you use any of the new business models that are emerging on the Web. Security is a matter of earning and keeping trust. Smart executives understand that no one can promise that ATM security will never be breached, just as no one can promise that a bank branch will never be robbed. But if customers know they’re protected, they’ll trust their bank. The key is managing perceptions.
6. “Security is a form of enlightened self-interest. It’s a means of warding off the three dreaded L’s of the digital age: Liability, Lawsuits, and Losses.”
7. The security-conscious employee No security system, no matter how well intended, will work if your people don’t support it. Remember, too, that most computer attacks are actually inside jobs. Start your security campaign at the top and present it with professional-looking manuals and materials. Teach your people to spot it when something is wrong and to know what to do when they spot a problem.
8. …[continued] Intrusion detection systems (IDS) and network intrusion detection systems (NIDS) work at different levels to detect intrusions, but they can’t tell you what the intruder did while inside. Checksums let you determine whether the programs on your system have been tampered with at all. Even a single altered character or space changes the checksum of a file, so tampering becomes apparent. Two practical caveats: use a cryptographic hash (such as SHA-256) rather than a simple checksum, which an attacker can deliberately match, and keep the baseline of known-good values somewhere the intruder cannot rewrite it (read-only media or an off-host store), otherwise whoever can alter the program can also alter its recorded checksum.
9. “Like a good marketing campaign, the security campaign needs to be rolled out, accompanied by well-crafted materials and training programs.”
10. Changing security systems over time Both technology and your business will change. Systems will grow more complex. To create a moving defense against changing threats, choose security measures that can grow with your systems. Most attention focuses on prevention, such as strong passwords, but you also need detection and response.
11. … [continued] As you audit your security system, close any holes. Disable services you don’t need. If data doesn’t need to be distributed, don’t put it on a networked computer. Lock it up. Apply your prevention, detection and response plan to all secured data. Because no security system is perfect, be prepared for the day that your defenses are penetrated. Be ready to discover the attack and respond. Even though you can’t prevent or detect every intrusion, you can increase the odds of detection by using logging to record who gains access. Many systems have built-in logging.
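The slide’s point that logging who gains access raises the odds of detection, as an added example (not from the book or this summary): parse sshd-style authentication log lines and flag two patterns a reviewer would want to see, a successful login from a source that had just failed repeatedly, and any direct root login. The log lines, host names, addresses and thresholds are all constructed assumptions for the demo.

```python
"""Review access logs for suspicious logins (added example, constructed log lines)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the two sshd line shapes used below; other sshd chatter is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

FAIL_THRESHOLD = 3    # failures from one source before a later success is suspicious
WINDOW_SECONDS = 600  # look-back window for those failures

# Constructed sample: a password-guessing run that eventually succeeds,
# a normal key login, a direct root login, and one harmless typo.
SAMPLE_LOG = """\
Mar  4 02:11:05 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  4 02:11:09 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  4 02:11:14 web1 sshd[4013]: Failed password for alice from 203.0.113.9 port 51130 ssh2
Mar  4 02:11:20 web1 sshd[4015]: Accepted password for alice from 203.0.113.9 port 51140 ssh2
Mar  4 09:00:02 web1 sshd[4100]: Accepted publickey for bob from 192.0.2.20 port 40000 ssh2
Mar  4 09:30:44 web1 sshd[4122]: Accepted password for root from 198.51.100.7 port 43210 ssh2
Mar  4 10:02:01 web1 sshd[4130]: Failed password for carol from 192.0.2.21 port 40010 ssh2
Mar  4 10:02:30 web1 sshd[4131]: Accepted publickey for carol from 192.0.2.21 port 40012 ssh2
"""


def parse(lines, year=2024):
    """Turn matching log lines into events; syslog omits the year, so it is supplied."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "src": m["src"]})
    return events


def find_suspicious(events):
    """Return findings as dicts with a 'kind' of 'success_after_failures' or 'root_login'."""
    findings = []
    failures = defaultdict(list)  # source address -> timestamps of failed attempts
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["ok"]:
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]]
                  if 0 <= (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append({"kind": "success_after_failures", "user": e["user"],
                             "src": e["src"], "failures": len(recent), "ts": e["ts"]})
        if e["user"] == "root":
            findings.append({"kind": "root_login", "user": "root",
                             "src": e["src"], "ts": e["ts"]})
    return findings


def demo():
    return find_suspicious(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['ts']:%H:%M:%S} {f['kind']}: {f['user']} from {f['src']}")
```

The single failed attempt by `carol` stays below the threshold and is not reported; the point is to surface the two events a responder should look at first, not every failure.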
12. Responding to a security breach When it’s time to respond to a security problem, you may have to decide whether the situation is grave enough to pull the plug on your system. Make sure that an appropriate executive makes that call. Set up guidelines for response. Have a well-drilled team ready to go at the first sign of trouble, including the executive who will decide whether to shut down the system, your security staff and, in the case of an inside attack, someone from human resources. Alert them by phone or pager, not e-mail, which may be compromised.
13. Assessing your risk Start with a security risk assessment, defining risk with the equation: Risk = asset value x threat x vulnerability. The elements of this formula are: Asset value is the importance of an information asset to the firm’s strategy (what is your information worth?). Threats are events that could have a negative impact on the accessibility, integrity or confidentiality of your information assets; these include hackers, competitors, extortionists and thieves, as well as disgruntled employees and other insiders. Vulnerabilities are the absence, inadequacy or inconsistency of defenses against threats; they may include weak locks, unshredded documents in your trash cans or careless storage of laptop computers.
14. “A security solution that forces your company to change its behavior to fit the solution’s characteristics simply will not work.”
15. Privacy is a separate security issue, a matter of ethics and culture. Privacy pertains to how information is used, not to access or safety. Like security, privacy has a huge impact on customer trust.
16. What’s in the future In the future, issues of security will become more difficult, since computers will become faster, smaller and smarter. In time, wireless devices will proliferate. Chips will become small enough to embed in the human body. Imagine the risks of a hacker getting computer access to reprogram someone’s pacemaker. Hackers already have broken some of the most difficult codes. Some analysts believe we are rapidly approaching the limits of our ability to deliver secure data. Soon programming and architecture issues will emerge too quickly for humans to handle, so computers will do those jobs, while people handle policy and administration.
17. Something about me Faisal Yahya, MM, CISSP Project Manager and Security Practitioner with more than 15 years of experience in the IT industry. email: faisal.yahya@gmail.com