
Are you on top of it?

By Christophe Coindy, April 10, 2002.

With so much information and so many services available at your fingertips, how do you cope with information security management? Every day organisations worldwide face the threat of unscheduled downtime and negative publicity due to successful hacking attacks. Those responsible for the security of the systems are forced to react to new threats and must take appropriate action, sometimes within minutes, if they are to avoid becoming just another statistic.

According to a white paper published by SecurityFocus, the host of the Bugtraq vulnerability list, the number of new vulnerabilities being discovered jumped from 10 per week in 1999 to 25 per week in 2000. The same white paper estimates that we could see 50 vulnerabilities per week by 2003. The natural question companies are asking is: how do you stay one step ahead?

Some companies have taken the radical approach of dedicating a team just to monitoring the busiest advisory sources and mailing lists, such as those run by SANS, CERT and SecurityFocus (Bugtraq). Surprisingly, the hardest part is not keeping up to date with security knowledge, but understanding how each new vulnerability affects the company's existing environment. For example, once a vendor has released a patch to resolve a vulnerability, it is always possible that applying it will interfere with the reliability of the system itself, or with other systems it connects to.

So we are left with a difficult choice. On the one hand, failing to apply the patch promptly might lead to unscheduled downtime due to a successful hacking attack. On the other, applying the patch without a reasonable period of testing might lead to downtime due to undiscovered flaws in the patch itself. To make matters worse, the costs attached to this choice are not trivial either. Organisations like the Centre for Education and Research in Information Assurance and Security (CERIAS) forecast that losses to businesses and governments will exceed US$100 billion this year. With that much money at stake, it is not surprising that information security management has become one of the top priorities for managers, directors and chief information officers (CIOs).

Unfortunately, the time, resources and expense involved in securing corporate assets make this goal difficult to achieve. In response, security vendors have developed a whole suite of products and services intended to keep your assets away from intruders.

With IDC projecting sales of Internet security products and services growing to around US$10.4 billion worldwide by 2003, there is no doubt that the security arena is getting crowded. Managed service providers (MSPs), for example, offer an attractive alternative to doing it yourself: for monthly or annual fees, these companies will commission and manage firewalls, virtual private networks (VPNs), intrusion detection systems (IDS) and even a public key infrastructure (PKI).

It should be said, though, that when it comes to information security management this type of service provides very limited value. Its main goal (and real benefit) is to reduce the total cost of ownership (TCO) of the equipment, not to secure your assets.

Very few managed service providers offer you any real choice of products either; in practice they are usually tied to a restrictive partnership with a single security vendor. This means that if you wish to use their services, the MSP will impose its choice of solution, whether or not it is the most appropriate for your business needs.

All is not lost, however, as a new type of service provider has lately emerged: the Managed Security Monitoring (MSM) provider. These companies commission seasoned security experts to carry out regular vulnerability assessments, penetration tests and more. But if they only analyse the external interfaces of an organisation, they too offer limited value.

Most of us will have heard by now that insiders conduct most attacks. The figures vary (between 60% and 80% are commonly quoted), but they show that the risk from insiders should never be overlooked. An external monitoring service also assumes that some kind of risk analysis has been carried out to determine the most critical systems, and that the service provider has built a close enough working relationship with the customer to reduce the level of noise (false alarms) in what it reports. It further assumes that an event profile has been built which enables the service provider to distinguish between normal and abnormal patterns of activity.

This is a laborious process that does not scale well, and it still misses one of the most important points: who is monitoring your adherence to the processes, best practices and standards? In other words, who keeps you informed as to whether or not you are doing the right thing in terms of information security management?

Security consultancy companies are a possible answer. Unfortunately, most consultancies provide one-off assignments to their customers, such as security audits, vulnerability assessments and penetration tests. This philosophy goes against the very ethos of information security management. Information security management is like a person: perfection does not exist in this world, we all have strengths and weaknesses, and we continually try to improve on them.

In short, a security audit does not make your assets secure. It will certainly improve the level of security, but it will not keep them safe; it is worth remembering that many companies which have been breached had already been through security audits. So how can you efficiently protect your company's assets? So far a lot of money has been thrown at complex technical solutions, including firewalls, intrusion detection systems, content filtering, authentication and more. Unfortunately this abundance of technology has not addressed one of the most basic issues in network security, and the one at the origin of the majority of breaches and asset thefts: the failure to patch known vulnerabilities.

So far system integrators have dominated the infrastructure market. Most of them have very strong partnerships with leading hardware and software vendors, and the solutions they propose are built around those products. The situation gets worse when system integrators claim to secure their customers' assets by deploying very complex and expensive solutions that focus purely on technology. Choosing a partner with a consultative approach instead enables the service provider to understand the customer's business and provide a bespoke solution based on the customer's business requirements, not the service provider's.

So far we have focused purely on technology; let us not forget the human element. A lot of companies have a firewall and intrusion detection systems, and use VPNs to communicate with their customers and partners. And yet they still get defaced or breached!

How do they remain vulnerable with that amount of technology? The Microsoft Internet Information Server (IIS) vulnerability exploited by the Code Red worm, a buffer overflow in the Index Server ISAPI extension (idq.dll) described in Microsoft bulletin MS01-033, could easily have been fixed with the patch Microsoft posted in June 2001. When the worm was launched in July, it still had no trouble propagating to some 250,000 unpatched IIS servers in 9 hours. Firewalls did not help: the worm arrived as an ordinary HTTP request on port 80, exactly the traffic a web server's firewall is configured to allow. If the human being is the weakest link, security policies and processes must be integrated into the day-to-day operations of any business.
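The point of the Code Red example is that the attack was visible all along to anyone looking at their web server logs: every infection attempt was a GET request for /default.ida with a long run of "N" (first variant) or "X" (second variant) characters followed by the %u-encoded overflow payload. The script below, an added example that is not part of the original article, scans IIS W3C extended log lines for that signature. The log lines are constructed for the example; the field order (date, time, server IP, method, URI stem, URI query, port, user, client IP, user agent, status) is the default W3C layout and is an assumption of the parser.

```python
import re

# Fields of the default IIS W3C extended log format (an assumption of this example).
FIELDS = ["date", "time", "s_ip", "method", "stem", "query",
          "port", "user", "c_ip", "agent", "status"]

# Code Red requested the Index Server ISAPI extension through /default.ida with
# a filler of N (CRv1) or X (CRv2) characters and then the %u-encoded overflow.
CODE_RED_STEM = re.compile(r"^/default\.ida$", re.IGNORECASE)
CODE_RED_QUERY = re.compile(r"^(N+|X+)%u9090%u6858%ucbd3%u7801", re.IGNORECASE)

# Constructed sample overflow tail (shortened from the real worm's 224-byte filler).
_OVERFLOW = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"

# Constructed sample log, not real traffic. RFC 5737 documentation addresses are used.
SAMPLE_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2001-07-19 10:15:01 10.0.0.7 GET /index.html - 80 - 203.0.113.5 Mozilla/4.0 200",
    "2001-07-19 10:15:02 10.0.0.7 GET /default.ida " + "N" * 40 + _OVERFLOW + " 80 - 198.51.100.23 - 200",
    "2001-07-19 10:15:03 10.0.0.7 GET /default.ida " + "X" * 40 + _OVERFLOW + " 80 - 198.51.100.24 - 404",
    "2001-07-19 10:15:04 10.0.0.7 GET /products.asp id=3 80 - 203.0.113.9 Mozilla/4.0 200",
])


def parse_line(line):
    """Split one W3C log line into a dict, or return None for comments and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_code_red(entry):
    """True when the request matches the Code Red stem and payload signature."""
    return bool(CODE_RED_STEM.match(entry["stem"]) and CODE_RED_QUERY.match(entry["query"]))


def scan_log(text):
    """Return one finding per Code Red probe: source, variant and server status.

    The status matters: a 200 means the .ida mapping was still present, while a
    404 means the mapping had already been removed (the documented workaround),
    so the request could not reach the vulnerable extension.
    """
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_code_red(entry):
            continue
        variant = "CRv1" if entry["query"].upper().startswith("N") else "CRv2"
        findings.append({
            "time": entry["date"] + " " + entry["time"],
            "source": entry["c_ip"],
            "variant": variant,
            "status": int(entry["status"]),
            "ida_mapping_present": entry["status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, the scanner reports two probes, one per variant, and shows that the host answering 404 had already removed the .ida mapping. Pointed at a real 2001-era IIS log, the same logic tells you whether you were hit and whether you were exposed when it happened.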

The British Standards Institution (BSI) created a set of best practice information security recommendations, BS 7799, whose code of practice became an international standard (ISO 17799) adopted by the worldwide community. Being certified against this standard (certification is actually carried out against BS 7799 Part 2, the management system specification, since ISO 17799 itself is a code of practice) will not guarantee that your security cannot be breached. It will, however, help you build a better business model by integrating information security at the very heart of your business decisions.

To manage information security efficiently, managers and directors should be able to see, at any point in time, the security posture of their business, and to adjust the controls so that they keep adhering to the information security standards. Companies that can offer an ongoing gap analysis of your security posture against the standards published by bodies such as BSI and ISO will provide you with the best information security management services.

Information security management is like a puzzle. So far most service providers have offered a little piece of that puzzle without really relating it to the bigger picture. Their answer has often been an unnecessarily complex solution at the customer's expense. Information security is neither a static certification nor a technology issue. It is a living business process which has to be managed, monitored and improved permanently.

So finally, how will you find your way in this jungle? By relying on companies that provide genuinely value-added services and look at the big picture, information security management will become a business enabler rather than a cost issue.