Computer Systems Security in an Internet Age: Part One

During the 1980s and 1990s, the very nature of computing changed markedly with the advent of the Personal Computer. Business workflows were revolutionized, competitive advantages and tremendous new opportunities were created, and computer use spread through businesses and into many of our homes. New industries rose and empowered savvy businesses to succeed. Moore’s Law was fulfilled as processing power doubled again and again, and more and more computing power became available to the average person. But rewards are not without their risks.

In 2000, depending on the source, between $7 and $9 billion in damage was done by the “I Love You” virus. According to the 2001 Computer Security Institute (CSI) and FBI “Computer Crime and Security Survey,” 38 percent of respondents detected Denial of Service attacks, compared with 11 percent in 2000. And the recent Code Red worm is estimated to have infected somewhere between 300,000 and 450,000 web servers and caused over $2 billion in damage. These incidents represent only the “tip of the iceberg,” since most security breaches are never reported, out of fear of negative publicity and further attacks. It is noteworthy that one of the most publicized aspects of the forthcoming Windows XP operating system has been concern over its security vulnerabilities. Not only has the nature of computing changed; so too have its risks and dangers.

The silver lining to these dark clouds is that these issues are addressable. Technologies are available and affordable that can help protect networks of all sizes and configurations from the dangers of the Internet, and from the equally significant threat of internal security breaches. In this column, I will break down the issues, with examples of the available options and solutions, so that you can clearly understand how to go about protecting your computer network and your business resources.
In information security, a definition of terms is a good place to start. William Cheswick and Steven Bellovin are noted security experts, and in their book “Firewalls and Internet Security” (Addison-Wesley, 1994) they suggest that “security is keeping anyone from doing things you do not want them to do, with, on, or from your computers or any peripheral devices.” The key is to break this definition down further: define what you want to protect, then all of the potential “whos” and the potential actions those entities can take, and then determine which actions you want to allow and which you want to disallow. The result, when documented, is called a Security Policy, and your computer systems should then be configured to implement that policy. That sounds simple – and in fact that part is – because these are business decisions, not technical ones. The process requires upper management involvement to approve the decisions, so that they are supported when it matters.

Furthermore, an important element of planning a security strategy is defining the various risks to your business, intelligently assessing them and the business and financial impact or exposure in each area, and determining the appropriate investment in each area of exposure to protect the business against that risk. A $10,000 risk does not justify a $20,000 security system, but a $200,000 risk probably does. Risk can be defined many ways, including downtime/business disruption, loss of business secrets and information, bad press/publicity, or loss of competitive advantage. All of these factors, and the weight to place on each in your environment, are unique to your business, which underscores why this area requires both technical and management personnel to properly address the issues. Your Security Policy is therefore a reflection of your business goals and objectives, and of how you want technology used to achieve them.
Once the policy is defined, you will need to select appropriate technology components to achieve those goals. These elements could include Firewalls, Virtual Private Networks, Intrusion Detection Systems, Authentication Systems and Digital Certificates. In future columns we will explore the various threats and the potential elements of a complete system for properly securing a business (from small to large), and will close out the series with some high-level issues and considerations in implementing and managing a security system. Not all components will be necessary for all networks – remember that the security technologies follow from your business goals, which will be different for each organization. Our goal in this column will be to make the options and decision criteria understandable for business decision-makers.
This site last updated 01/05/03