Six top security issues for executives

Sun Tzu, a legendary Chinese strategist born more than 2,000 years ago, taught the importance of knowing both your enemy and yourself:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

-- Sun Tzu, in The Art of War, Chapter 3, Verse 18

Truer words were never spoken when it comes to information security. To succeed, you must know your enemy as well as your own strengths and weaknesses. The following are six issues of which executives should be aware to protect their systems.

1. Know Your Enemy

The faceless external attacker often plays the villain role in the traditional information-security drama. While such external attackers exist and are a real threat, internal misuse presents a much greater risk and must not be ignored. To truly know your enemy, you must consider and understand both external and internal threats.

2. Understand External Enemies

By definition, external enemies attempt to attack you from outside your corporate boundaries. These attackers may be teenagers in their parents' basements, miscreants in other countries or credit card thieves, among others. External enemies attack your enterprise for various reasons; some are more malicious than others.

Many external attackers resemble joy riders who steal cars for the fun of it. These attackers target your network to show off their skills and expertise to their peers. While they often have little malicious intent, they can cause vast amounts of damage to your systems.

Politics motivate other external attackers. They may want to deface your public Web site and use it as a venue for their political messages. Such political defacements occur relatively frequently, numbering in the hundreds per year.

Other motivations include theft, fraud, corporate espionage and even cyberterrorism. External attackers must be clever to infiltrate your perimeter defenses, but experience has shown that such infiltration is possible and, in some cases, even easy.

The external threat includes individual attackers manually probing and penetrating your networks, as well as highly automated attacks such as worm programs. For example, the Code Red worm attacked and compromised hundreds of thousands of hosts around the world in a matter of hours. Skilled attackers can create such worm programs with little effort. The threat from worms continues to grow, and protecting your systems against them is crucial.

3. Defend Against Internal Enemies

Many traditional security approaches concentrate on building and protecting a hardened perimeter to protect against the external threat. This approach would be sufficient if all enemies were external. In reality, concentrating on the perimeter only builds a false sense of security while leaving your organization vulnerable to attack and misuse by those who can hurt you most: insiders.

Insiders know what your most valuable information assets are, where they're stored and how to access them. An insider at a credit bureau drove the success of the recently apprehended identity theft ring that stole millions of dollars from individuals around the country (see story).

Not all inside enemies are full-time employees of your company. Contractors, temporary workers and former employees may have privileged access to your systems with little control over or oversight of their activities.

4. Know Yourself

In the context of information security, knowing yourself implies understanding your systems and staff as well as the security risks associated with both. If you don't know your own points of vulnerability and risk, it's difficult to protect yourself. Again, too frequently information security initiatives focus on external forces and neglect internal systems, vulnerabilities and threats. Judicious use of risk analysis tools and background checks can significantly improve your knowledge of your company.

5. Be Aware of Regulations and Consequences

Serious consequences exist for ignoring security. The regulatory climate for information security and privacy is increasing. The Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and various other federal and state regulations are raising the security bar for corporations by requiring minimum security standards to be in place. Companies that don't comply will face significant penalties in the future.

For example, a new law in California (effective July 1, 2003) requires businesses that own databases to disclose security breaches if certain personal information was or may have been compromised. Californians can bring civil actions for actual damages and injunctive relief against entities that fail to comply with the law (see story).

Businesses also face the possible loss of customer confidence and revenue in the face of a successful attack against their systems. Egghead Software's widely publicized security breach led to a precipitous drop in its stock price and revenue; the business never recovered, and Egghead closed its doors not long thereafter. Customers will not buy from companies that they do not trust.

6. Protect Yourself

Rather than solely relying on perimeter defenses, such as firewalls, to safeguard your enterprise, protect each critical server and data store against misuse. By protecting valuable information assets directly, you achieve protection against both internal and external threats. Proper protection includes using technology products (such as intrusion prevention, antivirus and access control software) as well as sound security processes (such as security policies and risk analyses). Using products and processes together to secure each critical asset yields the best protection.

Referring to warfare, Sun Tzu taught long ago the importance of knowing your enemy as well as knowing yourself. Information security is no different. Failure to understand the threats to your business and your ability to counter those threats could be catastrophic to your organization.

Yona Hollander is vice president of security management at Entercept Security Technologies, an intrusion-prevention software company in San Jose. He is part of Entercept's Ricochet Team, a specialized group of security researchers dedicated to identifying, assessing and evaluating intelligence related to server threats.

Related:

Copyright © 2002 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon