A Practical Guide to Security Assessments
architecture components such as firewalls and intrusion detection systems, which
claim that their products help achieve compliance with these regulations.
The laws have helped develop awareness of information security issues. HIPAA,
for example, receives a decent amount of exposure in the media. As consumers see
that the government is stepping in to force health care companies to properly secure
electronic patient information, they are beginning to understand that there are
potential security and privacy issues surrounding their personal information. This
legislation, to some extent, has led consumers to grasp the implications of their
personal health information being compromised.
In most cases, these regulations essentially call for good, solid information
security programs. They call for the key elements of an information security program,
such as risk assessments, security policies and procedures, and enforcement. Each has
its particular nuances, but in the end, each is about protecting data and critical systems.
CYBER-RELATED THREATS
The final major difference today is the cyber-related threat. Before the Internet and
networking became pervasive, the main threats were of a physical nature. Although
physical threats have not disappeared, cyber-related threats are very prevalent today.
New attacks are constantly developed and are becoming more sophisticated every
day. The Internet has enabled “script kiddies” to download tools and scripts to launch
attacks; hacker tools are readily available online. Companies must be vigilant to guard
against threats that can cause harm, ranging from a denial-of-service attack, which
makes systems unavailable, to individuals breaking into systems and stealing credit
card information. These are but two examples that can have significant effects on a
company’s well-being. The results of these types of attacks can directly impact
revenue and the bottom line. For example, companies that are heavily dependent on
their e-commerce activities, such as Amazon, which generates significant revenues
from online activities, could sustain permanent damage if people’s credit card
information were compromised or if the site were unavailable for an extended period
of time. A recent case of cyber crime involved PayPal, a company that handles online
payments for e-commerce sites.
Example.
Unsuspecting users were sent an e-mail asking them to go to another Web
site to confirm that they were authorized PayPal users. The e-mail sent to PayPal users
said, “To confirm that you are an authorized PayPal member, authorization is needed.
The New SSL 4.0 Secure Socket Layer has been updated to the PayPal servers. To be
authorized, please visit https://www.paypalauthorization.com/. After completion, you
will receive [sic] and [sic] e-mail confirmation within 24 hours of reciept [sic]. Thanks
for using PayPal!, PayPal Security Team.”[18] Once users went to the fake Web site, they
entered personal information about themselves, including credit card information. Some
users learned they had been victimized when their credit card–issuing banks called soon
after the scam to report suspicious activity in their accounts.
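The PayPal message above illustrates the hallmark of this kind of scam: the body invokes a trusted brand while the link points to a domain the brand does not own. The following Python script is an added example, not code from the book; it scans a message body for links whose registrable domain does not match the brand's legitimate domain. The brand-to-domain mapping (paypal to paypal.com) is an assumption for the example, and the sample body is the e-mail text quoted above.

```python
import re
from urllib.parse import urlparse

# Sample message body, constructed from the phishing e-mail quoted above.
PHISHING_BODY = (
    "To confirm that you are an authorized PayPal member, authorization is needed. "
    "The New SSL 4.0 Secure Socket Layer has been updated to the PayPal servers. "
    "To be authorized, please visit https://www.paypalauthorization.com/. "
    "After completion, you will receive and e-mail confirmation within 24 hours of "
    "reciept. Thanks for using PayPal!, PayPal Security Team."
)

# Brand names and the registrable domain each is legitimately served from.
# Assumed mapping for this example; a real deployment maintains its own list.
BRAND_DOMAINS = {"paypal": "paypal.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ('www.paypal.com' -> 'paypal.com').
    Adequate for .com-style names; full public-suffix handling is out of scope."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_brand_mismatches(body: str) -> list[dict]:
    """Flag every link in a message that mentions a known brand (in the link host
    or anywhere in the body) but is not served from that brand's own domain."""
    findings = []
    lowered = body.lower()
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        for brand, legit in BRAND_DOMAINS.items():
            if (brand in host or brand in lowered) and domain != legit:
                findings.append({"url": url, "domain": domain, "expected": legit})
    return findings


if __name__ == "__main__":
    for f in find_brand_mismatches(PHISHING_BODY):
        print(f"suspicious link {f['url']}: host {f['domain']}, expected {f['expected']}")
```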
For many consumers, security is one of the most significant concerns when
purchasing online. To some extent, it is holding back the growth of business-to-consumer
activity. In a survey conducted by the Center for Communications Policy
AU1706_book.fm Page 14 Tuesday, August 17, 2004 11:02 AM