A Practical Guide to Security Assessments
drug for them. This information is competitive in nature and very critical to their business.
Drug companies must employ appropriate security measures to protect this information.
However, companies have always had critical information, and securing this
information has always been a concern. Several factors have made securing data a
more significant issue today. Some of the factors driving this include:
• The Internet and the availability and accessibility of information
• The shift from information on paper to information in electronic format
• The integration of systems
• New legislation and the legal environment
• Cyber-related threats
THE INTERNET AND THE AVAILABILITY AND ACCESSIBILITY OF INFORMATION
Technology and the Internet have made information more accessible and available
than ever before. Through the use of electronic mail, the Internet, and other electronic
means, information is widely accessible. Sensitive and confidential information is
exchanged by electronic mail, which has become a standard and acceptable form of
communication. Much of the information sent over e-mail is confidential in nature.
Anyone using electronic mail on a regular basis knows how easy it is to share
information this way — e.g., with a simple “Forward” command, information can
be disseminated to countless people with the press of a button. Some also know how
inherently insecure electronic mail is and how the confidentiality of e-mail can be
breached. Someone who is technically savvy can intercept mail or employ social
engineering techniques to gain unauthorized access to a person’s mail account.
Besides electronic mail, the accessibility and availability of information have
been promoted in other ways, including company Web sites, Internet bulletin boards,
and message boards. Information about companies is out on the Internet and there
for the taking. By doing some simple searches and researching a company using
freely available tools on the Internet, one can find out quite a bit of information
about a company and its systems. This type of company-related information combined with software tools has made hacking a front-page issue. Hacking has evolved
considerably and is now a risk for any company with a presence on the Internet or
connected electronically in some way. Insiders can also use this information along
with what they already know about a company to hack into a company’s systems.
Although companies can benefit significantly from having information about their
business on the Internet, minimizing any sensitive information that can eventually
be used for malicious activities is a challenge.
Access and availability of information have made sharing information very easy
and efficient. As a result, considerable security implications exist including access
control, protecting information in transit, Internet-related security, etc. Determining
whether controls to secure these processes exist is one aspect of a security assessment. How to determine and quantify these risks will be discussed in greater detail
later in this book.
Evolution of Information Security
SHIFT FROM PAPER-BASED TO ELECTRONIC-BASED INFORMATION
In the past, many business functions were paper based; for example, mail was in
the form of memos written on paper, and many financial records were on paper. On
paper, information was tangible, and people who were responsible for safeguarding
it could secure it physically and not worry about it. Sensitive information was locked
up in file cabinets, which remained secure because few people had the keys to them.
Critical information could be physically secured in such a way that only those who
needed it could access it. The question of electronic access was not as prevalent.
Today, a significant amount of information exists in electronic format. Everything
from documents to mail to pictures is in electronic format, including some things
that people do not normally think of as having security implications, such as
employee photos used in creating IDs or other sensitive employee information. The
distributed environment and the Internet coupled with sensitive documents, pictures,
etc. in electronic format have made sharing and communicating this information
very easy, to the point where it is now in the mainstream.
With this ability to share and communicate information electronically, people
and companies have less control over its distribution. Companies must take measures
to protect the confidentiality of information through sophisticated access control
measures, which are more complicated than the measures to physically protect
information. Controlling access to information, with today’s companies, can be
internal (e.g., employees) and external (e.g., business partners). Besides access
control, security measures are required to ensure the integrity and availability of
electronic information. The security measures required are a moving target as both
business and technology are changing at a rapid pace.
Companies have generated significant efficiencies in their business processes by
having information in electronic format, and at the same time, have introduced new
security concerns into the equation.
INTEGRATION OF SYSTEMS
Another key difference today is the integration of systems. Today’s systems are very
integrated internally (e.g., local and wide area networks, company intranets) and
externally (e.g., business-to-business). To keep up with business today, systems must
be able to talk to each other and process information quickly. With today’s business
requirements and stiff competition, companies want the most up-to-date information
at their fingertips so that they can make the best decisions possible. Having systems
talk to each other and centralizing information provides executives with this type of
information.
Integration has happened at the network and application levels. Networks are
linked all around the world through wide area networks and the Internet. The Internet
is leveraged to connect a company’s network to other companies’ networks. For
example, virtual private networks (VPNs) are commonly used to create secure
tunnels of traffic between two parties. On the application side, there is ERP, which
includes packages such as SAP and Peoplesoft, which have significantly changed
how companies do business. ERP systems by nature are integrated, and if used to
full functionality, systems such as accounting systems and their components (e.g.,
accounts receivable, accounts payable) are tightly integrated with manufacturing-related systems and all are integrated with financials. These integration aspects have
provided considerable benefits that have resulted in better information and operating
efficiencies in areas such as finance and the overall supply chain.
Integration of networks and applications has given companies the ability to share
information across wide area networks and the Internet, enabling cost-effective
communication between employees in multiple locations around the world. Also,
the integration of business systems (e.g., financial, accounting, production) and
currently, e-business integration, have made information processing much more
efficient. Based on a report from Nucleus Research reported in Computerworld magazine, “…e-business integration software such as Microsoft Corp.’s BizTalk Server and BEA Systems Inc.’s WebLogic Integration have helped companies leverage existing investments in their IT infrastructures through both internal links and business-to-business connections. Many of the returns from such projects result from a streamlining of data flows between applications and access to a broader set of information for end users.”[3]
Although system integration has yielded benefits, some security concerns have
arisen as a result of it, which are discussed below:
• Confidentiality of data — With much information in electronic format and the ease with which information can be distributed, management has little control over the distribution of information if proper access controls are not in place. Information such as consolidated financial data or pricing information is very sensitive, and access to it should be controlled through a process where individuals are given access to only what they need to do their jobs. Giving the appropriate level of access can be time consuming and requires a documented process both for giving access to employees and taking away access from terminated employees or employees who have changed jobs. Enforcing strict access rules is critical in these cases, considering the sensitivity of the information being processed.

• Integrity of data — As systems are integrated, a risk exists that information may be unintentionally changed. The reliability of data from systems is based on the integrity of the data. Proper validation steps to ensure the integrity of data should be in place. Some of these steps may include manual or automated verification of data at different stages of processing.

• Availability of data — Information is needed in real time for mission-critical applications. Systems need to be available so that critical functions such as e-mail and business applications can run properly. Some specific systems, such as e-commerce systems and those systems that provide services to the general public, have significant high availability requirements. If these mission-critical systems are down, loss of productivity and potential financial impact in the form of lost revenue may follow.
LEGISLATION
Another aspect that is different today is legislation that has information security
implications. Although some legislation, such as the Computer Security Act of 1987,
existed in the past, no specific pieces of legislation forced companies to implement
security measures to protect the privacy and confidentiality of information.
Two well-known laws that require information security are the Health Insurance
Portability and Accountability Act (HIPAA) and the Gramm–Leach–Bliley Act
(GLBA). HIPAA and the GLBA (both discussed in greater detail later in this book)
are applicable to health care–related entities and financial services companies,
respectively. Each of these laws has an information security component, which
mandates companies to have certain information security measures in place to protect
sensitive personally identifiable information. In both industries, there is a public
interest in maintaining the privacy of people’s personal information. Review of the
information security requirements in both laws indicates that they are essentially
requiring companies to implement sound information security programs. This legislation recognizes that only a comprehensive information security program consisting of people, processes, and technology can effectively secure the information assets
of a company and specifically, consumers’ personally identifiable information. One
of the key parts of the legislation is the requirement to perform a risk analysis or a
security assessment to determine the security risks, so that appropriate measures can
be put in place.
In addition to these regulations, the Federal Trade Commission (FTC) is becoming influential in enforcing good information security practices. One of the functions of the FTC is to “enhance the smooth operation of the marketplace by eliminating acts or practices that are unfair or deceptive.”[4] The FTC is taking a very active role in ensuring that companies live up to any claims they make regarding how they secure consumer information.
Example.
In the summer of 2003, the FTC launched an investigation against a pet supplier, PETCO, because of a security incident that left approximately 500,000 credit card numbers exposed and accessible from the Internet. The basis for the investigation was PETCO’s privacy claim, which stated, “At PETCO.com our customers’ data is strictly protected against any unauthorized access.” In the case of PETCO, an independent programmer had discovered that a database with sensitive information had a structured query language (SQL) injection vulnerability.
The FTC has been a leading force in trying to enforce companies’ claims
regarding how they safeguard information. They consider information security an
element of fair information practices, which are defined as companies taking “steps
to protect the security of the information they collect from consumers.” Based on
this, the FTC has quite a bit of latitude in being able to enforce good information
security practices.
To help achieve compliance, consulting firms and law firms have created offerings around helping organizations achieve compliance with these laws. The laws have led to the development of assessment software and variants of existing security
architecture components such as firewalls and intrusion detection systems, which
claim that their products help achieve compliance with these regulations.
The laws have helped develop awareness of information security issues. HIPAA,
for example, receives a decent amount of exposure in the media. As consumers see
that the government is stepping in to force health care companies to properly secure
electronic patient information, consumers are beginning to understand that there are
potential security issues related to the privacy and security of their personal information, resulting in greater awareness. This legislation, to some extent, has led
consumers to understand the implications of their personal health information being
compromised.
In most cases, these regulations essentially call for good, solid information
security programs. They call for the key elements of information security programs
such as risk assessments, security policies and procedures, and enforcement. Each has
its particular nuances, but in the end, it is about protecting data, critical systems, etc.
CYBER-RELATED THREATS
The final major difference today is the cyber-related threat. Before the Internet and
networking became pervasive, the main threats were of a physical nature. Although
physical threats have not disappeared, cyber-related threats are very prevalent today.
New attacks are constantly developed and are becoming more sophisticated every
day. The Internet has enabled “script kiddies” to download tools and scripts to launch
attacks. Hacker tools are readily available on the Internet. Companies must be
vigilant to guard against threats that can cause harm, ranging from a denial-of-service attack, where systems are made unavailable, to individuals breaking into systems and stealing credit card information. These are but two examples that
can have significant effects on a company’s well being. The results of these types
of attacks can directly impact revenue and the bottom line. For example, some
companies that are heavily dependent on their e-commerce activities, such as Amazon, which generates significant revenues from online activities, could sustain permanent damage if people’s credit card information was compromised or if the site
was unavailable for an extended period of time. A recent case of cyber crime involved
PayPal, a company that handles online payments for e-commerce sites.
Example.
Unsuspecting users were sent an e-mail asking them to go to another Web site to confirm that they are authorized PayPal users. The e-mail sent to PayPal users said, “To confirm that you are an authorized PayPal member, authorization is needed. The New SSL 4.0 Secure Socket Layer has been updated to the PayPal servers. To be authorized, please visit https://www.paypalauthorization.com/. After completion, you will receive [sic] and [sic] e-mail confirmation within 24 hours of reciept [sic]. Thanks for using PayPal!, PayPal Security Team.”[18] Once users went to the fake Web site, they entered personal information about themselves including credit card information. Some users were victimized as their credit card–issuing banks called soon after the scam to say that suspicious activity in their accounts had occurred.
For many consumers, security is one of the most significant concerns when
purchasing online. To some extent, it is holding back the growth of business-to-consumer activity. In a survey conducted by the Center for Communications Policy