TISC Insight, Volume 2, Issue 15

Welcome to Volume 2, Issue 15 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists teach and speak at The Internet Security Conference.

The editorial calendar at this time includes:

Previous issues are posted here.

TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.

Enjoy, and be safe,

Dave

Most security surveys I've seen attribute somewhere in the vicinity of 60-75% of security incidents to insiders. Today's columnist, Sharon Polsky, offers the opinion that, in reality, 100% of security incidents are caused from within the organization. Lost productivity, compromised information assets, and increased legal liability are the consequences of "uncontrolled information security, inappropriate e-mail use, and personal use of IS/IT resources". Sharon takes a unique tack by asking organizations to take ownership for their failure to develop, implement and maintain a comprehensive security policy. She also points out ways to begin to address the policy development.

Happy reading!


FEATURE COLUMN

Covering your Assets

Sharon Polsky, President
Project Scope Solutions Group

How many times in the last year has your company been the victim of information security breaches? Do you really know?

The increased use of e-mail and e-commerce has created a major threat to corporations in every industry and sector. In the rush to enter the world of cyber-commerce, companies have overlooked the actual and potential risks - and substantial costs - of information security and cyberliability issues.

Media reports attributing those risks to the external activity of virus attacks, hackers, and other infiltrators are becoming commonplace. In reality, though, 100% of security breaches are caused from within an organization. It is the average user who commits or contributes to security breaches - although often without realizing that their behavior attracts risk.

The ISBS 2000 Information Security Breaches Survey determined that 60% of organizations interviewed suffered some form of security breach in the last 2 years. Similarly, 50% of respondents to the 1998 FBI/CSI survey reported experiencing at least one significant security-related incident. The 1999 FBI/CSI survey revealed that employee cyberslacking - abuse of Internet access - occurred in 97% of companies surveyed.

In July of 2000, Dow Chemical Co. fired 50 employees and disciplined 200 others for e-mailing pornography and violent images from company computers - during a one-week period.

The Risks

The cost to business in lost productivity, compromised information assets, and increased legal liability resulting from uncontrolled infosecurity, inappropriate e-mail use, and personal use of IS/IT resources is among the most rapidly growing business risks.

Adding to that risk are the increased acceptance and reliance on e-business, increasingly sophisticated computer networks, wireless and other e-merging technologies - all opportunities for information to be jeopardized.

The high risk presented by people using some technologies has resulted in certain products being banned from workplaces. Monitoring technology is revealing other aspects of the problem. Some estimates indicate that inappropriate web surfing costs Corporate America more than $1 billion a year. The cost of internal security threats alone can be staggering. One large California-based company recently lost $500 million U.S. from employees engaging in computer crimes.

The public nature and media attention of some security breaches has heightened awareness of a need to protect information and to safeguard personal and corporate privacy. For many organizations that awareness has translated into a rush to protect and secure their networks.

When looked at from an organizational perspective, IS/IT departments cannot be viewed as independent systems. Like a body's reliance on complementary systems and functions, organizations rely on their IS/IT Departments as an integral function of the company. Many CIOs and systems managers view their roles as isolated and often unrelated to the functional departments throughout the organization. In reality, however, theirs is an integrated function that affects and is affected by other departments and users. There clearly is a cause-and-effect of interdepartmental reliance on IS/IT; but the broad-reaching ramifications that can occur from failing to implement appropriate use policies are often overlooked.

The increasing risk is often because CEOs/CFOs/CIOs and IS/IT managers:

In response to heightened awareness of the need to protect information assets, many organizations have researched alternatives and purchased firewall protection. It is astounding to discover how many IS/IT/IM managers think that their systems are protected because a firewall has been purchased - even though it remains in the shrink-wrap.

The Myth

Discussing information security with leading software development companies has garnered a range of comments, often along the lines of: "We don't need any policies. We have a firewall, and we trust the people who work here."

If indeed that were the case, physical security measures would adequately protect systems from external intrusion. On the contrary, organizations are requesting security audits at an ever-increasing rate, and firewall developers are aggressively trying to fashion solutions to meet a range of business needs.

Security auditors typically recommend that clients establish IS/IT policies, and that they implement tools to help monitor users' adherence to those policies. Proponents of firewall technology who pronounce "Network firewalls are great for implementing a security policy between different networks" (SecurityPortal.com) often make the same false assumption expressed in many audit reports - namely, that policies already exist.

All of these measures explore physical controls - and overlook the most fundamental aspect of information security: human nature. They also falsely assume that policies already exist.

The Misconception

Governments, industry groups, and some business leaders have expressed concern at the growing threat to business and economy, and are demanding new legislation to address the problem. Indeed, some groups deem computer and Internet crimes to be an entirely new class of crime. In reality, the types of crime committed are not different; they are merely committed in a new arena. In the same way that theft predated cars - and thus the crime of auto theft - so too do fraud, theft, and other crimes of opportunity predate computers and the Internet.

U.S. Attorney General Janet Reno recently warned, "Substantive laws and procedural tools are not always adequate to keep pace with the rapid changes in technology." Laws are particularly ineffective when, as shown in the 1999 Integralis survey, "42 per cent of companies were unaware of any laws or regulations relevant to use of e-mail and Internet."

The Missing Link

Using computers without any guiding policies is like playing a refereed sport without a rule book. What is allowed in one game is declared illegal in the next. Players are at the mercy of referees' whims. And, with no rules to refer to, players and coaches have no way to challenge the Ref's call.

What happens when there are no policies to tell employees and other users what is - and is not - allowed on company computers is no different. In the absence of policies indicating that any use is prohibited, users might assume that all activity is allowed.

Broad-reaching ramifications can result from failing to implement appropriate use policies. For example, an employer might view personal use of company computers as theft of company time. But without policies that define the boundaries of acceptable use, the company might have no recourse to reprimand cyberslackers. And if the company does reprimand or fire the employee, the company might face a wrongful dismissal lawsuit.

Ironically, while many companies have control measures in place for various business areas, and surveys have shown that 86% of respondents think accurate policies are extremely important, only 14% of respondents had critical areas documented, and 57% had no documented policies at all.

Organizations usually have policies dealing with Human Resources, but those often are a restatement of Labor Standards legislation. Alarmingly few organizations consider where that confidential information is stored; who has access to that information; and what the consequences would be if the privacy of that information were to be jeopardized.

The Remedy

All information is valuable - even information that is ultimately destined for public release. Careers and businesses are built on knowledge, and protecting our personal and corporate information is vital. Information security is a fundamental but seldom-discussed aspect of computer security - and failing to protect that information is risky business.

Mechanisms for measuring inappropriate computer practices are available, but do little to prevent those practices from occurring in the first place. Despite increasing publicity of the need for information security measures, "companies are putting up walls or filling in holes and are not building a secure environment based on a cohesive, holistic security policy".

The most effective way to increase productivity and protect information assets - and to guard against lawsuits, losses, and risk - is to develop clear policies for appropriate use of information assets, computers, e-mail, Internet access, and other fundamental information security components.

The first step in that process is for management to make a realistic evaluation of the various types of information within the corporation and the level of acceptable risk for each type of information, and then develop IS/IT policies to address the level of risk for each type of information. To fairly assess what constitutes "acceptable" risk, consider the interdependencies between various functions, systems, and departments.

Companies must take an aggressive approach to information security by developing policies that are comprehensive, consistent, and implemented throughout the organization. Striking a balance that reflects both the corporate philosophy and work environment is necessary to avoid users' fear of Big Brother, and so the policies themselves ought not be aggressive.

The best way to stay ahead is to stay informed. In addition to attending security-related conferences such as TISC, ISOC NDSSC, InfoSecurity Europe and security symposia presented by USENIX and IEEE, a wealth of information is available online. Referring to reliable sources for information about information security, cyberliability, and policy development issues can help management and users in their quest to develop policy solutions - and to ensure that those policies are amended to reflect changes in security threats and technological developments.

In addition to Internet searches for terms such as "security policy" and "cyberliability" and "information security" or "infosecurity", consider referring to online resources and policy development models such as:

IS/IT policies must be specific to ensure that all users understand precisely what e-mail and Internet uses are and are not permissible. For the policies to be comprehensive and protect both the company and the users, all aspects of computer use must be addressed. To ensure that all levels of user ability are addressed, the policies must include fundamental information such as accountability for passwords, logon accounts, and system use. Management and more sophisticated users will appreciate the value of having policies that mandate verifying the internal use and security policies of suppliers, including ASPs and offsite storage facilities. Delineating acceptable behavior in the workplace, ownership and marking of intellectual property, and appropriate use and handling of software source and executable code are other examples of policies that must be asserted.

The final step in establishing workable policies is to promote and apply them in a consistent manner. If the policies include monitoring provisions, it is prudent to have users acknowledge, in writing, that they are aware that monitoring is conducted by the organization, and of other corporate IS/IT policies. Educating users about the policies - not merely that policies exist - helps garner trust and support, and increases acceptance levels.

IS/IT policies - that set out what is and what is not permitted - protect users at all levels in a corporation because everybody knows the rules of the game.

With clear and workable policies in place, everybody can play the same game by the same rules. Along the way, users might become more enthusiastic about their own work when they realize their productivity has increased and their risk has decreased.

Additional Reading

If you are interested in pursuing this topic further, visit Paper #2: A Matter of Trust, by Ray Kaplan, Guardent, Inc.

Other TISC 2000 "best of conference" papers are available at http://tisc.corecom.com/best_of_show.html.


© 2000 - 2006 Core Competence & Mactivity, Inc.