Imagine the scenario... The managing director arrives early one morning, logs on to the network and fires up his e-mail. It's not long before he realises there's a major problem.
The first 15 e-mails are from irate customers and partners. It transpires that the company's systems have been compromised. A hacker has posted sales forecasts, customer credit card numbers and several proprietary trade secrets on the Internet.
Make no mistake about it, there'll be a hefty bill for repairing the damage done. The 'charm offensive' needed to soothe disgruntled customers, an IT overhaul to ensure better protection against any future attacks and a PR campaign reassuring the marketplace that the company now offers a safe haven in which to do business. None of this will come cheap.
For his part, the managing director reasonably assumes that, since his company passed a written insurability audit to obtain coverage, his systems were well-defended against attack. He calls his insurance company to file a claim. That, ladies and gentlemen, is when the nightmare really begins...
The insurance company insists on conducting an extensive IT forensic analysis regarding the attack. Results will need to be compared against the application to see if the company had actually implemented the security measures claimed on its insurance form. Finally, the insurer denies the claim because it uncovered 'vulnerabilities' unknown to anyone on the company's IT staff, as well as new holes introduced through software upgrades subsequent to the application form.
Since the company in question never performed a test to determine what technical vulnerabilities existed prior to obtaining insurance, the managing director worries he's liable for the full damages from the attack. Ultimately, he's been paying for insurance coverage that provided no assistance whatsoever when he needed it the most.
Insurability in a virtual world
Many organisations regard risk management for on-line information resources as relevant only to technology vendors or e-commerce concerns. In truth, any organisation that stores critical business information on a network needs to protect against risk from external attack or internal misuse.
In addition to simply operating any business in a networked, global economy, drivers for the need include regulations, legal and shareholder liabilities, merger and acquisition considerations and insurability issues.
On-line asset protection is essential. In many cases, on-line assets are currency in today's global economies. Trade secrets, customer profiles, sales forecasts and accounting information need significant protection. To a growing number of companies it's the opening up of their supply chains, inventory systems or shared digital market places that's the key, and they must be protected. To others it's their web site, because that represents the company's 'public face'.
Security will be achieved by due diligence and an assessment – the kind that seeks to exploit vulnerabilities and correct them before an attacker has the chance to strike. Security due diligence through an assessment is the key to selecting a reliable and comprehensive insurance policy that will adequately protect your company's business operations. By definition, any process that allows underwriters to bind policies without any security assessment opens that business up to unnecessary risk.
Although a security policy is the best means for establishing and enforcing security management throughout an organisation, only an assessment provides the ongoing feedback necessary to ensure that baselines are in place and, crucially, that the security policy is having the intended effect.
Building an assessment programme
One of the myths about security assessments is that they are expensive, complicated or potentially destructive. In reality, powerful automated software tools make sophisticated testing a reasonably-priced alternative for any business, searching as they do for potential vulnerabilities in production environment hosts, networks, databases and applications – from both inside and outside your networks.
That said, quality of service is a serious consideration for the security manager. Although current offerings range from the hideously expensive to the free, caveat emptor ('let the buyer beware') definitely applies. Free system scans generally skimp on the breadth of tests being offered. More seriously, they don't contain the expert analysis required to determine the difference between true peace of mind and a disastrous false sense of security.
Security management is a complex, often confusing process. It takes an experienced security professional – not usually an IT manager – to generate the best results. For example, three seemingly unrelated 'medium' vulnerabilities are actually a common method for disguising a serious, aggressive attempt at hacking into a system. It's unlikely that a free or 'quickie' assessment would recognise such a pattern, or make appropriate recommendations for defending against it.
There are three options open to companies wishing to build a cost-effective information security risk management programme:
- develop a security policy, design/implement a security management system for IT networks and monitor the security process in-house;
- manage that process in-house, but use 'best-of-breed' products and consulting services from prominent security vendors;
- (possibly) outsource the security management process.
In general, only those organisations operating in highly regulated environments are willing to absorb the cost of an in-house solution. This expense must be incurred even though information security is rarely a core competence or 'revenue opportunity'.
Assess, remedy, monitor and insure
An effective information security risk management programme covers four key areas: assess, remedy, monitor and insure.
As we've seen, assessments are used to test systems for potential vulnerabilities using technical penetration from inside and outside the network. The results of ongoing assessments lead to immediate remediation for all medium and high risks. Each system is monitored on a regular basis to ensure that the 'security posture' is maintained and, finally, tightly-targeted on-line intellectual property and liability coverage transfers the remaining risk.
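The assess, remedy and monitor steps above amount to a loop over assessment results: triage everything at medium or above into a remediation queue, then compare each new assessment against the previous one so that a posture change (such as the holes introduced by software upgrades in the opening scenario) is caught before an underwriter catches it for you. The script below is an added example and is not code from the article or from Internet Security Systems; the finding fields, the check identifiers, the hosts and both assessment runs are constructed sample data, and the "three medium findings on one host" escalation rule is an assumed threshold standing in for the kind of pattern an experienced analyst would look for.

```python
"""Assess -> remedy -> monitor over constructed assessment findings (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Ordering used for triage; the article's remediation rule is "medium and above".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    host: str       # assumed: host name as reported by the scanner
    check_id: str   # assumed: scanner check identifier (constructed values below)
    severity: str   # "low", "medium" or "high"


# Constructed baseline: the assessment run when the insurance application was made.
BASELINE: List[Finding] = [
    Finding("web01", "tls-weak-cipher", "medium"),
    Finding("web01", "dir-listing", "low"),
    Finding("db01", "default-credentials", "high"),
]

# Constructed follow-up run after a software upgrade: one high fixed, one new high,
# and two new mediums on the web host.
CURRENT: List[Finding] = [
    Finding("web01", "tls-weak-cipher", "medium"),
    Finding("web01", "verbose-banner", "medium"),
    Finding("web01", "http-trace-enabled", "medium"),
    Finding("db01", "unpatched-service", "high"),
]


def _key(f: Finding):
    return (f.host, f.check_id)


def remediation_queue(findings: List[Finding], minimum: str = "medium") -> List[Finding]:
    """Assess -> remedy: every finding at or above `minimum`, highest severity first."""
    threshold = SEVERITY_RANK[minimum]
    queue = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return sorted(queue, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.check_id))


def posture_drift(baseline: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Monitor: what was fixed, what persists and what is new since the previous run.

    A non-empty "new" list is the signal that the posture claimed at application
    time no longer matches reality and needs remediation before a claim is ever filed.
    """
    before, now = set(baseline), set(current)
    return {
        "fixed": sorted(before - now, key=_key),
        "persisting": sorted(before & now, key=_key),
        "new": sorted(now - before, key=_key),
    }


def escalate_clusters(findings: List[Finding], threshold: int = 3) -> Dict[str, List[str]]:
    """Flag hosts carrying `threshold` or more medium findings for expert review.

    Assumed rule: the article's point is that several individually 'medium' issues
    can add up to something serious, so they are not left to automated triage alone.
    """
    per_host: Dict[str, List[str]] = {}
    for f in findings:
        if f.severity == "medium":
            per_host.setdefault(f.host, []).append(f.check_id)
    return {host: sorted(ids) for host, ids in per_host.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for f in remediation_queue(CURRENT):
        print(f"REMEDY  {f.severity:<6} {f.host:<6} {f.check_id}")
    drift = posture_drift(BASELINE, CURRENT)
    for label, items in drift.items():
        print(f"{label.upper():<10} {[f.check_id for f in items]}")
    for host, ids in escalate_clusters(CURRENT).items():
        print(f"ESCALATE {host}: {len(ids)} medium findings -> {ids}")
```

Run as a script it prints the remediation queue for the latest run, the fixed/persisting/new split against the baseline, and any host that trips the cluster rule; the same functions can be fed real scanner output once it is mapped onto the `Finding` fields.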
Properly executed, on-line risk management is not a technical process but a business process: a natural extension of tried-and-tested best practices from the non-virtual world. At the end of the day, though, whichever risk management programme you choose, it must synchronise with your brokers or underwriters so that it creates a seamless spectrum of security management.
Only then will underwriters receive concrete assurances that sufficient protection is in place to minimise the potential for bad losses.
Source
SMT
Postscript
Kenneth de Spiegeleire is security assessment services manager at Internet Security Systems (UK). Further information on Internet security and e-business technology can be found at E-Business Expo, which runs from 27-29 November 2001 at Earl's Court 2, London (www.ebizexpo.com).