Chapter 5. ‘Traditional’ Threats

Executive summary

All organizations face a range of threats that have been around – and getting progressively worse – for a number of years. Few organizations have taken adequate steps to deal with them. A conclusion of the CBI Cybercrime Survey 2001 was that ‘deployment of technologies such as firewalls may provide false levels of comfort unless organizations have performed a formal risk analysis and configured firewalls and security mechanisms to reflect their overall risk strategy.’

Unless the organization actually has a risk strategy, it’s not going to be able to ensure that its cyber defences will meet its requirements.

Viruses and hackers

The magazine Information Security carried out an online survey of 2,545 information security practitioners in a broad spectrum of public and private organizations in North America, Europe and the Far East. Although this was carried out in July and August 2001, its findings are still relevant:

  • A virus, worm, Trojan or some other form of malware had affected 90 per cent of the organizations – even though 80 per cent of them had antivirus software in place.

  • The number of organizations hit by web server attacks doubled between 2000 and 2001.

Hackers (black hat, white hat, and grey hat), crackers, script kiddies and automated hacking exploits all mean that no computer, no network, and no information asset anywhere in the world is safe. Any computer that connects to the Internet will be ‘fingered’ by an automated ‘sniffer’, and ‘brute force’ or ‘dictionary’ attacks can, in fifteen minutes, run through every word in the dictionary looking for the password.

There are 120,000 known viruses ‘in the wild’, with the number increasing daily. Viruses, worms and Trojans propagate globally in minutes and the gap between identification of a software vulnerability and release of the first related exploit has fallen to less than a day – the ‘zero day exploit’. Worms and Trojans are ever more virulent; the installation of anti-virus software is not, of itself, an adequate defence. Spyware and adware, the emerging malware issues of 2005/6, are still outside the scope of many anti-virus software packages.

Spam

Spam continues to consume bandwidth and, as spam technology becomes more sophisticated, spam filtering technology needs to keep pace. With spam reportedly at about 85% of all e-mail, and given that one man’s spam is another’s useful new product information, organizations need an intelligent solution that protects their resources without disabling their businesses.

Commercial espionage

Every major intelligence organization in the world devotes substantial resources to strategic commercial espionage. The theft of product and marketing information, of contractual and negotiating position intelligence, can dramatically alter the balance in a complex negotiation – and the impact on a smaller company can be even more destructive than on a larger one.

Insider threats

The Information Security survey also found that: ‘insider security incidents occurred more often than outsider ones, but security professionals were more concerned about securing the external perimeter of the organization than dealing with the internal issues.’

These internal security incidents included installation of unauthorized software at 78 per cent of the participant organizations, use of company computing resources for illegal or illicit communications or activities (such as porn site surfing or e-mail harassment), and the use of company computing resources for personal profit (gambling, unsolicited e-mail or spam, personal e-commerce businesses, etc).

Fraud

Fraud is the most debilitating and destructive of insider security threats, and the financial controls that evolved to protect organizations against insider fraud in the pre-digital age are inadequate in the digital one. It is essential that internal control structures evolve rapidly so that disasters of the type that destroyed Enron, Arthur Andersen and Barings can be avoided.

Financial organizations and quoted companies already face significant restrictions on the type (and timing) of information that can be published; modern technologies – camera phones, MP3 players, USB sticks, Instant Messaging – are capable of outflanking ‘traditional’ security controls.

Staff

Malicious staff are a key source of information threat. Staff, contractors and sub-contractors who wish to damage an organization can usually do so with impunity, particularly where information security controls are weak and they have adequate access privileges – through, for instance, a system administrator password, a covert channel, or an inadequately partitioned network. Of course, the point of greatest danger is usually after someone has decided to leave, but hasn’t yet resigned; the fact that so few organizations have an adequate process for managing information access rights for exiting employees is a root cause of the level of insider destruction to information systems.

Systems failures

Systems failure – whether through incompetence, ‘fat fingers’ or an unpredicted external act – can be enough to severely disrupt or destroy any business. Few organizations have adequate, adequately tested, business continuity or disaster recovery plans. As a result, few organizations are able to survive a severe disruption, and this simple governance failure can have an incalculable impact on shareholders, employees, customers and suppliers.

ISO 27001

The first stage in the deployment of an ISO 27001 information security management system is the identification and assessment of the threats that might impact the organization, and a prioritization of them based on their likelihood and the potential harm they might cause.
