Security is a war. As "keepers" of data
we must guard against every possible back door, every clever
hack, every possible weakness. We must be constantly wary
of hundreds and thousands of possibilities. It is a war we
can't really win. We must be ever vigilant; the hacker (or
information warrior) needs to find only one weakness to exploit.
We must balance security needs against
the effort and costs involved. Absolute security cannot be
obtained once you've turned on your computer (leave it off
and there will be no unauthorized access!). This paper explores
some of the thinking behind the technology of the security
industry and how a reasonably secured computing platform can
effectively serve an active business.
Our society thrives on information passed
from one person to another, from one system to another. We
take great pains to ensure that our information is seen by
those who need it, and not those that we deem "unsuitable".
Providing the sense of security in this digital age means
ensuring delivery, authenticating a source, and keeping information
away from prying eyes and more. Security and privacy are the
buzzwords for the new digital millennium. But what do we really
mean by these terms? What does our digital society really
need and want?
Security has taken on new meaning for
today's digital age. Microprocessors with significant computing
power have gotten to be very inexpensive. Martin Hellman estimates
that 10 billion (10^10) words can be searched for a cost of
around $1.
Security is more than just secrecy; it
tends to function in one or more of the following four key
areas.
- Secrecy - the goal is to keep confidential
information private.
- Accuracy - the information received
can be relied on.
- Availability - the system(s) will
function when and how expected.
- Non-repudiation - the system guarantees
transactional integrity.
To meet the needs of these four areas,
different technologies and methodologies can be implemented
and incorporated into a security policy and a security architecture.
The popular press seems to be consumed
with the lack of security on the Internet. Corporations are
scared to "trust" the Internet for critical or strategic data
because Internet security is not strong enough. In fact the
weakness of Internet security is a complete fallacy. The Internet
has no security. Nobody has built a security widget into
that product called the Internet. A new car comes with airbags
and seatbelts; you do nothing to them (just buckle up!), yet
they provide security when needed without intervention. On
the Internet, one must think about, plan and implement specific
security for specific conditions. The security component stands
apart from the 'net; it is managed independently.
The most developed standards for security
come from military channels. The primary goal for most military
security models is keeping data secret. The concerns here
can be obscure and unusual. The standard for military systems
is defined in "The Orange Book". It has an orange cover and
a real title of "Trusted Computer System Evaluation Criteria".
It is published by the National Computer Security Center (NCSC)
and details the requirements that secure systems must meet
to achieve government certification. These certifications
refer to the D, C1, C2, B1, B2, B3 and A1 (least to most secure)
ratings.
If your system's concerns relate to international
terrorism, government intelligence and covert operations,
an entirely different level of security (and thinking) is
required. And that's far beyond what we'll cover here.
Security is at best a murky field. Small
companies can easily be overwhelmed by the implications of
securing their digital business; large corporations create
complex organizations dedicated to running the security machinery.
The trade journals and press give us great details on packet
level firewalls, and application level firewalls, encryption
methods, routing protocols and a dozen other "obscure" technologies.
I attend security conferences and listen to my peers endlessly
discuss security tools, techniques and infractions.
We tend to think too much about tools.
One former client, a large US Bank, halted Internet rollout
because they could not come up with a good security toolkit.
But they had not identified what the toolkit needed to accomplish.
Hence the most important security component is the plan and
policy mechanism. It involves neither hardware nor software;
it is platform and OS independent and works in any language.
It also involves the single most hopelessly complex technology
component: people.
We know that we need to secure our information.
We know that there are significant concerns and issues surrounding
security. Before we start to look at how we can secure, we
must ask and answer a few questions.
Initial Security Questions
- What is the information that we are securing?
- Who are we securing our systems from?
  - Are we concerned about outsiders?
  - Competition?
  - Criminal gain?
  - Internal threats?
- Why are we securing our system?
  - Fear?
  - Pride?
  - Genuine intellectual/property/financial risk?
  - Because we think we should?
  - Confidential/private (fiduciary responsibility) information?
These initial questions may indeed
seem obvious. But they are the most critical components of any
security policy or architecture. It is here that we define the
very basis of our mission.
This is a paramount issue. There
is a huge difference between wanting to keep, for example, personal
e-mails private and needing to secure the global network
of fund transfers in a multinational bank. The "kind" of information
defines to what length we'll go to protect it. The security
professional must first look at the originating system for
the information, the general business purpose and the direct
risk of compromise.
The origin of the threat is a critical
issue. Different "types" of threats require different security
measures. The threats that businesses are facing consist of:
- "Hackers" (crackers) - those people that may "just want to
  see what's in there". These threats may not be malicious;
  in fact, the more secure a system is, the more of a target it
  may become. Hackers can be enormously talented and may know
  more about systems and communications than internal staff.
  However, hackers may be conducting criminal acts and using
  system access for malicious reasons.
- Disgruntled employees - former employees with a grudge may be
  the greatest threat. This group will know the systems, understand
  the methods and may even know the correct passwords of other
  employees.
- Information warriors - a new class of threat. These are
  professionals who target a site for specific reasons which
  can range from industrial or international espionage to plain
  thievery.
Is the information valuable to
the public, to competitors?
What is the risk to the company
if outsiders access this information? Is it embarrassing,
meaningless or does it impact significant lines of business?
Depending on this answer, we'll next need to ask if the time
and expense involved to secure the data is worth it. Can we
live with the risk?
- What risks are possible?
  - outsiders reading e-mail
  - unauthorized recipients for e-mail
  - "impersonating" e-mail addresses
  - data loss
  - data changes
  - financial or monetary theft
  - data sold to competitors
- Who may want our information?
- And what could they do with it?
- For how long is our information valuable to outsiders? (Is it?)
- How much are we willing to spend to lower risk?
It is the answers to these questions
that will help to determine what kinds of security techniques
must be implemented.
Once we understand our situation
we can move to plan our policy and a security architecture.
Then we can evaluate tools, platforms and products that can
be integrated to provide the level of security we want.
Questions or more information:
Paul Seldes
http://www.ntb-group.com
http://www.seldes.net