In a world where the spectre of the so-called “zero day attack” (in which a security vulnerability is exploited “in the wild” before there is time to report it to the rest of the security community) looms ever larger, and when network linkages between entities are springing up like bacteria in a Petri dish, American Water sees network intrusion detection as one of its most valuable investments. “We have a full suite of defence in-depth architecture and now information security. Network intrusion detection forms the core of that,” Larson says.
So does around-the-clock coverage – the only approach that gives American Water the flexibility to respond to a zero day attack. Larson says as the time line – from vulnerability to disclosure, to widespread malicious software distribution – decreases, the importance of being flexible with your apparatus continues to grow. And that’s why he believes network intrusion detection is one of the “most valuable investments that we have in the estate”.
New network linkages are proliferating as companies outsource operational aspects of their businesses – from design and manufacture to logistics and customer service – to partners along their value chains.
US IT research firm Aberdeen Group points out that every one of those partnership, outsourced business arrangements and reverse business functions places yet more strain on an enterprise’s ability to verify and preserve the sanctity of the underlying networks and computing infrastructures employed to advance missions and business functions. “The ability to maintain auditable control and security for these networks and systems is becoming more difficult and more important as external auditors expand the purview of their testing and are increasingly using automated test tools to root out problems,” Aberdeen reports.
“It’s no small wonder that Aberdeen’s research shows that best practices for security in an environment involving less direct control means firms are having to dramatically improve procedures to verify the sanctity of the interconnected networks, systems, applications and underlying data throughout their value chains to operate their missions and business functions.” As enterprises continue to automate processes and extend beyond traditional boundaries, they need to ensure that a strong security awareness program is in place.
It is a challenge companies have known about for the past 25 years, which has been important for more than five years, and critical during the past three, notes Greg Wood, the man who was in charge of securing Microsoft’s electronic environments for more than three years, and now CTO for biometric security software company BioPassword. “The challenge is, how do you correct 25 years of history in a short period of time, and that’s the challenge that people have today. So you have networks that are built based on little security measures that have been built over 25 years and all of a sudden you have eight months or nine months or a year to fix them. And that’s why they pick the most important holes and fix them first to recognize that it will take many years and huge investment to catch up,” Wood says.
“Security vulnerabilities are like the Florida fire ant – you can’t kill them, all you can do is maintain your garden better than your neighbour so they choose to infest his yard instead of yours,” says Dr James Whittaker, chief security strategist and founder with Security Innovation. “Companies without clear and effective security strategies will draw the hackers to themselves and away from the companies doing a better job.”
Yet according to The Global State of Information Security 2005, a worldwide study by CIO magazine and PricewaterhouseCoopers (PwC), most organizations are just holding their ground, although the third annual edition of the survey reports incremental improvement in the tactical battle to react to and fight off security incidents.
CSO magazine (Australia) says the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place, a “remarkable ambivalence” among respondents about compliance with government regulations, a clear lack of risk management discipline, and a continuing inability to create actionable security intelligence out of mountains of security data. Just 37 percent of respondents reported that they had an information security strategy – and only 24 percent of the rest say that creating one is in the plans for next year.
With increasingly serious, complex, targeted and damaging threats continuously emerging, that is not a good thing. “When you spend all that time fighting fires, you don’t even have time to come up with the new ways to build things so they don’t burn down,” says Mark Lobel, a security-focused partner with PwC. “Right now, there’s hardly a fire code.” Lobel compares the global state of information security to Chicago right before the great fire. “Some folks were well-protected and others weren’t,” he says, but when the ones that were not protected began to burn, the ones that were protected caught fire too.
Top to Bottom Best Practice Aberdeen says best practices for governing security span a wide range of activities, from board involvement to what happens daily within the enabling technologies that support an organization’s missions. In between, security is fundamentally about how people interact with information systems. More specifically, Aberdeen research shows that firms operating at best-in-class levels emphasize repeatable procedures, effective management of data and knowledge, an efficient and transparent organizational structure and strategy, and enabling automation technologies that assist with responses to business pressures. “Most share this sentiment expressed by one respondent,” Aberdeen says. “‘There is no such thing as a silver bullet or a single source for security, and there never will be.’ But most organizations automate when speed, business cycles or business seasonality force them. Many of the firms humbly admit their security programs still have a long way to go before reaching their full promise.” Aberdeen emphasizes that enterprises must maintain control and security of networks and systems. “Enterprises are struggling with trying to balance flexibility and agility with managing the risk that comes with unfettered access to information among employees, customers, business partners and suppliers.”
CIO magazine polled practitioners and analysts for their own list of network security best practices.
1. Assess Your Risk
2.Define Your Boundaries
3.Rely on Multiple Solutions
4.Market Your Program
5.Take Your Measure
6.Set Some Standards
7.Train and Mentor
8.Use Biometrics
http://www.cio.com.au/index.php/id;1449363213;fp;16;fpid;0