[infowar.de] Companies and IT Security
Unfortunately, once again sold here as a terrorism problem, although the
topic would be important enough on its own. RB
Are Companies Prepared for Cyber-Terrorism?
By Esther Shein, CFO Magazine, Dec 12, 2001
Security experts say attacks on corporate networks may already be under
Anthrax may be getting all the headlines, but the next lethal infection
may be the technological kind. Hackers have posed a threat for years,
but the attacks on the World Trade Center and the Pentagon have raised
fears that terrorist groups might wreak havoc on the Internet.
According to security experts, the danger is imminent. "I firmly
believe that not only is the threat of a cyber-attack real, but the
first phase is already under way," says Mark Fabro, president and chief
scientist at Terrasec Corp., an information security consulting firm
based in Toronto. Fabro maintains that the preliminary scanning, or
information-gathering, process has left an electronic trail. He points
to the Intrusion Detection logs of large multinational corporations.
"When closely and correctly cross-referenced," he says, "they show
precise data-gathering operations in which outsiders are looking at
network structure, points of weakness, and infrastructure locations of
weak security." Fabro says that since 1998 there have been no less than
three global scanning projects sponsored by "rogue" nations.
Despite such warnings, corporate executives appear relatively confident
in their current security procedures. While not downplaying the risk of
cyberterrorism, those interviewed for this story stress that their
fundamental approach to computer security has not changed since
Security professionals argue that current approaches are inadequate.
With companies increasingly using the Internet to connect to suppliers
and customers, they say, organizations place too much faith in
technology to protect their data, while not paying enough attention to
security education and awareness. "Companies always assume the
technology--including firewalls, VPNs (virtual private networks),
intrusion detection systems, and authentication mechanisms--will take
care of a security problem," Fabro says. But the technology won't work,
he contends, unless everyone in the company is educated about
That awareness must start with the technology team, which, while aware
of security issues, often has other priorities. "In most instances, the
tech people are [just] worried about keeping the network up and
applications running," says Ron Baklarz, CISO (chief information
security officer) for the American Red Cross in Falls Church, Virginia.
"When you introduce the security component, there's concern about how
they're going to support their users because of the increased
One problem is that many servers are unprotected, explains Fred Rica, a
PricewaterhouseCoopers partner and national leader for its National
Threat and Vulnerability Assessment Practice in Florham Park, New
Jersey, either because they were installed improperly or because patches
were never installed. Another problem is that in the rush to keep up
with the demand of electronic-business systems, organizations have
often turned to off-the-shelf software, much of which is released
without thorough security testing, thus making entire systems
vulnerable. Ultimately, the corporate consumer must determine where the
holes are and fix them, says Baklarz.

The Corporate Defense

That is the undertaking facing Baklarz, who joined the Red Cross last
March as its first CISO. He says his approach is to better implement
security measures at all levels of the technology infrastructure. "There
are a lot of things in place or readily available," he says. "The
questions are: Do you have discipline to use them properly, and are they
being used effectively?" He believes that cyberterrorism is a real
possibility, but maintains that his approach to security hasn't changed
all that much since September 11, because, "The posture I take is,
you're always under attack."
Even before the terrorist attacks, he points out, everyone was dealing
with the Code Red and Nimda worms. "I get about 100 E-mails a day
[about] vulnerability alerts, so I know that it's a continuous battle."
Other organizations are also staying the course with security. Micki
Krause, director of information security at PacifiCare Health Systems,
based in Santa Ana, California, says her company has not modified its
network protection systems, because security entails "a continual,
ongoing risk assessment, with a comprehensive approach to network
security." Like Baklarz, she says the company strategy takes every
component of the enterprise into account from a risk perspective and
then defines and prioritizes risk mitigation for each component. Krause
has instituted a Computer Incident Response Team (CIRT), an internal
group whose charter is to determine how serious a network breach is and
how to respond. "Security really is a business issue," she says.
Baklarz, who co-authored the 1999 book The Art of Information Warfare,
says that although he will request additional funding for 2002, measures
can be taken to leverage existing technology as well. For example, he
points out that some routers incorporate technology that allows for
filtering at the application level, which can prevent viruses from
infecting Web servers.
As for new spending, Terrasec's Fabro estimates that in North America,
companies devote 4 to 6 percent of their IT budget to security. "Not
only is that not enough, but the money itself is not being spent on a
dedicated line item called 'security,'" he says. Only when security is a
dedicated line item in the budget does management recognize it, he
Because of the terrorist attacks, Fabro projects that security spending
will double by the second quarter of 2002. "Companies are revisiting
their budgets, and if they're serious about security, they will spend up
to 15 percent of the IT budget on information security."
How much companies should spend on security depends on the value of the
information to be protected, says PwC's Rica. Devoting 10 percent of the
IT budget to security may be enough for an informational Web site. For
an E-tailer or online brokerage firm, the figure may be much higher, he
"You really need to figure out what are the crown jewels of your
company, what are the absolute 'must' things," says Jay Ehrenreich,
senior manager of the Cybercrime Prevention and Response Practice at
PricewaterhouseCoopers in Tarrytown, New York. "Then you have to ask, If
[a security breach] happens, what will the implications be? Spending
must match your risk profile, but you have to know what your risk

Advice from the Experts

Companies should approach security as they did remediating systems for
Y2K, says Rica. They should analyze the entire
infrastructure--firewalls, routers, applications, operating systems, Web
applications, and databases--for weak spots. "The weakest link can
compromise the strongest," he says.
Fabro says that more often than not, a successful attack takes
advantage of a service or function inside the server that is never or
only rarely used. This "additional functionality" should be removed, he
advises, and the operating system secured so attackers cannot get the
necessary toehold on the system.
Above all, companies should make sure that they bring plenty of human
intelligence to bear. "Careful inspection of the frequency, type, and
source of attacks can lead to insights that the intrusion detection
software can't provide," says Fabro. That may motivate more companies to
create a CISO position, but whether a company designates an information
security czar or not, making all the troops aware of the dangers is the
first line of defense.