[ISN] Acceptable Risks

From: mea culpa <jericho_at_dimensional.com>
Date: Thu 10 Sep 1998 - 04:49:14 CDT
Forwarded From: phreak moi <hackerelite@deathsdoor.com>

http://www.informationweek.com/698/98iursk.htm
http://www.informationweek.com/698/98iursk2.htm
http://www.informationweek.com/698/98iursk3.htm
http://www.informationweek.com/698/98iursk4.htm

Acceptable Risks

In the digital economy, security breaches are inevitable. The
InformationWeek/PricewaterhouseCoopers global security survey reveals how
E-commerce is raising the stakes, and how far companies will go to ward
off intruders

By Gregory Dalton

Organizations rushing to build information systems for all forms of digital
commerce are realizing there's no fail-safe way to secure the free flow of
data or money. It's like trying to protect the telephone system from prank
callers, or trying to block spammers from clogging your messaging system. 

Except it's often far worse. Organizations engaged in Web commerce,
electronic supply chains, and enterprise resource planning experience
three times as many incidents of information loss and theft of trade secrets
as everybody else.  Revenue loss, though not prevalent, is seven times
more likely to strike Web commerce sites compared with noncommerce sites. 

These are two of the key findings of the 1998
InformationWeek/PricewaterhouseCoopers Global Information Security Survey
fielded this summer in 50 countries and completed by 1,600 IT and security
professionals. 

A keen awareness of an organization's increased exposure to internal and
external dangers isn't enough to plug the gaps.  The digital commerce
sites experiencing the most attacks, including banks and financial
services companies, are the same disciplined IT shops that also create
information security policies, spend lots of money on security products
such as firewalls and encryption, and institute policy training for IT
staff and end users. 

All of which points to an obvious business trade-off, especially for IT
managers who want to open their enterprise to outside partners.  "An
extranet is a risk," says Enno Becker, director of technology
infrastructure at the Forum Corp., a training and consulting company in
Boston whose extranet is linked to three corporate customers.  "You're
creating a tunnel into another environment that you don't control. But the
business benefits are too great to be ignored." 

Defining what's an acceptable risk varies greatly from industry to
industry. In retail, a 3% loss from online credit-card fraud might be
tolerable, but in the chemical industry the same fraud loss might be
considered a disaster. Such expectations not only drive security policies
and spending, but they also influence experience. 

Overall, 59% of sites selling products or services on the Web report at
least one or more security breaches in the past year, compared with 52% of
sites that may have a Web site but aren't using it for monetary
transactions. 

Sites with supply-chain networks or ERP applications are struck about 10%
more often than sites without such applications, possibly because they
have competitive intelligence available to plunder. 

Information loss has occurred at 22% of firms conducting Web sales, but
only 13% of companies not selling products on the Web say they have had
the same experience. 

Significantly, 12% of E-commerce sites reported theft of data or trade
secrets, three times the number of companies not selling products via the
Web. 

Among those survey respondents able to identify losses due to security
breaches in the past 12 months, 84% say they lost between $1,000 and
$100,000 in U.S. dollars. The other 16% say they racked up more than
$100,000 in losses. 

"There are significant financial losses that people don't even know
about," says Bruce Murphy, managing director at PricewaterhouseCoopers,
which advises companies on information security issues. 

"I think they are estimating low." In fact, 49% of those surveyed concede
they don't know if they were pickpocketed in the past year. Only 28% say
they're certain they haven't suffered any monetary loss. If companies
improve their detection capabilities via emerging intrusion-detection
tools and enhanced measurement criteria, Murphy says, they will become
more aware of the losses they're incurring already. And while E-commerce
is galloping ahead, he expects the incidence and amounts of financial
damages to surge upward, too. 

Yet there are effective strategies to consider. Some IT managers are going
to considerable lengths to measure the success of their security policies.
McKesson Corp., a pharmaceutical distributor, has beefed up its policy and
installed double firewalls to provide a secure area where a drugstore
chain can have access to information about its accounts. Intralinks, a
financial services firm, asks banks on its extranet to adjust their
security procedures so that each adopts the highest common denominator.
And at VHA Inc., a group of health-care providers and suppliers, IT
executives are rethinking their approach to security after building an
extranet. 

Other companies are doing more encryption and rolling out awareness
campaigns to educate employees about information security. Above all,
they're making security a priority at the earliest possible stages of new
projects. 

Early And Often 

In the world of information security, proactive measures are generally
considered the most cost-effective, too. McKesson makes an extranet
available to a few corporate managers at Rite Aid Corp., the pharmacy
chain based in Camp Hill, Pa. These managers will be able to go behind the
first of McKesson's two firewalls to view orders and track information
about inventories and past purchases by Rite Aid. McKesson's internal
systems are guarded behind the second firewall. Before launching the
extranet, McKesson began using Internet technologies to sell medications
to the Department of Defense in Asia, an arrangement that compelled the
distributor to implement a double firewall scheme.

"At the very first stage, security was considered," says McKesson CIO
Carmine Villani. "We think about security more as a core value or function
rather than a bolt-on." In the past few years, Villani says, McKesson has
spent more than $500,000 on various security measures, including secure
identification cards with constantly changing digital codes for all
employees, and double firewalls to separate the secure servers where the
company keeps customer information and its own internal systems. 

Much of that investment initially was made for the Defense Department
extranet and represented a 15% to 20% "security premium" for that project.
But now that those costs have been amortized over the Rite Aid project,
too, Villani says the additional security costs for both extranets have
dropped to less than 5% of overall expenditures. Business-side executives
have never vetoed such information security spending because they realize
it comes with the virtual terrain. "The reason people have problems is
they are not making the investments that can prevent them," Villani says. 

Proactive thinking about information security doesn't just apply to the
Internet. "It's much cheaper to do security up front as you are designing
and implementing an ERP system than it is to go back and retrofit
something," says Mark Lobel, a security consultant at
PricewaterhouseCoopers. Adding security in the design phase of an ERP
deployment might add 5% to 10% to the overall project cost. 

Though many organizations balk at paying a premium for information
security, those that have had to revise systems later on probably wouldn't
make the same mistake twice. A major financial company, for example, was
about to deploy a business-to-business E-commerce application for settling
big securities trades. Late in the development process, the firm hired
Cambridge Technology Partners to advise them on security. On Cambridge's
advice, the firm moved from the Windows NT platform to Unix because of its
perceived security advantages, but the move caused enormous cost overruns.
"The CIO had to go back to the board of directors with hat in hand,"
Cambridge VP Paul Kelly says. "That's not a good situation to be in." 

Plan Ahead For Security 

Although security is often fundamental to success, it often remains an
afterthought. Companies looking to increase their business opportunities
via the Web typically look first at applications and then consider
infrastructure issues. "We see many cases where ERP or sales-force
automation implementations fail when infrastructure and security come into
the picture after the fact," Kelly says.

Another believer in proactive measures is Intralinks, a financial services
company that coordinates loan syndications.  Intralinks helps its 15 bank
clients parcel out pieces of loans and other financial instruments to
2,700 institutional investors by providing a central Web site where they
can exchange offering memoranda and interact with one another regarding
the deals. Investors access Intralinks' servers to retrieve copies of
documents describing the terms of the deal and submit forms indicating
their willingness to participate. 

Intralinks doesn't do it alone. The company's security is based on Lotus
Domino and is hosted by IBM Global Services. The company's practices are
so stringent it has refused to work with at least one institution whose
security procedures didn't pass muster.  "There has been an example of
that," says Lenny Goldstein, Intralinks' chief technology officer. "It was
a business decision rather than an IT decision." 

For those who do make the security cut, Intralinks drives them when
feasible to adopt the highest common denominator. "If J.P. Morgan does
something a little differently than Chase Manhattan but if Chase is more
stringent, we will do it their way," Goldstein says.  One example:
companies that change their passwords every 90 days were asked to change
them every 60 days because that was the most rigorous requirement among
the group. 

One of Intralinks' trusted customers is PNC Bank Corp., which has raised
$2 billion in 10 different deals. The Pittsburgh-based bank is confident
it can handle security issues and plans to venture into other areas of
electronic commerce. The most important elements are deploying powerful
128-bit encryption and incorporating security during project formation.
"Our experience was positive enough that we are working toward an
Internet-based solution for treasury management," says James Mikula, CIO
for corporate banking at PNC. 

Security products that used to be viewed as risk-management tools are now
being considered an "enabling mechanism" that is necessary for new
business ventures. 

The Boston Globe, for example, takes security more seriously now that its
advertisers can place advertisements online and pay for them with a credit
card. "It has expanded our view of security," says Dave Pearson, director
of IT infrastructure. "I view it more as enabling than risk management,
though it has to do both." 

For example, the Globe is centralizing its security management using
Netegrity Inc.'s SiteMinder, which is based on the Lightweight Directory
Access Protocol.  SiteMinder separates security access from application
development and frees developers to create programs that are better suited
to the business, such as allowing advertisers access to their account
balances. 

Creating Complexity

Some companies that build extranets realize they have to secure much more
than the extranet itself, and often end up reworking their company's
entire security regime. "Our extranet brought us into a whole new realm of
things we never did before in terms of security,"  says Scott Decker, VP
of information services at VHA, an alliance of 1,200 independent
health-care providers and suppliers that uses an extranet to exchange
health-care news and textbooks. 

The extranet will become far more complex as applications come online for
exchanging patient records and lab reports. The Irving, Texas-based
alliance is planning to elevate its security by using encryption and
digital certificates for sensitive data. That review process and the
resulting heightened awareness about security has affected the way VHA
views all types of information. In the past, for example, VHA delivered
CD-ROMs that contained a catalog of supplies and their prices. "We never
thought about security with those things," Decker says. "But now we think
differently." 

Surprisingly, however, 43% of companies surveyed don't take the basic step
of classifying their data into security categories. This is a critical
step in identifying data worth protecting. Although 19% do this process
daily, another 14% classify their data annually. 

Another key element of an enlightened approach to security is a
companywide campaign to promote user awareness. But that campaign "can't
just be an annual brochure," says Jim Patterson, VP of security and
telecommunications at OppenheimerFunds Inc., a mutual fund company in New
York. For example, Oppenheimer occasionally has a life-sized cardboard
figure named "Mr. Security" around its Denver campus. The character is
dressed as a baseball umpire and holds a stack of index cards with
information security tips for Oppenheimer's 1,800 employees. 

PNC Bank has a booth dedicated to security at its annual company
technology fair. "It's another way of getting employees to understand
these issues," CIO Mikula says. And as a light-hearted reinforcement, the
bank hands out fortune cookies with security tips tucked inside. 

Such internal campaigns are critical because, while the mainstream media
dwell on security threats posed by diabolical hackers or info-terrorists,
survey respondents say their biggest threats are still internal: 58% of
companies surveyed believe one or more authorized users have abused their
systems in the past year.  Unauthorized users broke into 24% of the sites;
suppliers or customers together accounted for only 12%. "It used to be an
80/20 rule for inside/outside threats," says PricewaterhouseCoopers'
Lobel. "It's a 60/40 rule now." 

Another change is the people directly involved in making security-related
decisions. While security remains an IT function, some of that
responsibility is gravitating toward the business side as the Internet
burrows into various parts of the company, such as the purchasing and
marketing departments. 

"We are doing more transfer of ownership of applications and security from
IT to business owners," McKesson's Villani says. For example, Villani
handles security policy, but the company's VP of customer operations
is responsible for applying it to the extranet. 

Elsewhere, the spreading responsibility for security is causing tense
relationships and ill-informed decisions.  "Techies want to protect the
firewall at all costs,"  says Roger Walters, CIO at consulting firm Booz,
Allen & Hamilton. "But sales and marketing people want to underprotect.
The result is general management executives have to make a decision about
something they don't know anything about." 

Global Risk

Security has never been the business world's most important business goal.
And yet, most IT managers would consider "trust" to be a fundamental
requirement of doing business on the Web, especially internationally. 

On average, survey respondents rate information security a 7.4 on a
1-to-10 scale, with 10 being the highest priority. Respondents say the
most important security techniques are blocking unauthorized access,
establishing network security, securing top management commitment, and
gaining end-user awareness. On average, most companies rate themselves a
6.9 on a 1-to-10 scale, with 10 being extremely successful, an evaluation
that suggests most respondents see room for improvement. 

The survey strongly suggests, however, that even if companies do well
establishing these best practices, they must seek ways to do even more
with their existing resources. Managing risk is now a top priority. 

McKesson CIO Villani remains optimistic. "If you don't pay attention,
security is going to be a problem,"  he says. "But if you do pay
attention, you can eliminate most of the risks."  



-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Thu Sep 10 08:40:32 1998