Forwarded From: darek milewski <darekm@cmeasures.com>
http://www.computerworld.com/home/features.nsf/CWFlashWeekly/980921mgt
Lotsa Talk, Little Walk
There's no shortage of statements supporting information security, but a
CW/Ernst & Young survey finds little action to back up the words.
By Gary H. Anthes
Despite statements of strong support for information security by top
management, an astonishing number of companies fail to take the most basic
steps to protect themselves from hackers, disgruntled employees and
industrial spies.
And the gap between words and actions seems to be widening as scarce
information technology funds get sucked into the black hole of year 2000
repairs.
Those are some of the conclusions from the Ernst & Young/Computerworld
Global Information Security Survey of 4,255 IT and information security
managers. This is the sixth year Ernst & Young has conducted the survey.
Of those surveyed, 84% said their senior management believes that
information security is "important" or "extremely important." But the
following results indicate that that concern isn't translating into
action:
* Forty-one percent said they don't have formal security policies.
* Three-quarters said they have no incident response plans.
* More than half said they lack disaster recovery plans.
* More than a third said they don't monitor their networks for suspicious activity.
* Fewer than one in five use encryption technology to safeguard sensitive information.
The survey also spotlights a basic misunderstanding of information
security dangers. Asked to identify threats, respondents were almost twice
as likely to cite hackers as employees, but studies have shown that the
overwhelming majority of security breaches come from inside the company.
Thirty-two percent of the managers surveyed said security is the biggest
barrier to electronic commerce. (Inadequate technology was cited by 26%,
and unfavorable economics was mentioned by 25%.) But there were
encouraging signs that the security barrier is beginning to yield: The
survey showed a sharp reduction in just a year in the number of complaints
about the adequacy of security products.
"Over the past two years, security awareness has definitely increased,"
says John Darbyshire, a partner at Ernst & Young LLP and head of the
firm's security practice. "But many people are still not acting on it, and
senior management isn't putting its checkbook where it needs to be just
yet."
Friendly Attacks
One way to get management to take information security seriously is to
perform penetration testing, in which a company uses automated tools to
probe its own systems for security holes. That shows management the
vulnerabilities that are found and their implications, Darbyshire says.
"There's shock value in attack and penetration work," he notes. John
Wylder, a senior vice president at SunTrust Banks, Inc. in Atlanta, agrees
that showing management the results of penetration tests can be effective,
provided security vulnerabilities are related clearly to business
concepts. "You can say that they could have downloaded the customer list
for your Jacksonville office — that will get their attention," he says.
But at least one security professional advises security managers to
deliver a positive message whenever possible. Management becomes weary and
skeptical of gloom-and-doom scenarios, particularly if the company has
never suffered a loss, says Paul Jansen, manager of information security
at USA Group, Inc. in Indianapolis.
For example, USA Group used a firewall for Internet access, but Jansen
wanted to add another to tighten security on the company's extranet, which
was used by customers. Instead of telling management all the terrible
things customers might do to the company's systems, he showed that
dedicating a gateway to customers could improve security and provide
better service. His request was approved.
Another Reason To Hate Year 2000
"Y2K is the latest reason not to fund information security," Wylder says.
He should know; he previously headed information security at SunTrust but
now leads the bank's year 2000 project.
According to Wylder, it's easy for management to shortchange security in
favor of projects such as year 2000 because, despite much media coverage
of hackers, most companies just aren't getting hacked. Indeed, only 4% of
those surveyed said they'd been broken into from the Internet.
Instead, companies are suffering losses "the old-fashioned way" - through
fraud unrelated to computer attacks, Wylder contends. "Management is
disappointed to have invested all this money in information security, and
then the accountant runs off with the books," he says.
Darbyshire says he isn't surprised by the high percentage of survey
respondents without formal security policies and procedures. "Time and
time again we see organizations where they are either not there or they've
been developed for the mainframe and have not been modified for the
client/server environment," he says.
But policies and procedures are the cornerstone of a security
architecture, and they require a relatively modest investment - perhaps
$150,000 for a $50 million company - to develop, Darbyshire says.
The primary impetus for information security shouldn't come from
information systems managers, information security professionals or even
top corporate management, says Patricia Gilmore, managing director for
information security risk management at Charles Schwab & Co. in San
Francisco. Rather, it should come from the business unit managers who own
the company's products and services, she says.
"In the past, IS owned the data, but we're trying to change that," Gilmore
says. "We're trying to get the businesspeople to understand they have that
responsibility."
Gilmore, who is also president of the Information Systems Security
Association, says no organization can afford to build risk-free systems,
but it can build them with "manageable" risks. IS managers at Schwab are
beginning to ask business unit managers to sign off on what are acceptable
levels of risk in the applications built for them, she says.
Jansen says too many people think technology - firewalls, intrusion
detection tools and the like - will solve their security problems. "But if
you put a firewall out there and an employee calls an ex-employee and
says, 'Here's my password,' what good does your firewall do?" he says.
Another protective measure too often absent is the computer security
incident response plan, says Dan Woolley, a marketing manager in Ernst &
Young's security practice. Effective response plans require the use of
intrusion detection software, he says.
Intrusion detection systems can monitor networks for suspicious
activities, such as repeated failed log-on attempts, and can trip alarms
when certain kinds of events occur. The survey seemed to suggest a sharp
increase in the use of alarms. Only 19% of companies surveyed didn't know
if they had been successfully attacked via the Internet, down from 42% the
prior year.
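As an added illustration (not code from the article or the survey), here is a minimal detector of the kind described above: it reads a few constructed syslog-style lines and trips an alarm when one source address reaches a threshold of failed log-ons within a sliding time window. The log format, host name, user names and addresses are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data): five rapid failures from one
# source, and two widely spaced failures from another.
SAMPLE_LOG = """\
Sep 22 18:40:01 host1 login: FAILED LOGIN for alice from 10.0.0.5
Sep 22 18:40:03 host1 login: FAILED LOGIN for alice from 10.0.0.5
Sep 22 18:40:04 host1 login: FAILED LOGIN for admin from 10.0.0.5
Sep 22 18:40:06 host1 login: FAILED LOGIN for root from 10.0.0.5
Sep 22 18:40:07 host1 login: FAILED LOGIN for guest from 10.0.0.5
Sep 22 18:40:09 host1 login: session opened for bob from 10.0.0.9
Sep 22 18:41:30 host1 login: FAILED LOGIN for bob from 10.0.0.9
Sep 22 18:47:00 host1 login: FAILED LOGIN for bob from 10.0.0.9
"""

# Only failed-login lines match; successful sessions are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login: "
    r"FAILED LOGIN for (?P<user>\S+) from (?P<src>\S+)$")

def parse_failed_logins(text, year=1998):
    """Yield (timestamp, user, source) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return one alert per source whose failed log-ons reach `threshold`
    inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # source -> timestamps still in window
    alerts, alerted = [], set()
    for ts, user, src in parse_failed_logins(text):
        q = recent[src]
        q.append(ts)
        # Drop failures older than the window before counting.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts
```

Lowering the threshold without widening the window still leaves the slow, spaced-out failures from the second address below the alarm, which is the trade-off any such rule has to tune.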
Better Tools
Survey results show that IT professionals are becoming more satisfied with
security products, with just 18% saying tools are "the greatest obstacle
to addressing security concerns." Last year, 31% made that assertion.
Enterprise systems management tools integrated with intrusion detection
and firewall products are giving the information security specialist
unprecedented capabilities, Woolley says. "You get them all talking
together, and if there is an attack, you can turn off a connection or
backtrack the attack to get additional information," he says.
"We've seen just over the past year a significant number of new tools on
the market filling gaps, particularly in the management and monitoring of
the environment," says John Pastore, chief scientist at Capital One
Financial Services Corp. in Falls Church, Va. Better integration is still
needed among tools and products for centralized management of security
services such as password control, he says.
Cryptography is one area not much exploited by users so far, the survey
found. Just 17% use data encryption for Internet security, 4% use digital
signatures, and 5% use digital certificates. One reason is that the
technology isn't easily layered on top of packaged applications for which
source code isn't available, Pastore says.
Another reason: users often take a "hard-shell" approach to security based
on the assumption that if things such as firewalls and passwords can keep
intruders out of systems, encryption need not further protect the data
inside. "That's a predominant attitude, and it's kind of scary because the
average firewall doesn't take that long to get through," Pastore says.
Cryptography "is the wave of the future," Darbyshire says. "But it's a
new technology, a complex technology, and a lot of training and awareness
needs to go on at the corporate level to understand the kind of
architecture to put in place with it."
But security-savvy IT professionals caution against seeing cryptography -
or indeed, any technology - as a silver bullet. "You need to take a step
back and realize that you can put in technology, but if you don't do the
basics, like awareness programs, policies and procedures and training, it
won't do you any good," Jansen says.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Received on Tue Sep 22 18:42:51 1998