Tuesday, 8th October 2024
The greatest risks to information systems come from within |
Employees and contractors pose the biggest threat to companies’ information systems, as they are best placed to know where the security weaknesses are and can also identify the best prizes to go after, says Michael O’Farrell.
Information is the biggest asset any organisation holds and, as risk managers realise, information security is not just a technical issue that can be delegated to IT management. Whether or not businesses compete in the electronic marketplace, they must consider not just the kinds of risk that faced businesses 100 years ago but also those of today’s sophisticated information security environments.
What are you protecting?
Information systems are designed to hold your organisation’s information assets in a manner that is organised and secure while at the same time making them available in a structured manner to those who are authorised to access them. Information assets are under threat from both external and internal sources. The Computer Security Institute (CSI) reported in 2001 that 85 per cent of respondents had detected computer security breaches in the previous 12 months and, importantly, more than half of these acknowledged that financial losses resulted from those breaches.
So what?
Successful attacks on information systems are seldom publicised, as the impact on an organisation’s reputation is often perceived as prohibitive. Though this makes risk assessment difficult, there are many examples of the cost of insecure systems. Business Week estimated that $2.7 million was the average cost of an insider attack, while the worldwide cost of computer viruses has been estimated at $17 billion during 2000.
Privacy and confidentiality
The confidentiality of information on systems depends on proper implementation of the right controls. Many systems have not been changed since they were first implemented. This is not adequate: history shows that security vulnerabilities are regularly discovered and subsequently addressed by the system vendors, and tools to exploit the vulnerabilities that remain unpatched are readily available on the internet. Many organisations do not require their system users to choose good passwords, and poor configuration makes the job of breaking into a computer system a lot easier. These situations give employees or contractors the opportunity to ‘test’ the security of the systems they work with. Where organisations send information over the internet, the need for privacy and confidentiality controls is greater still: there are far more opportunities ‘out there’ for traffic to be intercepted by a large population of anonymous hackers.
Theft and fraud
The risks related to theft or fraud are probably more severe for internet-based transactions than for traditional channels, except in the scale or volume of transactions. Because the internet allows a fraud to be transacted from anywhere in the world, it becomes easier for a person to commit a crime, and the perceived anonymity of the internet encourages its use for fraud. The sophistication of information systems also provides opportunities for insiders where systems are not understood and controls are not properly implemented.
Data integrity risks
Loss of data integrity can be accidental or malicious, and can be limited by tight logical access controls on databases and other structured information. Virus outbreaks are one of the biggest threats to an organisation’s unstructured information: viruses often corrupt file contents and can destroy man-months of work. If a virus infection goes undetected for a long period you will end up with backup copies of infected files. Can you risk re-introducing a virus?
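The backup problem above has a practical check: keep a digest of every file in a known-good state and compare a later copy of the tree against it before restoring. The Python below, added here as an illustration rather than taken from the original article, builds a SHA-256 manifest of a directory and reports what has been modified, removed or added since the baseline. The directory layout, file names and the simulated ‘infection’ are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/' separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, baseline: dict) -> dict:
    """Compare a tree (for example a restored backup set) against a known-good baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def simulate_infected_backup() -> dict:
    """Constructed scenario: baseline a small tree, then corrupt one file and drop a new one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "reports"))
        with open(os.path.join(root, "reports", "q1.doc"), "wb") as f:
            f.write(b"Quarterly figures, clean copy\n")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"meeting notes\n")
        baseline = build_manifest(root)   # taken while the tree is known to be clean

        # A file-infecting virus appends itself to a document and a dropper appears.
        with open(os.path.join(root, "reports", "q1.doc"), "ab") as f:
            f.write(b"\x00\x00FAKE-VIRUS-PAYLOAD")
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ...")

        # The later "backup" no longer matches the baseline; these are the files to refuse.
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(simulate_infected_backup())
```

The baseline manifest is only as trustworthy as its storage: keep it on read-only or offline media that the same users and processes cannot write to, otherwise an infection (or an insider) can simply rebuild it after the damage is done.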
Denial of service
Denial of service occurs when the service a system provides to its customers is stopped or severely degraded. Deliberate denial of service attacks on e-commerce systems resulted in the closure of a British internet service provider, Cloudnine, in January 2002. The denial of service attacks that took down Amazon and eBay in 2000 were launched from ‘zombie’ programs that hackers had planted on weakly secured servers.
Who threatens your information system?
Hackers, virus writers, eavesdroppers and cybercriminals are internet ‘speak’ for what would be, in any other environment, thieves, fraudsters, vandals and industrial spies. However, the biggest threat to your information system is still from the inside. Employees and contractors are best placed to know where the security weaknesses are and can also identify the best prizes to go after. This is supported by the CSI report, which found that 71 per cent of organisations reported unauthorised access by insiders.
Web server and client-side risks
Typically, web and e-commerce security focuses on the preventive and detective controls in the server environment. Each e-commerce implementation is unique, and most of its components play some role in supporting the overall security of the system, so every component in an e-commerce environment needs to be secured. One example of the risk from an unsecured component is a misconfigured router, which can give a hacker useful information about the structure of your internal network. A client workstation connected to your mainframe or web site can likewise be used as a route to gain unauthorised access to the organisation.
Web application risks
A significant difference between web applications and internal applications is that web applications are exposed to a potentially more hostile production environment. The hacker threat is greater where monetary transactions are carried out and the opportunity for fraud is present. Code review and testing should catch vulnerabilities such as buffer overflow conditions and backdoors in the code. Other vulnerabilities are particular to the web environment, such as cookie poisoning: the modification of cookies to impersonate users or to gain access to sensitive information.
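The cookie poisoning case, as an added example that is not from the original article: the first pair of functions shows the weak pattern in which the user id and role travel in the cookie as plain text, so the server accepts whatever the browser sends back after editing; the second pair binds the payload to an HMAC-SHA256 tag under a server-side key, so an edited payload fails verification. The key, user id and role values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Hypothetical server-side secret: in practice load a random 32-byte key from a
# secret store rather than hard-coding it.
SECRET_KEY = b"example-only-replace-with-random-32-byte-key"


def make_unsigned_cookie(user_id: str, role: str) -> str:
    """The weak pattern: authorisation state kept in the cookie as plain text."""
    return f"uid={user_id}; role={role}"


def parse_unsigned_cookie(cookie: str) -> dict:
    """The server trusts whatever the browser sends back, edited or not."""
    fields = {}
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        fields[name] = value
    return fields


def make_signed_cookie(user_id: str, role: str, key: bytes = SECRET_KEY) -> str:
    """Hardened pattern: base64 payload followed by an HMAC-SHA256 tag over that payload."""
    payload = base64.urlsafe_b64encode(f"{user_id}|{role}".encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def parse_signed_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the fields only if the tag verifies; None means tampered or malformed."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        user_id, role = base64.urlsafe_b64decode(payload.encode()).decode().split("|", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return {"uid": user_id, "role": role}


def forge_role(signed_cookie: str, new_role: str) -> str:
    """What an attacker without the key can do: swap the payload and keep the old tag."""
    payload, _, tag = signed_cookie.rpartition(".")
    user_id, _ = base64.urlsafe_b64decode(payload.encode()).decode().split("|", 1)
    new_payload = base64.urlsafe_b64encode(f"{user_id}|{new_role}".encode()).decode()
    return f"{new_payload}.{tag}"


if __name__ == "__main__":
    # Constructed scenario: user 1001 is issued a 'user' cookie and edits it to 'admin'.
    weak = make_unsigned_cookie("1001", "user").replace("role=user", "role=admin")
    print("unsigned cookie after edit:", parse_unsigned_cookie(weak))
    signed = make_signed_cookie("1001", "user")
    print("signed cookie, untouched:", parse_signed_cookie(signed))
    print("signed cookie, forged   :", parse_signed_cookie(forge_role(signed, "admin")))
```

Signing stops forgery but not disclosure or replay: the payload is still readable by whoever holds the cookie, so keep sensitive data on the server side, put an expiry inside the signed payload, and rotate the key if it is ever exposed.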
Email
Email seems to be an essential of business life, and it is not without its risks. Both people and automated processes use it to spread viruses, other malicious code and spam (electronic junk mail). Open relay servers are easily abused to send potentially fraudulent emails.
Plain old telephone system
The common or garden analogue phone line can be one of the greatest threats to the security of your organisation’s information. All dial-up access to an organisation’s internal network should be controlled with secondary authentication, yet it is easy for any user to install a modem and create a dial-up connection. Some organisations forget about modems that were once used for testing and are still connected, or ignore the PBX modem, an interesting way to set up toll fraud. From a single modem connection a hacker can roam your internal network at will with little chance of detection; the only limitation is the amount of information he or she can download over an analogue line.
Regulatory comment
Publicly quoted companies are under pressure from stock exchanges to recognise information technology risks. The US Securities and Exchange Commission demands that companies list security measures in their annual reports while the London Stock Exchange requires listed companies to comply with the Turnbull report’s requirements for ‘internal control disclosure’. These measures have resulted in greater awareness of risk management responsibilities in the boardroom and among shareholders. The effectiveness of information security management can affect shareholder value. Similarly, the EU Data Protection Directive requires that organisations protect the personal information in their care whether or not they ‘own’ that information. The Directive goes on to define the kind of personal data organisations may and may not hold on their information systems.
Managing an information system risk
The risks to information systems arise from a variety of sources and, though they may look numerous, they are not insurmountable. Most vulnerabilities exist because technical staff have not implemented basic security controls, or have not implemented them comprehensively. The primary resources for addressing these threats are the employees and contractors in your organisation. Management’s initial security task is to develop a security architecture, followed by policies that are supported by processes to implement it.
Michael O’Farrell is a senior manager with Ernst & Young’s Security & Technology Solutions practice.
Article appeared in the April 2002 issue.