Security Spending - Are you spending it in the right places? - Part II
by Joseph Seaman, CISSP, GSEC
Enterprise Integration
When the Internet boom started to take off, everyone had to have a web presence in order to compete in the digital economy. Then web sites started to get hacked and at times were defaced, causing business embarrassment as well as lost earnings. The solution was to put your web server behind a firewall. This slowed the ease with which sites could be hacked until hackers managed to bypass firewall controls, so the next defense was to use a network intrusion detection system (IDS). This would allow you to see malicious packets that are not discernible by a firewall. Well, systems were still being attacked, and then the focus moved to recovery and alerting by using integrity checkers. Now you could see what changed, when and where, which enabled you to recover from a modification much more quickly than having to find out what file or setting had changed. Next came the problem of remote users and allowing them to access the internal network over the public Internet. The solution was to set up a VPN, but if the termination point of the VPN was inside your network, then that traffic was bypassing your firewall and IDS, rendering them useless. Do you see a pattern here? We are in a constant state of tweaking and tuning our security infrastructure, with escalating costs for support, configuration, and maintenance. It is no wonder that executive management is gun-shy about paying for these items when many have not even presented a business plan on how all this security spending will help the business. FUD (Fear, Uncertainty, and Doubt) will not make a lasting business impression on the value that security brings to an organization. It will get you the quick sale but will not build a lasting relationship.
So let's look at the big picture and see how we can address it. If we start with a basic risk assessment, every organization will have various assets that will need to be addressed. They will also have various threats that could disrupt or impact the financial well-being of the company. If we look at just the technical assets, we are talking for the most part about data, be that financial data, personal data, private data, research data or strategy data. In some shape or form it is all broken down into 1s and 0s and stored on some electronic medium. Every piece of that data has some intrinsic value to the company as well as to the general public. It is that value that leads people to do unpredictable things such as theft or destruction. So how do we control who does or does not have access to that information?
In order to look at how to provide access, we need to look at all of our vulnerable points.
When you take into account all of the devices involved in an electronic business transaction, combined with the complexities of the Internet, trading partners and providers, you can see how numerous these vulnerable points are. So our natural reaction is to simplify the problem by addressing it point by point. This basic problem-solving mechanism can work for smaller problems, but we run into redundancy and inefficiencies when we start incorporating the dynamic nature and frequency of the problems. What are the problems? The problems are that our systems were not built to be used in the way that we are using them AND be secure at the same time. We can see that in the way TCP/IP was designed. We can see that in the way HTTP and DNS were designed. Security was never incorporated from the ground up. Why should we be surprised when Microsoft releases security patches just about every week? Windows source code has gone from 3 million to 50 million lines of code, not including other applications. Microsoft is not alone, however. The number of reported security vulnerabilities has tripled over the last two years, and the trend will continue until we address the root problems.
So how do we fix the root problems? The answer is not easy and will probably require a drastic, life-altering event in order for changes to occur.
Several thoughts:
In general, security needs to be built and tested from the ground up. This includes the source code as well as the hardware it runs on.
The public needs to demand security from their vendors and partners in the products they buy. The power of the consumer's wallet can never be taken for granted.
Security will need to be viewed, and be able to demonstrate, how it can be used as a business enabler rather than an inhibitor.
Above all, security needs to be simplified in order to gain widespread market acceptance. Until these issues are addressed, we will continue to chase our tails patching servers, educating users, and adding more and more layers of security in the hope that someday we can wake up and know that our data and infrastructure are protected.
BankersOnline is a free service made possible by the generous support of our advertisers and sponsors. Advertisers and sponsors are not responsible for site content. Please help us keep BankersOnline FREE to all banking professionals. Support our advertisers and sponsors by clicking through to learn more about their products and services.