CMP Network Computing
Log In to Network Computing
   Techweb
 
Top 11 List Security Channel SpamOmeter Internet Threat Level
Live Lab Cams Storage Channel IT Pro Downloads Network Design Manual
 Site Map |  What's New |  Current Issue |  Past Issues |  Article Index |  Newsletters |  Content Feeds |  Subscribe
Welcome to Network Computing Networking News Product Reviews, Sneak Previews, Analysis Workshops, Primers, Tutorials Site Content According to Technology Covered Forums, Blogs, Opinions Site Tools for IT Professionals Centerfold Case Studies Interactive Buyer's Guides


IT Knowledge Made Simple
Stay on top of strategic IT infrastructure trends with our special IT StrategyCenter, powered by StudioOne Networks.
Regulatory Resource   Threat Intelligence      Resilient IT      Boardroom Strategies      
Resilient IT / Strategies

Book Excerpt Part I: The Executive Guide to Information Security

By Mark Egan with Tim Mather

The following article is adapted from Chapter 1 of "The Executive Guide to Information Security," by Mark Egan with Tim Mather, which is scheduled to be published in November 2004. This is the first of a three-part series.

The Internet has grown from just a few thousand users in 1983 to more than 800 million users worldwide in 2004. It provides a vital online channel to conduct business with existing and potential customers. However, despite this huge upside, the Internet poses significant security risks that businesses ignore or underestimate at their own peril. The following describes major information security challenges to businesses today.

Electronic commerce

In the past, the ability to connect with millions of customers 24 hours a day, 7 days a week was only possible for the largest corporations. Now even a company with limited resources can compete with larger rivals by offering products and services through the Internet with only a modest investment. E-commerce services are quite appealing to consumers who do not want to spend their limited free time in traditional retail stores constrained by normal business hours of operation, unfriendly staff, and long checkout lines. Executives must understand how to leverage this new channel of electronic commerce while managing the associated risks.

Companies now rely on the Internet to offer products and services according to their customer's buying preferences. The Internet is no longer an optional sales method but rather a vital distribution channel that a business cannot ignore.

Pioneering companies such as eBay and Amazon have revolutionized the easy purchase of products through the Internet. Not only is it easy for customers to purchase their products, but also companies have innovated the use of concepts such as "personalization" to create unique relationships with individual customers. Using personalization, companies are able to identify their online customers by name, offer products based upon previous buying habits, and safely store home address information to make purchasing online much quicker. These strategies have enabled successful e-commerce companies to create a positive shopping experience without the overhead associated with traditional retail stores.

Along with increased capabilities come some new challenges that businesses must overcome to be successful. For instance:

  • Companies are under tremendous pressure to deliver these systems as quickly as possible because being first to market with a new capability can be a great competitive advantage.
  • Timely and accurate access to information for employees, customers, and partners is no longer nice to have -- it is expected.
  • Companies must offer these services in an easy-to-use but completely secure manner because they store confidential information such as home addresses and personal credit card numbers.
  • The systems are expected to be available 24 hours a day, 7 days a week because customers expect to be able to access the products and services at their convenience, not the company's.

These challenges place considerable demands on IT organizations because delivering these e-commerce systems in a timely and secure manner is very difficult. As expectations increase, so do the demands on the systems and technology.

Constant growth and complexity of attacks

Early computer viruses were often contained to individual users' systems, resulting in only a small decline in staff productivity for a given day. However, present-day blended threats, such as Code Red and Nimda, present multiple security threats at the same time, causing major disruptions and billions of dollars of damage to enterprises. A blended threat combines different types of malicious code to exploit known security vulnerabilities. Blended threats use the characteristics of worms, viruses, and Trojans to automate attacks, spread without intervention, and attack systems from multiple points.

These attacks now cause losses of billions of dollars each year, so businesses can no longer ignore the problem. The Love Bug Virus in 2000 had an impact of $8.75 billion alone, causing businesses to finally recognize viruses as a significant issue and to begin to broadly implement anti-virus solutions. This work has lowered the losses experienced since that year; however, the impacts continue to be significant.

Three major issues have fueled the growth in security incidents: the increased number of vulnerabilities, the labor-intensive processes required to address vulnerabilities, and the complexity of attacks.

Vulnerabilities are holes or weaknesses in systems that a hacker can exploit to attack and compromise a system. For example, a system administrator can forget to limit certain restricted privileges to authorized users only. This would be like giving everyone on your street a key to the front door of your house when you only meant to give one to your family members. Other examples include existing vulnerabilities resulting from defects in computer software. In these situations, the software vendor should have identified and resolved these weaknesses during the testing processes but overlooked them while under pressure to ship new products by a deadline.

The software industry's solution to these vulnerabilities is to provide fixes in the form of software patches that a company's staff must apply to "patch" the "hole." The process of testing these patches and applying them to your environment is labor-intensive. It is often quite difficult to address the highest-level vulnerabilities and the staggering growth of new vulnerabilities compounds this problem. Vulnerabilities reported in 2003 grew by 300% from those reported in 2000.

The complexity of security attacks has also greatly increased over the past few years. The early viruses caused individual productivity issues, but they had nowhere near the impact of blended threats such as Code Red or Nimda. As we mentioned earlier, blended threats use a combination of attack vectors -- five in the case of Nimda -- to spread more rapidly and cause more damage than a simple virus. For example, Code Red infected 350,000 computers in just 14 hours. In January 2003, the Slammer Worm hit the Internet and had an even higher infection rate than Code Red, infecting 75,000 machines in less than 10 minutes of its release.

The fastest-spreading mass-mailing worm to date was MyDoom in January 2004. At the height of the outbreak, more than 100,000 instances of the worm were intercepted per hour. MyDoom relied on people to activate it and enable it to spread. Cleverly disguised as an innocuous text file attachment, unsuspecting users opened the attachment and launched the worm.

The rapid spread of these threats makes it increasingly difficult to respond quickly enough to prevent damage.

The threats are expected to continue to grow in magnitude, speed, and complexity, making prevention and clean-up even more difficult. These factors contribute to the need for a proactive plan to address information security issues within every company.

Mark Egan is chief information officer and vice president of Information Technology at Symantec.

Tim Mather is Symantec's Senior Director of Information Security, and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Manager (CISM).

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Articles by Topic
Network and Infrastructure
Analytics and ROI
Strategies
Related Content

Features

View More


Metrics

View More

Fast Fact

"Timely and accurate access to information for employees, customers, and partners is no longer nice to have -- it is expected."
Sponsor Tools

White Papers

View More


Resources
Podcast Audio Content

CIO Strategy Center is now available in audio format.

This week's feature topic is:


Mobile and Malicious
Playtime: 10 min 10 sec



Download | Subscribe

Copyright © 2008 Studio One Networks. All rights reserved.
Advertisement
Site Navigation
Home | Article Index | Newsletters | RSS Feeds | Site Map | IT Tools | Reviews | Technologies | Workshops/Tutorials | News | Forums/Blogs/Opinion | Bookstore | Jobs | RFP/RFQs | White Papers | Audio | Downloads | Editors | Webmaster | Sales and Marketing | Magazine Media Kit | Online Media Kit | Events | Reprints | Editorial Calendar
Technology News and Opinion
Small Business Pipeline | IT Utility Pipeline | Business Intelligence Pipeline | Desktop Pipeline | Compliance Pipeline | Server Pipeline | Storage Pipeline | Security Pipline | Mobile Pipeline | Linux Pipeline | Advanced IP Pipeline
Companion Sites
Independent Testing Services | Network Magazine | IT Pro Downloads | UnixWorld | Interactive Buyer's Guide | InternetWeek | InformationWeek | Transform Magazine | Pipeline Technology Sites | Intelligent Enterprise | TechWeb | Shop-Marketplace.com



TechWeb is brought to you by CMP Media LLC, Copyright © 2004
Privacy Statement | Terms Of Service