Managing risk for e-enabled business
Jun 1, 2002 12:00 PM, By RACHELLE MCLURE
Computer security: Is it another passing fad or is it something that requires a heightened level of awareness from each of us? Years ago, businesses were concerned primarily with physically securing information within their facilities. Now, as an “e-enabled” business society, computers have become integral to daily transactions. Businesses want to facilitate the sharing of relevant data while protecting proprietary and confidential data, but with the advent of networked computers comes the added need to secure these networks.
Companies are coming to realize the benefits of becoming more tightly aligned with stakeholders — agents, policyholders, and providers. Sharing information electronically outside organizations via the Internet has become an important aspect of business, but how is pertinent information securely provided to designated parties?
The risks
The lack of adequate security can result in the loss of revenue through compromised confidentiality, loss of data, legal liabilities or Web site downtime. A denial of service attack is usually achieved by flooding the target computer (or computers) with meaningless data so that legitimate traffic is unable to pass. This kind of attack can disable an e-commerce site or series of sites, resulting in a significant loss of revenue.
Information gathering, or reconnaissance, attacks may be perpetrated by hackers or disgruntled employees. The “spy” violates the network, cracks passwords, collects confidential data, and may use the information to compromise the business.
As its name suggests, a Trojan Horse is a seemingly harmless program that contains hidden code that can be used to maliciously sabotage a computer or network. Once “inside,” the hidden code may be used to launch denial of service attacks, to change core processes of a computer or to delete its relevant data.
Viruses are the most well-known e-security risk. They are applications intended to replicate themselves across a network of computers. They typically attach to documents, Web pages or e-mails. Viruses create simple annoyances or, like a Trojan Horse, may carry malicious code.
Inappropriate e-mail use or Internet access by employees is a potential, often overlooked, form of revenue loss. Preservation of network bandwidth, effective management of employees' time, and limitation of legal liabilities are all reasons to address appropriate use of company resources.
The solution: Risk management
The only way to keep a secret truly secret is not to share it. But sharing secrets within internal organizations via e-mail, LAN/WANs and intranets has gone on for years. Recently, information has been shared externally through e-mail and extranets, but how are secrets prevented from becoming public knowledge?
In recognition of the risk in “e-enabling” a business, the risk management process begins by developing a comprehensive security policy that is enforced and regularly reviewed. Effective security policies must encompass access management. Whether the request to access information is from an individual or an application, the three A's of security apply:
Authentication establishes the identity of the individual or application;
Authorization determines what the individual or application is allowed to do within a given environment; and
Administration manages the security policies and their execution, including how authorized users are managed as well as how unauthorized users will be prevented access.
Authentication factors can be as simple as a password, a soft or hard token which generates a one-time password per use, or biometrics such as fingerprints, retinal scans and voice patterns. The strength of authentication required for an organization or application is dependent on the confidentiality and proprietary nature of the data being secured.
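The three A's and the one-time-password token described above can be shown together in a small server-side sketch. This is an added example, not code from the article or from RCG Information Technology: the directory, the role-to-permission policy and the user names are constructed for illustration; the one-time password is the HMAC-based algorithm of RFC 4226 (HOTP), and the demo secret is the RFC's own test-vector key, so the expected codes are known. Authentication accepts a code only once (the counter moves past any value that was used, so a captured code cannot be replayed), authorization is a plain role lookup, and administration is enrolment and revocation of tokens.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

# RFC 4226 test-vector secret (constructed demo value; real tokens get a random per-token secret).
DEMO_SECRET = b"12345678901234567890"
DIGITS = 6
LOOK_AHEAD = 3   # counter values the server will accept ahead of the expected one (token drift)

# Hypothetical role policy for an insurer: role -> set of permitted actions.
POLICY = {
    "claims_adjuster": {"read_claim", "update_claim"},
    "agent": {"read_policy"},
}


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, then reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Token:
    secret: bytes
    counter: int = 0        # next counter value the server expects from this token
    enabled: bool = True


@dataclass
class Directory:
    """The 'administration' side: who holds which token and which role."""
    tokens: Dict[str, Token] = field(default_factory=dict)
    roles: Dict[str, str] = field(default_factory=dict)


def enroll(d: Directory, user: str, secret: bytes, role: str) -> None:
    d.tokens[user] = Token(secret)
    d.roles[user] = role


def revoke(d: Directory, user: str) -> None:
    """Administration: disable a token without deleting the audit trail of its counter."""
    if user in d.tokens:
        d.tokens[user].enabled = False


def authenticate(d: Directory, user: str, code: str) -> bool:
    """Authentication: accept a code within the look-ahead window, once only."""
    tok = d.tokens.get(user)
    if tok is None or not tok.enabled:
        return False
    for step in range(LOOK_AHEAD):
        candidate = tok.counter + step
        if hmac.compare_digest(hotp(tok.secret, candidate), code):
            tok.counter = candidate + 1   # used value is consumed; a replayed code now fails
            return True
    return False


def authorize(d: Directory, user: str, action: str) -> bool:
    """Authorization: what this identity may do, by role."""
    return action in POLICY.get(d.roles.get(user, ""), set())


def request(d: Directory, user: str, code: str, action: str) -> str:
    """Full check an application would run for one request."""
    if not authenticate(d, user, code):
        return "rejected: authentication failed"
    if not authorize(d, user, action):
        return "rejected: not authorized for " + action
    return "ok"


def build_demo() -> Directory:
    d = Directory()
    enroll(d, "alice", DEMO_SECRET, "claims_adjuster")   # constructed user
    enroll(d, "bob", DEMO_SECRET, "agent")               # constructed user
    return d


if __name__ == "__main__":
    d = build_demo()
    print(request(d, "alice", hotp(DEMO_SECRET, 0), "read_claim"))   # ok
    print(request(d, "alice", hotp(DEMO_SECRET, 0), "read_claim"))   # rejected: replayed code
    revoke(d, "alice")
    print(request(d, "alice", hotp(DEMO_SECRET, 1), "read_claim"))   # rejected: token revoked
```

The look-ahead window is the usual compromise between a token whose counter has drifted (button pressed without logging in) and an attacker guessing codes; keep it small and rate-limit failures.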
Securing the perimeter with a firewall is still a necessity for network security. An application-level firewall built on a secure operating system should be chosen. New embedded firewall technology is becoming commercially available that solves many of the problems associated with internal threats. Another important element of the enterprise security policy and standards is content filtering, used to preserve network bandwidth, effectively manage employees' time, limit legal liabilities and scan for and eliminate viruses.
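The perimeter firewall the paragraph calls for comes down to an ordered rule set evaluated with first-match semantics and a default deny. The following is an added example, not code from the article or any vendor's product: the rule syntax, the `Rule`/`Packet` types and the sample traffic are constructed, using the documentation address ranges 192.0.2.0/24 and 198.51.100.0/24 so that nothing points at a real network. It shows why rule order matters (the anti-spoofing deny for internal addresses must precede the general allows) and why the final fallthrough is a deny rather than an allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule set: "action proto source-network destination-port|any", first match wins.
RULES_TEXT = """
deny  any 10.0.0.0/8      any   # internal source address arriving from outside: spoofed, drop it
allow tcp 0.0.0.0/0       443   # public HTTPS front end
allow tcp 0.0.0.0/0       80    # public HTTP (redirects to HTTPS)
allow tcp 192.0.2.0/24    22    # SSH only from the constructed management network
"""


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst_port: Optional[int]        # None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst_port: int


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        action, proto, src, port = line.split()
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError("bad rule: " + raw)
        rules.append(Rule(action, proto, ipaddress.ip_network(src),
                          None if port == "any" else int(port)))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and pkt.src in rule.src
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; anything not explicitly permitted is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    """Return (description, verdict) pairs: the log a perimeter device would produce."""
    return [("%s %s->:%d" % (p.proto, p.src, p.dst_port), evaluate(rules, p)) for p in packets]


def sample_traffic() -> List[Packet]:
    a = ipaddress.ip_address
    return [
        Packet("tcp", a("198.51.100.7"), 443),   # customer reaching the web site
        Packet("tcp", a("198.51.100.7"), 22),    # customer probing SSH
        Packet("tcp", a("10.1.2.3"), 443),       # internal address from the outside: spoofed
        Packet("tcp", a("192.0.2.5"), 22),       # administrator on the management network
        Packet("udp", a("198.51.100.7"), 53),    # unsolicited DNS to the web host
    ]


if __name__ == "__main__":
    for desc, verdict in audit(parse_rules(RULES_TEXT), sample_traffic()):
        print(verdict.upper().ljust(6), desc)
```

Swapping the spoofing rule below the HTTPS allow would let the 10.1.2.3 packet through, which is the kind of ordering mistake a rule-set review should catch.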
Finally, consider the value of the information shared within the organization and outside of the organization. Is there a potential need for encryption — scrambling the data so it can't be read as it goes across the wire? Sending e-mail without encryption over the Internet is like sending a postcard in the mail — anyone can read it.
Computer crime was responsible for more than $1 billion in losses from 1997 to 2001, according to the Computer Security Institute's (CSI) 2001 report.
The risks are real, and the solutions work.
For the record
About the author
Rachelle McLure is national practice director of eSolutions for RCG Information Technology, an Edison, N.J.-based provider of IT professional services, specializing in strategy and design, application development, management and integration.
© 2008 Penton Media Inc.