Gaps in Security Management of a Company - Essay Example

Gaps in Security Management of a Company In the previous essay importance of security management has been discussed and an attempt has also been made to show why the factor of security management is also considered to be a part of the business strategies. Proper planning is essential for the development of a business. It is quite evident that when someone plans to start up a new business, he needs to give the factor of business security a special priority. Any business incorporates various issues that cannot be disclosed to anyone or else there is a high chance of being misused. Such incidents not only prove to be wrong for the company but also they damage the reputation and security related issues of the company. In the recent years it has been observed that wit the advent of IT and Internet technologies, the rate of intervention to the affairs of a business has increased to a considerable extent. Most of the interventions are related to such matters that are associated with internal matters of the businesses. All the companies, for the purpose of perfecting their security system depend over computer networking and it is known as computer information security system. Despite taking all such initiatives, on several occasions, these companies fail to provide adequate protection to their confidential strategies or information as they often presume that due to development in the networking process the computer information security system is cent percent protected. On the other hand, if we look into the reflection of information and communication department of various countries, we will understand from their reaction that the computer information security system can also be breached. There are various techniques that help the other competing companies to avail information about any particular company. Thus, complete dependence over the computer information security system will not be a very prudent decision. In this context it must also be mentioned that there are several companies that feel illegal interventions can easily be prevented but it is impossible for the person concerned with the security related matter to manage a large network as well as provide proper protection to the database of the company. Though these days computer security system is considered as the most important method of preventing trespass of confidential information, but there are several other ways that contribute to a considerable extent in breaching security levels of a company. Unfortunately these aspects are often overlooked and the companies lead themselves to a grave peril. In this essay, factors that mainly cause trouble to IT security level of a company will be discussed. All these factors must be considered with great importance and adequate measures must be adopted for betterment of the information security related matter of a company. Physical security of an organization: Most of the companies, while architecting their IT security provisions, provide minimum importance to the factor of physical importance. Due to such ignorance sometimes the companies face great deal of problem and end up by disclosing information, related to confidentiality and security related matters. In this context Steve Delahunty, the senior associate with BoozeAllen Hamilton says, “In order to truly achieve 'defense in depth,' we have to think physical security as well as information security. The best [logical] security can't prohibit a physical theft of a server if the computer room is not adequately protected.” (Higgins, 2006) In this context it becomes important to realize the relationship between physical security and IT security. In the 90s, most of the companies provided highest level of importance to develop cyber or IT security. Development in this field has also provided considerable rate of success to the organizations from disclosure of confidential information. But it has always been a human tendency to trace out the lacunas of a system and such tendency has given birth to several procedures that has to disclosure of such information. Due to this reason effectiveness of the IT security system process has also declined. However, in the context of information security system of a company, it is important to understand that physical security and cyber security both are dependent over each other as the computer and instruments used for communication are interdependent. Sometimes it happens that an unauthorized individual gets into the operational area through different means with his own computer, which is ‘logged onto a network.’ At the same time if he has access to different systems then it is not at all tough for him introduce spy ware or Trojans or any other virus to the network. This kind of information disclosure can be stopped if special importance is provided over the physical security system of the organization. It would prevent an unauthorized individual to receive access with his own computer to the networking place and the company will be protected from disclosure of information. In his book Physical Security for IT, Michael Erbschole has traced another relationship between IT and physical security. “Another relationship between physical and cyber security exists when customers, suppliers, or services providers have remote access to a related organization’s computer system. If physical security at the facilities where such computers a located is not adequate, the cyber security of the host computers can be compromised in the manner similar to that described when a trespasser walks into an office and accesses a computer system.” (Erbschole, 2004, 4) Apart from all these aspects the main importance of integrity in the physical security system depends over economic condition of a company. The instruments that are used for assuring IT security of a company are highly sophisticated and expensive. If one those are stolen or removed due to lack in the physical security system then finding a proper replacement sometimes become a matter of great trouble. Consequently, the total operational process of an organization is effected due to such negligence of the physical security system of the organization and it leads to “disruption of operations quickly turns into unnecessary costs and, when applicable, a potential loss of revenue.” (Erbschole, 2004, 2) Most importantly, if, due to the negligence of physical security system certain valuable data or information comes to public notice, then the company will be liable to pay huge fine to the authority the norms of cyber law says, “computer-dependent nations require the protection of data and proprietary information stored on computer systems…” (Erbschole, 2004, 2) The tendency to perfect the IT security system has grown to the level of obsession among most of the companies but they often forget that without proper integrity in the physical security system of the company it will not be possible to assure proper security of the companies’ information system. Thus, it is expected that the factor of physical security will also receive equal amount of attention from the management of a company. Devices, storage media and documents need to be disposed safely: There are a number of companies that do not have any specific policy for disposal of devices, storage media or other documents. Due to this reason several companies finally end up in revealing such information that helps their competitors to receive all sorts of confidential information about them. It is essential that companies come up with proper media disposal policies. Statement of Norm Laudermilch, CTO of Trust Digital, explains the importance behind destroying such media devices, “If you delete a file, you’re not really overwriting the data. All it’s doing is changing the index of the file system, or the file’s pointers.” (Higgins, 2006) Recently, various ways have been introduced for proper disposal and sanitization of such media storage devices. Special importance is provided to the hard drives of computers as they are magnetic media systems. Degaussing, overwriting, disconnection and removal of information are some of the processes that help in proper disposal and sanitization of such media devices. The degaussing process is also known as the demagnetizing process and highly effective for all magnetic devices. ‘Degaussing works by applying a reverse magnetic field to the magnetic media and reducing magnetic density to null.’ (King and Bittilingmeier, 2003. 254) This process helps in deletion of all data that has been previously stored and considered as a highly safe process by the companies. Overwriting is ‘an operation of completely rewriting every addressable bit pattern on the media with a single bit pattern…’ (King and Bittilingmeier, 2003, 254) This process is more time consuming that the degaussing process but effective in complete deletion of the stored data. The disconnection process is generally used for ‘volatile memory devices’. All sources of power supply to the device is ‘disconnected including backups and BIOS batteries and the computing device must be grounded before sanitization is considered complete.’ (King and Bittilingmeier, 2003, 254) Removal of information technique is mainly used for copiers or laser printers before their disposal. There is a chance that certain information may be stored in the drums of the device and if it is not sanitized properly before disposal, it can lead to disclosure of confidential information of the company. Devices having nonvolatile memory, such as flashcards or EEPROM have capacity to store various types of classified data, including customer data or proprietary software. A company must destroy or sanitize such devices before they opt for upgrading equipments of the company. In this context special attention must be provided to the destruction or sanitization of the smart cards. Smart cards bear credentials about employee and company. Thus if it is by any chance gets to a wrong person, can create several problems for a company. Hence, it is essential that companies must introduce strict policies regarding the use of smart cards. Employees must also be very careful and if the card is lost due to any reason. They must report immediately about such incident to the authority. During the time of headcount reduction, the company must take initiative that all cards are collected and while delivering those to new group of employees, such cards are properly reprogrammed. Though most of the companies have their different policies about maintenance of smartcard, but it is more important that they must implement more strict policies. They also need to have all sorts of preventive measures to stop others from procuring any information related to the company from such smartcards or storage media or other kind of devices. The companies must understand that introducing more innovation only to computer information security system process is not enough. There are other avenues that can lead an unauthorized person having access to company’s confidentiality. Thus, it is equally important to provide great deal of importance to apparently minor matters. Importance of background check: These days factors related to a company’s information security have become so important that companies across the world are providing special importance to it. “A background check should be conducted before an organization extends an offer to a candidate.” (Whitman and Mattcord, 2004, 493) What is background check and why it has become so much important? The background checking is a special type of investigation process, which is done by the company. This process unveils to the company about a candidate’s past life and his records. Background check is mainly done to find out if the candidate had any kind of “criminal or other type of behavior that could indicate potential for future misconduct.” (Whitman and Mattcord, 2004, 493) The background check is done by the companies depending on different types of regulations or policies set by the government. Such regulations determine ‘what the organization can investigate, and how much of the information uncovered can be allowed to influence the hiring decision.’ (Whitman and Mattcord, 2004, 493-494) After checking background history of the candidate, hiring of the candidate depends over decision of both security and HR manager as they discuss the pros and cons with the legal counsel of the company. In such discussion they also determine ‘what state and federal (and perhaps international) regulations impact the hiring process. (Whitman and Mattcord, 2004, 494) Depending on the ‘level of detail and depth’ of the examination of a candidate the degree of background check differs. For instance, the way in which background check is done to get recruited in military, differs from the degree of background check of being employed in the corporate houses. The sole purpose of such investigation of a candidate, before his hiring at a business house, is ‘the level of trust the business places over the candidate.’ (Whitman and Mattcord, 2004, 494) There are various aspects that are considered in case of background investigation of a candidate, including, check of identity, verification of educational and other sorts of credentials, previous employment history, integrity of the candidate with the reference that he has provided, motor vehicle records, compensation history verification, drug history, credit history and both civil as well as criminal court history. These are the regulations that have been determined by the government when it comes to investigation of background history of a candidate. In addition to these regulations, the companies also follow all the criteria, as laid down by the Fair Credit Reporting Act or FCRA. The Act also looks after rights of an employee and put a stop over employers if they are not informing the candidates about such investigation in written format. Great scholars as well as the companies have also understood the necessity of proper background security check. Words of the scholars are clearly telling though they believe cyber security is important but it is not the only important aspect. In the words of Hossein Bidgoli, “If we believe in the current surveys, we are spending more money now technical security controls than ever before, yet attacks on our systems are increasing annually,…” (Bidgoli, 2006, 12) In the same book, the author has provided considerable amount of stress over the background checking system but at the same time he reminds that it is not happening at the same rate that it is expected to happen, “Few companies actually carry out proper background checks or even bother to contact references the applicant has provided. The excuses most commonly given are the view that it is a violation of the applicant’s right to privacy…” (Bidgoli, 2006, 12) Raising all these points he is actually providing repeated stress over the fact that like all the other processes of protecting information security system, the background checking is also equally important. Ignoring such investigation process can lead to serious harm of a company, both from the perspectives of goodwill and economic loss. Restricting actions of employees at home: Geoff Bennett, product marketing director of the StreamsShield has observed, “The problem companies face with home workers is that the security boundary with the Internet has been extended to hundreds, even thousands of remote locations....The odds of a weak point are multiplied exponentially.” (Higgins, 2006) Most of the companies keep a close watch over their employees’ actions in the office only but home users do not receive that much of attention from the company even though they are connected with the company’s network. The companies provide laptops to the employees so that they can they can work from home. But last few years the rate of laptop theft has increased to a great extent. At the same time the matter of a company’s data security has also been questioned. The home users sometimes exhibit tremendous negligence on their part as they sometimes leave their computer while it is already connected to the company’s network or they allow their friends or family members to receive their official password. At the same time, confidentiality factor of the company is highly risked due to such actions. The situation is getting even worse as the home users are mainly targeted of ‘phishing attacks and botnet attacks’. Situations that arise due to such factors and are increasingly becoming problematic for a company can be avoided. All that is required is awareness among home users as well as their cooperation with security scheme of the company regarding use of company’s network. It is recommended that companies must maintain an audit over home security. Such initiative is proved to be quite helpful to avoid such situations. Moreover, regular training of home users regarding protection of their PCs as well as network of the company proves to be very fruitful on most of the occasions. Taking care of built in security functions: Addition of built in security system from hardware vendors often lead to exposure of confidential data of a company to unauthorized people. The hardware vendors are well aware about the fact that the security factor is a matter of big concern for most of the companies that provide most importance over cyber security for protecting the confidential company information. But according to the experts, use of such built in devices in technologies in a system most of the time contradict with the ‘encryption and authentication policies and technologies that enterprises already have in place.’ (Higgins, 2006) If proper attention is not provided to such devices during renovation process of the equipments used in the company, they can expose data to wrong hands, creating problems related to secrecy of a company. Firewall Architecture: Firewall is an excellent device to provide protection to a company network from being connected with public Internet but is equally important to decide the kind of firewall architecture is chosen by the vendor. The common firewalls generally use certain types of architectures, namely, Static packet filter, dynamic packet filter, circuit-level gateway, application-level gateway, stateful inspection, cutoff proxy, air gap, intrusion prevention, deep packet inspection and total stream protection. It is often said that network security is nothing but adequate balancing between “trust and performance”. All firewalls are basically dependent over “inspection of information generated by protocols that function at various layers of OSI model,…” (Tipton, Krause and Inc, NetLibrary. 2006, 74) The easiest way to understand various types of firewall architecture is to understand about the OSI layer that controls the operation of a firewall. Generally operation of firewall depends over two basic rules, a) ‘The higher up the OSI layer the architecture goes to examine the information within the packet, the more processor cycles the architecture consumes,’ and b) ‘The higher up in the OSI layer at which an architecture examines packets, the greater the level of protection the architecture provides, because more information is available on which to base decision.’ (Tipton, Krause and NetLibrary, 2006, 74) It is traditionally considered that between the afforded level of trust and throughput, there is an acclaimed trade off. Since the introduction of faster processors and symmetric multiprocessor, the performance gap has decreased between ‘traditional fast packet filters and high overhead-consuming proxy firewalls’. (Tipton, Krause and NetLibrary. 2006, 75) Performance of firewall in protection of network security system depends over two person, the vendor, who limits the choice of administrator in case of firewall architecture and “the administrator, in a robust firewall product that provides for multiple firewall architecture.” (Tipton, Krause and Inc, NetLibrary, 2006, 75) While firewall architectures are examined, several factors are taken into consideration that remain inside the Internet Protocol (IP) packet, including, IP header, transmission control protocol header, application level header and data-payload header. Thus, different levels of firewall architectures play different roles in providing security to a company network from being exposed to public connections. Companies that are putting highest level importance to cyber protection in order to maintain their respective confidentiality level must concentrate over the choice of firewall architecture. If proper firewall protection is chosen then sufficient protection can be provided to the company network. In order secure the information security system, a company at the first place, must appoint a senior or a group of senior officials, who have the capacity to receive complete responsibility for managing such security related activism. That official or the group of officials must be entrusted with that much of authority that they will be answerable to one except the managing director of the company for his/ their actions. At the same time, “The official should be responsible for drafting and implementing the security policy, which should be endorsed by the managing director.” (Hunter, 2001, 9) The most crucial part of managing factors related to information security system is ‘the determination of the actual risk posed by a specific threat and the costs to the organization should the threat actually materialize.’ (Hunter, 2001, 9) Once this information is gained, it becomes relatively easy for the security manager to decide over factors that will prove to be cost effective for the company. But in reality, it is very tough to identify the actual risk factors. Consequently, determination of cost effective measures also become tough for the security manager to decide. Thus, it is also impossible to provide proper information security from scientific perspective and loopholes always exist inside the system. If we consider about all sorts of measures related to information security system, we will see that all of them are interdependent and complementary to each other. It is not that the companies and their management do not understand or accept truth of the statement. Then why most of the companies are so fascinated about cyber protection? Reason is simple. It is only that, ‘There is a great temptation to reply on technical security measures, such as electronic and software security, and to ignore personnel security measures.’ (Hunter, 2001, 9) Then why such security measure is failing? The answer is simpler. Both engineers and operators have the intellectual capacity to overcome against any kind of technical defenses if they wish to do so. Thus, an information security system can said to be good only when it will fuse all the conditions related to security technique. Computer protection to an information system of a company ‘has to be designed into an information system from the outset.’ (Hunter, 2001, 10) Thus, specification, designing and physical citing must be done keeping in mind the requirement for providing security to the information system of a company. If it is not done in such way then the attempt to provide computer protection to the information system becomes an impractical as well as expensive approach for the company. According to John M.D. Hunter, ‘The most important security aspect of any information system is personnel security.’ (Hunter, 2001, 10) It is the basic requirement that those people, who enjoy exclusive access to the information system, must be loyal to the company throughout his life. Thus, in this context the author provides highest importance to the factor of human conscience, “Technology can assist in keeping the security risks down to a manageable level, but without the active cooperation of all concerned, any security plan it almost useless.” (Hunter, 2001, 10) Since last few years in the field of computer security to information system application of Unix has increased to a drastic extent. At the initial stage Unix appeared to be an extremely helpful option in case of information security system of a company but gradually the faults of the system have become conspicuous. The main faults of the Unix security system are a) the superuser account does not have any password and b) files that are essential for configuration, by default, provides access to all hosts whom the main host trusts. In addition to these two major weaknesses, security defenses provided by Unix can easily be beached due to its ‘poor system configuration and bad administrator practices.’ (Hunter, 2001, 63) In this context the author recollects certain incidents that have led to breach of information security system, “There are a number of notorious events which amply demonstrate that Unix is not impervious to attackers from outside. The most famous of these is the Internet Worm created by Robert T Morris and launched in November 1988….Clifford Stoll….spent nearly a year tracking a group of five German hackers …. These hackers attempted to gain access to over 400 computer systems around the world and actually succeeded in gaining access to about 30.” (Hunter, 2001, 63) There are other instances as well, including breach of SPAN network of NASA, the ‘Christmas Virus’ of IBM, virus that created MILNET and launching of the DEC – NET worm. In reason for mentioning such incidents in this context is simple. The failure of Unix as a perfect protection to information system of a company is not a separate incident. In different times different computer applications were introduced with the sole purpose of providing protection to information system of a company. At the initial stage all of them showed a great deal of promise and the owners of the company thought that finally the solution has reached their hand. But such relief to information system of a company has always been proved to be momentary. While providing cyber protection to information system of a company the factor of information sensitivity must be provided with special importance. Information sensitivity actually means “the “costs” arising from the information getting into the wrong hands.” (Hunter, 2001, 3) Such cost must not always be measured in terms of monetary benefit. In this context John M. D. Hunter has considered the classification done by the United Kingdom government to be the most useful, “…it might be rather more useful to define information sensitivity categories, in a similar fashion to the UK government’s classifications (UNCLASSIFIED, RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET) (Hunter, 2001, 3) The business house of today’s word actually categorize corporate information exactly in the same categories. According to today’s business world, unclassified information can be provided to anyone. Restricted information is something that cannot be expressed to the general people. Such information can cause problem for an individual and personal of managerial raking or senior executives are accessible to such information. An information will be considered as confidential, reveling of which may give the competitors of the company to understand its strategies better. Secret and Top Secret information are those that are of highest sensitivity and can never be disclosed. It is evident that unrestricted information does not cost anything to a company, while private information must be provided with certain extent of importance. At the same time it is not a very prudent decision to spend a lot of money to protect such information. Disclosure of confidential, secret and top secret kind of information must be strongly prevented as they can cost huge to the company not only from monetary perspective but also from perspective of the company’s goodwill and reputation in the market. Monetary loss can compensated but if any wrong impression is formed in the minds of people about a company, it is very tough to gain it back. The companies every year spend huge amount of capital for proper protection of these information but the total planning is never full proof. Cyber protection at the initial stage provide a great deal of promise, every time a new application is introduced to the market but within a short span of time such system loses its value and the companies go on searching for new techniques that would provide proper protection to their information system. Experts also suggest that when a company is formulating its information security policy, apart from the information sensitivity factor, another issue needs to be kept in mind, that is, the importance of information. Importance of information is judged “…how important it is to ensure that the information is not destroyed or lost, either by accident or deliberately.” (Hunter, 2001, 6) Information, in terms of importance, can be classified into four parts, namely, Inconsequential, Significant, Essential and Vital. So, from perspective of both information sensitivity and information importance security of information system of a company is extremely important. At the same time it is also equally important to plan out the proper way that would help in providing proper security to the whole information system of a company. Keeping in mind all these perspectives, it can be said without any hesitation that for cyber protection alone it is almost impossible to provide compete security to information system of a company. Technology will progress and new avenues of software application for information security system will also be invented. Consequently, fertile human minds will also invent counter approaches to breach the barriers of such preventive measures. Owners of companies across the world can very significantly put forward the question that is there no means by which invention to information system can be stopped? If they keep on entrusting the procedure of cyber protection blindly, then there is no way. On the other hand, if options of countermeasures were considered with a liberal approach then various procedures could be invented that would help in providing protection to information security system of a company. In this context John M.D. Hunter has rightly remarked, “No single defense mechanism is sufficient in itself; all the defense mechanism have to be used in concert to produce effective security. Of course, the proportion of effort spent on each mechanism will vary from system to system.” (Hunter, 2001, 7) Earlier we have already discussed about various types of defense mechanism in detail and it is not very tough to understand that if a company and its management cast sufficient amount of focus to all the systems together, then it will not be very tough to develop a full proof company information security system. If all those defense mechanisms are properly followed, they automatically close all the possible ways to receive any information that is associated with privacy and confidentiality matter of an organization. Certain instances have also been cited in the paper mentioning the effect of information disclosure to wrong and unauthorized people. It is the matter of primary importance for the companies to put a stop over wrong utilization of their private information and it can only be done if the gaps in the security management of a company are adequately filled. References 1. Bidgoli, H. 2006, Handbook of Information Security: Threats, Vulnerabilities, Prevention, John Wiley and Sons 2. Bosworth, S.Kabay, M.E, 2002, Computer Security Handbook‎, John Wiley and Sons 3. Erbschole, M. 2004, Physical Security for IT, Digital Press 4. Higgins, K.J. 2006, The 10 Most Overlooked Aspects of Security, Dark Reading, available at: http://www.darkreading.com/security/management/showArticle.jhtml?articleID=208808177 (accessed on February 28, 2009) 5. Hunter, J.M.D. An Information Security Handbook, Springer, 2001 6. King, T., Bittilingmeier, D. 2003, CompTIA Security+ Exam: Devices, Media, and Topology Security, Que Publishing 7. Leeuw, K. de, Bergstra, J. A. 2007, The History of Information Security: A Comprehensive Handbook‎, Elsevier 8. Peltier, T.R. 2005, Information Security Risk Analysis‎, CRC Press 9. Stamp, M. 2006, Information Security: Principles and Practice‎, John Wiley and Sons 10. Tipton, H.F. Krause, M., Inc, NetLibrary. 2006, Information Security Management Handbook‎, CRC Press 11. Whitman, M.E., Mattcord, H. J. 2004, Principles of Information Security‎, Course Technology Read More