The Extent of My Organizations Vulnerability to Malware - Essay Example

Researchers and IT specialists appear to have reached consensus on one point: while Information Technology in all its manifestations is a critical component of business success, it remains the Achilles' heel of most corporate entities (Gold, 2001; Rhode-Ousley, Bragg and Strassberg, 2003; Chen, Thompson and Elder, 2005). Information technologies invaluably contribute to an organization's capacity for effective, near-instantaneous, intra- and extra- organizational communication; enables the organization and storage of data for retrieval upon request; and facilitates multiple business processes by automating many of the steps therein. The mentioned contributions, however, are not exhaustive and are only intended to demonstrate the extent to which IT has become an integral part of corporate life and the business process. At the same time, however, IT functions as an organization's primary area of vulnerability as it is through their malicious use that attackers can infest an organization's system with viruses, worms, spyware and countless other types of malware (Gold, 2001; Rhode-Ousley, Bragg and Strassberg, 2003; Chen, Thompson and Elder, 2005). In light of dependency versus vulnerability, therefore, it is incumbent upon organization's and business entities to institute such protections as would shield the entity from such attacks. Sometimes, however, whether intentional or unintentional, the attack may come from within. Discussing the extent of my organization's vulnerability to malware with the head of the network and ICT department, I learnt that the company had been subjected to several attacks in the past, two of which were quite serious and, both caused by the activities of employees. As the head of the ICT department remarked as a prelude to his description of the attacks, two years ago and, in the wake of an external attacks which bordered on the catastrophic, the organization made a substantial investment in network security. At the department's recommendation, the organization's leadership consented to the implementation of third generation IA technologies which focused on in-depth defense. As explained by Liu, Yu, and Jing (2005, p. 112) this type of IA embraces all of as "(a) boundary controllers, such as firewalls and access control, (b) intrusion detection and (c) threat/attack/intrusion response." Upon the implementation of the defined system, the general assumption was that the organization was immune to external attacks and to malware. This, as evidenced by later events, was an erroneous assumption. The source of the first malware infestation suffered by the organization following the implementation of the defense in depth IA system, came from the Research an Development Department. The ICT department had initially recommended the securitization of the network against direct downloads from the internet, even at the explicit request and consent of users. The R&D department had vehemently argued against this, emphasizing that were such a security procedure to be implemented, their work would be literally brought to a standstill. The argument presented was persuasive and, therefore, the R&D department maintained the mentioned privilege. Less than two months following the implementation of the system, complaints regarding adware and spam email which contained malicious attachments, remained high, to the extent that it seemed as if the defense in depth system installed was ineffectual. Indeed, the department remained as engaged as ever in the removal of adware and in dealing with malicious spam. Needless to say, the cost of wasted time and effort was substantial since, as the employees whom I discussed this event with recalled, attempting to access the internet was futile. Pop-ups and constant redirections from addresses initially requested simply meant that getting any work done was a monumental task in itself. The ICT department, as the head informed me, determined to trace the source as the possibility of the installed system being ineffectual simply defied logic. As the investigations revealed, several in the R&D department had abused the privilege they were given and violated company policy by downloading P2P applications such as iMesh and Kazaa, both of which were heavily infested with spyware and adware, Assuming that the IA technologies installed would protect the network from the bundled spyware and adware which came along with these applications, they had decided to violate company policy regarding P2P use and exploit high-speed broadband connection to download movies and songs. When questioned about the estimated cost of the incident described, the ICT department head put it at around $25,000. Upon my expression of surprise, he explained that the cost had been estimated in a meeting between the heads of the various departments and calculated according to lost productivity and the cost of removing the infestation. As measured through financial cost, the second attack was infinitely more serious. Prior to the implementation of the IA system described in the above, the organization's OS system was pre-Service Pack 4 Windows NT. This OS, unknown to users at that time, had a security flaw which rendered it vulnerable to DoS. The network suffered a land attack whereby, upon its sending of a routine ping, was forced into a "ping of death." What this means, as explained by the ICT head and Liu, Yu, and Jing (2005) the system was forced into the constant sending of packets which exceeded the maximum allowable size. The consequence was complete paralysis, in that the system simply crashed. The DoS attack cost the organization over $150,000. As the ICT head explained, denial of service effectively brought the company to a virtual standstill and that, in itself, was extremely costly. Added to that, the cost of repairing the system, of bringing to back to life, so to say, was expensive. This stands out as one of the worst of the malware attacks suffered by the organization. Not withstanding the first of the two incidents described, the fact is that the implementation of the defense in depth system invaluably contributed to the increased securitization of the company from malware attacks. That does not been to say that the organization is immune to infestation but that over the past two years, incident or occurrence rates have been decreasing. As the ICT department tracks malware infection, it has been able to determine that the system has reduced occurrence rates by over 60%. Nevertheless, as the ICT department head emphasized, the goal remained the complete immunization of the organization from malware infections. Bibliography Chen, T.M., Thompson, J., and Elder, M.C. (2005) Electronic attacks. Gold, B. (2001) Infowar in Cyberspace: Researcher on the Net. New York: Booklocker. Rhodes-Ousley, M, Bragg, R. and Strassberg, K. (2003) Network Security: The Complete Reference. New York: McGraw-Hill. Liu, P., Yu, M. and Jing. I. (2005) Information assurance. Read More