Information Security: Where We’ve Been and Where We Need to Go
Information security management consists of identifying an organization’s electronic informational assets, as well as the planning and programs that must be carried out to ensure its continued availability, confidentiality and integrity. Whether the organization is a commercial enterprise, governmental agency or educational institution, these goals are the same. What differs is the type of assets and to what degree they are critical to the continued operation of the entity.
The Threat Situation
Fulfilling these requirements used to mean having a unique logon and password for employees to control access to the system. As use of the Internet began to grow, organizations started to deploy firewalls at the perimeter to keep hackers from gaining access to the systems within. Most thought that we had handled the situation. Then the rise of the computer virus forced the development and deployment of anti-virus software onto workstations in order to protect the integrity of the data and the availability of systems themselves.
Today, the situation is not so simple. The current threats are entering from the Internet through our firewalls and landing directly onto PCs on the network. These threats include e-mail worms, remote access Trojans, spyware, adware, network worms, blended threats, as well as multistage, incremental infections using all of the above.
Any machine that has direct or indirect access to the outside world is at risk, and puts all assets connected to the network in danger. Automated attacks can and do spread across the Internet faster than traditional reactive technology can be updated; this includes conventional anti-virus and IDS (intrusion detection system) solutions.
Laws have been enacted mandating that certain levels of confidentiality, accessibility and integrity of data be maintained. Whether it is the privacy of medical records, student records, personal financial data or simply e-mail archiving, there are laws covering it. The penalty for noncompliance can be fines and/or lawsuits.
However, the threat situation does not appear to be getting any better. In fact, it is actually worsening due to the addition of criminal elements that are now hiring technical experts to develop new attack methods on a for-profit basis.
So what do we do? Up until now, security has been reactive, providing protection against the known threats. If a new threat appears, the industry then develops a new defense for it. This is clearly no longer workable. The common viewpoint of security vendors that “some systems must die so that others may be protected” is outdated. This is the methodology of signature-based defense, in which some systems had to get infected before the threat could be found and a signature written. Well, if those were your systems, it was no fun being a guinea pig.
Proactive technologies that can protect against new, unknown threats without human intervention must be deployed to ensure the integrity of IT systems. This must fit into existing security budgets and must not increase the workload in already overstretched IT departments.
In the case of information security, a dollar of prevention is worth a thousand dollars of IT man-hours.
This article originally appeared in the 02/01/2005 issue of THE Journal.