IT Security

Prepared by:

James Mote

Julie Schmitz

Jason Tice

Information Systems 6800

December 9, 2004

Dr. Mary Lacity

Executive Summary

In today’s fast-paced technology world, IT security has proven to be one of the greatest challenges facing companies and the government. Before September 11, 2001, IT security was something every firm possessed but rarely used to its full extent. After September 11, 2001, the face of technology changed and put tremendous pressure on the IT security of companies around the world. IT security budgets, teams, and vision changed dramatically while the security of every firm in the country was tested. IT security spending had also been rising in previous years because companies demanded higher levels of security. On average in 2003, companies spent over $1 million on IT security[1], roughly 10 percent of a firm’s total IT budget.[2] Against these large budgets stand the costs of IT security breaches. In a study conducted in early 2004, reported losses from technology and security attacks amounted to roughly $141 million, with denial of service attacks accounting for the largest share at $26 million.[3] These figures are substantial for companies with poor or inadequate IT security.

Two very different firms were examined in depth in preparation for this paper, Human Resources Command – St. Louis (HRC) and Financing. Together they show some typical trends and offer insight into how companies in the US have developed IT security after 9/11. Financing’s legal name is withheld at the company’s request so as not to violate its confidentiality agreement. The two firms differ in many ways, including in their approach to IT security. For example, HRC is a government agency bound by strict regulations regarding IT security, and for the most part HRC declined to answer many of the questions posed to it precisely because it is a government entity. Financing, on the other hand, was willing to address most questions about IT security in detail. Despite this gap in information, both firms had solid IT security policies, and each questioned whether any organization can be fully prepared for every IT security threat. At HRC the greatest threat was not knowing what attacks could occur; at Financing a proactive approach was taken to prevent attacks before they could happen. In all, the two entities practiced many of the same sound IT security measures.

Numerous IT security best practices emerged from both the research and the two case studies. At HRC, strong password policies and firewalls configured to block access to prohibited sites were implemented to improve security. In addition, a formal procedure was established to ensure that all personnel followed proper measures for network use. A capable antivirus application was installed on all computers and servers, and professional audits were conducted so that IT security was continually verified and kept up to date. At Financing, similar practices arose, including strong password policies with regular password changes, monitoring of Internet access on particular workstations, and proactive security provisions. Financing also engaged a third-party expert to evaluate system security, and maintained complete system logs to support recovery from backups. The literature named several additional best practices, including spending more, defining an overarching security architecture, and establishing a comprehensive risk assessment process. Each of the best practices adopted at the entities studied raised their level of IT security.

What is IT Security?

The Security and Privacy Research Center defines IT security as “the process of protecting data from accidental or intentional misuse by persons inside or outside of an organization. Although information security is by no means strictly a technical problem, its technical aspects (firewalls, encryption and the like) are important. Information security is an increasingly high-profile problem, as hackers take advantage of the fact that organizations are opening parts of their systems to employees, customers and other businesses via the Internet.”[4] This broad definition covers several distinct security issues. Hackers, crackers, firewalls, social engineering, and password cracking are all recurring concerns in the IT security world.

Hackers, in the truest sense of the word, are people who enjoy exploring the details of programmable systems and how to stretch their capabilities. True hackers seek out weaknesses in programs and publish their findings. Many companies hire hackers for the sole purpose of finding vulnerabilities in computer applications before an outsider can exploit them. A cracker, on the other hand, is a hacker who takes the weakness he or she has found in an application or system software and exploits it. Crackers tend to break the security of a target computer system and never disclose their findings, except to other crackers.[5] Crackers can wreak havoc on firms’ systems through genuine vulnerabilities, costing those firms large sums of money.

Social engineering is a term focused on the human part of a system. A system consists of three parts: the hardware, the software, and the people who use it. Of these three, the human component is the easiest to manipulate into causing a security breach, and it is the weakest link in any security system. Because of this, crackers prey on the people within a system.[6]

A denial of service (DoS) attack prevents legitimate users from using a computer service or application. One form of DoS attack floods a targeted server with a continual stream of bogus requests, keeping it constantly busy and locking out legitimate users. Unlike attacks that modify or destroy data, a DoS attack targets availability: the normal flow of information stops because the service cannot keep up with the load. A password attack, or password cracking, is an attempt to recover a user’s password, usually with a readily available program that repeatedly tries common passwords, and simple variations of them, against an account or against a stolen copy of the password hashes. Because password cracking programs are freely available on the Internet, many companies enforce strict password policies, including requiring a mix of letters and numbers and regular password changes.[7]
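The following added example (not part of the original paper, and not code from either firm studied) shows why the password policies described above are needed. It mounts a small dictionary attack against salted password hashes using a constructed wordlist and a few common mangling rules, and then shows that a policy requiring only “letters and numbers” still accepts a password the attack recovers, so a policy should also reject dictionary-derived passwords. The salted SHA-256 scheme and the wordlist are assumptions for illustration; a real system would use a slow password hash such as bcrypt or PBKDF2.

```python
import hashlib
import os

# Constructed wordlist standing in for the freely available lists the text
# mentions; real lists run to millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty",
            "welcome", "summer", "admin", "monkey"]

# Mangling rules of the kind cracking tools apply to every word.
SUFFIXES = ("1", "123", "!", "2004")


def mangle(word):
    """Yield the candidate passwords a cracker derives from one wordlist entry."""
    yield word
    yield word.capitalize()
    for suffix in SUFFIXES:
        yield word + suffix
        yield word.capitalize() + suffix


def hash_password(password, salt):
    """Salted SHA-256 (assumed scheme for the example; use a slow KDF in practice)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(password):
    """Return the (salt, digest) pair a password file would store for a user."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def crack(salt, digest, wordlist=WORDLIST):
    """Dictionary attack: hash each mangled candidate with the stored salt and
    compare against the stored digest.  Returns (password or None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if hash_password(candidate, salt) == digest:
                return candidate, attempts
    return None, attempts


def meets_character_policy(password, min_len=8):
    """The 'numbers and letters' rule the text describes, plus a length floor."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= min_len and has_letter and has_digit


def is_dictionary_derived(password, wordlist=WORDLIST):
    """True if the password is reachable from the wordlist by the same mangling
    rules the cracker uses, i.e. it would fall to crack() immediately."""
    return any(password == candidate
               for word in wordlist
               for candidate in mangle(word))


def password_acceptable(password):
    """Stronger policy: character classes AND not derivable from the wordlist."""
    return meets_character_policy(password) and not is_dictionary_derived(password)


if __name__ == "__main__":
    # "Welcome2004" satisfies the letters-and-numbers rule but is just
    # "welcome" capitalized with a year appended, so the attack finds it.
    salt, digest = make_record("Welcome2004")
    print("weak password recovered:", crack(salt, digest))
    print("passes character policy:", meets_character_policy("Welcome2004"))
    print("passes full policy:", password_acceptable("Welcome2004"))

    # A password that is not derived from the wordlist survives the attack.
    salt, digest = make_record("cX9vL2pQw8rT")
    print("strong password recovered:", crack(salt, digest))
    print("passes full policy:", password_acceptable("cX9vL2pQw8rT"))
```

The per-user random salt in `make_record` forces the attacker to rehash every candidate for every user rather than reusing one precomputed table, which is why the example hashes with the stored salt inside the loop; it does not, however, slow down guessing of a weak password, which is the policy’s job.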

A Trojan is another IT security nightmare. Trojans are malicious files masquerading as harmless software upgrades, programs, help files, screen savers, pornography, and the like. When the user opens an infected file, the Trojan horse runs in the background and can damage the computer system, its data, or the applications running on it. A virus is a program that replicates itself without being asked to. It usually copies itself to other computers or disks, creating a cycle of infection from one system to the next.[8] Viruses such as Melissa and ILOVEYOU (the “Love Bug”) are huge threats to companies on both a monetary and a security level.[9]

Antivirus tools were developed to counter the growing threat posed by viruses and Trojans. These tools run at the desktop or server level to halt and eliminate malicious code and to recover data it has damaged.[10] Despite these measures, some viruses slip past antivirus software. Because of this, companies must enforce strict virus policies and keep their antivirus signatures up to date.

IT Security Trends

Because there is a growing need for more IT security, several trends, or “mega-trends”[11], have developed to shape that growth. From online crime to worker mobility, there are several areas for improvement. As companies move toward an online storefront for many computer applications, many new high-technology developments are being created. According to Dan Blum of the Burton Group (an IT advisory and service firm), an “increase in online crime, compliance issues, worker mobility, service-oriented architecture (SOA) and open source technologies”[12] are among the trends the IT security industry currently faces. Online attackers are a major fear for companies that rely heavily on online technology, and the prospect of a wide-scale attack on the online world is on the mind of many CIOs. The Burton Group believes an all-out attack by malicious code is plausible given the upward trend in vulnerabilities. Compliance is also an increasing concern for IT security departments; many companies have no security compliance database from which to target challenges consistently, and the Burton Group sees a trend toward compliance regulations that all companies must follow. Because workers are more mobile than ever and can work from almost any remote location, the need for secure wireless and remote-access policies is growing. With mobile workers come more threats to applications that use the Internet.[13]

On the other hand, Greg Holliday, Regional Director of Security at Crescent Real Estate Equities Ltd., believes that a more universal and compatible security management trend is developing and demanding more unified controls on security.[14] “The biggest trend here at the show is how computers and IT as a whole are improving the delivery of security services,” says Holliday.[15]

Outsourcing core activities has become more prevalent than ever, and many firms have followed suit by outsourcing security as well. Jay Heiser of the advisory group TruSecure believes that as companies outsource more, they will continue to outsource more of their core activities, including IT security. Matthew Kovar of the Yankee Group sees security outsourcing rising to 90 percent by 2010. In an effort to free resources for growth, many companies will outsource more and more of their IT security to specialists overseas.[16] Although many firms worry that they will lose the benefit of using their own staff for IT security, that concern is outweighed by the savings from replacing expensive in-house assets with cheaper resources overseas.[17] Because outsourcing is becoming more widely used, there is a great deal of room for development in this area, and IT security will play a major role in its growth.

Budgets and IT Security

According to Dr. Mary Lacity, on average a firm will spend 5 percent of revenues on information technology.[18] IT security is a large portion of that total IT budget. Over 10 percent of a company’s IT budget went toward security in 2003, an 8 percent increase from the previous year.[19] According to CSO magazine’s Security Sensor survey, customer confidence was the main driver of the increase in security budgets, along with government regulations and compliance requirements.[20] Because IT security funding has traditionally been carved out of the overall IT budget, a new idea has emerged: a specific budget guaranteed for IT security. With it comes the suggestion that top executives, not just the IT department, should be in charge of IT security as a whole.[21]

Set against the trend of rising IT security budgets is the need to allocate part of the budget simply to keeping current systems and hardware running. Because so many CIOs struggle to justify IT spending to corporate leaders, they have to use their budgets carefully. Security spending can follow two different approaches: spending the bare minimum to prevent IT security breaches, or spending according to what will deliver the greatest return on the security investment. At the bare-minimum level, the budget should at least allow for adequate firewall and antivirus tools. The problem with both approaches is that the technology or IT security department must justify the intangible outcomes of security spending to upper management.[22]

According to CIO Magazine’s survey on the State of Information Security, the average IT budget in 2003 in North America was $461 billion. Of this, the average IT security portion was over $1 million. The survey, conducted by CIO Magazine and PricewaterhouseCoopers, drew on over 7,500 upper-level CXOs across a wide range of industries, from computer-related businesses to healthcare. Respondents reported an average of 40 security incidents in the previous 12 months and an average of 20 hours of downtime as a result of those incidents. In addition, over $100,000 in losses was incurred for each security breach.[23]

CIO Magazine also conducted a 2004 Global Information Security Survey to uncover the truth about IT and security spending. The survey included responses from over 8,100 respondents in 62 countries, and several IT security themes emerged from the data. Most notable was the flattening of security spending in 2004. With spending stagnant, the number of breaches increased over the past year; even so, the hours of downtime caused by those threats, and their associated costs, decreased. US respondents reported spending less than 9 percent of their IT budgets on security, while the global average was 11 percent.[24] According to the survey, biotech/biomedical, computer manufacturing, and Internet/new media firms spent the largest share of their IT budgets on security, while metals/natural resources firms spent the least. Surprisingly, nonprofit organizations spent the second most per capita, only $139 less than Internet/new media firms and $170 more than electronics firms.

On the other side of security budgets lies the outcome of a security breach. While spending more on security will not guarantee absolute security, it reduces the chances of losing revenue to an attack, and it also reduces the public embarrassment an attack brings. According to the 2004 CSI/FBI Computer Crime and Security Survey, total reported losses due to security and technology attacks were $141 million. The largest financial losses came from denial of service attacks, theft of proprietary information, insider Net abuse, and abuse of wireless networks. The survey was administered to nearly 500 computer security practitioners, but the figures reflect only the 269 that disclosed financial losses. Preventive security can reduce these figures in future years.[25]

Because more and more IT budgets allocate money to IT security, justifying how much money to schedule for security is a growing challenge. Companies are moving away from sizing security budgets according to past breaches and toward more practical measures such as potential liability or exposure, regulatory requirements, and industry trends. Although this shift is still emerging, 40 percent of companies still justify their security budgets by the critical and expensive impact of a security breach.[26]

Risk mitigation goes hand in hand with IT security budgets, and it may be the greatest tool for keeping security from becoming a liability to a company. From the end-user perspective, human knowledge may be the weakest link in a company’s IT security. According to Greg Garcia, vice president of the Information Technology Association of America, “true cyber security is a function of people, process and technology, and if any aspect is lacking, you can’t have good security.”[27]

Best Practices

In terms of best practices and recommendations for companies in the technology world, there are many companies “doing the right thing” and many “doing the thing right.” The 2004 Global Information Security Survey conducted by CIO Magazine described several best practices drawn from an elite group of respondents. This “Best Practices Group,” with average IT security budgets and fewer dollars lost to security mishaps, was marked by confidence in its firms’ security.[28] The “Confidence Correlation” proposed in the 2003 survey[29] became more definite with the results of the 2004 survey: the more confident a company was in its security, the better its security outcomes were. Although this elite group of firms encountered more security breaches, those breaches caused less monetary damage and fewer hours of downtime.[30] Not only has confidence increased since 2003; according to Information Week there has been an upward trend since March 2001.[31]

[32]

From the Best Practices Group, a virtuous cycle emerged. The cycle stems from devoting more staff, spending more, measuring effectiveness, integrating information security with physical security, employing people who are more likely to comply with policies, and confidence in management.[33]

[34]

The survey concluded with six secrets that other companies should adopt in order to become more confident in their security and follow the virtuous cycle to improve IT security as a whole. The following measures and practices were present in every Best Practices company: spend more, separate information security from IT, conduct a penetration test, create a comprehensive risk assessment process, define an overall security architecture, and establish a quarterly review process.[35]

Overall, the Best Practices Group was well prepared for most, if not all, security breaches. As previously stated, IT security incidents were up, but the cost and downtime associated with those incidents fell over the past year. This may be due to the human management side of security. Many CIOs and IT managers are aware of the security threats in today’s technology-savvy world and can anticipate the problems that arise, and they are becoming more skilled at managing and mitigating IT security incidents and risks. Two practices uncovered in this improved management of security threats were better disaster recovery combined with incident planning, and end-user knowledge. Together these practices proved to minimize the damage to a firm from a security breach.[36]

[37]