Content

In Internet Battle

The conflict being waged in Afghanistan is one of the most technologically advanced battles to which the world has ever been witness.

There are many among these witnesses who are branding it the first war of the 21st century. As U.S. Defense Department Secretary Donald Rumsfield continues to push the military into modernity, technology is increasingly playing a huge role in combat. For instance, while U.S. Department of Defense special forces are riding specially trained horses, sitting atop them in wooden saddles, they are also speaking on satellite phones and depending on global positioning system devices to relay targeting information about the enemy to B-52s, according to a recent report in Federal Computer Week.

More and more world leaders are seeing the necessity that technology plays in keeping their countries going. They understand that their critical infrastructures are worryingly and growingly dependent on technology. They grasp that all of the intricate systems on which their people depend must be protected, and are seemingly making moves to secure these webs of critical information.

Awareness about information security in both government and private sectors seems to be at an all time high. In speaking with industry players, most say that no longer are they tasked with educating top-level executives about the various infosecurity tools they can integrate into their networks. Instead, most of these officials seem to have a base knowledge of the various tools. As they've grasped how they might help their companies, so now they want to know how they are deployed, administered and kept updated.

Despite this more sophisticated view of security and what seems to be a call to action, that very thing - action - is far from occurring when talk turns to information security. According to a recent study conducted by the Cutter Consortium, security concerns still top the list of impediments holding companies back from depending on a computing utility model. About 65 percent of the respondents noted security concerns as a major concern, while another 56 percent made mention of a "psychological barrier" to storing data outside company walls. Additionally, respondents also noted that the instability of the service provider market, as well as other unresolved technical problems, slowed their progress in computing.

But not only the private world is worried about advances they are attempting to make in infosecurity. Indeed, governmental agencies, like the Federal Bureau of Investigation in the U.S., have also noted their discomfort at the level of information security defenses and the rate of cybercrime. Ronald Eldon, the FBI's assistant director, remarked during a recent conference in Hong Kong that law enforcement must catch up to the fast-moving Internet criminals, according to a report in SecureAgent Software Secure eNewsletter (April 1). He points out that officials must equip themselves with the ability to respond to cybercrime as quickly as it happens - that is, in Internet time, not "government time."

There are many guys at the top who are doing what they can to catch up with savvy cybercriminals and Internet terrorists after decades of operating in antiquated mindsets - ones that too often espoused the "see no evil, hear no evil" kind of thinking. Often, these same government leaders proved way ahead of their private sector brethren in giving some serious thought to information security and how best to protect informational assets (scary to ponder, I know - just think government versus Internet time again). The problem with governments has always been changing thought into action, though. Private businesses have always been wrestling with acknowledging that they have a problem with their information security practices in the first place, or even getting to a point where they know what information security actually means.

Finally, though, the tide is turning. As a result of all the cybercrimes, talk of critical infrastructures during a time of worldwide conflict, looming blended threats and viruses, corporate espionage aided by technology, cyberliability and a plethora more modern concerns brought on by the Internet, boards of directors are starting to really wonder how realistic it is to construct an enterprise built on systems that cannot be breached. While the perfectly secured corporate network would be heaven-sent to most executives, it's impossible to craft, as experts noted in a recent panel discussion sponsored by nCipher, called, appropriately enough, "Building the Unbreakable Enterprise."

As Ryan Kearny of F5 Networks noted, "I think it might be possible to build an unbreakable enterprise, as long as you can get rid of all the humans in that enterprise. ... But, unfortunately, since humans will continue to be involved, I think we need to make things easy to use, both from a management configuration and just general use."

What are some of the steps companies and government bodies alike can do to build something close to unbreakable? Chris Hagmann of IPIN, another participant in the panel, advised that organizations should identify all the different risks they face, making sure that this view should include technology, business and operational perspectives.

Historically, companies have tasked the IT department with the exercise of determining what security mechanisms are needed to protect the enterprise network. In most articles we've included in the pages of SC Magazine and on our online publication, experts have noted time and again that this is not the way to go. Businesses now depend heavily (if not solely) on network processes. It is critical that the various divisions making up a particular corporation launch an infosecurity plan that accounts for all their concerns and critical information.

As KMPG's Jeff Stapleton said during the panel discussion, a solid infosecurity plan always boils down to people, processes and technology. Keeping that in mind then, people must be educated, trained about security and their roles in it. Processes must be planned soundly first, then practiced continually, as well as reviewed and modified when necessary. Then, technology must be deployed to support these efforts. This involves researching what's available and knowing what tools will be necessary to plug those vulnerabilities found in the initial risk analysis.

While these steps sound inordinately simpler than when actually put into practice, they form the bare-boned outline for moving from awareness to action. And, as we all well know, moving from thought to action is critical in these Internet times. There is likely some poor company network being breached as you read right now ... so goes the war of the 21st century.

Illena Armstrong is U.S. editor of SC Magazine (www.scmagazine.com).
 

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.