But threats to these information assets can come in seemingly endless forms and countless sources, from viruses and worms launched across the globe to customers and employees who may inadvertently expose confidential data, to hackers and identity thieves. Vulnerabilities also abound. Flaws in operating systems, loopholes in authorization mechanisms, and weaknesses in software combine with an expanding range of Internet threats to jeopardize corporate IT infrastructures and the information they support.
To sustain a secure and resilient environment in such a climate, organizations must first consider the challenges they face, and then implement innovative ways to manage and protect their environments.
Threats and targets
In the information security space, most organizations focus on two predominant categories of threats. The first category is a threat that relies on chance and lacks a specific target. Viruses and worms can be generalized as threats that select targets based on chance, as they cascade across the Internet and indiscriminately impact any technology that is exposed to the path of infection utilized by the virus or worm.
The second category of threats has a target of choice; in this case, a person, group, or piece of software intentionally singles out its target for specific reasons. A malicious person or group that architects a denial of service (DoS) attack on a particular business would be an example of a target-of-choice threat.
Targets of choice might also be attacks launched by a competitor who is looking for corporate secrets to determine when new products are scheduled for launch, to take a peek at pricing strategies, client lists, and more. It might also be an organization that disagrees with a company's environmental posture and, consequently, chooses to tarnish that company's brand and reputation by defacing its Web page. A target of choice threat might also be an attack on a particular organization to hijack the identities of its clients in order to gain financial benefit.
Each type of threat deserves consideration as organizations analyze the level of risk associated with them. And, based on the type of information and the state of information that is at risk, an organization's target of chance posture and target of choice posture will change.
But just what kind of corporate information must an organization protect? Identifying information assets is one of the most fundamental and important components in the risk management process. Information comes in many forms, from intellectual property to corporate financials, employee information, and customer data.
Once an organization has classified its information, it must define the commensurate risk tolerance it is willing to accept. For example, a company might choose to have a greater level of risk acceptance with intellectual property than it would with its clients' personally identifiable information. The respective level of risk is based on the company's tolerance for the consequences that would likely follow should the information be compromised.
Organizations must also consider the various phases of information as they assess an acceptable level of risk tolerance for each type of corporate data. There are five core phases of the information lifecycle, or states of information, that should be considered. They include information creation, information transfer, information storage, information viewing, and information destruction.
Information is created, for example, when a user types his or her name, home address, and credit card number into a Web page to purchase a product or service. That user information is transferred when it is sent across the network or Internet. It is then stored in a database and can be viewed by both internal personnel as well as other individuals involved in the purchase. And eventually, that information will be destroyed because it is no longer needed or viable.
Each phase requires unique security considerations. However, many organizations have an incomplete understanding of where their risks are because they are evaluating information in some but not all phases of the information lifecycle. Or perhaps they address each phase to a limited degree -- for example, encrypting traffic using SSL in the transfer phase of the information lifecycle but neglecting to encrypt the sensitive information at rest within the database.
For an organization to accurately assess and manage digital risk, it is important to look at the information lifecycle and map associated attack vectors and threats with each information state, including components such as application security, infrastructure security, operational security, organizational security, and third-party controls.
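A small lifecycle-coverage check, added here as an illustration and not part of the original article: it models the five information states above, applies a hypothetical per-classification control policy (the classifications and control names are assumptions), and reports both phases whose controls fall short and phases that were never assessed at all, reproducing the "encrypted in transit but not at rest" gap described earlier.

```python
"""Information-lifecycle coverage check (added example; policy is hypothetical)."""
from dataclasses import dataclass

# The five information states named in the article.
PHASES = ("creation", "transfer", "storage", "viewing", "destruction")

# Hypothetical policy: controls each phase must have, per classification.
# Lower-tolerance data (PII) demands more than intellectual property here.
REQUIRED = {
    "pii": {
        "creation": {"input-validation"},
        "transfer": {"tls"},
        "storage": {"encryption-at-rest", "access-control"},
        "viewing": {"access-control", "audit-logging"},
        "destruction": {"secure-delete"},
    },
    "intellectual-property": {
        "creation": set(),
        "transfer": {"tls"},
        "storage": {"access-control"},
        "viewing": {"access-control"},
        "destruction": set(),
    },
}

@dataclass
class Asset:
    name: str
    classification: str
    controls: dict  # phase -> set of implemented controls; absent = never assessed

def find_gaps(asset):
    """Return {phase: sorted missing controls}. A phase that was never
    assessed is flagged as 'not-assessed' plus everything the policy wants,
    because unassessed phases are where hidden risk accumulates."""
    required = REQUIRED[asset.classification]
    gaps = {}
    for phase in PHASES:
        if phase not in asset.controls:
            gaps[phase] = ["not-assessed"] + sorted(required[phase])
            continue
        missing = required[phase] - asset.controls[phase]
        if missing:
            gaps[phase] = sorted(missing)
    return gaps

# Constructed sample: the article's checkout scenario, protected only in transit.
CHECKOUT = Asset("checkout-form", "pii", {
    "creation": {"input-validation"},
    "transfer": {"tls"},
    "storage": {"access-control"},
    "viewing": {"access-control", "audit-logging"},
})

if __name__ == "__main__":
    for phase, missing in find_gaps(CHECKOUT).items():
        print(f"{CHECKOUT.name}: {phase} is missing {', '.join(missing)}")
```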
Managing risk and protecting the availability, integrity, and security of information cannot be accomplished without also considering the three primary challenges facing most organizations today: cost, complexity, and compliance.
Managing IT is becoming increasingly costly. As hardware and software costs go down, operational IT costs are going up -- even as the amount of data to be protected is growing exponentially. The challenge for many organizations is defining the right balance between securing information and maintaining its availability with fewer dollars, resources, and personnel.
IT infrastructures have also become extremely complex and sophisticated. Organizations run a wide variety of operating systems and applications and are expanding corporate boundaries with wireless networks and anytime, anywhere access.
At the same time, IT threats have grown in frequency, number, and intensity. Confidential information exposure is a boardroom issue, even as more and more software vulnerabilities are being discovered -- and exploited -- every day.
Compliance issues are a third challenge. From Sarbanes-Oxley to Gramm-Leach-Bliley, the Health Information Portability and Accountability Act (HIPAA), and more, industry and government regulations are driving organizations to reevaluate and revise their policies and procedures on record retention, discovery and retrieval, security breach disclosure, and auditing.
The multi-faceted nature of identifying and mitigating digital risks and safeguarding information assets while maintaining business operations is a challenging process for many organizations.
Keeping it simple
One of the most effective ways to reduce and manage risk is to normalize the environment -- that is, know which systems are in place, how they operate, and the functionality required to meet business needs. To that end, rather than support any and all software, operating systems, and hardware configurations, an organization might choose to standardize on a handful of platforms and configurations. Rather than allow all services and protocols on all servers, an organization might choose to harden its servers by turning off unneeded services, eliminating both the effort required to support those services and the risks they might introduce.
These normalizing activities not only reduce the complexity of the IT infrastructure, they also lighten the resource and cost burdens associated with supporting a more complex infrastructure. What's more, in many cases, these activities also help optimize the performance of existing systems and software by decreasing their workload.
A less complex IT environment reduces the level of effort associated with operational security. With a standardized, streamlined architecture, IT administrators have fewer platforms, applications, and systems to manage, update, patch, and troubleshoot, and a more condensed list of vulnerabilities to watch for. And organizations can leverage the economies of scale associated with standardization to gain financial benefits that can have a significant impact on the bottom line.
Managing risk to create a more resilient infrastructure will likely always be a serious challenge for IT organizations. But the payoff -- ensuring the integrity of corporate information and easing IT administration -- justifies the level of effort required.
About the author:
Samir Kapuria serves as principal security strategist for Symantec Global Security Consulting.
This was first published in August 2005