My advice to companies on managing the risk to their systems
has been simple: Drive security through people and processes. Put an IS security
policy in place and ensure that it is communicated widely within the
organization. Help employees understand the significance of IS security and the
negative outcome of not complying with security procedures. Equip your IT
infrastructure with appropriate technologies. Review your IS security policy
regularly.
Risks to IT networks have increased considerably over the last five years,
primarily because of a paradigm shift in the burden that systems have to bear.
IS security professionals need to be empowered far more than they currently are
in India. The IT staff of an organization treat IS security as just one
deliverable in a long list of services, unlike security professionals whose only
job is to keep IT networks secure.
Organizations that interact with external networks on a regular basis need a
strong authentication and authorization (A and A) framework at all levels. A and
A forms the building block of a secure IT system. The authorization framework
must be built on a ‘need to know’ or ‘need to do’ basis. Authentication
techniques may include VPNs, biometrics, single sign-on (SSO) and other such
emerging technologies. But merely implementing tools is not enough. A popular
model based on military thinking, put forward by D E Bell and L J LaPadula in
1976, had two basic rules: people can read data only at their level of
classification and lower; people can write data only at their level of
classification and higher. The motivation for the rules was that secrets should
never be shared with less-trusted individuals.
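The two Bell-LaPadula rules above, together with the ‘need to know’ basis for authorization, can be expressed as a small reference-monitor check. The following is an added illustration, not code from the article or from PricewaterhouseCoopers; it generalises the level-only rules in the text to the usual lattice of a classification level plus a set of need-to-know compartments, and the level names, compartment names and sample subjects are constructed for the example.

```python
"""Bell-LaPadula style access decisions (constructed example, not the
article's own code). A label is a hierarchical level plus a set of
need-to-know compartments; 'dominates' is the lattice ordering."""
from dataclasses import dataclass
from typing import FrozenSet

# Assumed ordering of classification levels; the article names none.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high as `other`: equal-or-higher
        level AND a superset of its compartments (the need-to-know part)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ('no read up'): read only at the subject's
    own level and lower, and only with every compartment the object carries."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ('no write down'): write only at the subject's own level and
    higher, so data never flows to a less-trusted label."""
    return obj.dominates(subject)


def check_access(subject: Label, obj: Label, mode: str) -> bool:
    """Single decision point for 'read' or 'write'; anything else is refused
    loudly rather than defaulting to allow."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample subjects and objects.
    analyst = Label("SECRET", frozenset({"PAYROLL"}))
    auditor = Label("SECRET")                  # same level, no PAYROLL need-to-know
    clerk = Label("CONFIDENTIAL")
    payroll_report = Label("SECRET", frozenset({"PAYROLL"}))
    public_notice = Label("UNCLASSIFIED")
    board_minutes = Label("TOP_SECRET")

    cases = [
        ("analyst", analyst, "read", "payroll_report", payroll_report),
        ("auditor", auditor, "read", "payroll_report", payroll_report),
        ("clerk", clerk, "read", "payroll_report", payroll_report),
        ("analyst", analyst, "read", "board_minutes", board_minutes),
        ("analyst", analyst, "write", "board_minutes", board_minutes),
        ("analyst", analyst, "write", "public_notice", public_notice),
        ("analyst", analyst, "read", "public_notice", public_notice),
    ]
    for who, subj, mode, oname, obj in cases:
        verdict = "ALLOW" if check_access(subj, obj, mode) else "DENY"
        print(f"{verdict:5} {who} {mode} {oname}")
```

The run shows the two rules pulling in opposite directions: the analyst may read the public notice but not write to it (that would move SECRET material down), and may write to the board minutes but not read them. The auditor, cleared to SECRET but lacking the PAYROLL compartment, is refused the payroll report even though the level matches, which is the ‘need to know’ refinement the text calls for.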
Attacks on systems can come from unimaginable sources and angles, a stark
similarity to physical assaults (the passenger airliners that struck the WTC and
the car bearing an MP’s authorization sticker in the December 13 attack on
Parliament).
Certifying authorities (CAs) may face a unique ‘risk of eavesdropping’
resulting from the emanation of electromagnetic radiation from video display
units. TEMPEST (Transient Electromagnetic Pulse Emanation Standard) is both a
specification for equipment and a term used to describe the process of
preventing compromising emanations. Unintentional emissions from a computer
system are captured and processed to reveal information about target systems.
This could range from simply copying keystrokes to capturing images off a
monitor. An attacker using off-the-shelf equipment can watch for and retrieve
information as it is being processed, without the users being aware that a
security breach has occurred.
The solution: shielding cables and computing equipment, placing essential
computer equipment underground or in a Faraday cage (an enclosure with
electrically conductive external surfaces), or using low-emission monitors.
Things may get even more complicated in the future as we slowly move away from
password-protected systems. Passwords are no longer considered sufficiently
robust, mainly because of carelessness on the part of users. Nor is ‘password
protection’ considered practical any more, as passwords continue to become
longer and more unwieldy. Companies are fast moving towards encryption
techniques. Another area that is catching up is biometrics, which uses physical
characteristics to identify users. This could involve fingerprint checks, or
using a hardware token such as a smart card or a key.
Companies must prepare to tackle the complexity of emerging systems and the
ever-increasing threat to connected enterprises, where information could flow
beyond corporate systems, supply chains and distribution partners to
competitors.
The author is a partner in the global risk management solutions group,
PricewaterhouseCoopers India.