Security – The best laid plans

By | May 10, 2005

Picture this: John is a designer of safe and ergonomically advanced car seats. As he arrives at the factory where he is working on the latest top-secret design for BDA Motors, he swipes his access card to get through the front door and has his iris scanned at his office door.

He has a three level password system to log on to his computer, and opens the design file of the new vehicle. Distracted by a phone call, he inadvertently saves the design file for the whole vehicle into a public folder accessible from the company website. Within minutes the multi-billion pound project is in the hands of the competition.

Security used to be as simple as a solid lock on a solid door, a safe in the back room and perhaps even a retired police officer out front (if you were really serious). But the modern business looks at security, and threats to security in a whole different light. Security of information, systems and networks are now just as important as, and often integrated with, shop-front security.

Companies must look at security from a ´whole of business´ perspective. Risks include viruses, worms, SPAM, information theft and even identity theft as well as natural and other disasters.

While it is proven that the greatest threat to business security lies internally to an organisation, external threats contribute to a company´s security demands. With the introduction of more and more communications tools, staff have a greater responsibility towards security and businesses should ensure that they know what this means. Security should be addressed on all levels from physical access and security all the way through to application security. Security policies do little good if they are not enforced or not understood.

Reliable studies prove that reported security breaches are on the increase. CERT, which is a centre of internet security expertise based at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, USA, found that reported security breaches have risen from 1,334 in 1993 to 127,529 in 2003.

In one of its recent surveys CERT found that 80% of respondents attributed breaches to a lack of IT security knowledge, a lack of training, or failure to follow procedures. Alarmingly, one in five of the 896 respondents reported that their IT department had no formal security training.

The finding of most concern is that 49% of those surveyed had no written security policy. A clear security policy which is effectively communicated to all staff is key to any successful security practice.

But the responsibility for the management of security often falls on those without sufficient authority. Security should not be a ´bolt-on´ function of the IT department. Larger companies need a dedicated security person or team. These individuals will inevitably have a high degree of IT expertise, but will also be well trained in a variety of security practices. They will be able to take a broad view across the company and implement what is known as Enterprise Security Management (ESM).

To be effective, ESM needs to address the internal and external management of vulnerability, risk, survivability and accountability/responsibility. Management also needs to have an understanding of threats and be able to convey these threats clearly. Again, a thorough and well communicated security policy will aid this task.

At the front line of any security operation are authentication and access systems. These can be both physical and system based. Authentication won´t stop people from trying, but it will protect you. Authentication is about verifying who you are. Access controls where you go, what you can see and how you are allowed to use things.

Examples of modern access and authentication tools include:

  • Biometrics – fingerprint, iris imprint or face recognition technology. One of the most effective methods as the identifying data cannot be shared, lost or copied. Often used in conjunction with other methods such as PINs and video surveillance.
  • Access cards – essentially an electronic key, and should be treated as such. Susceptible to copying, loss or theft.
  • Fobs – devices carried on a key chain with a password that changes regularly (usually every 5 minutes). User enters PIN to reveal a single use password. Relies on PIN remaining secret.
  • Smart cards – contain a microchip which carries more detailed information and can be programmed to provide same level of authentication as a fob. Can have many other features (eg: credit/debit cards, library cards, ID cards).
  • CAPTCHA – Completely Automated Public Turing test to tell Computers and Humans Apart. Usually a work graphically displayed in such a way that only a human eye can recognise it (eg: slightly distorted on a noisy background). Foils OCR, but presents difficulties for the visually impaired.
  • Video over IP – easily provides central monitoring for all sites. Cameras can be placed anywhere there is a network connection and data is stored digitally (no more forwarding and rewinding tapes).
  • Intelligent patching – allows monitoring of all connections and allows a network security manager to determine where and when any fault occurred or a connection was either made or broken (authorized or otherwise). Can be combined with IP video and/or digital photos that will take a picture of the person connecting to the network at the point they plug in their patch cord or remove one.

Whether permitting or recording access, all of these systems are key components to the physical security of an organisation. However almost all of these involve human interaction and are therefore vulnerable to disgruntled employees. Discontinuation of services for former employees must be immediately implemented which means swift notification procedures should exist.

These security measures all rely on one critical element which is the physical infrastructure that supports them. The cabling medium, copper, fibre or a combination of both are key to assuring end-to-end effectiveness of security applications. The world´s best ESM can fail if the proper infrastructure is not in place or is not operating correctly.

In a recent IDC survey, based on 2003 data, network cabling was the third greatest threat to an enterprise. Much of the legislation that has been introduced includes documentation of all network resources including physical layer documentation for all points of ingress and egress. It is important not only to know what resides on your network, but where it resides can be equally critical.

Businesses are seeing a shift in the importance of data and intellectual property security. The old method of “trust” is no longer enough to assure business continuity and stability. While there is an increase in data theft, identify theft, and intellectual property theft, there are an equal number of new tools to identify, stop, and record infractions.

One thing is consistent throughout any security should start at the most basic level. From physical security through application security, all methods depend on infrastructure. If your infrastructure is not working properly, any security plan is at risk.

Leave a Reply