[iwar] [fc:Information.Security.Moves.Front.And.Center.For.Corporations]

From: Fred Cohen (fc@all.net)
Date: 2002-06-27 05:50:25



Information Security Moves Front And Center For Corporations
http://www.telecomweb.com/ebusiness/feature.htm

This article first appeared in PBI Media's Electronic Commerce News
June 26, 2002

As federal government officials on both ends of Pennsylvania Avenue
delve deeper into what was known prior to the 9/11 terrorist attacks,
government and corporate interests alike increasingly are turning their
attention toward securing mission-critical information infrastructure.

With Bush Administration officials characterizing the question about
future terror attacks on the U.S. as a matter of "when" not "if",
corporations must view the possibility of cyberattacks as a very real
threat. The federal government already is moving down the road to
minimizing its vulnerability in this area. Researchers at the IT
research firm INPUT say federal government spending on information
security systems and services will increase at a compound annual growth
rate of 25 percent from $1.3 billion in fiscal year (FY) 2001 to over
$4.1 billion in FY 2006.

"The terrorist attacks on September 11th have added a sense of urgency
to an already serious situation in which many agencies were receiving
unsatisfactory scores in federal security reviews," says Payton Smith,
manager of Public Sector Market Analysis Services at INPUT. "Federal
agencies must respond to administrative pressure tying program funding
to demonstrated security performance."

According to INPUT's recent report on the issue, spending on information
security systems and services will be highest among the agencies of the
Department of Defense, exceeding $2.1 billion by FY 2006 due to efforts
to secure and enhance the military command and control infrastructure.
Growth in federal spending for information security will be most
significant in fiscal years 2002 and 2003.

"As federal agencies satisfy their immediate security requirements,
INPUT expects that security spending will revert to a growth rate that
is more in line with overall federal spending for information
technology," Smith says.

Enterprises Need to Do More, GartnerG2 Says

While many enterprises are moving to shore up their defenses against
cyberattacks, most are not yet sufficiently prepared - even when
solutions are readily available, researchers at GartnerG2 believe. In a
discussion of security issues during the Gartner Symposium/IT Expo in
San Diego earlier this month, researchers said that between now and
2005, 90 percent of cyberattacks will exploit known security flaws for
which a patch is available or a solution known.

GartnerG2 analysts said that not only are patches available before the
cyberattacks, but 90 percent of the attacks are imitations of other
attacks. Moreover, recent cyberattacks could have been avoided if
enterprises were more focused on their security efforts.

"Nearly every major attack to hit the headlines involved the
exploitation of known security flaws for which a patch or defense was
widely known," said Richard Mogull, research director for GartnerG2.
"Estimated losses from Code Red and Nimda were in the billions of
dollars, yet Code Red exploited a flaw for which a patch was available,
proving that we never learn from our mistakes. Nimda exploited the same
flaw just a few months later. Both continue to survive on the Internet
today."

Between now and the end of 2005, 20 percent of enterprises will
experience a serious (beyond a virus) Internet security incident. Of
those that do, the cleanup costs of the incident will exceed the
prevention costs by 50 percent, GartnerG2 analysts say.

The GartnerG2 analysts believe the top five IT vulnerabilities to
cyberattacks center on the security of suppliers and partners, lack of
benchmarking (spending and value), failure to integrate security into
projects, poor governance and culture, and a lack of risk management
integration.

Since hindsight is 20/20, enterprises must get out in front of potential
information security challenges long before they occur. Specifically,
they need to develop incident response procedures and monitor the right
sources to detect an attack.

"A proactive security posture doesn't mean you attack hackers before
they attack you -- it means you have a well-developed response plan and
keep looking for the early indications of an attack," Mogull said.
"Increase the enterprise's overall security posture. Develop an internal
response plan and aggressively monitor Internet activity on all systems,
especially firewall and intrusion detection logs. Evaluate established
security plans in light of recent events, and update as needed. If no
cyber-incident response team, or CIRT, exists, consider forming one or
contracting with an external provider to evaluate systems."

People May Be Weakest Link in Security Plans

While beefing up technology and closing system security holes is key,
evaluating the human element of the information security plan is
extremely critical as well, analysts at Gartner's people3 unit say. To
ensure that security and business continuance programs meet their
intended objectives, IT leaders must ensure they have an effective human
capital infrastructure to support these programs.

"Unfortunately, in most security and business continuance programs, the
vast majority of resources have been dedicated to technical aspects,
leaving the human capital element as an afterthought," said Linda
Pittenger, president and CEO of people3. "The concern is that while many
organizations will have created state-of-the-art technology defenses for
their IT environment, those defenses will ultimately fail due to the
lack of an effective human capital infrastructure."

The analysts have prepared a new report detailing these challenges --
"Before the Alarm Goes Off: Analyzing Human Capital Readiness for
Security and Business Continuance." For those companies looking to
re-evaluate the people component of their security and business
continuance program, the people3 report recommends concentrating on four
key elements:

Strategy Assessment. Reassess the organization's overall business and IT
strategies, perform comprehensive risk assessment, and identify and
close process gaps.

Policy and Governance. Establish a chief information security office to
ensure policy consistency, clearly state policies, define and
consistently enforce consequences for non-compliance, and institute
governance processes to monitor and control the execution of processes
and procedures.

Resource Planning. Establish budget and staffing plans for security and
business continuance functions.

Communication Process. Distribute policies and procedures through
appropriate channels, create and reinforce organizational awareness of
security and business continuance policies, and promote a culture where
security and business continuance are considered everyone's
responsibility.

"Business and IT leaders must also take a hard look at their human
capital management processes to ensure their enterprise's security
objectives and standards are reflected in their organization's culture,
organizational structure, work process designs, and staffing and career
development processes," said Pittenger.

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:33 PDT