Information security is a concern for companies today who store and transmit sensitive and valuable information
over both public and private networks.
Why should organizations be concerned about security? It is very easy to gain unauthorized access in an unsecured,
networked environment. Even a workstation with seemingly non-sensitive information can be the "weak-link"
where a security breach can occur. Information about the hardware, software, network connections, authentication
procedures, etc. can be discovered and used for unauthorized access into the system.
Corporations can hire security experts/professional hackers to test the security of their network. Professional
hackers can begin by finding weaknesses in the firewall, testing every phone line coming into the company until
a computer answers, or posing as an employee and obtaining information over the telephone.
According to Chuck Nulan
of Ernst and Young, finding the weak link and taking control of the corporate network is quite simple. "We've
acquired control of trading systems -- every single one in a major trading bank. We've taken control of an insurance
company database. If you broke into an insurance company, you could rewrite your policy -- set yourself up as deceased,
and get a nice policy check." (CFO, Feb. 1998)
In the past, the solution for information security may have resulted in locking a mainframe safely in a room with
In the 1990's the problem of effectively securing information became more difficult as the popularity of personal computers, the availability of high speed, inexpensive modems and the popularity of the Internet combined to not only increase the number of computer security incidents, but also increase the severity of the incidents.
To make matters worse, attacks are becoming more sophisticated. In the past, intrusions were typically based upon
exploitation of poor passwords or misconfigured systems. Many corporations set their computer systems with the
default settings and passwords, so breaches were easy.
But recently, hackers and phrackers have gained sophisticated tools to automate attacks. Web sites such as DEF CON
and 2600 The Hacker Quarterly offer free hacking tools for download.
According to the 1998 Computer Security Institute/FBI Computer Crime and Security Survey, of 520 companies surveyed,
64% reported a security breach. Of those 64%, the total financial loss that could be quantified amounted to over
But these figures are very conservative. Often, corporations do not even realize that they have
been breached or are reluctant to report the breach for fear of negative press.
There are hidden costs to each security breach. The cost associated with the loss of proprietary information due
to a breach can only be estimated. The loss in staff-hours, decrease in productivity, loss of credibility in the
marketplace, legal liability, etc. are nearly impossible to calculate accurately.
Ernst and Young in conjunction with Information Week magazine concluded in 1997 that the average cost of a computer
crime in 1996 was $250,000. The average cost of recovery was $750,000. This highlights the need to value the information
and the network at not just the cost of the information, but at the cost to restore and recover the information.
For example, one home banking application was compromised and $13 million was lost. In the end, all $13 million
was recovered, but the cost to recover the money included $300,000 in legal fees, $500,000 for technical support
during the attack, $100,000 for a change in procedures, $500,000 upgrade to monitoring of accounts, and a $500,000
An electronic funds transfer example recorded a $3 million loss with $2.6 million recovered. The cost of recovery
included $1.7 million in legal fees, $750,000 for technical support, $1.5 million for media relations, $1 million
in internal management time, $500,000 in a detection monitoring system, $1 million to rewrite the software interface,
and $250,000 for new access devices and processes.
At the same time, companies must be realistic about deploying security measures. Minimizing risk and choosing security
solutions that will allow flexibility and growth provide the proper balance for the corporate security strategy.
This paper is submitted courtesy of Cylink.

About Cylink
Cylink's range of network security products protects leased lines from 9.6 Kbps to 45 Mbps, asynchronous transfer mode (ATM), frame relay, TCP/IP and X.25 networks.
It also deploys smart card technologies to remotely
authenticate users with the use of cryptographic technologies like digital signatures and digital certificates.
It has developed security solutions to protect information for financial institutions, telecommunications companies, and multinational organizations.