Why should organizations be concerned about security? It is very easy to gain unauthorized access in an unsecured, networked environment. Even a workstation with seemingly non-sensitive information can be the "weak-link" where a security breach can occur. Information about the hardware, software, network connections, authentication procedures, etc. can be discovered and used for unauthorized access into the system.
Corporations can hire security experts/professional hackers to test the security of their network. Professional hackers can begin by finding weaknesses in the firewall, testing every phone line coming into the company until a computer answers, or posing as an employee and obtaining information over the telephone.
According to Chuck Nulan of Ernst and Young, finding the weak link and taking control of the corporate network is quite simple. "We've acquired control of trading systems -- every single one in a major trading bank. We've taken control of an insurance company database. If you broke into an insurance company, you could rewrite your policy -- set yourself up as deceased, and get a nice policy check." (CFO, Feb. 1998)
In the past, the solution for information security may have resulted in locking a mainframe safely in a room with limited access.
In the 1990s the problem of effectively securing information became more difficult, as the popularity of personal computers, the availability of high-speed, inexpensive modems, and the growth of the Internet combined to increase not only the number of computer security incidents but also their severity.
To make matters worse, attacks are becoming more sophisticated. In the past, intrusions typically exploited poor passwords or misconfigured systems. Many corporations left their computer systems with the default settings and passwords, so breaches were easy.
But recently, hackers and phrackers have gained sophisticated tools to automate attacks. Web sites such as DEF CON, L0pht and 2600 The Hacker Quarterly provide free hacking tools for download.
According to the 1998 Computer Security Institute/FBI Computer Crime and Security Survey, of 520 companies surveyed, 64% reported a security breach. Of those 64%, the total financial loss that could be quantified amounted to over $136 million.
But these figures are very conservative. Often, corporations do not even realize that they have been breached or are reluctant to report the breach for fear of negative press.
There are hidden costs to each security breach. The cost associated with the loss of proprietary information due to a breach can only be estimated. The loss in staff-hours, decrease in productivity, loss of credibility in the marketplace, legal liability, etc. are nearly impossible to calculate accurately.
Ernst and Young in conjunction with Information Week magazine concluded in 1997 that the average cost of a computer crime in 1996 was $250,000. The average cost of recovery was $750,000. This highlights the need to value the information and the network at not just the cost of the information, but at the cost to restore and recover the information.
For example, one home banking application was compromised and $13 million was lost. In the end, all $13 million was recovered, but the cost of recovering the money included $300,000 in legal fees, $500,000 for technical support during the attack, $100,000 for a change in procedures, $500,000 to upgrade account monitoring, and a $500,000 software rewrite.
An electronic funds transfer example recorded a $3 million loss with $2.6 million recovered. The cost of recovery included $1.7 million in legal fees, $750,000 for technical support, $1.5 million for media relations, $1 million in internal management time, $500,000 in a detection monitoring system, $1 million to rewrite the software interface, and $250,000 for new access devices and processes.
At the same time, companies must be realistic about deploying security measures. Minimizing risk while choosing security solutions that allow flexibility and growth provides the proper balance for a corporate security strategy.
This paper is submitted courtesy of Cylink.

About Cylink
Cylink's range of network security products protects leased lines from 9.6 Kbps to 45 Mbps, asynchronous transfer mode (ATM), frame relay, TCP/IP and X.25 networks.
It also deploys smart card technologies to remotely authenticate users using cryptographic techniques such as digital signatures and digital certificates.
It has developed security solutions to protect information for financial institutions, telecommunications companies, and multinational organizations.