REALISTICALLY speaking, 100 per cent security is next to impossible. The only secure computer is one that has no keyboard, no monitor, no external connection and no life as Microsoft (M) Sdn Bhd's product marketing director Alex Fong points out. Fong says computer security goes way beyond virus attacks and denials of service; it is an industry issue that requires attention from all stakeholders, from leaders in the public and private sectors and workers in the field of information and communications technology (ICT) to end users. "Computer security issues can only truly be tackled when we understand the entire value chain that impacts them." Understanding that computer security is not only about technology is key, Fong informs. Businesses need to start thinking of computer security as risk management, he says, which means it's not about spending more but spending wisely - that will reduce exposure to risk. "Consider all possible security risk scenarios. Evaluate how much to worry about each kind of breach and `loss expectancy' and work out the cost of defence. These measures could start with passwords, firewalls and encryption, and then formal policies and procedures for employees that relate to the external value chain. It's very often a fine balance has to be struck between security and flexibility." While most organisations have the expertise to handle computer security, risk management is usually missing from ICT departments but found in the office of the chief executive officer and chief financial officer where risk management is part of everyday business. "Managing computer security is as important as balancing the books, which is as much the business users' responsibility as it is the ICT department's," Fong says, adding that business users and ICT departments need to agree on the depth of security and control to computer and information assets. According to him, businesses must ensure that basic "hygiene controls" are in place - knowing the number of users and who they are (identity management), and how they access the ICT infrastructure and what tools they can use (software asset management) - because without them security implementations can never become totally effective. Other common challenges are interoperability of the security solution, the legacy investments in technology, and getting the requisite accountability from each stakeholder on the importance of security to the enterprise, including users and management, he adds. Microsoft recommends a four-step plan for enterprises that want to practise security hygiene with technology: 1. Perform a security audit: A periodic and frequent check is necessary on server and user ends to ensure that the latest patches are installed on the machines, and the necessary shields (anti-viruses, firewalls, etc) are up to prevent any intrusion. 2. Build a security plan: Identifying workable measures, and stakeholders from the company responsible to communicate with anti-virus and software vendors. Also important is to have a critical situation plan in place should an emergency occur. 3. Activate patch management strategy: The onus is on the information systems manager to regularly ensure that the latest patches are installed. This is vital because the time from the patch release to the time of exploit code (for example, Internet worms) release has significantly reduced in the past year. 4. Upgrade laptops and remote systems to Windows XP: Remote users dialling into the corporate network should have their machines quarantined and checked for the latest patch updates and firewall configurations before being allowed to go into the intranet. Windows XP has a feature which will automatically prompt users when new and critical patches are released. Meanwhile, e-Cop.net Surveillance Sdn Bhd's chief executive officer Alan See says for enterprises to work in a secure operating environment, they must ensure the confidentiality, integrity and authenticity of transmitted information. He adds that with cyberthreats fast developing, firewalls and other intrusion detection systems are quickly becoming ineffective protection mechanisms, so the most prudent option is to set up or source for an enterprise security management system (ESM) that allows the enterprise to proactively respond to any incidents, perform counter-measures to stop intrusions, and conduct impact analysis. ESM offers round-the-clock monitoring of an enterprise's Internet connections, internal networks, connection ports and server logs to detect, prevent and isolate intrusion. Hacking patterns, system vulnerabilities and other breaches will also be monitored. Logs from security devices, applications, operating systems and relational database management systems can be aggregated, correlated and analysed. This will provide the enterprise with a clear view of its security posture, hence improving on any equipment's weaknesses. "A comprehensive and dedicated study and appraisal of the security needs of the organisation is fundamental to combating security threats," See says. "After stringent segmentation of potential threats and understanding their varied negative repercussions on bottom lines, the organisation should then decide on areas of priority and the level of security needed for different aspects of its operating procedures. The utopia of things is for organisations to carefully adopt business solutions in accordance to their needs, but more importantly, to take time to educate and promote employee buy-in for new technology."
Reference : Ferina Manecksha,. (2003, October 30). Tackling computer security. New Straits Times.
0 comments:
Post a Comment