Establishing a secure network is the biggest challenge faced by an enterprise today. According to data released by CERT India, corporate sites are attacked more often than others. Also, according to a Confederation of Indian Industry-PricewaterhouseCoopers survey, 58 per cent of Indian enterprises have faced one or two security breaches, 24 per cent have experienced three to five breaches, and 18 per cent have had more than six breaches.
The aim of any enterprise today should encompass four principles: achieving customer satisfaction, integration of the company’s suppliers and partners, ensuring productivity of the workforce and optimisation of back office operations. In order to achieve these aims, the enterprise must first establish a network that brings the partners, suppliers, workforce and customers on to one platform. This practice helps increase control, keeps a check on requirements and reduces complexity. However, a few issues and concerns remain. For instance, if the network is not secure, it becomes vulnerable to threats and malicious spyware.
The most common security-related mistakes made by end-users include:
Opening unsolicited email attachments without first verifying their source and checking their content.
Sharing of passwords, writing them down and storing them in a visible place.
Failing to install security patches on time.
Similarly, the most common security-related mistakes made by senior executives of an enterprise include:
Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
Failing to understand properly the relationship of information security with the business problem.
Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow-through to ensure that problems stay fixed.
Relying primarily on a firewall/technology while ignoring the human/process elements.
The most common security-related oversights that are made by IT executives are listed below:
Connecting systems to the internet before hardening them (removing unnecessary devices and patching the necessary ones).
Connecting test systems to the internet with default accounts and passwords.
Failing to update systems on time when security vulnerabilities are found and patches or upgrades are available.
Using telnet and other unencrypted protocols for managing systems, routers, firewalls and public key infrastructure.
Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices (some of these are Unix specific).
Implementing firewalls with rules that allow malicious or dangerous traffic, incoming or outgoing.
Failing to implement or update virus detection software on time.
Failing to educate users on what to look out for and what to do when they see a potential security problem.
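An added example (not from the presentation or the original article): a check for listeners on the legacy, unencrypted services named in the list above, run over `ss -tuln`-style output. The sample listing is constructed, the port numbers are the standard well-known assignments, and a match identifies a port, not the daemon behind it.

```python
# Added example: flag listeners on the legacy services named in the list above.
# Ports are the standard well-known assignments; a hit is a port match only.
LEGACY = {
    ("tcp", 21): "ftpd",
    ("tcp", 23): "telnetd",
    ("tcp", 25): "mail (smtp)",
    ("tcp", 79): "finger",
    ("tcp", 111): "rpc (portmapper)",
    ("udp", 111): "rpc (portmapper)",
    ("tcp", 512): "rservices (rexec)",
    ("tcp", 513): "rservices (rlogin)",
    ("tcp", 514): "rservices (rsh)",  # 514/udp is syslog, so it is not listed
}

# Constructed sample in the layout printed by `ss -tuln`.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:23            [::]:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:514        0.0.0.0:*
udp   UNCONN 0      0      *:111              *:*
"""

def is_loopback(addr):
    addr = addr.strip("[]")
    return addr == "::1" or addr.startswith("127.")

def audit_listeners(ss_output):
    """Return one finding per listener that matches a legacy service port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or an unrelated socket type
        proto = fields[0]
        addr, _, port = fields[4].rpartition(":")  # copes with [::]:23
        if not port.isdigit():
            continue
        service = LEGACY.get((proto, int(port)))
        if service:
            findings.append({"proto": proto, "port": int(port), "service": service,
                             "exposed": not is_loopback(addr)})
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        scope = "network-reachable" if f["exposed"] else "loopback only"
        print(f'{f["proto"]}/{f["port"]} {f["service"]}: {scope}')
```

Listeners bound only to loopback are still reported, but marked as not network-reachable so they can be prioritised below the exposed ones.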
To sum up, the main factors that increase the vulnerability of any enterprise’s network are inadequate processes and procedures for security management, weak security administration, lack of user awareness and training, and inappropriate technology selection and management.
In order to overcome the challenge of network security, enterprises must have a clear-cut idea of what their business objectives are. This implies that the organisation must define its security strategy and how this may impact the development of the enterprise and its security operation. So, a four-pronged structure is envisaged. This includes envisioning security, engineering security, operating security and responding to incidents in operations.
Envisioning security
This is the process of determining the types and degrees of security resources (for the organisation, firm processes and technology infrastructure) required to meet business objectives.
The resulting security strategy balances security initiatives with associated costs, justifying cost in terms of business enablement and security protection.
This process is designed to set the direction of the organisation and focus security resources on the areas of greatest business need.
Engineering security
This refers to transforming the security strategy into technologies and processes that accomplish business objectives.
These technologies and processes protect systems and data while enabling authorised users to perform their tasks.
As a result of implementing this function, business rules are enforced and controls are put in place to empower those who should have access.
Operating security
This process entails continuously managing the security and controls built across the infrastructure of processes and technologies.
This helps the enterprise to update, enhance and monitor the technology environment while staying updated with known threats.
Incident response
This helps companies recover after an incident or emergency.
It reduces the impact of an incident after assessing its damage and allowing a quick return to normal operations.
After responding, other processes within the enterprise security business model are revisited to prevent recurrences.
(Based on a presentation made by Sivarama Krishnan, Executive Director, PricewaterhouseCoopers)