From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 15 Nov 2001 17:16:41 -0800 (PST)
Subject: [iwar] [fc:How.Vulnerable.Is.Your.Business.To.Cyberattacks?]

How Vulnerable Is Your Business To Cyberattacks?
By Sajay Rai, Information Security, 11/15/2001
<http://www.infosecnews.com/opinion/2001/11/14_03.htm>

Recent Events Heighten Focus on Security and Availability

The September 11 attacks on the World Trade Center and the Pentagon, as well as outbreaks of distributed denial-of-service (DDoS) attacks in February 2001, and more recently the Code Red and Nimda worms, have created a sense of vulnerability in business organizations never seen before. While these events differ in their overall magnitude, each is having a significant impact on the economy, as well as on management priority and focus. One area that has certainly increased in importance is IT security and availability.

Businesses are re-evaluating security efforts in response to future cyberthreats. With the credible threat of additional attacks as well as cyberterrorism, all levels of government are making secure IT networks a mission-critical priority. President Bush recently named Tom Ridge to head the cabinet-level Office of Homeland Security and Richard Clarke to head the Office of Cyberspace Security. Clarke has warned of the possibility of a "digital Pearl Harbor" in which a terrorist attack would paralyze computers, electrical grids and other key infrastructure.

Just as the U.S. government has made this a top priority, businesses must address the increased vulnerability these events have exposed. As business responds to these events, the vulnerability of IT infrastructure has become 'issue one' for many business organizations around the world.

What Has Business Learned from These Attacks?

Companies now face deeper challenges. While trying to grow their business in a downturned economy, they also face higher priority security and availability issues brought to light by the recent events. IT is a core component of most business processes and recent events have alerted businesses to just how much they rely on their IT infrastructure.
As a result, IT vulnerabilities have become a 'C-suite' and boardroom issue. Top executives are providing proactive sponsorship for efforts that will ensure adequate security and availability in their organization. So, what should companies do, now and in the future?

What Companies Should Do Now

View your Organization as an Economic Target

Do you know where your company's IT assets are? Assets that cannot be identified cannot be protected.

Are your IT assets secure?

1. Viruses, worms and other random and malicious external attacks are increasingly commonplace and the disruption of business is a costly reality. Proactive defense is critical.
2. Cyberterrorism is predicted to increase. Companies must ensure that targeted cyberterrorist vulnerabilities are addressed.

Is your internal security as strong as your external security? Seventy percent of all security incidents are from internal sources. In an environment of downsizing, internal control efforts cannot be ignored.

Are you monitoring your IT assets? While strong security measures may prevent many attacks, there will always be ways around these countermeasures. Understanding at all times how many people are in your network and who those people are, is critical. Monitoring and incident response procedures are a key part of successful security efforts.

Sustain Business Availability

Do you have comprehensive crisis management and incident response programs in place? Companies should review their programs with an eye to the emerging threats.

Do your plans define "worst case" to include a catastrophe? Companies should revisit their worst-case scenarios and ensure that they are appropriate in light of recent events.

Do you know your minimum business operating requirements? Companies should establish minimum requirements to continue to service customers in the event of a catastrophe.

Is your continuity plan comprehensive?
World-class companies address items like succession plans, inventory shortages, supplier disruptions, real estate, etc.

Do your plans accommodate the human elements associated with a major catastrophe, such as loss of a critical employee, employee fear and grief?

What Companies Should Do For the Future

Manage the Downturn

Are you optimizing your return on your security investments? Security is an important investment - leading organizations prioritize their efforts carefully to ensure that security dollars are directed appropriately to provide maximum payback.

Do you know where you can cut costs on IT infrastructure? Companies should take advantage of existing security technologies and services that allow them to operate as efficiently as possible and to do more with less.

Plan for Future Growth

Do you have adequate security and availability to achieve your strategic business goals? When we emerge from this downturn, successful companies will enable business stakeholders to securely access business information held in customer records, supply chain, order management, inventory applications, employee information and other critical systems.

Will your systems be available when your competitors are down? High availability is being redefined: companies increasingly conduct business electronically, so it will be imperative for organizations to plan for disruption-free, high availability systems.

Can you prove what you say you do? Companies will need to show their stakeholders their plans, test the plans and prove that they work.

In my opinion, the organizations that proactively prepare themselves against these risks will have competitive advantage in the future and will enhance the shareholder value. The ones who do not - well, one incident could invoke questions of their survival. It is time to be proactive when it comes to security and availability and it is time appropriate attention is given to this topic.

Sajay Rai is a partner with Ernst & Young LLP (www.ey.com).
He is area leader of security and technology solutions practice in Ohio.
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST