From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 27 Jun 2002 05:50:25 -0700 (PDT)
Subject: [iwar] [fc:Information.Security.Moves.Front.And.Center.For.Corporations]
Message-Id: <200206271250.g5RCoP922898@red.all.net>
Reply-To: iwar@yahoogroups.com

Information Security Moves Front And Center For Corporations
http://www.telecomweb.com/ebusiness/feature.htm

This article first appeared in PBI Media's Electronic Commerce News, June 26, 2002.

As federal government officials on both ends of Pennsylvania Avenue delve deeper into what was known prior to the 9/11 terrorist attacks, government and corporate interests alike increasingly are turning their attention toward securing mission-critical information infrastructure. With Bush Administration officials characterizing the question about future terror attacks on the U.S. as a matter of "when" not "if", corporations must view the possibility of cyberattacks as a very real threat.

The federal government already is moving down the road to minimizing its vulnerability in this area. Researchers at the IT research firm INPUT say federal government spending on information security systems and services will increase at a compound annual growth rate of 25 percent, from $1.3 billion in fiscal year (FY) 2001 to over $4.1 billion in FY 2006.

"The terrorist attacks on September 11th have added a sense of urgency to an already serious situation in which many agencies were receiving unsatisfactory scores in federal security reviews," says Payton Smith, manager of Public Sector Market Analysis Services at INPUT. "Federal agencies must respond to administrative pressure tying program funding to demonstrated security performance."

According to INPUT's recent report on the issue, spending on information security systems and services will be highest among the agencies of the Department of Defense, exceeding $2.1 billion by FY 2006 due to efforts to secure and enhance the military command and control infrastructure. Growth in federal spending for information security will be most significant in fiscal years 2002 and 2003.
"As federal agencies satisfy their immediate security requirements, INPUT expects that security spending will revert to a growth rate that is more in line with overall federal spending for information technology," Smith says.

Enterprises Need to Do More, GartnerG2 Says

While many enterprises are moving to shore up their defenses against cyberattacks, most are not yet sufficiently prepared - even when solutions are readily available, researchers at GartnerG2 believe. In a discussion of security issues during the Gartner Symposium/IT Expo in San Diego earlier this month, researchers said that between now and 2005, 90 percent of cyberattacks will exploit known security flaws for which a patch is available or a solution known. GartnerG2 analysts said that not only are patches available before the cyberattacks, but 90 percent of the attacks are imitations of other attacks. Moreover, recent cyberattacks could have been avoided if enterprises were more focused on their security efforts.

"Nearly every major attack to hit the headlines involved the exploitation of known security flaws for which a patch or defense was widely known," said Richard Mogull, research director for GartnerG2. "Estimated losses from Code Red and Nimda were in the billions of dollars, yet Code Red exploited a flaw for which a patch was available, proving that we never learn from our mistakes. Nimda exploited the same flaw just a few months later. Both continue to survive on the Internet today."

Between now and the end of 2005, 20 percent of enterprises will experience a serious (beyond a virus) Internet security incident. Of those that do, the cleanup costs of the incident will exceed the prevention costs by 50 percent, GartnerG2 analysts say.
The GartnerG2 analysts believe the top five IT vulnerabilities to cyberattacks center on the security of suppliers and partners, lack of benchmarking (spending and value), failure to integrate security into projects, poor governance and culture, and a lack of risk management integration.

Since hindsight is 20/20, enterprises must get out in front of potential information security challenges long before they occur. Specifically, they need to develop incident response procedures and monitor the right sources to detect an attack.

"A proactive security posture doesn't mean you attack hackers before they attack you -- it means you have a well-developed response plan and keep looking for the early indications of an attack," Mogull said. "Increase the enterprise's overall security posture. Develop an internal response plan and aggressively monitor Internet activity on all systems, especially firewall and intrusion detection logs. Evaluate established security plans in light of recent events, and update as needed. If no cyber-incident response team, or CIRT, exists, consider forming one or contracting with an external provider to evaluate systems."

People May Be Weakest Link in Security Plans

While beefing up technology and closing system security holes is key, evaluating the human element of the information security plan is extremely critical as well, analysts at Gartner's people3 unit say. To ensure that security and business continuance programs meet their intended objectives, IT leaders must ensure they have an effective human capital infrastructure to support these programs.

"Unfortunately, in most security and business continuance programs, the vast majority of resources have been dedicated to technical aspects, leaving the human capital element as an afterthought," said Linda Pittenger, president and CEO of people3. "The concern is that while many organizations will have created state-of-the-art technology defenses for their IT environment, those defenses will ultimately fail due to the lack of an effective human capital infrastructure."

The analysts have prepared a new report detailing these challenges -- "Before the Alarm Goes Off: Analyzing Human Capital Readiness for Security and Business Continuance." For those companies looking to re-evaluate the people component of their security and business continuance program, the people3 report recommends concentrating on four key elements:

  Strategy Assessment. Reassess the organization's overall business and IT strategies, perform comprehensive risk assessment, and identify and close process gaps.

  Policy and Governance. Establish a chief information security office to ensure policy consistency, clearly state policies, define and consistently enforce consequences for non-compliance, and institute governance processes to monitor and control the execution of processes and procedures.

  Resource Planning. Establish budget and staffing plans for security and business continuance functions.

  Communication Process. Distribute policies and procedures through appropriate channels, create and reinforce organizational awareness of security and business continuance policies, and promote a culture where security and business continuance are considered everyone's responsibility.

"Business and IT leaders must also take a hard look at their human capital management processes to ensure their enterprise's security objectives and standards are reflected in their organization's culture, organizational structure, work process designs, and staffing and career development processes," said Pittenger.
This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:33 PDT