- Denial of service: This occurs when a hostile entity uses a critical service of the computer system in such a way that no service or severely degraded service is available to others. Denial of service is a difficult attack to detect and protect against. An example of denial of service is an Internet attack, where an attacker requests a large number of connections to an Internet server. Through the use of an improper protocol, the attacker can leave a number of the connections half open. Most systems can handle only a small number of half-open connections before they are no longer able to communicate with other systems on the net. The attack completely disables the Internet server.
- Compromising the integrity of the information: Most people consider that the information stored on the computer system is accurate. If the information loses its accuracy, the consequences can be extreme. For example, if competitors hacked in to a company's data base and deleted customer records, a significant loss of revenues could result. Users must be able to trust that data are accurate and complete.
- Disclosure of information: Probably the most serious attack is disclosure of information. If the information taken off a system is important to the success of an organization, it has considerable value to a competitor. Corporate espionage is real threat, especially from foreign companies, where the legal reprisals are much more difficult to enforce. Insiders also pose a significant threat. Limiting user access to the information needed to perform specific jobs increases data security dramatically.
However, most secure systems are difficult to work with and require extra development time. Networks connect large numbers of users to share information and resources, but network security depends heavily on the corporation of each user. Security is a strong as the weakest link.
Organizations should have a security program to assure that each automated system has a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure or modification of the information contained in the system. Each system's level of security must protect the confidentiality, integrity and availability of the information. Specifically, this would require that the organization has appropriate technical personnel, administrative, environmental and telecommunications safeguards;a cost-effective security approach, adequate resources to support critical functions and to provide continuity of operation in the event of a disaster.
Companies continue to flock to the Internet in ever-increasing numbers, despite the fact that the overall and underlying environment is not secure. To further complicate the matter, vendors, standards bodies, security organizations and practitioners cannot agree on a standard, compliant and technically available approach. As a group of investors concerned with the success of the Internet for business purposes, it is critical to pull the collective resources and work together to quickly establish and support interoperable security standards; open security interfaces to existing security products and security products and security control mechanisms within other program products; and hardware and software solutions within heterogeneous operating systems which will facilitate smooth transitions.
Having the tools and solutions available within the marketplace is beginning, but strategies and migration paths are also needed to accommodate and integrate Internet, intranet and World Wide Web (WWW) technologies into the existing IT infrastructure. While there are always emerging challenges, introduction of newer technologies, and customers with challenging and perplexing problems to solve, this approach should enable in maximizing the effectiveness of the existing security investments, while bridging the gap to the long awaited and always sought after perfect solution.
Security solutions are slowly emerging, but interoperability, universally accepted security standards, application programming interfaces (APIs) for security, vendor support and cooperation and multi platform security products are still problematic. Where there are products and solutions , they tend to have niche applicability , be vendor-centric or only address one of larger set of security problems and requirements. For the most part, no single vendor or even software/vendor consortium has addressed the overall security problem within "open" systems and public networks. This indicates that the problem is very large.
It is important to keep in mind, as with any new and emerging technology, Internet, intranet and WWW technologies do not necessarily bring new and unique security concerns, risks and vulnerabilities, but rather introduce new problems, challenges and approaches within the existing security infrastructure.
Security requirements, goals and objectives remain the same, while the application of security, control mechanisms and solution sets are different and require the involvement and cooperation of multi disciplined technical and functional area teams. As in any distributed environment, there are more players and it is more difficult to fine or interpret the overall requirements or even talk to anyone who sees or understands the big picture. More people are involved than ever before, emphasizing the need to communicate both strategic and tactical security plans broadly and effectively throughout the entire enterprise. The security challenges and the resultant problems larger and more complex in this environment. Management must be kept up-to-date and thoroughly understand overall risk to the corporation's information assets with the implementation or decisions to implement new technologies. They must also understand, fund and support the influx of resources required to manage the security environment.
No comments:
Post a Comment
Your feedback and comments are valuable for us: