April 2005

The last five years have seen a marked increase in threats to the integrity of information systems and their underlying data sets. These make it extremely important for government and business leaders to treat the securing of all ICT assets under their responsibility as one of their top strategic priorities.

In the routine conduct of their affairs, those responsible for the running of government entities and enterprises have experienced a variety of attacks on their ICT assets. Some of these attacks were from internal sources, such as those from disgruntled employees, while others came about as a direct result of the proliferation of the Internet and the resulting distribution of computing power.

Attacks experienced have included malicious viruses, hacker attacks, intrusion by fraudsters and denial of service attacks. The effects of these have been compounded by a multitude of internet vulnerabilities in systems’ software, which now forms an integral part of national and business infrastructure.

In the early to mid nineties, when threats were not so pronounced because distributed computing was much less accessible, ICT security activities were confined to a set of primitive tools, mostly devised as a quick fix. That is, corporations and government entities corrected their systems after experiencing an attack, with very little anticipation of what was to come and how pernicious future attacks were going to be.

The situation today dictates a different approach. Dependencies on ICT assets are now so high that pro-active initiatives have to be taken by government and enterprise leaders to secure such assets before deployment. Non-action now will lead to being plagued by spam, viruses, trojans and worm attacks, resulting in denial of service. In layman’s terms, entire IT systems are crippled or handicapped, causing massive business disruptions and commercial losses.

Lax internal processes, lack of proper standards, inadequate staff training and poorly configured systems will surely exacerbate the electronic epidemics we have been experiencing in recent years.

Industry experts say that the situation is going to get worse and the frequency, aggression and persistence of attacks are all forecast to increase in the coming years. The devastation left in the trail of the Nimda and SoBig viruses is likely to be experienced again and with increased magnitudes and frequencies.

The response from a number of players in the ICT security field has, so far, been to design and develop technologies ranging from antivirus software and firewalls to anti-spam and anti-spyware tools. These solutions are now at the mature end of the spectrum of defence weapons available. They are, by analogy, the fortifications and ramparts of a heavily guarded city.

But these were born out of a reactive impulse to protect and survive. The ominous predictions of more bellicose activities from even more versatile hackers and virus “craftsmen”, plus the onset of identity theft and fraud through “phishing”, dictate the need for a broader strategy to combat intruders into the ICT real estate of many organizations, well before they attack.

These new threats and vulnerabilities have, in the last few years, triggered a number of new technologies that seek to intelligently intercept or preclude malicious intent to destroy IT systems. These emerging technologies include biometrics, PKI and security management tools, all heralded as being more pro-active in thwarting the attempts of hackers, fraudsters, spammers and digital property thieves.

These are new and indispensable tools that need experts to implement, integrate, administer and maintain them at a professional level. They need to be applied as part of the application of information security management standards such as ISO 17799.

In particular, the introduction and implementation of such standards requires a new breed of consulting service, performed by a new class of specialist: suitably trained and qualified experts who deliver services to the management of businesses and government entities.

Enter the Information Security consultant, duly engaged to assess businesses and organisations for the potential vulnerabilities and threats most likely to affect the availability and uptime of software, systems and applications, and the integrity of data sets.

Just as most government entities, public corporations and SMEs are bound by statute to have their books of account open for the scrutiny of internal and external auditors, so has the time come for government and business leaders to open up their ICT assets for scrutiny before the next attack happens. Such scrutiny is now a strategic imperative to ensure business can carry on as a going concern. It is also necessary to ensure that government, as a provider of a multitude of essential services to the citizen, continues to operate without interruption and with the necessary respect for privacy. In this respect, the EU directives and local legislation regarding personal data must be taken as an important part of the regulatory framework for compliance assessment.

Such scrutiny will need to be carried out by seasoned technology practitioners who will carry out a situation assessment based on the OSI model for systems security. Broadly, this will review and recommend changes to:

  • System Policies

  • Network Security

  • Physical Access policies

  • Password Management

  • User data areas access rights

  • System Availability

  • Non-repudiation schemes

The outcome of such services will also be to identify staff education and training needs. This need arises because few of the staff currently in charge of information systems, precious data and critical systems have been trained to handle the complexity of the security tools and precautionary measures.

There’s no doubt that ICT asset security is one of the critical issues facing government and businesses today. The threats posed by malicious viruses, hacker attacks and fraudsters adversely affect all organisations, as do the repercussions of accidental damage, equipment malfunctions and even information leaks from irresponsible employees.

Lack of appropriate ICT systems security measures may result in loss of business, lost revenue, lost customers and worst of all, the stain and loss of reputation. Mediocre levels of security can easily put a company’s survival at stake.

On the upside, a high degree of ICT asset security brings peace of mind to all stakeholders in any organization. While poor IT system security can be catastrophic, well-implemented IT security schemes can bring real advantages to business owners and users alike. Customers and suppliers forming part of an organisation’s value chain, who are confident of that organisation’s security measures, spread the word.

Having confidence in the level of security of your IT assets will enable you to open those systems for various alternative means of working, like giving customers access to product literature and price listings and conducting secure e-commerce with your suppliers. This can enhance reputation. The workforce will appreciate the greater flexibility in the way they are able to work, and the shareholders will enjoy the added value brought by the resulting competitive advantage.

It is the responsibility of all those in charge of ensuring the continuity of their organisation to engage expert help now in order to forestall financial loss in the future. Being proactive and taking ICT security seriously as a strategic objective will surely bring competitive advantage through newly devised professional approaches to protecting valuable ICT assets.

Ivan Mifsud
Business Development Executive
Megabyte Ltd

 
