Cyber Security – Not Doing Anything About IT is a Crime
Raj G. Asava
Chief Strategy Officer
Perot Systems
This paper is an executive level primer about information security in the digital era, and a suggested framework to address the vulnerabilities and threats present at each of the layers that make up a typical information and communication infrastructure.
Recent news reports confirm that cyber vulnerabilities are real, prominent, significant, and unpredictable:
"Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea"
- The New York Times, July 9, 2009
"A wave of cyberattacks aimed at 27 American and South Korean government agencies and commercial Web sites temporarily jammed more than a third of them over the past five days… The Web sites of the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department were all affected at some point over the weekend and into this week, The Associated Press reported Tuesday, citing American officials."
"Another Day, Another DDoS Blitz for Twitter"
- TechNewsWorld, July 16, 2009
"For the second time in less than a week, Twitter has been hit by a distributed denial of service (DDoS) attack. Unlike the first attack last week, the latest cyber assault, which started on Tuesday, has been confined to Twitter so far…"
"130 million credit card numbers stolen in identity theft scheme"
- Yahoo! News, August 17, 2009
"U.S. authorities announced what they believed to be the largest hacking and identity theft case ever... Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen ..."
These examples are just a small sampling of the recent cyber security related headlines that highlight the seriousness of the issue we face in the public and private sectors. Before we dive into the complex topic of cyber security, it is important to understand what exactly cyber space is and why there is such an urgent need to make it secure? Cyber space refers to the components of the digital infrastructure (networking, storage devices, servers, etc.) that enable the creation and movement of digitized information between various entities ranging from consumers to companies to countries, and everything in between.
"As president, I’ll make cyber security the top priority that it should be in the 21st century," said President Barrack Obama. President Obama went on to say that the cyber threat is, "one of the most serious economic and national security challenges we face as a nation. It’s also clear that we’re not as prepared as we should be, as a government, or as a country."
Cyber Security Definition
The following are comprehensive definitions of cyber security from two credible sources:
United States, Computer Emergency Readiness Team (US-CERT) defines cyber security as: How much of your daily life relies on computers? How much of your personal or business information is stored either on your own computer or on someone else’s system? Cyber security involves protecting that information by preventing, detecting, and responding to attacks.
India’s Information Technology Act Amendment - ITAA 2008 Section 2 (nb) states: "Cyber Security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.
Simply put, cyber security is all about securing the physical and virtual elements of cyber space.
To reap the full benefits of the digital revolution powering the global economy, users must have confidence that digital information is fully secure at each stage of data creation, transportation, review, storage and manipulation leading to eventual archive and disposition.
Why Are We So Vulnerable Now
One word: Internet! Also known as and referred to as the world-wide-web or the famous "information highway." Over the years, the information highway itself has become a destination, thanks primarily to Cloud Computing that is now becoming a mainstream computing platform.
Since the advent of Cloud Computing, the Internet has evolved beyond being just a network-of-networks, to a robust repository where more and more information is being stored in strategically located data hubs right on this digital highway. No longer does an individual or an organization need to bring the data down to their computers to reference or process it, they can store it on these hubs, and have access to it from anywhere and any device with which they can access the Internet.
As the Internet becomes a powerful and ubiquitous modern day utility, much like the telephone and television, it is imperative that the infrastructure and information flowing through the infrastructure are secured from both accidental failure and intentional hacking.
Information Security Versus Cyber Security Information has been the underpinning of all eras of the past – right from the caveman days, and especially throughout the industrial era on into the current digital era. Given information’s importance throughout history, calling today’s digital era the information age is a bit ludicrous. In each era, consumers, companies, and countries all used data to make informed decisions and gain a competitive advantage. In fact, information warfare has been around from the time individuals started to organize as institutions – businesses, churches, universities, governments, etc. Great dynasties were able to defeat the enemy and record achievements surpassing those of ordinary men because they were able to obtain critical information about the enemy in advance. Making use of spies was the crux of war in the past, because the action of the entire army was in response to the intelligence furnished by spies.
In the biblical story of "Samson & Delilah," Delilah was promised a great sum of money from the Philistines to discover the secret of Samson’s incredible strength. In a like manner, intelligence information gained in the Ramayana enabled the slaying of the demon king Ravana.
And of course, the famous "Helen of Troy" story that gave birth to the term Trojan (Horse), which has become a part of our lexicon, and is one of the most popular methods used to carry out cyber attack.
Today, practically all businesses – small, medium, to the Fortune 100 companies – depend upon competitive information and information analytics to gain business intelligence that enables informed decision making. Before the cyber-world, information breach by espionage was carried out through a network of spies and confidants. In the cyber-world, the network changed from spies and confidants to digitized bits and packets.
Rise of the Hackers
At the dawn of the digital era, the super powers created super computers, which only they could afford. They used these super computers to analyze massive amounts of data to gain intelligence on their "enemies" while showcasing their supremacy over cyber space.
Cyber-based information warfare started in the ‘80s, when personal computers were unleashed. Information trapped and contained within the monolithic mainframes suddenly became distributable. This empowered both good and bad elements around the world.Productivity and efficiencies gained by private and public sectors are testimonials to the value and benefit of the brave new cyber world.While most of the world enjoyed productivity gains, the mischievous faction excelled in finding ways to disrupt economies, regulations, and our way of life. The cyber world gave rise to a new class of "faceless" entities. Today, a small obscure hacker group has the means to plan and carryout cyber-based attacks, which in the past would require the backing of a State; a State with advanced resources and deep pockets.
Some of the common cyber attack types that have become part of our vocabulary are worms, viruses, Trojans, phishing, and Bot.nets, to name a few. These popular methods are used to attack and cripple websites, steal confidential data, compromise individual identities, and even wipe out entire servers or hard disks.
How Real is the Cyber Security Market?
Security and Privacy spending (Actual & Forecast) Outlook Source:
Source: Datamonitor IT Services, July 2008
2008 Security and Privacy spending
Source: Datamonitor IT Services, July 2008
Cyber security is expected to be one of the fastest growing segments of the Information Technology (IT) industry in the coming years with every industry investing heavily to make their computing environment secure. Recent U.S. projections alone depict a 49% increase in spending, in as little as six years.
A Comprehensive Cyber Security Framework
While individuals must be vigilant in the way they go about their business in the cyber space, organizations can reduce the risks associated with cyber security threats by assessing the vulnerabilities and threats present at each of the layers that make up the typical information and communication infrastructure. Models such as the Open Systems Interconnection Reference Model (developed by the International Organization for Standardization and The Telecommunication Standardization Sector), and the defense-in-depth for Information Security framework (developed by the U.S. Department of Defense) can be used to systematically address and secure each of the layers and the interactions between the layers.
A defense-in-depth approach involves applying countermeasures at every layer of the information and communication infrastructure, from perimeter routers and firewalls to users’ personal computers/devices. This includes the policies and procedures that govern the way the infrastructure as a whole is managed, enhanced, and even transformed.
The process of addressing and securing layers can be carried out in three broad phases: Consulting, Implementation, and Operations, and is typically the responsibility of the Chief Information Officer of the organization.
The Cyber Security Framework will be the topic of the next paper with an in-depth review of each layer and best practices and approaches at each of the intersection points.
Conclusion
Information has been the underpinning of all eras of the past. In the current digital era, the Internet has become a powerful and ubiquitous modern day utility that allows for rapid creation, replication, and movement of information to the masses, from one part of the world to the other, through simple strokes on the keyboard. The digitization of all kinds of information has made it imperative that the infrastructure connecting into the Internet and the information that flows through it are secured from both accidental failure and intentional hacking.
Recognizing the magnitude of challenges faced by this powerful digital value chain, President Obama has identified cyber security as one of the top priorities of his administration.
While governments and businesses must be vigilant in the way they go about their business in the cyber space, they can reduce the risks associated with cyber security threats by assessing the vulnerabilities and threats present at different levels of the typical information and communication infrastructure.
It comes as no surprise that cyber security is expected to be one of the fastest growing segments of the Information Technology (IT) industry in the coming years. A "Comprehensive Cyber Security Framework" envisages vulnerabilities and threats present in each of the layers that make up a typical information and communication infrastructure (e.g., Defense in Depth model), and addresses them in a systematic manner (e.g., Cyber Security Services Lifecycle) by leveraging and applying industry compliant security products and services.
Cyber security has become a matter of national security and is a top priority for the U.S. government and so should it be for organizations and individuals.
Not doing anything about IT is a crime waiting to happen…