Center for Strategic Assessment and forecasts

Autonomous non-profit organization

Home / Defence and security / / Articles
Terror as the engine of progress
Material posted: -Publication date: 16-12-2002

According to many Russian and foreign experts, the increase of activity in the field of information security in various industries due to several reasons: from the threat of terrorist acts against important economic facilities to the unauthorized actions of competitors. The tragic events in USA on 11 September 2001 was forced to change perspective on the problem of providing confidentiality, integrity and availability of information assets.

In this article, we assess the situation in the sphere of information protection of American specialists from the Alliance for Internet security (ISAlliance), the National Association of manufacturers (NAM) and RedSiren Technologies Inc experts.

The purpose of the survey 227 professionals in the field of information security in several countries of the world have been finding out the situation in the field of information security, established after the tragic terrorist attacks on the world trade Center and the Pentagon in September 2001.

According to the survey, the majority of respondents agreed that information security today is a key issue and its importance is constantly increasing. 88% of respondents believe that information security is essential in ensuring the sustainability of their business and business viability, while 30% reported that their critical business information is protected is not enough. 45% of respondents are not ready to solve problems in the field of information security and cyber-terrorism, and in the case of a possible attack they would probably have to close his business than to rebuild it from scratch.

Thus, most organizations already occupy the correct position and realistically assess the degree of importance of computer security, however, many executives are still not adequately perceive the threat to information security.

Despite the fact that 91% of respondents recognize the importance of information security, 30% believe that their company is not currently able to be equipped with reliable equipment. 40% of respondents believe information security is more important today than before the events of 11 September 2001. Almost two thirds of respondents (67%) reported that their companies had identified the problems of information security as a top priority. However, 39% believe that their proposals for improving information security were not perceived by the user properly.

Interestingly, the issue of cyberterrorism "split" respondents into two camps: 48% said that certain events have made them "more interested" in countering cyberterrorism, the same people could not name any changes in their plans.

The survey results also demonstrated the importance of resource allocation to ensure adequate security. 47% of respondents reported that they have before the events of 11 September have resources. The same number of respondents noted that last year, 38% indicated that this trend will continue in 2003.

More than 50% of the companies had a sufficient level of physical and information security, and developed and implemented appropriate policies before the events of 11 September 2001.

Almost 40% took steps to improve protection in all areas including information. This suggests that organizations have changed their positions in relation to a number of categories of risk perceived by them as irrelevant before. Many respondents told at least one attack on their information system last year; 25% reported 1-5 attacks; 10% – about 6-20 attacks and 17% reported more than 20 attacks.

However, 18% do not know how many times their organization had been attacked. The results of this analysis confirmed that the top leadership is aware of the need for improved approaches to solving problems in the field of information security. Issues of cybersecurity and privacy threats become for top management more tangible. However, while the level measures remains inadequate threats.

Experts point out that the objectives of any project in the field of information security of the company must be:

  • active effective protection;
  • confidentiality of commercial information;
  • guarantees to the client;
  • increase civil and criminal penalties for violations in the field of information security.

To achieve the whole process to provide protection should cover the company's strategy and organizational aspects. The solution of these problems can contribute to the training of personnel, which should be aimed at increasing the degree of their awareness of the risks associated with the use of information systems.

Information security should be a priority activity of the company, to affect the whole organization and the corporate culture of the company, changing its strategy, structure, systems, skills, staff. Such approach is the future of building systems of information protection. The only way to create a reliable and sustainable information system.

Information security means much more than simply adding a few hardware and software security to existing tools: there should be created a working environment in which there is a necessary appreciation of the importance of information security and there are ways of analyzing the vulnerabilities of the system.

The first step in implementing an effective strategy of information system security – security policy of the company. This policy should define the rules of use of the system and management of the organization. Its aim is precisely to promote the safe use and management of information systems at the management level of the entire company.

With 2 billion euros in 2000 to 7 billion euros in 2005. The most rapid growth will be in the areas of systems authorization, administration, and authentication to the detriment of the use of firewalls and antivirus programs. This level of expenditure is justified by the fact that the number of incidents in the area of security has increased significantly. According to the statistics of CERT (Computer Emergency Response Team), in 1999 there were 3859 recorded incidents in 2001-m – already 34754!

The results of the review, published in April 2001, the company Sirmi, indicate that the increase in the number of projects in the field of creation of interactive systems for trade and banking services will lead to the dissemination of the following technologies information security: SSL – 70%, the third trusted party (trust) is 60% and the SET Protocol is 28.3%. Their use will determine the increase in popularity of smart cards and electronic money (both items together – 15%). A survey of 600 companies conducted by Sirmi, showed that to ensure the security of communications Networks are used in such decisions: 65.2% of passwords; 47.3% of firewalls; 15,1% – hardware partitioning of the internal and external networks; 8,4% – methods of cryptographic protection.

According to a study performed by Colt-Idc, the security procedures for the physical protection of the equipment implemented in 32% of the companies. Standard strategy, used by 81%, is to "lock" the server, and register the input/output into the system and all connections. Wide enough to use different authentication tokens (36%) and smart card (24%); 20% of respondents chose continuous monitoring of system activity and only 3% – biometric access control system.

Thus, the results of the analysis in the field of information security and protection of information show that today for most companies is not characteristic of a systematic and comprehensive approach to solving problems of information security. Usually these issues are resolved, that is, after the fact, from case to case, without a clear program of action.

What is the reason for this situation?

It is clear that to ensure absolute protection of information is impossible, as impossible to create a complete armor. However, this statement is true only in the case if we consider the armor as such, and not as part of the system sustaining the combat vehicle. It is in the systematic and complex solution of the tasks set and is a positive result.

Consider a few examples. In some company And deployed one of the most sophisticated and expensive intrusion detection systems, however, the information system continues to be attacked, often successfully. The company And, despite substantial investment in information protection, continues to incur losses.

What is the reason? The analysis shows that the adoption of re 50 servers and 200 workstations) takes about 15-20 minutes. At the same time, skilled and prepared attacker to overcome a protection, the installation of special software and the hidden care enough about 8-10 minutes. Here we face one of the most serious problems, when the offender is able to function inside the loop control of the security administrator, forcing him to pace events, to respond to which specialist company are not able to.

Another example. The company has established a system for virus protection. In addition, it deployed subsystem for backup and restoration of data in the information system. However, after the next epidemic of a new virus, the company suffered serious losses, associated with viral lose parts information resources. What's the problem? Most experts in the field of information security knows that modern antivirus systems are imperfect. When a new virus vendors of anti-virus software can provide a vaccine not earlier than 24 hours after discovery of danger. All this time, systems are unprotected from virus attack. To save the situation in this case could clear implementation of recovery plan of the business or ensure its continuity. Those in the company did not exist.

Such examples could be quite a lot. However, they all share an important fact – none of the companies there was no SYSTEM of information protection. Yes, certain funds have been deployed, personnel involved, but a qualitative change in the characteristics, possible only through close integration of all processes of information protection in a single unit, was not provided. In this regard, the most urgent task is integration of information protection into a single system. Its construction should be based on a clear representation of the management of the company about the threats and possible consequences for the business, which emanate from the information areas of the company. Position of top management is reflected in the information security policy of the company.

To identify threats and channels of their implementation, assess the likelihood of undesirable interference and possible damage from it is possible only after a thorough and comprehensive audit of the information system. Only then we can talk about what protection means, in what quantities and where they should be installed.
Great importance is organizational-methodical maintenance of works on protection of information: needs to be developed risk assessment methodologies, instructions to personnel of the system and the division of information protection etc. And all documents must be interconnected among themselves.

An important role in ensuring the protection of information is the level of training, his ability to clearly and consistently act in extraordinary circumstances. Here the key role for the security administrator, his human and professional qualities. Thus, to have so much amount of investment in this sector as a clear and competent linking of already available remedies.


Tags: Russia , threat

RELATED MATERIALS: Defence and security