Papers Published by Kent Anderson, CISM - Encurve, LLC:



Also see current news and comments on politically motivated computer crime and hacktivism at:
http://politicalhacking.blogspot.com/


Anderson, K.E., "A Business Model for Information Security", Information Systems Control Journal, Volume 3, 2008.

One of the greatest challenges in information security is aligning with business objectives. While practitioners talk about incorporating governance and business requirements, the reality tells a different story. A recent survey showed that 50 percent of North American security professionals’ time is spent on reactive and tactical activities such as remediation of operational vulnerabilities. This disconnect between information security operations and strategic business objectives results in pressure to increase security spending while risks, incidents and losses continue escalating to unsustainable levels.

A framework enabling information security professionals to align their activities with their organization’s business is needed.

Anderson, K.E., "Convergence: A Holistic Approach to Risk Management", Network Security, Elsevier, Ltd., Volume 2007, Issue 5, May 2007.

All too often, security practitioners tend to think about security purely as a logical issue. Locking down firewalls and structuring access to user accounts is only one part of the puzzle, however; other aspects of security are just as important in the enterprise.

Marrying physical security with computer security can help to strengthen an organisation's overall risk profile, but Kent Anderson, a member of the Certified Information Security Manager (CISM) board within the Information Systems Audit and Control Association (ISACA), argues that to be truly effective, we must go beyond this and embrace the concept of enterprise risk management.

How can this best be achieved, and what will the result look like? This article examines some of the drivers for this holistic form of risk management, and outlines some best practice principles to attain its goals.

Today's security practitioners feel more pressure and accountability to perform, yet never seem to have the resources to get the job done. Consequently, “executives just don’t get it” is probably the most common explanation among frustrated professionals, but have we ever stopped to ask if maybe we’re the ones who don’t get it?

Anderson, K.E., "IT Security Professionals Must Evolve for Changing Market", SC Magazine, October 12, 2006.

IT security awareness is at an all-time high, and organizations are spending and hiring in record numbers. Legislation and regulations are proliferating. Yet, for all this effort, nearly every statistical measure of IT security performance — from the number of incidents and vulnerabilities to the cost and impact of a security breach — is bad news. In what other endeavor would so much investment be permitted with such poor results?

The potential for disruption from malicious or accidental threats is growing, yet our ability to manage risk has never been more uncertain. Throwing more money at IT security will not close the gap.

Anderson, K.E., "Hacktivism & Politically Motivated Computer Crime", Encurve, LLC.

The Internet has created a social revolution in which business, non-profit organizations, academia and governments have undergone a transformation in their ability to gather, share and process information. The result is an unprecedented reliance on information infrastructures for their very survival. This dependency creates new opportunities for disruption.

Many politically motivated individuals and groups see the Internet as a medium to further their causes and disseminate their messages. While much of this activity is protected in Western countries as free speech, there is increasing misuse of technology as a mechanism to change or disrupt existing political, commercial and other social structures. Politically motivated computer crime (sometimes referred to as hacktivism) covers a wide range of online activity to promote the objectives of individuals, groups or nations supporting a variety of causes: anti-globalization, trans-national conflicts, anarchists, labor disputes, environmental and animal rights.

This paper will look at the various types of motivation behind activist and nationalist groups engaging in computer-based attacks and their history, and will present two case studies of politically motivated attacks investigated by the author with an analysis of their impact.

Anderson, K.E., "Intelligence-Based Threat Assessments for Information Networks and Infrastructures: A White Paper", Encurve, LLC, 2005. (32 KB+graphics)

Few organizations invest in proper risk assessment before implementing controls. Even fewer have the capability to understand and qualify specific threats to their information assets in order to assess risks accurately. The consequences can be profound. Not only are some threats overlooked leaving inadequate controls, but also scarce resources and budgets may be misapplied to threats that do not exist or have minimal impact. Furthermore, when considering risks to information infrastructures, the number, type and variation of threats are overwhelming.

This paper will discuss threat assessments, risk assessments and information infrastructures in general and provide an overview of an intelligence-based threat assessment model. This model identifies potential threats to networks and information infrastructures which cross organizational and national boundaries, where no single entity, governmental or private, has control or responsibility to protect and secure information and applications. Vulnerabilities are identified in a systematic way by analyzing specific threat enablers. Using intelligence-based techniques, these vulnerabilities are prioritized using specific indications of use and an analysis of the effort and cost required to exploit them. This model is applicable not only in determining where safeguards and controls are needed within a network, but can also be used by law enforcement and government agencies to better predict threats and understand where scarce resources should be applied to mitigate potential damage.

Anderson, K.E., "Managing the Cyber Threat", Network Risk Management, LLC, April, 2004.

Computer and telecommunications networks are fostering a revolution in the way organizations do business. The unprecedented ability to interconnect every aspect of a company’s business through the use of networks provides myriad opportunities for increased efficiency and enhanced communications. The emergence of e-business is fundamentally altering both the way companies function internally and the way they interact with suppliers, partners, customers and governmental agencies. These changes are international, creating new markets and competitors.

With this unprecedented connectivity come new risks for the information infrastructure upon which organizations are building their e-businesses. The electronic assets of many of today’s top companies are of greater value than their physical "bricks and mortar". In this environment, the combination of global connectivity, employee mobility and rapid technological change creates new opportunities for fraud, theft, extortion, pirating, industrial espionage and business interruption. Technology is not the only source of risk to information infrastructures. Political, physical, environmental, legal and regulatory issues are all factors contributing to the creation of a multi-dimensional problem. While prevention is the preferred course of action, no security measures are perfect. Organizations must be prepared to quickly detect and effectively respond to the threats they face in the ever-changing e-business environment.

Anderson, K.E., "Criminal Threats to Business on the Internet: A White Paper", Global Technology Research, Inc., June 23, 1997. (35 KB)

Businesses today have a tremendous opportunity to use information technologies to their competitive advantage. Securing information and communication systems will be a necessary enabler to move forward into these new markets. However, no security measure will guarantee a risk-free environment in which to operate. In fact, many businesses will need to provide easier access by customers to portions of their information systems, thereby increasing potential exposure. This paper looks at the increasing trend of criminal activity against information systems, from the low-level amateur intruder to organized crime, industrial and international espionage. In addition, the author looks at how this activity is likely to evolve in the near future.

Anderson, K.E., "International Intrusions: Patterns and Motives", Proceedings of the 1994 Bellcore/Bell South Security Symposium, May 1994. (46 KB)

Summary of the author's investigation of international intrusions, presenting a classification model of the attributes and motives displayed by intruders and explaining common patterns of activity. The author argues that common methods of investigating computer intrusions are limited in scope, and that security solutions and tools therefore have limited effectiveness and scale poorly in large networks.


For more information on these papers or subjects, please contact Kent Anderson at: kea@EncurveLLC.com



Last updated: Friday, March 6, 2009.
Copyright © 1997 - 2009 Encurve, LLC