Enterprise Security Strategy
Certain events in history profoundly influence the course of future thinking and strategy. The terrorist attack of Sept. 11 was definitely one such event. In February 2003 the U.S. government published “The National Strategy to Secure Cyberspace.” This document provides the framework for organizing and prioritizing security efforts as well as reducing the nation’s vulnerability to debilitating attacks against critical information infrastructures or the physical assets that support them. The focus of this article is on enterprise security strategy and the need for all security professionals to first determine their strategy, then work toward security policies and finally, the selection and deployment of security technologies.
Hacker Sophistication and Speed of Attacks Are Increasing
Businesses need to address long-term trends related to threats and vulnerabilities. What is known is that attack tools and methodologies are becoming widely available, and the technical capability and sophistication of users bent on causing havoc or disruption is improving. Organized hackers have exploited business vulnerabilities and are beginning to acquire the technical sophistication to carry out debilitating attacks. These attacks can have serious consequences, such as disrupting critical operations and causing loss of revenue and intellectual property.
For example, the “NIMDA” (“ADMIN” spelled backwards) attack was an automated cyber-attack, a blend of a computer worm and a computer virus. It propagated across the United States with enormous speed. It tried several different ways to infect the computer systems it invaded until it gained access and destroyed files. It went from nonexistent to nationwide in an hour, lasted for days and attacked 86,000 computers. Despite the fact that NIMDA did not create a catastrophic disruption to the critical infrastructure, it is a good example of increased technical sophistication showing up in cyberspace, with the capabilities and intent to harm business infrastructures.
The arsenal of weapons available to organized attackers now contains the capability to learn and adapt to the local environment.
Speed is also increasing. Two months before NIMDA, a cyber-attack called “Code Red” infected 150,000 computer systems in 14 hours. The threat has never been more serious. Security professionals must be aware of such threats and work closely with the security officer to create a security strategy that meets the business objectives of the enterprise.
Business Nervous System
Cyberspace is the nervous system—the control system of businesses today. Business interactions with employees, communication with potential clients and suppliers, as well as transactions, are very dependent on the communications infrastructure and the Internet.
The security strategy of business provides the framework, the blueprint, for the identification of security requirements to meet the objectives of the organization. The security strategy must provide the basis for a comprehensive and scalable solution that is based on core business objectives, legislative requirements and threats to the enterprise.
A ‘Robust and Roving’ Shield
Businesses have to counter such attacks by developing what I refer to as a “robust and roving” shield to reduce vulnerabilities and deter those with the capability and intent to harm business infrastructure. A “robust” shield is critical to make the infrastructure as impregnable as possible to malicious attacks from the outside. This results in the deployment of technologies such as firewall systems and intrusion detection (or prevention) systems as well as the ability to detect malicious software such as viruses and worms. A “roving” shield is needed because the threat is dynamic, requiring the business defense to be adaptive and alert in detecting gaps that may be exploited by those who make it past the “robust” shield. The “roving” shield idea requires regular audits to review records to identify irregularities that may compromise the security of the enterprise.
‘Perimeter to Core’ Security
The threat to the business infrastructure comes both from outsiders and insiders. The “robust and roving” shield must be designed so that it delivers security for the assets of the business on the perimeter as well as the core. These critical assets include systems typically at the perimeter such as Domain Name System (DNS) and Web servers, while also defending core systems such as file, mail, database, compute, e-commerce, application and print server systems.
Strategic Objectives for Business Security
Every business needs to develop a strategy to help ensure adequate information security. The security strategy document provides the blueprint for enterprise security policies. “The National Strategy to Secure Cyberspace” document provides excellent insight into developing strategic objectives for securing the business infrastructure. Security professionals and businesses need to develop strategic objectives for their infrastructure so that it meets their business goals.
Every business needs to re-examine its security strategy to:
- Prevent cyber-attacks against the business’s critical infrastructures.
- Reduce vulnerability to cyber-attacks.
- Minimize damage and recovery time from cyber-attacks that do occur.
An organization’s security strategy must be guided by the principles of confidentiality, integrity and availability. Confidentiality safeguards prevent the unauthorized disclosure of sensitive information. Integrity controls prevent the unauthorized modification of systems and information. Availability safeguards prevent the disruption of service and productivity.
For example, the business security strategy must account for a concerted and intelligent attack and plan for information systems to be able to operate while under attack and have the resilience to restore full operations quickly. This addresses the security principle of availability, which requires business assets to be accessible and usable upon demand by an authorized entity.
The business security strategy should identify:
- Security objectives of mission-critical business functions.
- Risks to which the organization may be vulnerable.
- Security architecture to defend vital systems, networks and applications.
- Required security policies and procedures.
- Requirements for a security awareness and training program.
The security officer must understand the mission-critical business functions and clearly establish the security objectives to ensure the confidentiality, integrity and availability of all required components to ensure business continuity. Risk analysis will identify both the vulnerabilities and threats that the organization faces as well as an inventory of vital systems, networks and applications. Risk analysis is a critical business security function that must be executed on a regular basis.
The security officer must work closely with the security team to establish the security architecture—defining requirements for each area (zone) of the infrastructure. The principle of “defense-in-depth” must be used to develop the security architecture to protect vital assets from “the perimeter to the core.”
The team must then identify all required security policy and procedures documents. These documents provide guidance for the actual selection as well as the configuration of security technologies within the organization. The identification of the types of security policies establishes the priorities of the organization. For example, the organization may require the development of an incident response policy to address a process for responding to security incident types and corresponding procedures, roles and responsibilities. Another example would be the requirement fo