This is the caption of an article I sent to a weekly IT newspaper in Mumbai, India, yesterday.
Not so long ago, around the time I was learning to walk some thirty years back, the black-and-white TV clips I still remember reflected the medieval sense of security: guards at the gate behind high walls, others inside on the tower watching for intrusion, and still others across the palace bridge, proactively patrolling in armour to tackle intruders. The same sense of security has been carried over into modern computer networks, with firewalls at the entry point, antivirus and intrusion detection software in the interior, and intrusion prevention software listening in order to terminate unauthorized services. There is a synergy between security and IT risk management.
IT risk is the potential damage to an organization's value, often arising from inadequate management of IT processes and events. IT risk is emerging as a significant component of total business risk as IT assumes a more prominent role in organizations, and it can account for more than 50% of capital expenditure in some companies. IT is now integral to most organizational operations and transactions as corporate assets relocate from bricks and mortar to bits and bytes; the vast majority of corporate intellectual property, sensitive client information and valuable trade secrets are stored in digital form, which makes network security a top priority against economically motivated efforts to infiltrate an organization's network. A well-prepared IT management plan guides system design and decision making, resulting in higher operational efficiency, greater capacity for innovation and lower IT cost. As a result, an effective strategy for mitigating IT risk can protect an organization against both incidents and IT cost complexities. IT risk evolves as technology changes, producing new network security bugs, and network security is vital to the health and performance of the network, with threats coming from denial of service attacks, IP spoofing, ARP poisoning, DNS poisoning, Ping of Death, ICMP redirect, session hijacking, rootkit attacks, phishing, worms, viruses and Trojan horses, just to name a few. It is important that security devices both at the perimeter of the network and in the interior perform as expected. But how do we guarantee operational security?
In the first place, security is the reduction of risk. One can never eliminate risk, but security helps reduce the risk to an organization and its information-related resources. Risk is the probability or likelihood that a threat will occur or be realized; a threat is any agent, condition or circumstance that could potentially cause harm, loss, damage or compromise to an IT asset or data asset; and an asset is any item of economic value, such as software, owned by an individual or corporation. Software that is an asset to an organization must not be vulnerable, as a vulnerability is a weakness in the system design, implementation, software or code, or the lack of a protective mechanism. Vulnerability attracts exploits, because exploits are code that takes advantage of a weakness in software. To sum all this up algebraically, when you multiply threat by vulnerability you get your level of risk (Risk = Threat X Vulnerability). As vulnerability tends to zero, risk disappears. But since we cannot achieve a zero level of vulnerability and so totally eliminate risk, an organization's aim becomes how to develop a threat model for risk management. The degree to which vulnerability tends to zero will determine the shape of what I call the IT Risk quadrilateral at any particular point in time in your organisation. Your IT Risk quadrilateral is the angular representation of security, compliance, performance and availability in a four-sided, two-dimensional risk polygon. The security part of this polygon further gives birth to a triad of confidentiality, integrity and availability, which in essence is what security is all about.
Also, when discussing security, I like to break it down into three areas, as defined by the well-known Bruce Schneier in Secrets and Lies. Bruce breaks security down into three categories as follows:
Prevention: We want to stop the hackers. If you were securing your house, prevention would be similar to placing deadbolt locks on your doors, locking your windows, and perhaps installing a chain-link fence around your yard. You are doing everything possible to keep the threat out.
Detection: We want to detect the hackers when they get through. Sooner or later, prevention will fail. You want to be sure you detect when such failures happen. Once again using the house analogy, this would be similar to putting a burglar alarm and motion sensors in the house. These alarms go off when someone breaks in. If prevention fails, you want to be alerted to that as soon as possible.
Reaction: We want to react to the hackers once we detect them. Detecting a failure has little value if you do not have the ability to respond. What good is it to be alerted to a burglar if nothing is done? If someone breaks into your house and triggers the burglar alarm, one hopes that the local police force can respond quickly. The same holds true for information security. Once you have detected a failure, you must execute an effective response to the incident.
Risk varies depending on what kind of organization we are talking about: a military facility would want to protect military intelligence, an academic institution would want to protect its student databases and intellectual property, and a financial institution will be concerned with protecting trade secrets and client confidentiality. Therefore, deploying IT risk management strategies across different strata of organizations requires that we first compartmentalize IT risk into four areas: performance, availability, security and compliance. Unfortunately, financial institutions in Nigeria and in developing countries at large bother only with performance and availability.