Worrying about security is typically the domain of "the security" people, isn`t it? But how sound does one sleep when Fortune magazine runs articles like: "Who`s reading your e-mail? As the world gets networked, spies, rogue employees and bored teens are invading companies` computers to make mischief, steal trade secrets, even sabotage careers". Or how about this headline: "How we invaded a Fortune 500 company"! Suddenly, there goes the good night`s sleep!
Many organisations believe they have adequate security solutions in place to deal with the threat of these young "hooligans" who terrorise corporations by hacking into their computer systems via the Internet and cause havoc within the environment.
This may even be true. The issue is not so much whether you have a security product, such as a firewall, installed in your environment. The issue is about how that firewall, as well as all the other various security applications that one may have installed, is managed.
Putting security in perspective
To relay this message accurately, let`s picture the following scenario:
An organisation has a heterogeneous computing environment that includes a mainframe, a number of Unix boxes and a large deployment of NT in the field. It also has a staff complement of 10 000. All these platforms have "adequate" security on them and the security administrators seem to have things under control.
There are about 1 000 employees who require access to various applications spread across all three platforms. One month there is disciplinary action taken against two employees and they are dismissed acrimoniously. Who is responsible for making sure the employees` access to the various applications is revoked? How soon does the revoking of access occur after the employees have been dismissed? Maybe a day, a week or never? What would happen if these two employees decided to do some malicious damage to the organisation`s information?
Falling through the cracks
This is a story many companies have experienced first-hand. Too many organisations let things like this fall through the cracks. In this example there are only three platforms to manage. In the real world there are these three platforms and an endless number of applications and databases. All have security applications attached to them to protect the information from unfriendly invasion!
In many instances companies that suffer security breaches have the right security products but insufficient management mechanisms to keep the environment watertight.
Research has shown that over 80% of security breaches are committed by internal elements. This fact dispels the belief that all a company needs to worry about is outside influences.
In recent times the topic of security management is coming into view, allowing companies to obtain a different and more comprehensive view of security access across the enterprise. By focusing on the employee, these solutions allow security administrators to see, for the first time, exactly which user has access to what in the enterprise.
A security department can fully audit, add and remove an employee's access rights on the network. This is something that is new to security administrators. They have been used to looking at islands of security solutions while attempting to manually map the rights for employees within that particular security solution to any other access rights the employee may have.
This sounds almost trivial, so by way of example; in one case in the US, a telecommunications company used 12 consultants working full time for eight months to find out what access rights 8 000 retrenched employees had, and to revoke them.
The company ended up implementing security management afterwards, but it was the classical case of locking the stable after the horse has bolted.
In a South African context 12 consultants at R200 an hour for eight hours a day for eight months comes to R3 379 200. And that is just for the clean-up, without taking into account the potential for sabotage from employees who couldn`t have been too happy to be retrenched.
This quote from three San Antonio hackers which was recently published in Fortune magazine is a scary but apt representation of the mentality against which your security strategy has to protect your organisation:
"This is it
We`re in
There are things here I can now destroy
This is a good thing
The geek in me is happy"
Share
