Johannesburg, 03 May 2004
"Worst-case scenario" has become a popular global thinking. Survival handbooks, crash courses and Web sites teach us how to survive life-threatening situations like how to react when hijacked, how to land a plane and where to punch, bite and kick when everything else fails.
But, is this "worst-case scenario" thinking helpful when it comes to network security and can imagining an extremely potent attack give IT security personnel a better picture of their infrastructure`s strengths and weaknesses?
Is this talking about doomsday really essential? I would say yes, especially with the world still reeling after the impact of Mydoom and its offspring. Imagining the worse can sometimes bring out the best in people.
Let`s look at IT`s "worst-case scenario". In all likelihood is would be a worm that finds a way into a company`s infrastructure, causing havoc and seriously damaging internal and external confidence, no even talking about the millions of rands lost in the process.
In essence it`s very difficult to control the activity of the worm once it`s set loose in the wild. So, how do prevent or immobilise it before it does irreparable damage to your business and its operations?
It`s important that organisations should be aware of who their attackers might be. This is why it there should be managerial buy-in - today`s security responsibilities no longer only lie with IT department.
And while initiatives such as the King II Report have done much to bring corporate responsibility to the fore, the issue of security still requires deeper involvement from the upper echelons of corporate decision-makers.
Knowing your enemy, what motivates them and how they think is a very powerful weapon.
William Hancock, chairperson of the Internet Security Alliance, recently listed potential security threats that companies need to be aware of. These included worms, viruses and hybrid attacks against communications infrastructures.
In fact, Hancock went so far as to say that terrorist organisations might use viruses and worms to "deteriorate, disrupt and disable economic and social support systems".
He also blames the vulnerable state of networks on senior corporate management - for failing to act responsibly and quickly when deploying security technologies.
The reality is that firewalls, hackers and security breaches have never topped the management priority list, but recent events demand that they become more involved, understanding how security affects the company as a whole.
Good security does not begin and end with erecting a firewall and installing anti-virus software. Good security is a dynamic process that is planned, designed, implemented and maintained - evolving as business needs and the IT environment change.
Security must be tailored to each business goal and objective, and management should understand how security issues affect the company and customers, allowing for the provision of proper resources, time and funding.
It is not only the IT department`s responsibility to carry the full brunt of company security. It needs to be understood, supported and funded from the top down.
Organisations must realise that security is not just an insurance policy - you`re not merely paying for things not to happen to you - it`s a mindset, a company culture that needs to be enforced and maintained.
Good security is more about surviving than dreaming of the "worst-case scenario". The ability to continue running your business in event of attacks and failure is what keeps you alive.
The bottom line is, software vulnerabilities are inevitable, and creative minds will always find ways to exploit them. It`s also impossible to look into the future and figure out what the next attack is going to look like.
However, planning for those "what-ifs" will do wonders for your business operations and culture and at least strengthen your company`s first line of defence.
Share