Pandemics and malware and social media threats...oh my!
Three real information security threats and how to contain them
Carl Herberger
Managing the security of critical information has proven to be a challenge for businesses and organizations of all sizes. Even companies that invest in the latest security infrastructure and tools soon discover that these technology-based “solutions” are short-lived.
From antivirus software to firewalls and intrusion detection systems, these solutions are, in fact, merely the most effective strategies at the time of implementation. In other words, as soon as businesses build or strengthen a protective barrier, the “bad guys” find another way to get in. Attackers are constantly changing their tactics and strategies to make their attacks and scams as damaging as possible.
In response to these realities, I’ve put together some thoughts on the top three high-level management security issues facing companies over the next 12 months, along with some first steps companies can take to address them.
Pandemics
Planning for a pandemic or epidemic is very different than typical business continuity or technical recovery planning exercises.
In fact, an advisory issued last year by the Federal Financial Institutions Examiner’s Council (FFIEC) stressed the need for pandemic-specific planning exercises.
In April, The Gartner Group weighed in with an advisory of its own and said enterprises shouldn’t overreact to media reports about the swine flu, but should take the event as a wake-up call for reviewing and testing their pandemic response plans.
First steps
Understand how a pandemic event may affect your business through an abbreviated impact analysis focused primarily on people, not on process or business function.
Since a pandemic’s primary effect is on staffing levels, the rule of thumb is that companies should plan for up to 50% staff absences for periods of about two weeks at the height of a severe pandemic “wave,” and lower levels of staff absences for a few weeks on either side of the peak. Overall, a pandemic wave may last about 8 weeks. There will likely be additional waves of illness of varying severity over time. Here are the key attributes to consider in your first pandemic planning steps.
Staff absences:
- Illness/incapacity
- Illness of a family member
- People may feel safer at home
- Need to stay home to look after school-aged children or adults normally cared for during normal work hours
Business impact:
- Supplies of needed materials may be disrupted
- Availability of services from sub-contractors may be affected
- Demand for services may be affected. Demand for some services may increase, while demand for others may fall.
Personal life impact:
- Closures of schools and public assemblies
- Forced “social distancing” or quarantines
- Degraded medical care
Malware
Malware is morphing in scale, scope and delivery payloads. Attackers have shifted away from mass distribution of a small number of threats and moved toward micro distribution of large families of threats. These new strains of malware consist of millions of distinct threats that mutate as they spread rapidly.
First steps
As you can imagine, if your networks, key business applications, phone or email system were to go down, it would be catastrophic for your organization on many levels. The negative impact of your customers receiving bounce-back messages would be severe.
One of the key first steps in a Malware Defense Architecture is a robust patch and vulnerability management program. It is imperative to identify all potential malicious-code entry points (which include not only email, but also browsers, Web-based email accounts, remote users, instant messaging, etc.) and determine what type of protection will be used for each.
It is also important to test your platforms by conducting an IT penetration analysis. This type of assessment can help you improve your network security and survivability by identifying weaknesses, enhance the security of your critical systems, evaluate your incident detection methods and verify your incident response effectiveness.
Social networking & Web 2.0 threats
Trusted websites are the focus of a large portion of malicious activity. As more and more users go online to take advantage of Web 2.0 applications, such as social-networking sites, blogs and wikis, malware authors are right behind them, opening yet another front in the constant cat-and-mouse game between security defenses and hackers. These threats will become increasingly relevant to younger workforces who are proficient with these tools.
First steps
The vulnerabilities associated with social networking and Web 2.0 represent a new attack vector, and the tools to address this new vector are not yet satisfactory. Businesses should spend some time assessing the true business value associated with Web 2.0 technologies and, wherever possible, block or limit access to these tools in the hope of buying time for the vendor technologies to progress.
Before making such a determination, evaluate the value that such tools bring to your business, and at the very least, ensure that your employees are well educated about the inherent risks involved.
Overall, mid- or long-term blocking strategies are not realistic and you have to find a way to let people do what they’re used to doing. However, identifying the Web 2.0 technologies your business actually needs is a great first step in strategizing and conceiving a proper defense.
More predictions for 2010
Budgets may be tight moving into 2010, but businesses will still have to comply with regulations, react to new and low-cost virtualization technologies, and adapt to the growing trend of using outsourced business partners to accomplish key business tasks. Keeping things secure will be a daunting task, and many will seek external expertise to augment their internal staff. Those who have established an efficient system will reap the rewards, while others will find an ad-hoc security method nearly impossible to maintain effectively in the coming year.
Carl Herberger is Vice President of Information Security and Compliance Services, Evolve IP.