
New approaches to secure IT systems

United Arab Emirates: Tuesday, November 16 - 2004 at 13:03

How do you find out how to secure your IT system? What are the main issues faced today? Some welcome answers from Anthony Rhodes, Associate Professor and Assistant Dean of the College of Information Systems, part of the UAE's Zayed University.

Information, and the systems that process it, are a critical resource for an organisation, and protecting them is a fundamental management responsibility. IT departments and users of IT systems are confronted by an array of threats including:

• spam [VNUN2004] and spim (instant messaging spam),

• phishing attacks - a phishing attack usually arrives as an e-mail message purporting to be from a trusted business such as a bank; users are asked to visit a website made to look like the real business's site and to provide private information 'for security purposes'. This information is then often used to commit credit card fraud,

• spyware - spyware can monitor a user's web habits for such purposes as serving pop-up ads or, more maliciously, to steal sensitive personal data,

• ineffective firewalls, particularly for e-commerce web applications,

• cyber crime such as cyberextortion and cybernapping (holding an electronic database for ransom), and the ubiquitous

• viruses and worms (Netsky, MyDoom, Sasser, Korgo, Bagle, Blaster, Zafi).

Added to these threats is the alarming fact that most IT professionals have not been formally trained in IT security, and the recent pool of graduates trained in IT security is not large (anecdotally, around 30 PhDs in computer systems security were awarded in the US in 2003).

However there are readily available resources that can assist greatly in developing, implementing and maintaining sound IT security for an organisation.

NIST (the National Institute of Standards and Technology), an agency of the US Department of Commerce, develops technical, physical, administrative and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems.

These guidelines are written generically enough to be applied to security in the private sector. For management charged with the security of information systems and applications, but with few security-trained IT staff, the NIST publications offer much hope: they provide 'security implementation guidance' and guidance on 'system certification and accreditation'.

Check these websites

The following NIST websites, http://csrc.nist.gov/publications/nistpubs/index.html and http://checklists.nist.gov/, are strongly recommended to IS practitioners as a reference for security guidance. These publications are guidelines and as such leave an individual organisation a degree of flexibility as to how it implements any measure described.

They suggest what needs to be done, but not necessarily how. The 'how' will depend on the amount of security awareness and expertise that the organisation has available to it, either in-house or external such as outsourcing the security.

Before applying any of the above security guidelines, an enterprise must have a properly developed and comprehensive security management plan. Once again, NIST guidelines can assist here. When developing a security management plan, an excellent place to start is a security self-assessment.

NIST Special Publication 800-26, 'Security Self-Assessment Guide for Information Technology Systems', contains a comprehensive self-assessment questionnaire that IT practitioners can use for this purpose. The questionnaire is organised around three major control areas: 1) management controls, 2) operational controls, and 3) technical controls, and these map directly onto the structure of the security management plan. (SP 800-26 has since been withdrawn by NIST; its role is now filled by the SP 800-53 control catalogue and the SP 800-53A assessment procedures, which keep the same three control classes.)

To measure progress in implementing each security control, every question is answered on a scale of five levels of effectiveness: 1) the control objective is documented in a security policy, 2) the security controls are documented as procedures, 3) the procedures have been implemented, 4) the procedures and controls are tested and reviewed, and 5) the procedures and controls are fully integrated into a comprehensive security program. Each level represents a more complete and effective security program, and the level reached for each control objective gives a picture of the state of that control.

Security management plan

Importantly, the results of completing the entire self-assessment can be used directly to build a security management plan where one does not already exist, or as input to a review of an existing IT security program, in which case the completed questionnaire establishes a baseline. Future assessments of the same system require considerably less effort, since only the changes from the baseline need to be analysed.

The results of the analysis of each subsequent self-assessment can be placed in an action plan, and the security management plan should be updated to reflect each control objective and technique decision. In the action plan it should be documented how each deficient critical element (management, operational or technical control) is to be addressed.
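The self-assessment cycle described above (answer each critical element on the five-level scale, identify the deficient elements, record them in an action plan, and compare later assessments against the baseline) is simple enough to script. The following is an added example written for this article; it is not code from the article, from NIST or from Zayed University. The critical elements, the target level of 3 (implemented) and the answers are constructed for illustration and are not SP 800-26's own questionnaire text; level 0 is an assumption added here to record a control that is absent altogether.

```python
"""Score a NIST SP 800-26 style self-assessment and turn it into an action plan.

Added example for this article, not NIST's or the author's code. The critical
elements, target level and answers below are constructed for illustration.
"""
from dataclasses import dataclass

CONTROL_AREAS = ("management", "operational", "technical")

# SP 800-26's five effectiveness levels, paraphrased. Level 0 is an assumption
# made here so that a control that does not exist at all can be recorded.
LEVELS = {
    0: "no control in place",
    1: "control objective documented in policy",
    2: "security controls documented as procedures",
    3: "procedures implemented",
    4: "procedures and controls tested and reviewed",
    5: "procedures and controls fully integrated into a comprehensive program",
}


@dataclass(frozen=True)
class Answer:
    """One critical element: the control area it belongs to and the level reached."""
    area: str
    element: str
    level: int

    def __post_init__(self):
        # Reject malformed questionnaire data before it reaches the plan.
        if self.area not in CONTROL_AREAS:
            raise ValueError(f"unknown control area {self.area!r}")
        if self.level not in LEVELS:
            raise ValueError(f"level must be 0-5, got {self.level}")


def area_summary(answers):
    """Lowest level reached in each control area.

    An area is scored by its weakest critical element: one missing control
    leaves the area exposed however mature the others are.
    """
    summary = {}
    for a in answers:
        summary[a.area] = min(summary.get(a.area, 5), a.level)
    return summary


def action_plan(answers, target):
    """One entry per critical element below the target level, weakest first,
    each naming the next step up the scale rather than the distant goal."""
    deficient = sorted((a for a in answers if a.level < target),
                       key=lambda a: (a.level, a.area, a.element))
    return [{"area": a.area, "element": a.element, "current": a.level,
             "target": target, "next_step": LEVELS[a.level + 1]}
            for a in deficient]


def progress(baseline, current):
    """Compare a follow-up assessment against the baseline questionnaire.

    Returns element -> (baseline level, current level). An element present in
    only one assessment is reported with None, so a dropped question does not
    disappear silently from the review.
    """
    base = {a.element: a.level for a in baseline}
    cur = {a.element: a.level for a in current}
    return {e: (base.get(e), cur.get(e)) for e in sorted(set(base) | set(cur))}


# Constructed baseline: two critical elements per control area.
BASELINE = [
    Answer("management", "risk assessment performed and documented", 2),
    Answer("management", "system security plan approved by management", 1),
    Answer("operational", "personnel screened before access is granted", 3),
    Answer("operational", "incident response capability in place", 0),
    Answer("technical", "user identification and authentication enforced", 4),
    Answer("technical", "audit trails reviewed for unauthorised activity", 2),
]

# Constructed follow-up: incident response was implemented and audit review
# was tested; everything else is unchanged.
_IMPROVED = {"incident response capability in place": 3,
             "audit trails reviewed for unauthorised activity": 4}
FOLLOW_UP = [Answer(a.area, a.element, _IMPROVED.get(a.element, a.level))
             for a in BASELINE]

if __name__ == "__main__":
    print("baseline by area:", area_summary(BASELINE))
    for item in action_plan(BASELINE, target=3):
        print(f"[{item['area']}] {item['element']}: level {item['current']}"
              f" -> next step: {item['next_step']}")
    print("progress:", progress(BASELINE, FOLLOW_UP))
```

Scoring an area by its weakest element, rather than by an average, is deliberate: an average hides the one undocumented control an attacker will find, whereas the minimum forces it to the top of the action plan.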

The implementation of measures described in any of the NIST special publications will depend on the amount of security expertise that the organisation has available to it, either in-house or external such as outsourcing the security.

Whether an organisation wishes to keep security control and expertise in-house or to rely on a company providing managed security services, security training and education for the IT industry must be a high priority for academic institutions offering IT programs. This is urgently required to meet the rapidly increasing demand for qualified IT security practitioners.

IT Management also has a responsibility to commit to a proactive program of continued security education and awareness for its existing IT security practitioners to keep them abreast of current security issues. A very simple way to keep up-to-date with IT security is to subscribe to one of the numerous security journals, web sites and mailing lists.

One such recommended mailing list is the excellent Security in the News put out each working day by the Institute for Security Technology Studies based at Dartmouth College http://news.ists.dartmouth.edu/todaysnews.html. News articles from many sources are collected and summarized. Links to the main articles are included for further reading.

Finally, today's IT world is an extremely interactive environment of powerful computing devices and interconnected systems of systems across global networks. Combined with the complexity of current software systems and networks this presents great security challenges for both producers and consumers of information technology.
