Solution Overview: Information Security

Background
Only a decade ago, network protection centered mostly on the concept of keeping people out of company networks at all costs. Today, the Web and networked Internet business applications, telecommuting, partner connectivity, and wireless networking have emerged as essential business tools. As a result, network protection has evolved to emphasize controlling access and protecting critical business data, rather than focusing on perimeter network security.

This shift also recognizes the fact that information security threats come from employees as well as people outside an organization, either due to intentional malice or through unintentional security lapses and errors. According to Gartner Group, more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses.

Whether internal or external, such threats represent a growing risk to firms of all sizes. "Network attacks are getting more sophisticated, and at the same time, they're getting much easier to deploy," says Kevin Flynn, senior manager of security marketing at Cisco Systems®. These security breaches can compromise a firm's data confidentiality and integrity; they may also disrupt a firm's business operations, imposing potentially enormous costs.

The bottom line is that many companies are not as secure as they'd like to be, and the problem is escalating. For example, Computer Security Institute found that 70% of companies that suffered a security breach reported defaced Web sites or similar malicious acts in 2002, up from 64% in 2000. In addition, 55% reported denial-of-service attacks, and a remarkable 40% detected system penetration from the outside.

Challenge
Today's Internet business environment is particularly challenging for security professionals due to the number of threats and points of vulnerability. As more companies extend networked applications to include remote offices and telecommuting employees, they must extend many of the same services available to employees within the corporate office. Firms must also extend their networked applications to partners and suppliers, creating more possibilities for further potential threats.

In addition, firms need to defend against network attacks that move far more quickly than they did in the past. These include "zero-day" vulnerabilities, which are network attacks that exploit previously unknown vulnerabilities in an organization's network infrastructure. "This is a change. Previously, security personnel had often been aware of a vulnerability before it was exploited," says John Stewart, information security director for Cisco. These network attacks typically happen faster than staffs can facilitate counter-measures, making it difficult for organizations to react to these threats using established response protocols.

Finally, as more firms store their intellectual property and other valuable data in networked storage systems, they increase their vulnerability to unauthorized data access. "The growth of data storage systems, combined with new methods for moving data across networks, makes it much easier for a firm to lose control of its intellectual property," Stewart said.

As these examples suggest, firms face numerous difficulties in trying to protect against every possible threat. "Network security is only as good as each individual component," Flynn said. "It requires a number of different technologies that must be tightly woven into the entire enterprise security structure."

"Every network is vulnerable, and security is a prime concern," said Laura Koetzle, an analyst for Forrester Research. "An organization that doesn't take network security seriously can find itself crippled by attacks and other threats." She divides potential assaults into two categories: internal and external. Employees, consultants, and visitors make up the former category, while hackers and unwitting accomplices–whose e-mail programs infect personal computers with viruses or other types of malicious code–are included in the latter category.

Solution
"Every device on a network is a potential point of attack. A company must have a comprehensive strategy in place for how to plug numerous technologies together, and it must develop a solid security policy," Flynn says. This two-pronged approach, combining technology and business practices, offers the best chance at keeping a network secure, he says.

Network security technology is also evolving away from its traditional emphasis on perimeter defense, with its focus upon creating virtual barriers between a corporate network and the outside world. Instead, new security technologies often include host-based protection systems that operate at the server or desktop level, and emphasize flexibility and defense in depth. "This approach relies on systems that allow every host to protect, police, and control itself," Stewart said. "These systems can adapt to meet emerging threats by adapting to the circumstances and reacting in order to protect themselves from attack."

At the same time, however, firms continue to rely on established networking products to create a multitier security infrastructure, including:

• Firewalls–both corporate firewalls and personal firewalls on individual personal computers–used by employees for remote network access
• Network infrastructure, such as switches and routers, supporting secure connectivity, perimeter security, intrusion protection, identity services, and security management
• Network monitoring tools, such as routers, that mitigate denial-of-service attacks by limiting the bandwidth available to a particular application
• Access control, including both physical security measures as well as robust authentication, authorization, and accounting services
• Virtual private networks
• Antivirus software, both at the host and gateway level
• Intrusion-detection and protection tools
• Encryption products designed to prevent unauthorized access to corporate data, even once it is beyond the confines of a secure network
• Secure wireless LAN access

Benefits
According to Stewart, information security is primarily a form of insurance. "You're protecting what is inside your company, in your database, floating in your applications and storage," he says. "You're protecting as you would have in the past with safes, alarm systems, and access lists."

The difference, Stewart noted, is that in the electronic world, the stakes are much higher. "You have a lot more to lose, and you can lose it much more quickly. In that sense, the return on a security investment is not losing what your company can't afford to lose," he says.

Nevertheless, it is also possible to calculate a specific return on a security investment by considering the losses a company would suffer if it lost access to critical systems or data. "Given that Cisco takes more than 90% of its orders online, the cost of even a five-minute outage is considerable," Stewart says. "You're protecting your ability to offer services consistently and reliably. When you use electronic systems to offer those services, even a minute amount of downtime is unacceptable."

Another technological advantage the system provided was one that Nolan had anticipated since he began his career in law enforcement. "We've always been frustrated by the lack of interoperability between different police and fire department radio systems," he explains. "We can't talk to our own fire department or neighboring county officers because we're on different radio frequencies. When Montgomery County switched to 800-MHz radio systems to solve that problem, Delaware County and Chester County purchased different brands of equipment, so we still couldn't talk to each other."

Next Steps
According to Stewart, the most important step in adapting an information security strategy is to get high-level support from the very beginning of the process. "There's a new type of executive who recognizes what the threats are to the organization, as opposed to just focusing on achieving his short-term numbers," Stewart said. "Responsibility for security permeates from the top down, just as corporate values and objectives permeate down." When an organization's leadership recognizes the value of a comprehensive IT security strategy and investment, the other pieces fall into place much more easily.

What Cisco Offers
Cisco is committed to helping customers build effective information security strategies through the use of best practices, innovative and resilient network products, and technology and professional services. The information security expertise at Cisco extends throughout the enterprise information security process, including:

• Executive education and awareness
• Network security training and education
• Network security products and technologies
• Professional support and services

Cisco expertise also extends into related security specialties, including critical infrastructure assurance and homeland security, ensuring that Cisco customers receive the broadest possible range of services and professional experience.

Further Reading

Key Findings
Excerpted from Computer Security Institute: "Cyber Crime Bleeds U.S. Corporations, Survey Shows; Financial Losses From Attacks Climb For Third Year In a Row"

The Computer Security Institute's 2002 Computer Crime and Security Survey is based on responses from more than 500 security experts in U.S. corporations, government agencies, financial and medical institutions, and universities. Some of the survey's key findings include:

• Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months.
• Eighty percent acknowledged financial losses due to computer breaches.
• The 223 respondents willing to quantify their losses reported $455,848,000 in financial losses.
• As in previous years, the most serious financial losses occurred through theft of proprietary information and financial fraud.
• For the fifth year in a row, more respondents stated their Internet connections were a more frequent point of attack than their internal systems.
• Thirty-four percent reported the intrusions to law enforcement, as opposed to only 16% in 1996.