September 2001

Computer Security in an Internet Age

By Neil Rosenberg

The very nature of computing changed markedly in the 1980s and 1990s with the advent of the personal computer. Business workflows were revolutionized, competitive advantages and tremendous new opportunities sprang up, and computer use spread through businesses and into many homes. New industries rose and empowered savvy businesses to succeed. Moore’s Law, which argues that the processing power of a computer chip doubles approximately every 18 months, was fulfilled as processing power continuously doubled and more and more computing power became available to the average person. But rewards are not without their risks.

Depending on the source, in 2000, the “I Love You” computer virus caused between $7 billion and $9 billion in damage. According to the 2001 Computer Security Institute (CSI) and FBI Computer Crime and Security Survey, 38 percent of respondents detected denial of service attacks this year, compared with 11 percent in 2000. And the recent Code Red worm is estimated to have infected somewhere between 300,000 and 450,000 web servers and caused more than $2 billion in damage.

These incidents represent the tip of the iceberg; most security breaches are never reported, due to fear of negative publicity and future attacks. It is noteworthy that one of the most publicized aspects of the forthcoming Windows XP operating system has become concern over security vulnerabilities. Not only has the nature of computing changed, but so too have its risks and dangers.

The silver lining to these dark clouds is that these issues are addressable. Technologies are available and affordable that can help protect networks of all sizes and configurations from the dangers of the Internet and from the equally significant threats of internal security breaches. In this column, I will examine the issues and provide examples of the options and solutions available to protect computer networks and business resources.

Definitions of certain terms are helpful to understanding information security. In their book Firewalls and Internet Security: Repelling the Wily Hacker (Addison-Wesley, 1994), noted security experts William Cheswick and Steven Bellovin suggest that “security is keeping anyone from doing things you do not want them to do, with, on, or from your computers or any peripheral devices.”

To begin to develop satisfactory security, certain determinations need to be made, including what needs to be protected, who poses a threat and what actions can be expected of those who present a threat. Consideration then must be given to those actions that are deemed acceptable by business and those that are not. When completed, the result is called a security policy.

Computer systems should be configured to implement security policies. The security policy process is relatively simple and, in fact, involves business decisions, not technical ones. Note, however, that the process requires upper management involvement to approve the decisions and to ensure that the consequences of such decisions are supported when necessary.

Important elements of planning a security strategy include defining the various risks to business and intelligently assessing those risks as well as the business and financial impact or exposure from each area. Determining the appropriate investment in each area of exposure is necessary to protect the business against those risks. A $10,000 risk does not justify a $20,000 security system, but a $200,000 risk probably does.

Security breaches can lead to downtime and business disruption, loss of business secrets and information, bad press, or loss of competitive advantage. All of these risks and the significance they carry are unique to individual businesses, underscoring the need for technical and management personnel to properly address such issues.

Security policy is a reflection of business goals and objectives and the technology that is used to achieve them. Once defined, security policy relies on the appropriate selection of technology components. Such items could include firewalls, virtual private networks, intrusion detection systems, authentication systems and digital certificates.

Future columns will explore different types of threats and the technology components that are capable of handling those threats. The series will conclude by taking a closer look at some of the complex issues and considerations surrounding the implementation and management of a security system.


Neil Rosenberg is president of Quality Technology Solutions, a network integrator in South Orange, N.J., that specializes in Internet security solutions. He holds technical certifications from Novell, Microsoft and others, and is a 17-year industry veteran. He can be reached at nrosenberg@QTSnet.com.

Editor’s Note: This is the first in a series of columns that will focus on computer systems security issues and solutions. The intent behind the series is to examine considerations from a business perspective, identify options to improve security, and scrutinize best practices, all in a manner that is understandable to the layperson.

©1997 - 2009 New York State Society of Certified Public Accountants.