
Book Excerpt Part I: The Executive Guide to Information Security

By Mark Egan with Tim Mather

The following article is adapted from Chapter 1 of "The Executive Guide to Information Security," by Mark Egan with Tim Mather, which is scheduled to be published in November 2004. This is the first of a three-part series.

The Internet has grown from just a few thousand users in 1983 to more than 800 million users worldwide in 2004. It provides a vital online channel to conduct business with existing and potential customers. However, despite this huge upside, the Internet poses significant security risks that businesses ignore or underestimate at their own peril. The following describes major information security challenges to businesses today.

Electronic commerce

In the past, the ability to connect with millions of customers 24 hours a day, 7 days a week was only possible for the largest corporations. Now even a company with limited resources can compete with larger rivals by offering products and services through the Internet with only a modest investment. E-commerce services are quite appealing to consumers who do not want to spend their limited free time in traditional retail stores constrained by normal business hours of operation, unfriendly staff, and long checkout lines. Executives must understand how to leverage this new channel of electronic commerce while managing the associated risks.

Companies now rely on the Internet to offer products and services according to their customers' buying preferences. The Internet is no longer an optional sales method but rather a vital distribution channel that a business cannot ignore.

Pioneering companies such as eBay and Amazon have revolutionized the easy purchase of products through the Internet. Not only is it easy for customers to purchase their products, but also companies have innovated the use of concepts such as "personalization" to create unique relationships with individual customers. Using personalization, companies are able to identify their online customers by name, offer products based upon previous buying habits, and safely store home address information to make purchasing online much quicker. These strategies have enabled successful e-commerce companies to create a positive shopping experience without the overhead associated with traditional retail stores.

Along with increased capabilities come some new challenges that businesses must overcome to be successful. For instance:

  • Companies are under tremendous pressure to deliver these systems as quickly as possible because being first to market with a new capability can be a great competitive advantage.
  • Timely and accurate access to information for employees, customers, and partners is no longer nice to have -- it is expected.
  • Companies must offer these services in an easy-to-use but completely secure manner because they store confidential information such as home addresses and personal credit card numbers.
  • The systems are expected to be available 24 hours a day, 7 days a week because customers expect to be able to access the products and services at their convenience, not the company's.

These challenges place considerable demands on IT organizations because delivering these e-commerce systems in a timely and secure manner is very difficult. As expectations increase, so do the demands on the systems and technology.

Constant growth and complexity of attacks

Early computer viruses were often contained to individual users' systems, resulting in only a small decline in staff productivity for a given day. However, present-day blended threats, such as Code Red and Nimda, present multiple security threats at the same time, causing major disruptions and billions of dollars of damage to enterprises. A blended threat combines different types of malicious code to exploit known security vulnerabilities. Blended threats use the characteristics of worms, viruses, and Trojans to automate attacks, spread without intervention, and attack systems from multiple points.

These attacks now cause losses of billions of dollars each year, so businesses can no longer ignore the problem. The Love Bug virus alone had an impact of $8.75 billion in 2000, causing businesses to finally recognize viruses as a significant issue and to begin broadly implementing anti-virus solutions. This work has lowered the losses experienced since that year; however, the impacts continue to be significant.

Three major issues have fueled the growth in security incidents: the increased number of vulnerabilities, the labor-intensive processes required to address vulnerabilities, and the complexity of attacks.

Vulnerabilities are holes or weaknesses in systems that a hacker can exploit to attack and compromise a system. For example, a system administrator can forget to limit certain restricted privileges to authorized users only. This would be like giving everyone on your street a key to the front door of your house when you only meant to give one to your family members. Other examples include existing vulnerabilities resulting from defects in computer software. In these situations, the software vendor should have identified and resolved these weaknesses during the testing processes but overlooked them while under pressure to ship new products by a deadline.

The software industry's solution to these vulnerabilities is to provide fixes in the form of software patches that a company's staff must apply to "patch" the "hole." The process of testing these patches and applying them to your environment is labor-intensive. It is often quite difficult to address even the highest-level vulnerabilities, and the staggering growth of new vulnerabilities compounds this problem. Vulnerabilities reported in 2003 grew by 300% from those reported in 2000.

The complexity of security attacks has also greatly increased over the past few years. The early viruses caused individual productivity issues, but they had nowhere near the impact of blended threats such as Code Red or Nimda. As we mentioned earlier, blended threats use a combination of attack vectors -- five in the case of Nimda -- to spread more rapidly and cause more damage than a simple virus. For example, Code Red infected 350,000 computers in just 14 hours. In January 2003, the Slammer Worm hit the Internet and had an even higher infection rate than Code Red, infecting 75,000 machines less than 10 minutes after its release.

The fastest-spreading mass-mailing worm to date was MyDoom in January 2004. At the height of the outbreak, more than 100,000 instances of the worm were intercepted per hour. MyDoom relied on people to activate it and enable it to spread. The worm was cleverly disguised as an innocuous text file attachment; unsuspecting users opened the attachment and launched the worm.

The rapid spread of these threats makes it increasingly difficult to respond quickly enough to prevent damage.

The threats are expected to continue to grow in magnitude, speed, and complexity, making prevention and clean-up even more difficult. These factors contribute to the need for a proactive plan to address information security issues within every company.

Mark Egan is chief information officer and vice president of Information Technology at Symantec.

Tim Mather is Symantec's Senior Director of Information Security, and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Manager (CISM).

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
