The IT department of Acme Corp. is currently in a state of chaos. Servers located throughout the corporate environment are either crashing, rebooting or at such a depleted level of performance that users cannot access them at all. The help desk is taking on more calls from users than it can possibly answer. The problem is the same for virtually everyone calling: "I cannot get my job done because I cannot get into any of our systems."
Suddenly, cryptic messages are popping up on critical internal servers, and hundreds of servers on the Internet and the local network are diverting traffic to a service that shouldn't even be available. It becomes apparent that there is a worm on the loose, and it is propagating itself quickly. The IT guys call the firewall guys and have them shut off all traffic from the Internet. This seems to help a little bit, but it also cuts off traffic that should be allowed into the systems. Meanwhile, there is an enormous traffic jam building on the internal network.
Twenty-four hours later, things are basically contained. The IT department has manually patched the offending internal systems and is about to re-open the Internet connection, with a different set of filters applied to remove the traffic that was causing problems. Everyone breathes a sigh of relief, until it hits them that they still have a massive cleanup job on their internal systems to remove the root of whatever it was that hit them, in case the worm might try to propagate itself again. Worse than that, there is an overall feeling of imminent doom that this type of security breach could happen again at any time and the department will once more be unprepared.
Why Did It Happen?
The easy answer is that the company did not have the proper patches installed. Solutions immediately come to mind, including patch-management software and vulnerability scans. But there is another, more overarching concern to address: The company does not have a comprehensive security program in place. A company needs a well-crafted approach to security that is championed by the highest levels of management, includes buy-off from all elements of the business and truly supports the mission of the organization.
If the only consequences of "corporate insecurity" are seen as attempts to recover from hacker events, a long-term view of the value of security as part of an organization will have a difficult time taking root. Tactical, chaotic fire drills, while dramatic and scary in the short term, tend to fade from most people's minds in the organization relatively quickly. It can also be a challenge to tie these events to the more mundane aspects of a security program which, if missing, are often the fundamental root causes of the fire drills in the first place. A hacker attack grabs people's attention; visions of Matthew Broderick and the movie "War Games" run through our heads, but it's hard to envision a Hollywood script based upon the writing of a comprehensive information security policy.
The Security Foundation
Security within an organization requires a firm foundation. An organization's approach to security is more important than specific security technologies because, while technology is always changing, the need to remain secure will not. Those responsible for security must show a commitment to tackling security strategically, tying the security policy to the business overall as an enabler for functions and activities. The security organization must be able to make others aware of the potential consequences of insecurity.
Consider the following examples:
- Security Manager A: "Recently, we had the internal audit team look at security. One of the things they pointed out was that we didn't have a formal policy, which is true - to an extent. We have a number of individual statements that relate to security that have been developed by different people in different departments. Thus, it was mandated by the audit team that we formalize security policies, despite having no budget and the fact that it was the middle of our fiscal year.