Padgett makes some valid engineering points about virus defence and
barriers, but that is dealing with identified problems. If an enterprise has
unlimited funds, it may be possible to make the case for taking every
possible precaution against every conceivable threat. Usually though life is
a series of priorities drawn from probability of threat against operational
needs and available budgets.
The analysis of risk, and enterprise organisation and method, should provide
the basis from which all actions and counter actions can be based. There is
often great potential for reducing risks at a profit. Changes in personnel
selection and training may dramatically reduce a range of risks and produce
a more efficient enterprise. Withdrawal from a particular market may reduce a
number of risks, including those of terrorist attack. There are many
examples which can be given of risk reduction which is achieved and
financial advantage gained with little or no investment in technology.
Specific technical solutions may support opposing arguments of equal force.
It could be argued that the implementation of a firewall reduces
availability because it imposes restrictions to the free flow of
communication and introduces an operational overhead. An equally valid
argument could be that implementation of a firewall increases availability
because otherwise a particular enterprise could not risk connection to the
Internet and therefore no firewall equals zero availability. Between those
two arguments there are many shades of grey. Air gapping may, or may not,
avoid the need for a firewall but still enable the enterprise to access the
Internet and some might regard air gapping as the ultimate firewall, or at
least a water filled moat. The lack of physical connection between private
networks and the Internet server makes hacking rather difficult. If the risk
analysis shows a threat which requires the implementation of a firewall to
reduce the probability of identified risk to an acceptable level, there is
considerable choice in the level of blocking and multiple firewalls may be
employed.
In the event that a firewall, or several firewalls, is/are considered
necessary, that does not mean that all identified risks have been reduced to
an acceptable level. There may be a need to employ a range of other
techniques, including protection of packets as they transit the Internet and
protection and segregation of data within the elements of the private
networks. Multi-level security can provide improved availability and
increased assurance and increased integrity because requirements can be
streamed and the heaviest protection is only applied to those transactions
and data which demand it. If a classification system sets four levels, 80%
of all transactions, subjects and data will probably sit at the lowest
level. Less than 2% will sit at the highest level. Therefore a system which
recognises these divisions will be able to provide adequate protection for
the highest level without slugging the mass of data/transactions at the
lower levels. If a personnel policy provides an accurate clearance system on
a need-to-know basis risk is further reduced with potential improvements in
assurance, integrity and availability because only duly authorised personnel
will be able to transact business electronically. That's much like a
situation in a machine shop where dangerous machinery has to have safety
guards fitted, but no system is idiot proof. An intelligent manager would
ensure that only qualified people have access to the machine shop and only
people qualified to operate, or maintain, the machine are able to do so. He
would also be wise to ensure that correct tools were fitted to the machine
for a specific purpose and matched the materials and the job requirements.
In the event of a number of security systems being implemented there are the
questions of who controls everything and where from. Some may be able to
make a sound case for a central security officer who manages risk through a
bastion firewall installation. Equally, it could be necessary to have
regional, site and even work group security controls, combine the functions
of security officer and system administrator, or operate control from
something other than a bastion firewall installation. Every enterprise will
have some common generic threats, but each case will differ in detail and
need to apply different priorities.
One example of narrow and inadequate risk management is police criminal
intelligence computer systems. The US Federal Bureau of Investigation claims
that its system has never been penetrated by a hacker. Similar organisations
in other countries make similar claims about their equivalent systems. It
may be that the claims are not justified, but they have each spent a chunk
of money on security devices to protect all links with the outside world and
they do manage those devices. However, every CIC has been compromised. The
FBI is well aware that a range of unauthorised people routinely and
illegally obtain information from the system and periodically some of these
folk are brought to trial. The primary route for information is through
authorised users who use information in an unauthorised manner, usually for
money and often for very small sums of money. The typical rate for bank
statements and police records from their respective systems is typically
US$75 in most western countries. At those prices, even small private
investigating companies can afford to make frequent use of this illegal
service and who needs hackers.
In the CIC example, the other major problem is integrity of data. Once a
record has got into the system, it seems very difficult to remove or correct
it if it is found to be inaccurate. That's all part of the risk management
requirements and it may be that a firewall provides part of the answer in
some of the systems but that's not much comfort to the person who is lying
nose down in the snow with a very large gun in his ear as a result of
someone making a data entry error. It's even less comforting when it happens
several times because no one removed the errors after the first incident.
Ian J-B.