Wall Street & Technology is part of the Informa Tech Division of Informa PLC

Evan Tegethoff, Principal Consultant, Security Solutions, Forsythe
Taming Corporate Insecurity

The IT department of Acme Corp. is currently in a state of chaos. Servers located throughout the corporate environment are either crashing, rebooting or at such a depleted level of performance that users cannot access them at all. The help desk is taking on more calls from users than it can possibly answer. The problem is the same for virtually everyone calling: "I cannot get my job done because I cannot get into any of our systems."

Suddenly, cryptic messages are popping up on critical internal servers, and hundreds of servers on the Internet and the local network are diverting traffic to a service that shouldn't even be available. It becomes apparent that there is a worm on the loose, and it is propagating itself quickly. The IT guys call the firewall guys and have them shut off all traffic from the Internet. This seems to help a little bit, but it also cuts off traffic that should be allowed into the systems. Meanwhile, there is an enormous traffic jam building on the internal network.

Twenty-four hours later, things are basically contained. The IT department has manually patched the offending internal systems and is about to re-open the Internet connection, with a different set of filters applied to remove the traffic that was causing problems. Everyone breathes a sigh of relief, until it hits them that they still have a massive cleanup job on their internal systems to remove the root of whatever it was that hit them, in case the worm might try to propagate itself again. Worse than that, there is an overall feeling of imminent doom that this type of security breach could happen again at any time and the department will once more be unprepared.

Why Did It Happen?

The easy answer is that the company did not have the proper patches installed. Solutions immediately come to mind, including patch-management software and vulnerability scans. But there is another, more overarching concern to address: The company does not have a comprehensive security program in place. A company needs a well-crafted approach to security that is championed by the highest levels of management, includes buy-in from all elements of the business and truly supports the mission of the organization.

If the only consequences of "corporate insecurity" are seen as attempts to recover from hacker events, a long-term view of the value of security as part of an organization will have a difficult time taking root. Tactical, chaotic fire drills, while dramatic and scary in the short term, tend to fade quickly from the minds of most people in the organization. It can also be a challenge to tie these events to the more mundane aspects of a security program that, when missing, are often the root causes of the fire drills in the first place. A hacker attack grabs people's attention; visions of Matthew Broderick and the movie "War Games" run through our heads, but it's hard to envision a Hollywood script based upon the writing of a comprehensive information security policy.

The Security Foundation

Security within an organization requires a firm foundation. An organization's approach to security is more important than specific security technologies because, while technology is always changing, the need to remain secure will not. Those responsible for security must show a commitment to tackling security strategically, tying the security policy to the business overall as an enabler for functions and activities. The security organization must be able to make others aware of the potential consequences of insecurity.

Consider the following examples:

- Security Manager A: "Recently, we had the internal audit team look at security. One of the things they pointed out was that we didn't have a formal policy, which is true - to an extent. We have a number of individual statements that relate to security that have been developed by different people in different departments. Thus, it was mandated by the audit team that we formalize security policies, despite having no budget and the fact that it was the middle of our fiscal year.
