Since this time "information warfare" has erupted around the world, encompassing everything from DoS (denial of service) attacks on a company's web site to direct hack attacks on a country's infrastructure (water, power, etc.). It's becoming easier and easier for individuals to become "hackers" in today's environment, as hacking tools are more prevalent and easier to use than ever. To get an idea of some of the more publicized crimes committed by hackers, you can check out www.cybercrime.gov .
People are finally starting to understand the importance of security in maintaining public confidence in one's image (whether it be a company or a government), and the damage an information leak can cause. Military personnel and law enforcement officers are being trained in IT crime prevention and detection. The U.S. government has even developed organizations to help identify crucial areas and work with the private sector to establish the most secure environment possible. This started with the PCCIP (President's Commission on Critical Infrastructure Protection) under President Clinton. Most recently, a large portion of the responsibility for cyber security has fallen on the DHS (Department of Homeland Security) under President Bush.
This chapter briefly identifies the OECD (Organization for Economic Co-operation and Development) as being required knowledge for the exam and specifies that it will be covered again later. Essentially though, it is a group of about 100 countries (only 30 of which are actually members) working together to promote trade and economic growth. It outlines a set of guidelines, called the OECD Principles, which provide recommended corporate governance rules for countries to consider implementing.
How this all applies to the average security enthusiast, i.e. yours truly, is that along with the increasing reliance on technology and computers in today's environment comes a need for better security practices. This is essentially achieved by following two principles: security must be management driven, and security must be a layered endeavor.
As far as management goes, I'm going to quote Mr. Harris, as I don't think I could say it any better:
Good security does not begin and end with erecting a firewall and installing antivirus software. Good security is planned, designed, implemented, and maintained, and is capable of evolving. For security to be a good fit for a company, it must be in line with the company's business goals and objectives. Management needs to understand security issues and how security affects the company and its customers so that proper resources, time, and funding can be provided. In other words, information security should be applied in a top-down approach.

If management doesn't specify what needs to be protected and from whom, it becomes very difficult for the IT staff to improve the situation, and they essentially become firefighters as opposed to a developmental asset.
As far as layering is concerned, it is a very easy concept to understand. Any given system can have multiple weaknesses and possible points of penetration. The only way to protect such a system is to not only have security measures which protect each possible area, but measures that all protect the system at the same time, while working together. A single weak point or inconsistency in the security can provide an entrance for a skilled hacker.
Now we start moving into the real meat of the text with Chapter 3...
Here's a URL for the OECD's Principles of Corporate Governance: http://www.oecd.org/dataoecd/32/18/31557724.pdf