The Basics of IT Security

The Basics of IT Security

IT security, or the protection of information and information systems against malicious attacks, is perhaps the most undervalued aspect of business today. Most business operations rely on a vast amount of confidential data, including customer preferences, sales figures, internal finances, and product innovations. As Rowan Trollope (http://www.securitypronews.com/articles/security/spn-23-20050126InformationIntegrityKeepingYourBusinessUpRunningandGrowing.html) writes in Security ProNews, “Information is the fuel of your business. Everything about your company - product development, sales, customer relationship management, marketing, competitive analysis, investor relations, policy compliance, finances, human resources - exists in and is managed through your information system. In a very real sense, your information is your company.”

Many businesses today often neglect IT security. The 2010 Carnegie Mellon University’s CyLab Governance of Enterprise survey, sponsored by RSA, found that less than one-third of CEOs, presidents, corporate secretaries, and board chairs from the Forbes Global 2000 list had implemented basic strategies for cyber security, and 66% “rarely” or “never” took action in approving privacy and IT security staff (http://www.scmagazine.com/report-says-cyber-security-still-takes-a-backseat-for-major-companies/article/241654/). However, the potential costs of failing to protect IT systems are severe. As reliance on IT systems increases, so do the attacks on those systems. Security vendor Symantec’s recent Internet Security Threat Report (http://www.eweek.com/c/a/Security/Symantec-Attacks-Rose-While-Vulnerabilities-Fell-in-2011-522074/) identified an 81% increase in malicious system attacks since 2010. Information can be damaged, accessed illicitly, or even destroyed by a variety of cyber and physical threats, including everything from worms, phishing, hoaxes, trojans, viruses, hackers, spam, spyware, and even physical sabotage. Virtually any aspect of a system can serve as a leak for sensitive information or as an access point from which to cause damage, from individual emails all the way up to the main servers.

For optimum security, businesses need simultaneous protection for IT networks, hosts, applications, and data. IT security is primarily concerned with maintaining the confidentiality, integrity and availability of IT systems at multiple levels. Confidentiality involves protecting the secrecy of sensitive data, ensuring that customer confidentiality is maintained and information like technological innovations or financial information are not leaked to competitors. Integrity involves making sure that data and systems cannot be altered by unauthorized individuals or systems. Availability involves making sure the system functions effectively to make necessary information accessible at all times, or, in worst-case scenarios of system shutdown, that day-to-day work will be able to continue while data is recovered. The most effective security for modern businesses, ‘security in depth’, involves the operation of multiple strategies, products, and personnel at multiple levels, working in concert to protect all aspects of a system from compromise.

Physical controls like locked doors or backup servers help to prevent systems against physical damage or threats, ensuring ongoing availability. Incident management helps protect against loss of availability in cases of a security breach. Critical applications, like servers, can be protected by system-level backup and recovery help to prevent loss of data and interruption of business practice. Business continuity planning, or the formulation of plans for continuing and recovering businesses following an unplanned disaster, can be applied to situations when IT security has failed.

Administrative controls, or rules, regulations, and policies, also help to protect against security threats by coordinating the operation of IT security on multiple levels. The principle of least privilege, whereby each employee is given only as much security access as is necessary to do their job, is one of the most essential aspects of administrative control, because it reduces the chances that employees will be able to leak sensitive data. The principle of separation of duties works in a similar fashion by ensuring that no single individual maintains complete responsibility for any one critical task. Risk assessment by risk management professionals can serve as a useful tool for administrators in coordinating different policies and programs to ensure the security of IT systems.

Access control is essential in maintaining confidentiality through the identification and authorization of system users. Access control systems first identify a user as someone entitled to access the system or information, and then prove that the user’s identity is authentic. Usernames and passwords or lists of authorized WACs or IP addresses are the most widely used methods of ensuring user authentication within IT systems. Cryptography can also help control access to sensitive information, but it creates additional problems. Cryptographic keys must remain protected despite being shared among a large number of people, and can also be decoded if too short or too weak. The field of PKI solutions addresses the problems of managing access to cryptography keys. Digital signatures and public key encryption are two of the most common strategies used by IT security systems to ensure access control during e-commerce. These systems ensure that information sent during e-commerce transactions is authentic, and that neither party involved in a transaction can deny that the transaction occurred, thus protecting against possible lawsuits and breach of contract.

Perhaps most importantly, IT security at all levels must be managed in concert and updated on an ongoing basis to respond to constantly developing threats. Logical controls, or technical controls, use software like network and host based firewalls and anti-virus programs to protect networks against breaches of confidentiality. Systems for detecting network intrusion can also help prevent unauthorized detection, alteration, or destruction of data. However, all of these programs become rapidly outdated if not updated continually to respond to ever-changing threats, or if new systems of communication are not integrated effectively within the overall security network. Layering different defensive mechanisms of IT security can be expensive in terms of both money and time, but the potential costs of failing to protect data are far greater.