Risk Assessment in the Past

Risk Assessment

In the past thirty years there has been a sharp increase about the potential dangerous impacts, which from inadequate information security. But the scale of the problem has increased faster than the commitment to fight it. In addition, the emphasis on hackers and viruses by the publishers of information has distorted the debate and diverted the awareness of senior management from the more basic need of information security. There seems to be a requirement for a greater concentration on technical solutions, and well publicized attacks on problems of internal information security. There is clearly a fundamental necessity to view information security for an organization-wide business, management and technology issue. Demands for effective security management come from perceived risk assessment, and that involves looking at all aspects of losses that have come from lack of security.

This involves serious study of past history of the organization and checking back on it to determine where instances of losses to the organization have arisen from lack of security of information about the organization. Organizational security officers are generally responsible for ensuring the security of information assets and systems. They have to make sure that technological systems are implemented and operated in a manner, to reduce the business risk to organizational information. In certain cases, the information systems are operated in a manner that the losses to the organizational assets occur in spite of their best efforts as there are some leakages which are taking place from the system itself. In that case, a serious view should be taken of the matter, and if needed, the systems themselves should be changed so that no such leakages occur in future.

The Nature of Information

The company that is being discussed here is that of software company which has a large amount of trained personnel in different areas, and many of them has consulting experience along with that of extensive project management skills. Today trained IT personnel are difficult to get and in such situations, it is often easier to take staff away from another company than develop and train staff. Development and training takes time apart from being expensive. The changes bolster the acquirers with strong presence in important U.S. metropolitan business markets and also provide the acquiring company with capabilities in some key segments like "e-commerce implementation, knowledge and content management and Web-enabled application development services." (COMSYS Expands Portfolio of Internet Expertise with Acquisition of Automated Concepts, Inc. Chicago Division) The company concerned is Technology Concepts Inc.-- TCI. This is a privately held company with offices in Chicago, New York and New Jersey. (COMSYS Expands Portfolio of Internet Expertise with Acquisition of Automated Concepts, Inc. Chicago Division)

The company provides information technology consulting, and systems integration services. In addition, they are experts in providing services for client/server and Internet-based systems. It has an important focus in the technology services industry. The special areas of the company are IT project management, e-commerce, and web enabled application development and knowledge and content management. Comsys has taken over the Chicago division and that is a company headquartered in Houston, TX and former part of Metamor Worldwide. Comsys is one of the country's important providers of IT project support and project services which are of specialized nature as it has highly skilled consultants. (COMSYS Expands Portfolio of Internet Expertise with Acquisition of Automated Concepts, Inc. Chicago Division)

Though TCI has other offices in New York and New Jersey, those offices were not informed about the changes that took place in Chicago. The move helped Comsys in its operations in the key U.S. metropolitan business market of Chicago and increased its operational capabilities in e-commerce implementation, knowledge and content management and Web enabled application devices. The acquisition will build a platform of growth for Comsys in both the project services and outsourced additional staffing areas within the area of greater Chicago. TCI's Chicago division, as the organization used to be known will shift to Comsys Chicago office, and TCI existence in Chicago will be lost. This will result in the loss of the results of efforts that have been put in over many years. In terms of size, Comsys is a much larger company with a presence of more than thirty years and a leader in staffing of IT projects, irrespective of size. It also handles comprehensive turnkey projects. Comsys has a staff or more than 4,000 consultants and associates which are concentrated in over thirty offices in United States. The organization has many major clients and of them 129 are within the top 500 industrial corporations listed by Fortune. (COMSYS Expands Portfolio of Internet Expertise with Acquisition of Automated Concepts, Inc. Chicago Division)

Another organization called Tier Technologies has announced an agreement to attain and secure some assets and liabilities of TCI. The organization taking over is a leading provider of training services to top companies within the Fortune 500. In this case TCI will be given an initial payment of $1.5 million in cash. If the acquiring company is able to reach certain targets, then TCI is likely to get a further payment in the form of shares of the acquiring company with a value of $1.5 million. The acquired group has a good reputation countrywide and is a leader in providing curriculum inclusive of client and server technologies, Internet and mainframe development. The number of individuals in the group is around 30 and according to reports, the group had achieved a turnover of about $5 million during the last financial year (Tier Technologies, Inc. Announces Agreement to Acquire Certain Assets of Automated Concepts, Inc.)

The group has also publicly stated that they expected to be strengthened in their performance with the new acquisition. The main reasons for the strength are ascribed to being financial strength and technical platform. However the statements about future progress should not be viewed seriously as the transaction may finally be not completed as the deal is subject to a number of contingent factors. Even the non-completion of the process need not be informed to the general public as there is no such liability that has been taken in the statement. (Tier Technologies, Inc. Announces Agreement to Acquire Certain Assets of Automated Concepts, Inc.) Thus it is clear that in one case some activities within the organization have taken place with the full support and desire of the management, whereas in the other case, it has taken place without the knowledge of the management. There must be certain leakage of information within the organization or outside to permit this to happen.

Critical Information Characteristics

It is much quite easy to make a case for development of comprehensive security documentation, that to actually produce the document or the system. In many of the cases advice comes in the form that "I would not start from here." The information security management standards however provide an infrastructure for the purpose of information security management. At the outset the question comes as to what is being described here as security documentation. Most of the systems are being designed in order to assist operators and developers in their major tasks. Security documentation is not being targeted to that of a normal system of operation, but rather at the circumstances in which the system would tend to leak information to individuals who should not receive the information. Hence secure systems have the necessity to provide an agreed security model for the system. In other words an organization's security model has to match with the local parameters of a generally accepted form of information security model. (Network Management Security)

Given the magnitude, complexity and volatility of the modern information systems, some form of database representation need to be selected upon. Such a database is required to be supported by means of software tools and GUIs in order to facilitate the risk analysis, investigation, updating, development, and security reporting. In this case, external software would not be required; as the organization is really efficient or competent enough to develop its own requirements for the purpose or at least try to supervise over such development. In this case, regarding all of the places that network configuration information was being compromised and is likely to have been the information which is held in storage. Once that was being collected, it was possible for the individual concerned to have knowledge about where important information is stored and to get access to them. In most of the general cases, network devices themselves are being reasonably secure and are unlikely to give up the information easily to all of the individuals on the network. Generally network device management solution is a persistent storage location and it is quite likely that the designer would tend to forgot to secure it or decided that it was not being required. The simplest solution over here is to use file security in order to stop access to it.

Of course, it is possible to make use of the Operating System's file security features in order to prevent unauthorized access of any kind to that of the device management database files. It is also quite possible to use the file system's security characteristics or features in order to protect accessibility to the device management application itself. Then unauthorized users will not be in a position to read the application file, and they will not be able to run the application and have to attempt to guess a legitimate logon password in each of the step providing an extra layer of secured protection. (Network Management Security)

Confidentiality

In general any organization in a stable state has built in systems to decide on required confidentiality of information even within the organization, but when important changes take place to the organization, and then this concept of confidentiality is disturbed. A very big organization in the field of computer technology, Borland, had decided to use 23 industry leading system integrators and consultants to provide major corporations and government clients with applications, consulting and training services for Borland's client/server software products. The products concerned were Delphi Client/Server, Inter-Base and Report Smith. According to the world-wide marketing vice president at Borland, this had led to a situation where "The Premier Partner Program has quickly grown into an association of leading strategic solutions providers focused on delivering high-quality solutions and services for client/server and Internet application development." (Borland Strengthens Premier Partner Program; Borland Expands Program with New Premier Partners, Delphi Client/Server Certification, InterBase Test Drive Program, and New Premier VAR Program)

TCI became a premier partner along with Cambridge Technology Partners, IPC Technologies Inc., Millennium Computer Technology, Professional Computer Solutions Inc., Sterling Information Group and Tactics. (Borland Strengthens Premier Partner Program; Borland Expands Program with New Premier Partners, Delphi Client/Server Certification, InterBase Test Drive Program, and New Premier VAR Program) Considering the size of the organization, this was an achievement for the organization. At the same time, this required a lot of information to flow from the organization for requirements of business. This naturally influenced the considerations of security due to removal of confidentiality in some areas. The first step in preparing a secure site is to initially prepare a secure site and then decide which information needs to be handled specially.

To judge the requirement of security of any information, the first step is to decide why that information is at risk, and from where. The first step for security has been taken by developing a system as secure as possible. Often this makes us leave out information about that extra bit of security which is being required in order to stop internal theft of information which may even start off by accident or through means of easing of the tasks by the executives who want to give such information on certain of the occasions to answer all his queries. The first step is thus to keep the system to be as secure as possible by means of introducing all new types of software having controls, and all information should not be made accessible from all approaches possible. This is not as difficult as it sounds or might seem to be and requires only certain amount of classification of different entry points into the viable system. The second point is that which pertains to as soon as a new software is been installed and to have it checked by the experts so that any flaws which are being discovered can be easily rectified upon. Then when secure information is being transmitted over the system, make sure that there are secure ways of doing it, otherwise you may have instances of secure information being sent in the e-mail and in that case everybody on the system may get to that information which is not desired. (Handling secure information)

Even when current software is installed, there will be discoveries of holes in that system, and periods before that defect can be rectified. This is one of the most dangerous periods for the system and extra care have to be taken to keep the system safe during that period. The only way of handling that problem is to make sure that consequences of break in to the system are not serious. This is achieved by shifting important and confidential information away from the system to places where it cannot be tapped through the net. When confidential information travels over the net, one has to make sure that the information is deleted as soon as the transmission is over. The last danger comes from the system being compromised and there should be methods to find this out as soon as possible. Even if there is suspicion that the site has been compromised, then the site has to be cleaned and new passwords and keys selected and applied. (Handling secure information) Thus it is not enough to have a good system, but it must be kept up-to-date for it to be useful.

Integrity

Another important point to be noted is regarding the integrity of the system which is in operation and all the company computers contain certain amount of information which is being sensitive, which is inclusive of personal data of the staff, financial results, and projections for the future of the company and so on. The importance is with regard to ensuring that the nature of information being provided that is stored should be analyzed or assessed and the information which should be secure needs to be secured. One of the important sources for getting the hold on to the information is when the information is brought under transit, and for this purpose, it is better to encrypt whatever information when it is in the process of transit. This process makes it really difficult for people who are not being targeted for the information in order to understand the information even if they can try to have a hold of it. The fact that information is being encrypted is indicated via the Internet and it is done through the symbol of a padlock, but this also does not ensure about security during all times. To understand this one need to first understand two important issues in system security. (Security)

The first is the use of passwords and these are the first items to be chosen and used securely. If the password is known to the person trying to get hold of the information, then all information being sent on the system by the individual whose password is exposed, can be tracked and found out. Passwords are used by systems to restrict access, and others can find out about your password if the person chooses a simple password like mother's maiden name, pet's name, favorite sports team or something similar; or through brute power by using a program which tries out all the words in the dictionary; or through social engineering which is to trick people into revealing passwords and this can be done even on the telephone by using special tricks; some others obtain stored passwords when they are stored on computers, post it notes or their diary and this is used by persons who has access to the person whose password is being taken. Some individuals use shared passwords for all their usage and when their password is revealed for one system, it is effectively given away for all usage. Passwords can even be stolen by using 'Trojan horse software' on the computer which records all key movements and these may also record passwords. (Security)

The problems with passwords can be solved by using good passwords and these should be of at least eight characters with punctuation and numbers within it if possible; another possibility is to make sure that the system allows permits a limited number of attempts at password before the system locks itself out; it is better not to store passwords on the computer, or even write them down; another good method is not to use the same password for all usage and it is better to use different passwords for different important uses; passwords should not be disclosed to anybody; virus checking programs should be used and thus making sure that e-mail programs are configured securely and kept up-to-date; and when passwords have to be sent online, it is best to make sure that a secure connection is used. In terms of configuration of systems it is better to configure servers in a manner that all unnecessary features are disabled from the beginning. This will stop the defects in the system from affecting the computer, if they are on the features that are disabled, which is of help since the features will not be used anyway. (Security)

The most important feature is encryption and this is to ensure security of information even when it is in transit. The method of encryption is using a public key method. When it is done well, the encryption is not easily broken, but some points have to be carefully checked in this context. The method of encryption permits communication even between two parties who have not communicated with each other before. To understand the system of encryption, one has to imagine a briefcase full of documents to the other party. Then the briefcase full of documents is sent to the second party, but since it is likely to be intercepted, the sender locks it and sends it to the receiver. The receiver receives it, but due to the lock, cannot open it. In turn, he fixes another lock on the briefcase and sends it back. Now, the sender receives it and sends it back to the receiver who has to open his lock and receive the documents. (Encryption)

The method is somewhat like this, but actually the materials are not being sent up and down on the system, and even when the keys are really in the form of numbers. The complexity relating to the key is in the form of bits of information which it has. It is possible to have smaller keys which have 8 bits of information, but that is relatively a simpler model of key and would be comparatively easier for the interceptor to have a break on. Thus the number of bits needs to be increased and certain keys have as many as 128 bits which are really very difficult to break. Combined with this is that of a private key for each of the users and sometimes, these private keys are being stored on the server, but then the key is liable to have been attacked and the purpose of the key is somewhat being lost. (Encryption) These are many different points that lead to the integrity of the system, and clearly if the system does not have enough integrity, then it is possible for others to gain entry into the system. This is probably what had happened and some individuals who had no business looking into certain files did so. This gave them an idea that they could benefit themselves at the cost of the organization and the result is known.

Availability

It has been seen that there are regular security risks to data within a system and many organizations employ elaborate methods to save their network from internal and external intruders and control access to workspace which is used for the purpose of editing and publishing of information within the network. In the CSI/FBI 2003 Survey, about 70% of organizations that were surveyed reported using wide security measures which included access controls, intrusion detection equipment, physical security, firewalls, and several authentication technologies. Yet the same organizations finally reported an average amount of theft of proprietary information which was worth $2.7 million. Thus it is clear that while these technologies are essential for removing several threats, they are usually intended for securing of the information in transit, to have control of the access, or to protect content stored within the scope of a repository, but not enough for total protection. (Protection & Security of Your Digital Content with DRM)

There are also other technologies like security solutions that make use of techniques, like secure sockets layer -- SSL, virtual private networks -- VPNs, access control list -- ACL, and encrypting file system - EFS, secure multipurpose Internet mail extensions -- S/MIME, but those methods secure only the channels of communication and the content which is stored but fail to entirely protect a document or an email message after it has reached the recipient's desktop. In terms of the protection of the confidentiality of data, these technologies are effective only within a narrow group of environment. Once a user has accessed a document by means of the secure channel, there is absolutely nothing which can prevent the user from unknowingly or maliciously changing, printing, or re-distributing the contents of the document. None of the above provided technologies give a complete set of security characteristics within a single solution which is essential for total protection of confidential data presented in the form of a document or email.

Digital rights management -- DRM is one among the comparatively new technologies that can be helpful for an organization to secure its digital content. DRM offers protection to content even when a network intrusion takes place. DRM technologies permit an organization to control capacities of a recipient after receiving the document via the network. DRM products may consist of identity management, auditing features, watermarks, encryption/decryption, and metadata content control. DRM thus avoids a technology gap that no other product is useful for both in the email space as well as with documents, through permitting users to dictate as to who can open up their content and how the document can be used or could be shared. (Protection & Security of Your Digital Content with DRM) Use of this type of a technology could have protected documents within TCI from interference and misuse for personal gains by some within the organization.

Security Measures

What has been suggested is the use of a specialized technology called DRM and for the application of that technology; products are being offered by big players in the market like Adobe and Microsoft. Aside from the big suppliers, enterprise-wise DRM products are offered by a few specialty vendors like Liquid Machines, Authentica, and SealedMedia. Products, that all of them have, offered almost same charactristics for protection of content and intellectual property when the material leaves the periphery of the organization or its branches. The real differences within the products are due to the methods through which an enterprise DRM product relates with other office productivity applications. As an example, it may be noted that Microsoft's DRM product presently functions only with documents which are being generated by Office 2003 and Adobe's product which is called Policy Server, is restricted also and works only with PDF-formatted documents. Thus one should be aware that presently available DRM products are proprietary and that standards are not fully mature, and this may lead to individuals making a selection that can cost more in the long run. The market for DRM products stays small and divided, though there have been entries by Microsoft and Adobe systems. According to analysts, the DRM market is likely to progress slowly for at least for some of the few years till the technology becomes further mature. (Protection & Security of Your Digital Content With DRM)

This has led DRM technology being included by Microsoft in its Windows Server 2003, Office Professional Edition 2003 and as an add-on, if desired for Internet Explorer. Thus it is not a regular part of Microsoft systems. The development by Microsoft has been given the name of "Rights Management Services" or RMS and it implements DRM on applications of Office within the framework of limited trusted Active Directory Service. It is up to the users to designate regarding who could open a Word document or Outlook email message and if or not it is possible to be printed, copied, or forwarded and the RMS will only implement the decision. According to Selena Wilson, Microsoft's director of Windows security product management, who is on record as having mentioned that there is hardly any work needed in convincing organizations of the value DRM products needed to safeguard electronic messages and documents.

Windows RMS permits businesses to distribute information inside their organizations and define as to how and under what of the situations the information can be used, when the information expires and the individuals who are authorized to open and modify it. This is a capability to express and enforce document-level protection, and this can permit organizations to internally share information at the desired level, with lesser chances of inadvertent or intentional misuse. Enterprise DRM products from Microsoft, Adobe, and Authentica use a central server to create and store information regarding permissions for email messages, documents, and all other digital content. These permissions limit access to documents regarding as to who all can open an item and what they can do with it in terms of copying and pasting, editing, printing, forwarding, etc. Accessibility to documents can be avoided based on a set expiration date or if further up-to-date version is being available. (Protection & Security of Your Digital Content with DRM)

Thus certain type of information can be given to some of the executives only for some of the information purposes, and it may not permit them in order to send it to other people or even have to store them on their own systems. Since the concerned organization was a software developer, it was really possible for them to develop the technology fully based on their requirement and thus prevent the untoward events that had happened. The risk is always there, but it is the responsibility of the systems authorities to develop software which is suitable for avoiding any untoward events that may otherwise tend to occur. The required security measure is only provided as a safety measure and nothing is unusual. Even several other organizations who have not had faced the experience of this organization may think of trying to implement the technological protection in order to avoid the dangers occurring from similar risks. (Spectrum Wireless, Inc. And Automated Control Concepts, Inc. Announce Cooperative Marketing Agreement; Agreement Provides Collaboration in Wireless IP Routing Space)