By Matthew Wilson, MCSE

As technology consultants to CPA firms, we at Boomer Consulting are often asked for “the” solution to a given technology issue, question, or problem. For security, no easy answer exists. This article gives the non-technical reader a glimpse into the world of computer security. By the end, you should understand the threats, preventative measures, and countermeasures that make up the cat-and-mouse game of security.
This article outlines the broad scope of the security playing field, including a summary of risk analysis/alleviation/management. Later articles in this series will explore the concepts of authentication, cryptography, event auditing, authorization, certificates, isolation, compartmentalization, multi-level security, role separation, and other relevant security concepts.
Am I really in danger? Do I really have enemies?
The information stored on your computer network is only as secure as your technology and access policies make it, and no electronic system is totally secure: a determined thief or nosy hacker can, with diligent effort and enough computing power, break any security system.
Stated another way, any one of your competitors, former employees, angry clients, or interested government parties, given enough motive and/or funding and the latest penetration tools, will be able to “own” your computer network.
Just as dead bolts, wrought-iron window bars, and alarm systems merely slow down the determined burglar with the proper tools, your network’s firewall, passwords, file encryption, and access policies are speed bumps on the thief’s path to owning your network. Such protections make up your preventive layer. They might stop the casual hacker’s foray into your network, but an attacker with a financial interest in breaking your security will eventually succeed.
Deterrence matters as much as prevention. Just as a high rate of gun ownership in a town is said to deter would-be burglars, an attacker who believes you have a good intrusion monitoring and event auditing system, one that will record and expose the break-in, will be deterred unless he is among the most determined. Such systems are usually very expensive to put in place, so only the largest firms have them, which brings us to risk management.
Smaller firms just don’t have the resources to hire a Chief Security Officer and a team of security engineers. Probably only the Big Four, and maybe the rest of the top 25, can afford it. On the other hand, such big companies inherently have many more points of entry, not to mention a far greater amount of information that is much more valuable to potential attackers. The previous three sentences are the economics of risk management in miniature: the cost of a defense must be weighed against the value of what it defends and the likelihood that someone will come after it.
There are several steps to risk management, but each step is an ongoing, iterative process, not a one-time event:
- Asset assessment and valuation
- Identifying security risks
- Analyzing and prioritizing security risks
- Security risk tracking, planning, and scheduling
Development and Implementation
- Security remediation development
- Security remediation testing
- Capturing security knowledge
- Reassessing new and changed assets and security risks
- Stabilizing and deploying new or changed countermeasures
Asset assessment and valuation, if you have never done it before, will take the majority of your time and will probably be the most alarming step. It involves placing a black-market value on the information your firm stores. If your firm were a medical office, the personally identifiable medical records of your patients would be highly valuable to a buyer, which is one reason for the recent HIPAA privacy regulations.
Public accounting firms are in a special situation: they store not only information about their own businesses but also highly detailed (not just financial!) information about their (sometimes very secretive!) clients. These information assets must be valued by what they would be worth to a potential thief, not by what they cost you to produce. It has been suspected and alleged that some marketing research firms obtain customer and competitor information through information theft.
Protecting your (and your clients’) information assets should be a top priority. Your clients should also be worried about their information getting into the wrong hands. Over the next few years, as public awareness about the security problem spreads, a public accounting firm’s security measures could become a selling point, as in, “We safeguard your data.” It is my personal suspicion that this very issue will lead more firms to consolidate just to achieve the economies of scale necessary to afford such security systems.
Information theft is not the only thing to be worried about. Corporate espionage has grown into the broader battlefield of corporate warfare. Information warfare isn’t just for “rogue nations” and destructive anarchists; the underground fables that circulate about “hackers for hire” have definite grounding in fact. Several acquaintances of mine from my younger years got involved in the hacker scene; trust me, if you hire a hacker to break into a competitor’s network to steal information, you had better pay them, and on time! You don’t want an angry hacker to anonymously attack you.
Seriously, though, there is a reason large public companies each spend millions per year on information security: exclusive ownership of their information assets is worth that much. A team of skilled security engineers bristling with the weaponry of information warfare is as important to your security as armed guards inside your building’s entryways (if you were a large bank) and an alarm company ready to signal the local police to bring the heavy guns.
The threat of information blackmail and information ransom is just as scary. What if an untraceable individual or entity (able to communicate with you anonymously) claimed to have penetrated your network and downloaded your entire content/document management system database and all of your email for the past 10 years? I suspect that haul would contain information very damaging to your firm, if only in the record it gives of your employees’ day-to-day activity.
Summary and Your Steps
In summary, information assets should be internally valued and protected just like any other asset. Take steps to hire a security firm to evaluate your security measures, recommend and implement new proactive and reactive measures, and even install countermeasures. Some security firms are already offering SLAs (Service Level Agreements) that work like a form of insurance: if you experience a break-in or security breakdown for which the security firm is deemed accountable, you are eligible to file a claim for payment, based on the valuation of the information exposed or endangered (another reason to do the valuation described above). In return, the security firm will require you to take the steps necessary to lock down your information assets. If you already have in-house IT staff who can support a sophisticated, full event auditing and intrusion prevention system, consider hiring a security professional to consult with your IT staff on how to address these threats.
Matthew S. Wilson is the Network Administrator and Webmaster at Boomer Consulting, Inc., an organization devoted to the application of computer technology and management consulting, located in Manhattan, KS.
Boomer Consulting, Inc.
Manhattan, KS 66502