A Taxonomy of Loss
The widespread commercial use of the internet has led to an increasing focus on systems security. Media-driven hype and a lack of independent information can make the true level of threat to an organization difficult to determine. Adopting a structured approach to the analysis of computer system security risks allows an organization to more effectively balance its operational requirements against the potential for loss, whether that loss involves physical equipment, information or reputation.
This article discusses the components of a computer system, the types of attack to which they are exposed, some typical defence mechanisms and some weaknesses in the standard defences. The information and concepts shown can form a starting point for the development of suitable security and operational strategies to assist organizations to obtain the maximum value from their investments in computer systems.
Recent years have seen the explosive growth of the internet; the number of web hosts has grown from under 19 thousand in August 1995 to nearly 700 million in June 2012 [Netcraft]. Many organizations are joining this lemming-like rush to connect, fearing the prediction that ‘anyone not on the internet will be out of business in five years’ (even though we’ve been hearing this for about five years and it has yet to be true).
This flight to join the networked world leads to poorly planned decisions and predictable adverse consequences. These consequences include lack of scalability, missing functionality and poor integration with office systems.
Weak or non-existent security is another common problem; a poorly secured network is an invitation to attack. One high-visibility attack is the defacement of web pages; in a two-year period in the mid-2000s between 10 and 20 web sites per day were reported as defaced [Attrition]. Your turn may be next. Recent FBI data indicated that over 90% of surveyed organizations had detected some security breach, with 74% reporting financial losses as a result [FBI].
Although this paper has a particular focus on internet security, the problems and concepts discussed apply equally to internal systems security.
Why all the classifications?
The groupings shown in this paper are not intended as a formal taxonomy; the groups are neither complete (some elements are missing) nor deterministic (it is not always clear to which grouping an element belongs).
These classifications are a starting point for an analysis of the risks to which a particular system is exposed. Psychological research indicates that formalised thinking approaches are less prone to error or omission than looser, heuristic methods. A structured approach, using these or some other set of classifications, is likely to produce a more complete security profile of an organization, with correspondingly improved support from all levels within the organization.
I am not suggesting that these groupings are the best or even adequate in all situations. I am saying that a formal approach to a security analysis will produce better results.