A Taxonomy of Loss
Types of Loss
A security breach doesn’t have to mean something stolen; any type of action that reduces the value of a computer system can be seen as a loss.
Considering different types of loss leads to a better understanding of the potential problems which a computer system can present for an organization.
Hardware can be stolen (laptop computers are a favourite), software pirated, data such as customer information (including credit card details) copied, and networks and communications systems misused by insiders or outsiders for nefarious ends.
Software can be modified to subvert system policies; data can be intercepted and corrupted during network transmission, or forged to appear to come from a different source.
An attack on any one of these sub-systems can deny legitimate users access to the computer system as a whole.
You may be held responsible for any misuse of your computer systems. This can range from access to inappropriate web content by staff to an attacker using your systems to attack a third party.
In addition to physical defences such as locked or isolated computer rooms, many organizations adopt sound basic security measures to protect their investments.
These basic strategies are not always sufficient.
Basic security processes
Authentication
As a first step, all access to internal computer systems should require authentication by at least an account code and password.
Acceptable use policies
Written guidelines covering the use of internal and external computer systems, including web browsing and email use.
Firewalls
A properly configured firewall can control the types of traffic allowed between the internal network, public interfaces (such as the organization's own web and email servers) and the internet.
Anti-virus software
Installed on workstations and servers to prevent known virus programs from damaging files or spreading to other systems.
Backups
A recent, verified backup is essential in any recovery operation; an unverified backup is a hope, not a defence.
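What "verified" means in practice is shown by the following script, an added example that is not part of the original page. It takes a backup of a directory, records a SHA-256 checksum beside the archive, checks the archive against that checksum, and then proves the backup is actually restorable by extracting it into a scratch directory and comparing the result with the source. The sample data is constructed inline; the function names, paths and the choice of tar plus sha256sum (or shasum where sha256sum is absent) are assumptions of this example, not anything the page prescribes.

```shell
#!/bin/sh
# Added example (not from the original page): create, verify and test-restore a backup.
# Assumptions: tar, diff, mktemp and either sha256sum or shasum are available;
# the source tree is small enough to archive with a single tar call.
set -u

# sum256 FILE : print the hex SHA-256 digest of FILE, using whichever tool exists
sum256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_backup SRC_DIR ARCHIVE : archive SRC_DIR and record its checksum in ARCHIVE.sha256
make_backup() {
    src="$1"; archive="$2"
    tar -C "$(dirname "$src")" -cf "$archive" "$(basename "$src")" || return 1
    # The recorded digest lets a later check detect corruption or tampering of the archive.
    sum256 "$archive" > "$archive.sha256"
}

# verify_backup ARCHIVE : succeed only if ARCHIVE still matches its recorded checksum
verify_backup() {
    archive="$1"
    recorded=$(cat "$archive.sha256" 2>/dev/null) || return 1
    actual=$(sum256 "$archive") || return 1
    [ "$recorded" = "$actual" ]
}

# test_restore ARCHIVE SRC_DIR : extract ARCHIVE into a scratch dir and diff it against SRC_DIR
test_restore() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d) || return 1
    if ! tar -C "$scratch" -xf "$archive"; then
        rm -rf "$scratch"; return 1
    fi
    diff -r "$src" "$scratch/$(basename "$src")" >/dev/null
    status=$?
    rm -rf "$scratch"
    return $status
}

# demo : run the whole cycle on constructed sample data, including a deliberate
# corruption of the archive that the checksum check must catch. Returns 0 on success.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/sub"
    printf 'customer records (constructed sample)\n' > "$work/data/customers.txt"
    printf 'setting=1\n' > "$work/data/sub/app.conf"

    make_backup "$work/data" "$work/data.tar"   || { rm -rf "$work"; return 1; }
    verify_backup "$work/data.tar"              || { rm -rf "$work"; return 1; }
    test_restore "$work/data.tar" "$work/data"  || { rm -rf "$work"; return 1; }

    # Simulate a damaged archive: verification must now fail.
    printf 'x' >> "$work/data.tar"
    if verify_backup "$work/data.tar"; then rm -rf "$work"; return 1; fi

    rm -rf "$work"
    return 0
}

# Run stand-alone: report the outcome of the full cycle.
if demo; then echo "backup created, verified and test-restored"; else echo "backup check FAILED"; fi
```

The two checks answer different questions: the checksum shows the archive has not changed since it was written, and the trial restore shows it can actually be read back. A backup schedule that performs only the first still does not tell you whether a recovery operation will succeed.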
All of these elements can be characterised as fixed defences and suffer from the inadequacies of fixed defences throughout history. The Great Wall of China, the Maginot Line and the Berlin Wall were each seen as a total security solution; this proved to be overly optimistic.
Problems with fixed defence strategies
Using the historical analogy of a defensive wall we can draw comparisons with computer system defences.
Imperfections in the Defence
Walls cannot defend against all attacks; they can be undermined with tunnels, knocked down, scaled and avoided.
Signature-based virus protection cannot detect a virus for which it has no signature; a firewall cannot stop attacks that originate inside the perimeter, nor attacks carried in traffic the policy has to allow (for example, malicious requests arriving on the web port that must stay open for the organization's own web server).
The Cost of Maintenance
Maintaining a large defensive wall is very expensive; the supply chain requirements are enormous and there is a great temptation to regard the mere presence of the wall as sufficient defence. Attackers can choose their point and time of attack; defenders have to be ready for anything.
Computer systems evolve, new weaknesses are discovered and new applications are deployed. Maintaining strong security in the face of competing budgetary requirements and a dynamic business environment is difficult at best and perhaps impossible without the commitment of the organization’s senior management.
The Need for Commerce
Even the highest and strongest walls need gates. The requirements of trade and communications mean that a wall is never as solid as you might wish.
Computer systems serve the needs of the organization. The power and potential of the connected world requires the free flow of some information between systems, and some intrusion attempts are difficult to distinguish from that legitimate traffic.
Insider Assisted Attacks
A border is a political fiction; in practice the people on each side of the wall often have more in common with each other than with their respective rulers, and actively work together to by-pass the interference of the troops supposed to be defending them against each other.
Various studies suggest that 60-80% of computer system security breaches involve someone from within the organization. External attacks are a real threat but ignoring the problems of internal security is a serious mistake.