The Myth of Secure ComputingRobert D. Austin andChristopher A.R. Darby
Presentation onThe Myth of Secure ComputingGroup- 6Daliya BhattaHemant Raj ShresthaMagina ShresthaPratima Kunwar
What affects 90% of all businesses and causes $17 billion of damage every year?
• Computer Security Breach• E-mail floods
• Insider Hackers
• Viruses
• Why is this a big problem?• Do not pay much attention to digital security
Why It happens?• Digital security is extraordinarily
complicated
• Careless or vindictive employees
• Digital security is invisible
What should a Business Manager do?• Protective measures are expensive
• Should focus on the risk management
• View computer security as an operational rather than technical challenge
• Reduce the business risk to an acceptable level
Threats to digital security
Three types of threats to digital security:
1. Network attacks• Without breaching the internal working
of an IT system, causes heavy damage to network via internet
• Denial of Service (DoS) attacks• DoS attacks are easy to mount and
difficult to defend against
Threats cont…
2. Intrusion• They penetrate organization’s internal IT system
• They steal information, erase or alter data, deface websites etc.
• Eavesdropping
• Difficult to figure out what precisely was done
Threats cont…
3. Malicious Code• Any code in any part of a software system or script that is
intended to cause undesired effect to a system
• It consists of viruses and worms, Trojan horses etc.
• Faster than human hacker
• Target is random
The operational approach
1. Identify digital assets and decide how much protection each deserves
What your digital assets are?
Assess how valuable each assets are
Decide how much risk company can absorb for each asset
Review people, process and technologies that support the assets
2. Define appropriate use of IT resources
Managers should ask people questions aboutAuthority for remote access to corporate
network
Safeguards to implement for remote location
access
Identify the normal behavior for jobs along with do’s and don'ts
Companies should explain the rationale for the limitations implemented
3. Control access to your systems
System should determine who access the specified information
Use of firewalls, authentication and authorization systems, and encryption
System should be configured to reflect choices of the critical assets
Monitor the use of the IT systems to log network activities
4. Insist in secure software
Demand reasonable levels of security from software vendors
Insist…
In case of in-house software, developers should follow secure coding and test practices
Companies should consider the issue of earnings vs. security
5. Know what software is running
Must document every modification of system
In case of breach, it provides current records along with digital forensics
Allow IT people to make changes quickly
Never procrastinate in updating patches
6. Test and benchmark
Bad guys always gets in
Focus should be on:How easy is to get in?
What systems or programs were exposed?
Do not rely heavily on audits
Hire external auditors periodically to benchmark the security standards
7. Rehearse your response• Difficulty in making decisions in crisis mode
• Helps to have procedures in place and specify who should be involved in problem-solving activities
• Enables decision makers to act more confidently and effectively during real events
• Always have a backup plan
8. Analyze the root causes of security problems • Detailed analysis of root cause is necessary
• Quality assurance tools can be used:• Fish-bone diagram,
• Eight step process,
• Plan-do-check-act cycles, etc.
• Toyota uses “The 5 Whys” approach
The Bottom Line• Complete computer security is a MYTH
• New threats and new capabilities are always emerging
• Complications in risk management• Managers attitude
• Estimation of cost and probabilities
• Well-defined management actions not applicable in all situations
• Addressing serious risk are expensive
Recommendation• Focus on serious risks rather than just spending
• Risk-management is all about business trade-off
Thank- You