National

PREVENTIVE SECURITY #1
Preventive security is in this respect a key concept: specific organisational, infrastructural, technical and staffing strategies that are tailored to individual circumstances and to constructing a defence that kicks in before something bad happens. In subsequent issues of secuview, you can read interesting and sometimes even amusing case studies (anonymised, of course) compiled by our secunet experts.
FIFA World Cup Shoots Holes in IT System

Directives from above defeat even the best technical defences
There are many IT systems that, technically speaking, are well protected. But unfortunately, these too fall victim to elementary attacks because individually appropriate organisational processes have not been implemented or upheld.
“How could they overcome the formidable barriers that we now have in place? The way they were bypassed makes us look like amateurs!” Unfortunately, this quote is genuine, and the circumstances that permitted this successful IT attack are by no means exceptional. The technology and the administrators really were high calibre. The problem lay entirely elsewhere.

The vulnerability was caused by an instruction from a senior executive to allow certain IT services during the World Cup so that he could follow the games live on his PC. Although the administrators expressly warned of the associated security risks, the desire of this senior person to watch the matches live at work obviously outweighed the concerns of the lower-ranking technical staff. The expert in this case – i.e. the system administrator – had no recourse against the decision.
This real-life scenario is by no means exceptional. secunet is often called out to deal with emergencies that have been caused by the absence of organisational security measures. In the case cited above, a clearly defined, documented and auditable process that gave the administrator suitable veto rights would have helped to uphold the high level of security afforded by the systems in place. It would then have been possible to take secure and responsible action, overriding the personal preferences of the boss.
Security must be integral to corporate culture
Experience has shown that, although many government agencies and private businesses have put appropriate security measures in place, these are often not rigorously upheld on the organisational side of information security. At the same time, however, there is no shortage of standards and best practices to provide support here: for example, the IT security management standards typified by the ISO 27000 family, those implemented in accordance with BSI baseline protection, and the recommendations of ITIL (IT Infrastructure Library) and COBIT (Control Objectives for Information and Related Technology). secunet experts with many years of experience are available to support any appropriate customisation or tailored implementation.
More information:
René Seydel
rene.seydel@secunet.com

IN THE NEXT ISSUE:
Well configured – one click for enhanced security

12 » 1 | 2013