Federal agencies in 2007 reported more than 5,600 cases of computer attacks, intrusions, probes, and plantings of malicious code from unseen enemies around the world. That’s up 56 percent from the previous year and up 80 percent from two years ago, according to a recent report by the Office of Management and Budget. The increase underscores the importance of managing security risk.
The intrusions included one in which the chief information security officer of a sensitive agency discovered that his computer was sending data to computers in China. He had been the victim of a new type of spear phishing attack. Once the attackers were inside, they had freedom of action to use his personal computer as a tunnel into his agency’s systems.
Or there are the problems that hundreds of senior federal officials and business executives encountered after they visited the website of a political think-tank and then found that their computers had been turned into zombies. Keystroke loggers, placed on their computers by the criminals—or, possibly a nation-state—captured their user names and passwords for personal bank and stock trading accounts.
Or there was the theft of sensitive patient records from a hospital website that was compromised because a web developer made a programming error. The theft was part of an extortion scheme: the criminals confronted the hospital with the choice between paying or allowing patients’ health records to be spread across the internet.
Individuals’ identities are at risk as well. In 2008, authorities indicted several individuals in the theft of 41 million credit and debit cards stolen from retailers’ networks.
Some ways to manage security risk are to assure system security, to protect against threats from insiders, and to ensure that the workforce knows and follows security best practices.
Other ways include improving the software development process and building better software, because those approaches produce software with fewer defects and vulnerabilities. It is important to identify the critical software components that control security-related functions; those components must be monitored closely throughout development and testing.
When security breaches do occur, organizations must minimize and contain the damage. But they also must think in terms of forensics: how can the organization collect information about the breach that is admissible in court as evidence, if and when the perpetrators are brought to justice? Still, an organization’s approach to forensics—and, indeed, to security—will only be as good as management’s willingness to enforce policies.