"Authentication, authorisation, interoperability, recovery and validation are the key issues directors should be aware of when assessing the cyber security risks and vulnerabilities of their organisation's critical information technology infrastructure," says Mark Danton, Partner in charge of e-Security at Ernst & Young.
"Technology has yielded tremendous market growth and competition, but this same growth and competition has yielded security inefficiencies and vulnerabilities.
"Without being too alarmist, the focus on innovation and the lack of focus on security makes critical infrastructure vulnerable to attacks from criminals, hackers, disgruntled employees and, yes, terrorists," says Danton.
He says that although effectively securing corporate and critical infrastructure systems is no small task, organisations have no choice but to confront it. "More can be done to encourage companies, individuals, and government to address vulnerabilities and tackle hard issues. That leads to the critical issues outlined earlier - authentication, authorisation, interoperability, recovery and validation. It is important to understand and debate these concepts if we are to move forward on a national or global cyber security programme," he says.
He describes authentication as referring to the ability to determine who is using computer systems, or how to make sure that individuals are actually who they say they are.
Following is authorisation, which is what an authenticated individual is allowed to use or see on a system. Without an appropriate system for authentication and authorisation, we will be unable to effectively track and limit unauthorised individuals that might gain access to systems for personal gain or cyber terrorism, he says.
"Thirdly, we need to establish interoperability," says Danton. "This refers to the ability of systems to function seamlessly regardless of operating systems, applications, or hardware."
Market innovation and competition have resulted in each operating system, application, and hardware vendor having a proprietary interest in its own protocols.
This has created a dysfunctional environment of complicated interoperability. As a result, it is costly and difficult for organisations to implement truly effective security solutions.
Danton says the fourth key issue is recovery. "This indicates the ability to correct systems failures and catastrophes in a timely manner. Today, most companies are alone when it comes to implementing fail-safe systems and contingency plans. Many companies lack the necessary rigor and scale of recovery systems to respond to a national attack or cohesive cyber terrorism threat. Any consideration of cyber security must, therefore, take into account the necessity for a national recovery system."
Validation is the final key issue. "Securing critical infrastructure should not be perceived as a problem that can be fixed simply by purchasing the latest and greatest software or installing a firewall," he says. "Once a security application or process is put in place it must be regularly monitored and its effectiveness validated. This applies to all levels of security, including authentication, authorisation, interoperability, and recovery."
"Unfortunately," says Danton, "there is no common set of standards for validating the security of computer and information systems. Instead, different countries, individual industries, application vendors and hardware providers employ different standards for assessing vulnerabilities and the effectiveness of security solutions."
He says this in turn hampers efforts to conduct comprehensive risk assessments of network safeguards and controls across industries and applications. "Business advisory firms such as Ernst & Young must then determine how to make all of these competing standards work within a complex corporate environment while allowing for innovation and growth.
"Any long-term discussion of information technology security should, therefore, consider the need for harmonising standards for validating effectiveness. Only by regularly assessing the effectiveness of controls will we be in a position to offer assurance that security measures are working as intended," says Danton.