Feeds

Katrina: a tough lesson in security

Pay attention, or pay the price

Beginner's guide to SSL certificates

In the waning days of August, a massive category four hurricane devastated the gulf coast of the United States, particularly devastating the city of New Orleans. In addition to the estimated $50bn in property damage, clean-up and reconstruction costs, and the hundreds of likely dead, and tens of thousands displaced, the hurricane and its aftermath have disrupted businesses throughout the southern United States. From this disaster, there are a few lessons IT staff, and IT security staff, as well as senior management should learn. The sad thing is that many won't take these lessons to heart.

1. Infrastructure is important

Much of the devastation resulting from hurricane Katrina, particularly to the city of New Orleans, resulted not from the initial wind damage, but from the collapse of key portions of the infrastructure which were not designed to withstand an event that, at least in retrospect, was eminently predictable, if not inevitable. The collapse of key levees in the Big Easy caused tens of millions of dollars of damage and loss because they were designed to withstand only a category three hurricane.

In most companies, the IT infrastructure has grown organically, based upon the needs or perceived needs of individual business units. Thus, the mix of hardware and software, applications, technologies and processes are generally not mapped, and generally not adequate. Most entities do not know what technologies that they have employed, what software (or versions) they are using, or even what the scope and extent of their network looks like. In addition, in most enterprises, "security" is a discrete item - it's an add-on, often an afterthought, yet it's frequently mentioned in one of those, "oh by the way" telephone calls after some new application is about to go (or has already gone) live.

Infrastructure is fragile and brittle. Survivability, redundancy, and security have to be built into it at the outset. An elegant network or application is of no use if it is destroyed, insecure, or inoperable. Duh.

2. Infrastructures are co-dependant

We typically think of IT as a single infrastructure, but it is not. Perhaps if your network and the Internet are seen as one of the same, it's easier to explain all those security breaches on "your" network. When the hurricane took down the electricity, the oil and natural gas refineries on the mainland of the gulf coast could not operate, nor could the pumping stations pump any oil or gas. A single catastrophic event will likely lead to the disruption of multiple infrastructures, each dependent upon each other.

The same is true for both IT and IT security. Electricity, telecommunications, Internet, transportation, and people are all co-dependent. Knowledge of these facts should inform not only your disaster recovery plans, but also your initial design. Don't forget that hardware, software, policy, planning and training are also key elements of your infrastructure.

3. Prevention is cheaper than response (usually)

Much of the work of prevention - knowing what the risks to the enterprise are, and mitigating these risks where it's cost-effective - can and should be done long before any attack or disaster affects an enterprise. It has been estimated that the costs of responding to an attack, including personnel costs, data recovery costs, diversion of attention from other priorities, direct economic damage and theft, and costs that damage one's reputation are often from 10 to 100 times the cost of preventing the damage in the first place. Right now, the tens of millions of dollars it would have cost to shore up and improve the levees looks like a sound investment. A month ago, it was government pork barrel spending.

We typically tie IT security spending to a percentage of the overall IT budget, and then value security based upon the value of the IT infrastructure. Why spend $50,000 to secure an IT asset that itself only cost (or is worth) $5,000? This is the wrong way to analyze the situation. We need to address the cost not of the IT itself, but the value of the information that is being processed by, stored on, or transmitted through the infrastructure.

The correct questions to ask are: "What would happen to my enterprise if this information was lost? Corrupted? Stolen? Unavailable?" What would happen to the company's reputation? To the ability to deliver services? Remember that in security we are protecting companies and agencies, not computers.

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.