Feeds

Katrina: a tough lesson in security

Pay attention, or pay the price

Using blade systems to cut costs and sharpen efficiencies

4. Cost of response is shifted

A typical axiom in the tort law of negligence is that we impose the liability upon the party or entity best able to avoid the damage or risk. In the case of the New Orleans flooding, this would have been some combination of the local, state and federal governments, including the U.S. Army Corps of Engineers, and of course, the United States Congress that funds these projects, as well as the electorate that votes for these Members of Congress. Had better, stronger and more durable levees been constructed and maintained, billions of dollars of damage could have been prevented.

However, in most situations, the people bearing the risk of loss are not the same people who have to make the decisions about prevention. Homeowners in New Orleans essentially had little say about whether the levees were built (although they could have chosen to live elsewhere - like San Francisco or Sri Lanka?) What is worse, drivers in Washington, D.C., those who are now paying $3.70 a gallon for gas that was just $2.50 before the hurricane, previously had little reason to support plans to build stronger levees or redundant distribution centers on the gulf coast. Operators of the closed Houston Astrodome also had little reason to appreciate the effects of a hurricane in Louisiana on their facility.

In IT attacks, the same is true. The people whose information is affected by the attack may be distant - temporally, proximally or otherwise - from the decisions about whether or how to secure the IT. The cost of prevention may come from the IT budget, but the benefit goes to other business units' productivity and it is rarely captured. The same is true for the costs of avoidance. We need better metrics for the TRUE cost of NOT providing adequate security, and then we will be better able to make informed decisions about how much to spend on security.

5. Insurance is important

In the aftermath of hurricane Katrina, many individuals who thought they had insurance (because they had been paying thousands of dollars in premiums, for years) to cover damages resulting from the hurricane find that they may not be insured for the damages. This is because most insurance policies have specific riders excluding coverage for damage resulting from "flooding." So if a hurricane blows out a levee causing water to crash into and submerge your house, the damage, although caused by a hurricane, may not be covered.

Many insurance companies offer various forms of insurance to protect key parts of the IT infrastructure. These include general business interruption insurance, reputation insurance, theft, damage or loss insurance, critical document insurance, and various forms of cyber-insurance. However, these policies contain riders and exclusions that are often confusing and mutually contradictory. If there is "physical damage" to a computer that holds your critical documents, you may be covered, but "logical damage" may not be covered. If the hard drives are wiped out by a flood it may be covered, and similarly if they're wiped by a magnet or a power surge they may be covered - but if they're wiped by a virus or worm, they are excluded. Thus, in conducting risk assessment it is important to review all of your insurance policies (including your D&O policies) to make sure you have appropriate coverage.

Also remember that when you are reducing your risk by implementing a comprehensive IT security program, you are also reducing the risk of your insurance company who ultimately would have to pay for covered losses. As a result, just as when you put in a smoke alarm or burglar alarm, you should contact the insurance company when you plan to make significant changes in your security to see whether they will reduce your premiums -- or better yet, pay for the improvements directly. Some companies, particularly those that offer cyber-insurance policies, will even pay for comprehensive audits or assessment themselves. Free security? What could be better?

6. Backup, backup and backup

The day before I go to the dentist, I try to do about six months worth of flossing and brushing. Sure, we all know we need to do this, and there is nothing sexy about having a plan for backups, but we frequently don't do them properly - not only at the corporate level, but at the personal level as well.

The hurricane also taught us that many of our plans for data recovery and disaster recovery may be too limited. For example, prior to September 11, 2001, both the federal, state and city disaster centers were located in close proximity to each other for planning, coordination and communications purposes. These were, of course, located in the World Trade Center. Not a bad decision to start with, but a very unfortunate result.

Similarly, we often have wonderful backup plans to backup data and store it at a remote location just a few blocks or miles away. In the wake of the hurricane, we need to reconsider these decisions. Work locally and backup globally.

Of course, this creates new problems. The more distributed information becomes, the more vulnerable it is to attack, disruption, and to the legal processes of the country in which it is located. Outsourcing data storage may solve some of these problems, but it may also create new problems itself. There are all fun things to think about.

7. Training and testing

The ultimate defense against disaster are well trained and well equipped people. Too few companies bother to train their employees to recognize cyber attacks, and to respond appropriately to them. All the technology in the world won't help unless people know it exists and know how and when to use it. Awareness and training are critical to success.

A cyber attack, like the breach of the New Orleans levees, is more than likely. The best enterprises will be prepared, and therefore will survive.

Copyright © 2004, SecurityFocus logo

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.