Analysis: MIKE MAONDE
IN ZAMBIA, information security means different things to different organisations. Here are some of the frightful misconceptions I normally come across as I conduct information systems security and cybersecurity consulting engagements.
• Our systems have been running smoothly for a while without any evidence of attacks.
• We have a firewall installed, so our systems are secure.
• Our IT department is handling this and they have told us we are safe.
• We are a small company that poses no threat to anyone, so we don't need a firewall.
This is not an exhaustive list, but it is enough to show the mistaken and dangerous views accepted by many organisations.
So what is information security? ISO/IEC 27001 and 27002 Standards define information security as the preservation of confidentiality, integrity and availability of information.
Confidentiality is the protection of data against intentional or unintentional unauthorised access, use or disclosure while in storage, in process or in transit. Depending on the sensitivity and criticality of the data, any such access, use or disclosure could result in financial loss, lawsuits or a ruined reputation.
Integrity is the protection of the coherence and veracity of data against accidental or intentional modification or destruction. It means preventing unauthorised users from making any modifications, and authorised users from making unauthorised ones.
Availability ensures that authorised users have timely and uninterrupted access to data, or that interruptions can be handled quickly by providing redundancy for critical systems.
As simple as all this sounds, effective information security is a never-ending journey. The misconceptions persist because our level of awareness and practice, whether as individuals or as organisations, is alarmingly low and, where it exists at all, often misplaced. Many organisations are negligent, unconcerned or simply unaware of information security risks.
So, to say that we have no evidence of any attacks is to create a dangerous false sense of security. If you are connected to the internet, your network is almost certainly being probed every day, and the evidence is usually sitting unread in your firewall and server logs. Cyber breaches are among the biggest challenges in the digital world and it would be folly for us in Zambia to be oblivious of this scourge. If you have information worth stealing, an insider or an external threat agent could be exfiltrating it from your network without your knowledge. Remember that information can be stolen from your systems while remaining intact at the source: exfiltration leaves no gap to notice, which is exactly why "nothing looks wrong" proves nothing. Any organisation that is not aware of the clandestine, covert or overt attacks on its networks will be unable to adequately defend or protect itself.
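As a concrete illustration of "you are being probed every day", here is a small added example (not the author's code, and not from any product named in this article) that reads firewall DROP log lines and flags the two commonest signatures of probing: one source touching many distinct ports, and one source hammering a single service. The log format is a simplified, constructed iptables-style line, and the sample entries are made up; both are assumptions you would replace with your own firewall's output and thresholds.

```python
"""Find evidence of probing in firewall DROP logs.

Added example for this article, not the author's code. The log format below is a
constructed, simplified iptables-style line (an assumption); adjust LINE_RE to
match your own firewall's format.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic). Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 12 02:14:01 gw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54012 DPT=22
Jun 12 02:14:01 gw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54013 DPT=23
Jun 12 02:14:02 gw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54014 DPT=80
Jun 12 02:14:02 gw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54015 DPT=443
Jun 12 02:14:03 gw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54016 DPT=3389
Jun 12 02:14:03 gw kernel: DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54017 DPT=445
Jun 12 02:20:11 gw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=443
Jun 12 02:21:45 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=5353
Jun 12 02:30:00 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=61000 DPT=22
Jun 12 02:30:00 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=61001 DPT=22
Jun 12 02:30:01 gw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=61002 DPT=22
"""

# Source address, protocol and destination port; SPT is optional (ICMP has none).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=\S+\s+PROTO=(?P<proto>\S+)\s+(?:SPT=\d+\s+)?DPT=(?P<dpt>\d+)"
)


def parse_drops(log_text):
    """Return (src_ip, proto, dst_port) for every DROP line that matches LINE_RE.

    Lines that are not drops, or that do not match, are skipped rather than
    raising, so a noisy log does not abort the scan.
    """
    events = []
    for line in log_text.splitlines():
        if " DROP " not in line:
            continue
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("proto"), int(m.group("dpt"))))
    return events


def find_probes(log_text, min_ports=5, min_hits=3):
    """Flag sources that look like they are probing us.

    port_scan:       one source touched at least `min_ports` distinct ports.
    repeated_probe:  one source hit the same port at least `min_hits` times
                     (brute forcing or repeated service checks).
    A single stray dropped packet is treated as background noise and ignored.
    """
    ports_per_src = defaultdict(set)
    hits_per_src_port = Counter()
    for src, _proto, dport in parse_drops(log_text):
        ports_per_src[src].add(dport)
        hits_per_src_port[(src, dport)] += 1

    findings = []
    for src in sorted(ports_per_src):
        ports = sorted(ports_per_src[src])
        if len(ports) >= min_ports:
            findings.append({"src": src, "kind": "port_scan", "ports": ports})
            continue
        for port in ports:
            hits = hits_per_src_port[(src, port)]
            if hits >= min_hits:
                findings.append(
                    {"src": src, "kind": "repeated_probe", "ports": [port], "hits": hits}
                )
    return findings


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, the scanner reports the six-port sweep from 203.0.113.45 and three hits on port 22 from 192.0.2.9, and stays silent about the single dropped packet from 198.51.100.77. The point is not the thresholds, which you would tune to your own traffic, but that the evidence of probing exists the moment you actually look at the logs you already have.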
Implementing "candy" security, where a hard outer shell such as a firewall protects a soft, insecure network behind it, is counterproductive: once one host inside is compromised, nothing stops the attacker moving sideways. Installing a firewall when you do not fully know what you are protecting, as is common lackadaisical practice, is not prudent management. Yes, you need that firewall, but a pragmatic strategy takes a holistic, risk-based and multi-faceted approach. Organisations that are seriously concerned with information security must always ask themselves these questions:
• What are we trying to protect, and from whom?
• Why are we trying to protect it?
• How are we going to protect it?
Information security is a people, process and technology problem, and it is best addressed by combining policies, awareness training and technology. A firewall is just one cog in that machine; it cannot resolve all of your vulnerabilities.
Many organisations treat information security as the responsibility of the IT department. Protecting the assets of any organisation is the duty of senior management, which must treat information security as a matter of IT governance. Information security requires management leadership, since it affects the entire organisation. It must always be considered a business operations issue and not just something the IT geeks should do behind the scenes. (Sorry guys to call you geeks.) In most cases these geeks are not adequately trained to properly handle information security. Many have the skills to manage the "castle" but not the "city". I will explain this analogy in my next article.
Does the size of your company matter? No! Viruses, worms, botnets (robot networks), RATs (remote access trojans) and other malware (malicious software) are not smart enough to figure out the size of your network, and automated scanning does not discriminate. Your computers could still be hijacked and turned into zombies. As a result of your failure to adequately protect yourself, and unbeknownst to you, your zombie machines could then be used to carry out concerted and malevolent distributed denial-of-service attacks on other networks.
Let me end here. More on the misconceptions in the next article.
The author is Director and Senior Cybersecurity Consultant at BULLDOG SYSTEMS LIMITED.