The Internet has become a vital resource for many companies around the world. By connecting to the Internet, a company can share information, send and receive files and email, and provide an online shopping experience to the company’s customers. Some might say that in order for businesses to “keep up in the global marketplace” (Wienclaw, 2008, p. 1) they must be connected to the Internet. In this paper I will show some of the security risks that have been introduced or increased with the Internet and I will attempt to provide some suggestions for mitigating these risks.
Security impact of the Internet
One of the most significant risks that companies face is the risk of unauthorized access to sensitive information. This risk isn’t new to companies, but the Internet has increased it. Dictionary.com defines a hacker as “a microcomputer user who attempts to gain unauthorized access to proprietary computer systems” (dictionary.com, 2009). Prior to the Internet, hackers would have to gain access to a company’s computer system from within the company premises. Companies could mitigate this risk with physical security mechanisms such as access cards and guards. The Internet has opened up this risk to hackers outside the company as well. Unauthorized access can lead to regulatory problems for companies as well as intellectual property theft. The embarrassment to the company can also jeopardize customer confidence, which could result in lost sales. According to Linda Musthaler, some “organizations that have experienced data breaches have been forced by law to report the occurrence” (2008, para. 1).
There was a time when software patches were just required to repair functionality of the software. Now that companies are connected to the Internet, security vulnerabilities that are inherent in software also must be patched. The Internet is an extraordinary communications vehicle. Just like companies use the Internet to find and communicate the latest information, hackers use this vehicle as well. According to Ruth Wienclaw, “research has found that the average time between the announcement of a software vulnerability to the time that attack is made on that vulnerability is 5.8 days” (Wienclaw, 2008, p.2). More recently, in October of 2008 “Microsoft has released a fix outside of its normal Patch Tuesday cycle” (Johnston, 2009, para. 2). This emergency patch was released because “targeted attacks exploited” (2009, para. 1) the vulnerability according to Stuart Johnston.
Computer viruses were not new to the computing world when the Internet was introduced. Computer viruses are software programs that are designed to harm a computer environment and spread from computer to computer. Before the Internet, computer viruses would spread by sharing disks from one computer to another. What better way to enhance the spreading of computer viruses than to connect all the computers to each other?
Many solutions can be implemented to minimize the risks that have been mentioned above. An important thing to mention though is that a company might not be able to eliminate all risks. The first recommendation that I would make for any company that is trying to implement an Internet Security program is to try to understand the assets the company is protecting. Assets could be physical assets, but here I am referring to data assets. The impact of the risk to those assets is important to understand in terms of cost. This is a common risk management approach. If the company doesn’t understand the risk in terms of cost, it may be difficult to justify the cost of mitigating the risk. The second most important recommendation that I would give is that no one solution will mitigate all the risks. According to Roark Pollock, “to effectively protect against attacks spawned by worms, hackers, and other forms of malware that target software vulnerabilities, enterprises should consider a ‘layered’ security approach” (2004, para. 6).
Most experts agree that an antivirus/antimalware solution and a hardware-based firewall are the basic building blocks of Internet Security. An antimalware solution will continually scan the computers and servers in the company’s environment to identify and block the attempted spread of viruses, spyware, and other malicious code. Firewalls, on the other hand, will help prevent unauthorized computers from gaining access to the company’s networks, helping to keep a hacker out.
Firewalls and antimalware solutions are not free from vulnerabilities themselves. These products contain software code that is itself susceptible to security breaches, and they can miss new malware for which definition files have yet to be updated. This is why I believe that a comprehensive patch management practice should be implemented as part of the Internet Security solution. According to Linda Musthaler, “eighteen percent of hacks exploited a specific known vulnerability. In more than 71% of these cases, a patch for the vulnerability had been available for months” (2008, para. 4). One of the best investments a company can make, in my mind, is an automated patch management solution where known security patches are automatically downloaded and deployed to the appropriate devices as soon as the patch is released. At Interval International, my team has signed up for a third-party notification service that provides us with immediate notification of security patch releases and scores the releases on a scale of one to five. A score of one is the least important to implement and a five is the most critical. In my department I have established guidelines around how fast a patch must be deployed based on the score provided. Our patch management product allows us to deploy patches rated a five within one day to all our systems globally.
Since remote login or remote access is a common requirement for companies that have Internet access, a two-factor authentication solution is another important recommendation. Where a firewall will help ensure that only authorized systems have access to the company’s internal resources, an authentication system will ensure that only authorized users have access. Two-factor authentication forces the user to enter a password based on a password policy set by the company. It also forces the user to provide another credential based on something they have. At Interval International, the users have a password committed to memory and are provided with an RSA security token that displays a number key that changes regularly. For a user to gain access to an Interval system from the Internet, the user is prompted for a user identification, a password, and the number from the RSA security token. This dual-factor authentication approach lessens the risk of unauthorized access since an intruder would need to have a matching password and token.
The last recommendation that I would make is for the company to sign up for an annual penetration test. In this test, the company grants a third party the authority to attempt to breach the security and gain access to the company’s systems. These tests use known vulnerabilities and provide the company with the findings and actions to improve security. This type of testing is required by the Payment Card Industry/Data Security Standard (PCI/DSS) if the company is a credit card processing company.
A silver bullet doesn’t exist for Internet Security. The basic building blocks of an Internet Security solution are a hardware-based firewall and an antimalware solution. These two solutions are only as good as their upkeep. Internet threats change rapidly, and in order to ensure that the company remains protected from new threats, a comprehensive patch management practice must be implemented. Remote users will need to access company assets. In order to ensure that the appropriate users gain access, the company should invest in a two-factor authentication solution. Lastly, having a third party double-check the security is never a bad idea. This can be done with penetration testing and is a requirement for PCI/DSS compliance.
Dictionary.com, (2009). Hacker Definition, Dictionary.com. Retrieved January 24, 2009, from http://dictionary.reference.com/browse/hacker
Johnston, S.J., (January 2009). PCWorld, Bugs & Fixes, Retrieved January 25, 2009, from EBSCOhost database.
Kilpatrick, I., (January 2009). http://www.trainingjournal.com, 12 Tips for Ensuring Internet Security. Retrieved January 23, 2009 from EBSCOhost database.
Musthaler, L., (December 2008). Network World Asia, The True Cause of Data Breaches. Retrieved January 26, 2009 from EBSCOhost database.
Pollock, R. (April 2004). Communications News, Secure Networks. Retrieved January 24, 2009 from EBSCOhost database.
Wienclaw, R.A, (2008). Copyright of EBSCO Publishing Inc., Research Starters: Internet Security. Retrieved January 24, 2009 from EBSCOhost database.