the myth of secure computing; management information system; mis

The Myth of Secure Computing Robert D. Austin and Christopher A.R. Darby

Upload: saazan-shrestha

Post on 23-Jun-2015


DESCRIPTION

This is a presentation based on a Harvard Business Review article of the same title.

TRANSCRIPT

Page 1: The myth of secure computing; management information system; MIS

The Myth of Secure Computing

Robert D. Austin and Christopher A.R. Darby


Presentation on The Myth of Secure Computing

Group 6

Daliya Bhatta

Hemant Raj Shrestha

Magina Shrestha

Pratima Kunwar


What affects 90% of all businesses and causes $17 billion of damage every year?

• Computer Security Breach

• E-mail floods

• Insider Hackers

• Viruses

• Why is this a big problem?

• Do not pay much attention to digital security


Why does it happen?

• Digital security is extraordinarily complicated

• Careless or vindictive employees

• Digital security is invisible


What should a Business Manager do?

• Protective measures are expensive

• Should focus on risk management

• View computer security as an operational rather than technical challenge

• Reduce the business risk to an acceptable level


Threats to digital security

Three types of threats to digital security:

1. Network attacks

• Cause heavy damage to the network via the Internet without breaching the internal workings of an IT system

• Denial of Service (DoS) attacks

• DoS attacks are easy to mount and difficult to defend against


Threats cont…

2. Intrusion

• They penetrate the organization’s internal IT system

• They steal information, erase or alter data, deface websites etc.

• Eavesdropping

• Difficult to figure out what precisely was done


Threats cont…

3. Malicious Code

• Any code in any part of a software system or script that is intended to cause an undesired effect on a system

• It includes viruses, worms, Trojan horses, etc.

• Faster than a human hacker

• Target is random


The operational approach


1. Identify digital assets and decide how much protection each deserves

What are your digital assets?

Assess how valuable each asset is

Decide how much risk the company can absorb for each asset

Review people, process and technologies that support the assets


2. Define appropriate use of IT resources

Managers should ask people questions about:

Authority for remote access to the corporate network

Safeguards to implement for remote location access

Identify the normal behavior for jobs along with do’s and don'ts

Companies should explain the rationale for the limitations implemented


3. Control access to your systems

The system should determine who accesses the specified information

Use of firewalls, authentication and authorization systems, and encryption

System should be configured to reflect choices of the critical assets

Monitor the use of the IT systems to log network activities


4. Insist on secure software

Demand reasonable levels of security from software vendors


Insist…

In case of in-house software, developers should follow secure coding and test practices

Companies should consider the issue of earnings vs. security


5. Know what software is running

Must document every modification of the system

In case of breach, it provides current records along with digital forensics

Allow IT people to make changes quickly

Never procrastinate in updating patches


6. Test and benchmark

Bad guys always get in

Focus should be on:

How easy is it to get in?

What systems or programs were exposed?

Do not rely heavily on audits

Hire external auditors periodically to benchmark the security standards


7. Rehearse your response

• Difficulty in making decisions in crisis mode

• Helps to have procedures in place and specify who should be involved in problem-solving activities

• Enables decision makers to act more confidently and effectively during real events

• Always have a backup plan


8. Analyze the root causes of security problems

• Detailed analysis of root cause is necessary

• Quality assurance tools can be used:

• Fish-bone diagram,

• Eight step process,

• Plan-do-check-act cycles, etc.

• Toyota uses “The 5 Whys” approach


The Bottom Line

• Complete computer security is a MYTH

• New threats and new capabilities are always emerging

• Complications in risk management

• Managers' attitude

• Estimation of cost and probabilities

• Well-defined management actions not applicable in all situations

• Addressing serious risks is expensive


Recommendation

• Focus on serious risks rather than just spending

• Risk management is all about business trade-offs


Thank You