What is a Managed Security Service?
Based on an outsourcing model, organizations can now contract with an outside managed security service provider (MSSP) to handle some security functions. Most commonly, these providers remotely manage firewalls and offer 24/7 monitoring, which can generate alerts and responses to potential threats and other service issues. VPN, antivirus and intrusion protection are some of the other services commonly seen. An MSSP is a good alternative for organizations whose internal resources may not be able to maintain baseline defense functions.
Privacy vs. the Right to Know: A Growing Debate
Prior to the events of Sept. 11, there was a strong move by government to protect through appropriate legislation the privacy of an individual's electronic data, be it medical records held by healthcare practitioners, financial data held by banks, or personal records maintained in e-business customer databases. After the terrorist attacks, however, it quickly became apparent that government's right to know more about its inhabitants and to be able to access database records was necessary to combat terrorism. Will government needs infringe on individual rights and privacy?
The National ID Smart Card
Several advocacy groups have been formed in order to establish a national user ID for every U.S. citizen. This ID could be the size of a credit card and contain the citizen's photo and embedded microchips to store more individualized data. With a demand being made for higher levels of authentication in the case of airport identity controls, some type of ID smart card could fit the bill. Similarly, a number of biometric authentication devices are being considered to validate identity, including handprint scanning or face recognition systems.
Trends in Wireless Security
With the number of mobile, wireless devices growing rapidly, those devices will likely be the next major Internet evolution. These devices offer mobility and immediate access and are becoming more affordable. They complement a more fluid work style. Unfortunately, the way those devices access networks and process and store data is a threat to overall enterprise security. In many cases, wireless device users maintain their own security settings, ignoring the security policies and guidelines that apply in the non-wireless world. For example, PDAs or new smart phones fall through the cracks when it comes to security best practices, and, accordingly, they are unmanageable. Without audit trails, it is impossible to close down suspected leaks or abuse. Mobile devices need to be authorized by the company, and rules about access made simple and clear.
Will Terror Strike the Internet?
Who can predict if cyber terrorists will use the Internet to induce fear? Will an organized group of individuals strike at target companies or governments? Hacktivism, the expression of political beliefs using the Internet, is a relatively new activity that could become a threat. Will an organized group attempt to destroy the Internet? Some say it is a technological impossibility because of the decentralized architecture of the Internet. Others say a coordinated DDoS (Distributed Denial of Service) attack, for example, could spin the Internet out of control for periods of time. The open nature of the Internet, however, means any individual or group could use the Internet either for proper purposes or as a tool of destruction.
What Is the Future of Security?
IT Security will continue to grow in several ways. First, it will grow in importance as a defender and an enabler. Both its overall visibility and technological improvements will make it easier to deploy. Security solutions will become better integrated with one another, as well as with existing software systems. Some predict that security solutions will become commodities, as antivirus and even firewall solutions have. Since a reduction in the threats to eBusinesses and corporate networks is not in sight, it is likely that the IT Security industry will continue to grow rapidly over the next several years (and maybe much longer).
How Do You Keep Up With Security?
There are a number of ways to keep up with security issues, trends and technologies. A number of organizations support the IT security industry through education, training and conferences. These include the Computer Security Institute (www.gocsi.com), Information Systems Security Association (www.issa-intl.org), MIS Training Institute (www.misti.com), the Information Systems Audit and Control Association (ISACA, www.isaca.org) and the System Administration, Networking and Security Institute (SANS, www.sans.org). Leading industry publications include Information Security and SC Security. Computerworld and searchSecurity deliver two security news feeds with daily e-mails. Bruce Schneier's CRYPTO-GRAM is a free monthly newsletter on computer security and cryptography. A number of IT market research firms such as Aberdeen Group, Gartner Group, GIGA Group, IDC and Meta Group track security trends and requirements. The National Institute of Standards and Technology (NIST, Dept. of Commerce) has a Computer Security Division and a resource center (http://csrc.nist.gov) that offers development of cryptography standards, security testing, research and security awareness programs. The CERT Coordination Center (CERT/CC, www.cert.org) at Carnegie Mellon University has long been a leading source for Internet security, vulnerability research and outreach. The CERT Coordination Center also provides descriptions of the latest hacking exploits. Finally, security software vendors offer a wealth of information regarding product solutions, as well as the latest research and news updates.
© 2001 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
