Security Failure

8/14/2019 Security Failure

Business Issues

Understanding security risk and strategy in the Telecommunications, Media and Entertainment sectors

Security Failure may be defined differently from business to business, and person to person, depending upon specific viewpoints and experience. Security in itself can also vary in scope and definition and might be considered very broad or very narrow. Generally, whatever the definition, any failure to consider, defend against or mitigate any attack or risk incident might be considered a security flaw irrespective of consequential loss. The stark reality is that security failure remains a very common occurrence in many businesses through the lack of a holistic perspective on security management.

Security might commonly be considered as being applicable to the following business areas:

Information: all types of information, but especially customer and market-sensitive business data, which may appear in any form (electronic, printed etc.).

Information Technology/Systems, Network and other Operational Technologies: commonly allied to Information Security as a means to process and store data, and critical to the operation of the business.

Physical infrastructure components: office buildings, network sites, data centres and other constructions or sites hosting the technologies and people within the business.

People: employees, customers and suppliers; surprisingly often not the first consideration in terms of risk or protection, but essential to protect operations and the good name of the business.

Suppliers and/or business partners: although some employ decent security policies and practices, these are often not reflected within the operations of key suppliers or partners.

Business Continuity Planning: incorporating mitigation, disaster recovery and incident management practices.

The issues

Good security protects assets, revenues, reputation and people and provides for a sustainable business. However, because of the difference of opinions and approaches to security, a fragmented security regime can easily develop, especially if security is not coordinated across business divisions or operations. An example may help illustrate this point:

A Communications Service Provider (CSP) operating across major cities in Europe was especially focussed on the corporate customer sector. Their security budget was allocated to each division head and there was no coordination across divisions. One city of operations was subject to periodic terrorist attacks, particularly bombing of targets of key infrastructure components and business operations to affect the economy. To protect service to customers, the head of networks decided to encase a key switching centre in a robust metal room within the building, effectively shielding the equipment from blasts. On the floor above in the same building was the billing system (and other important billing and operational support systems), but the head of IT decided that the security budget would be diverted to other projects.

In analysing the exposure based on a bomb targeting the communications facilities, the network would still be able to function (albeit probably with some damage repair) and services provided to customers after a very short downtime, if any. However, the billing system would probably be totally destroyed, and the recovery plan was based solely on the vendor re-installing a new system. Such a recovery plan would take 4-6 months. Unfortunately, the network data could only be stored for up to 2 weeks, and so a significant revenue loss would be likely in the event of a targeted bombing.

    Business Assurance | Revenue Assurance | Fraud Management | Receivables Management

http://www.assuringbusiness.com/contact-us/
http://www.assuringbusiness.com/see-the-difference/
This illustration of security risk is not as uncommon as one might think. And when you consider the principle illustrated here in other areas of security, then the issues become even more significant. Many issues arise from the poor operation of security controls that are put in place, i.e. the human factor. Any security defence is only as strong as the weakest link, and all too often that is our people! Security practices are often perceived as a hindrance, and so many will passively or deliberately not comply, without really seeing the bigger picture and the damage that can be done.

What are the common problems leading to security exposure?

Information Security is probably one of the most commonly addressed areas of risk, but in practice there tends to be much room for improvement in many organisations. Accentuated by the need to protect certain types of data through regulation (e.g. personal data protection laws), the highly competitive nature of some markets, and the increasing dependence on IT systems for business operations, Information Security usually draws the most attention. However, in reality this responsibility tends to be focussed on IT teams, where IT is actually just one facet of Information Security; the basic issues are often not addressed, and sensitive information may be exposed through other (non-technical) means. For example: the head of marketing who had the company's new strategy document taken from his desk when the office was unlocked; or the early release of market-sensitive business performance data through a disgruntled employee who was able to lay hands on a print-out left on a photocopier; or the selling of VIP address and personal details obtained from forms or returned bills stored in non-secure facilities; or the non-secure disposal of waste paper providing a fraudster's dream!

IT and Network Security has a strong element of Information Security embedded within, but more fundamental logical, physical and people security concerns should also be considered as part of an overall plan. Although certain systems may not host or process data that might be considered sensitive, security failure might result in lost revenues or increased costs. For example, internal fraud is a very common problem and every CSP will suffer to an extent (in one operation in Asia, 11% of revenue was lost to internal fraud). Many such frauds are facilitated by poor security.

How do you know if you have a problem?

The range of security issues is broad, so the nature of the problems will reflect that. There will always be specific incidents that bring security failure to the attention of management; however, it is the security failure that remains undetected that causes the most concern. Apart from responding to incidents, the only real way to identify security risk is to be proactive and assess risk throughout the business.


Managing the problem

Security failure can arise from any aspect of the operations. Incidents might be man-made or natural in origin, and may result from deliberate and planned attack or opportunist activity. It is impossible to prevent all security failure, but focussing on the key risk mitigation, management and prevention (deterrence) for certain risks will help maintain a cost-effective and pragmatic security risk management approach.

Incorporating security as part of a Business Assurance strategy is essential. The cost of security will be outweighed many times by the cost of security failure, which may lead to business-critical exposure. However, to be effective, security must be coordinated across the business and sensible judgements made to balance risk and costs, customer experience and people protection.

Any security policy should be augmented by guidelines on how to apply policy in practice; without this, application will be varied and often weak. These in turn should also be subject to awareness activity to maintain a focus on security throughout the operations and keep the people motivated to play a key role in good security practice.

Security risks will arise through partnering with suppliers or businesses; it is imperative to protect your interests through ensuring good security practices with partners.

ISO27001 (ISO/IEC 27001:2005) is an international security standard for an Information Security Management System (ISMS) that might be considered as a target for operations.

Contact Us to discuss building a security strategy or plan, or to discuss other areas of interest.

Figure: The Business Assurance Cycle may be applied to Security practice as with any other Business Assurance domain.
