IT Security

Network Security Report

20.03.2003

There are two useful examples to demonstrate the use of an IT security policy: The first example can only be protected against to an extent by technology, with the remainder by the adherence of staff to the security policy. The second example can be set up using technology, but it is a policy that must initially be laid down by the business.

A top-down approach to IT security is recommended: the policy originates at the top of the organisation and is disseminated to all employees. If commitment to the security policy is not demonstrated at Board level, it is unlikely to succeed, and the technology implemented will be less effective than it could be. This results in poor value for money. Although spending on IT security cannot really provide a traditional Return On Investment (ROI), it can be likened to purchasing insurance, and all companies want to receive some value from the money they spend.

Technology Issues

There are a wide variety of products designed to assist organisations in their quest for protection from hackers, crackers, and virus writers. This Report focuses specifically on securing the enterprise, so we cover products that help businesses secure the network perimeter before anyone is allowed in; we therefore do not review products and technology providing, for example, authentication and encryption. We cover three specific areas: anti-virus (AV), firewalls, and Intrusion Detection Systems (IDS). In this section we have very briefly touched on Butler Group's recommendation for a layered approach to IT security. The three areas identified above help develop this layered approach by presenting different levels of security. The first two technologies, AV and firewalls, have been around for quite some time now and are well established in the market place. Most organisations connecting to the Internet will have at least one firewall in place, and use AV software to check e-mail and other packets coming into the network.

It is Butler Group's belief, however, that these products are not used as efficiently and effectively as they could be, partly because organisations lack the defined policy discussed above, but also because of their perceived complexity, which leaves companies reluctant to configure the products beyond the defaults. Certainly some vendors have been accused in the past of making their IT security solutions overly complex or difficult to use, but it appears that today vendors are working towards ease of use. It is a question we put to all of the vendors that we saw, and a subject that they all claimed to have fully embraced and addressed. On the other side of the coin is the issue of training - one would not spend £10,000 on a car without being able to drive. A similar analogy applies to the purchase of IT security, particularly considering that very few Small to Medium-sized Enterprises (SMEs) have the finance available for a dedicated IT security administrator to implement and manage their IT security. Training in the use of a product should be taken up wherever possible in order to get the best use from the solution - returning to the issue of value for money discussed above.

IDS solutions are comparatively new on the market and require a great deal more day-to-day management than AV solutions and firewalls. These systems detect that an attack might be happening, with the only automation being the alerting of someone that an attack could be taking place. Many events on a network or appliance look like an attack but are not, and this is part of the reason for the high level of management necessary. When an IDS is first deployed the volume of alerts is extremely high because the solution has not yet been tuned for that particular customer's environment; once tuning has begun, the number of incidents should reduce. As with any IT product, training is recommended in order for the customer to obtain maximum use from the IDS.
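The tuning step described above, as an added example that is not part of the Butler Group report: a small Python script takes constructed IDS alert lines (a simplified `timestamp|signature|source|destination` form, not real product output), suppresses signature/source pairs the operator has verified as benign, and collapses repeated identical alerts into single incidents, so the raw alert volume shrinks to what an analyst actually needs to look at. The signature names, addresses and suppression list are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample alerts; format is "timestamp|signature|src|dst".
RAW_ALERTS = [
    "2003-03-20T09:00:01|ICMP PING|10.0.0.5|10.0.0.1",
    "2003-03-20T09:00:02|ICMP PING|10.0.0.5|10.0.0.1",
    "2003-03-20T09:00:03|SNMP request public|10.0.0.9|10.0.0.1",
    "2003-03-20T09:00:04|WEB-MISC suspicious request|192.0.2.44|10.0.0.20",
    "2003-03-20T09:00:05|SNMP request public|10.0.0.9|10.0.0.1",
    "2003-03-20T09:00:06|ICMP PING|10.0.0.5|10.0.0.1",
    "2003-03-20T09:00:07|WEB-MISC suspicious request|192.0.2.44|10.0.0.20",
]

# Tuning rules: (signature, source) pairs reviewed and found benign, e.g. the
# monitoring host's pings and the management station's SNMP polls (assumed).
SUPPRESS = {("ICMP PING", "10.0.0.5"), ("SNMP request public", "10.0.0.9")}


def parse_alert(line):
    ts, sig, src, dst = line.split("|")
    return {"ts": ts, "sig": sig, "src": src, "dst": dst}


def tune(lines, suppress):
    """Return (kept_alerts, suppressed_count). Suppressed alerts are counted
    rather than dropped silently, so the tuning itself can be audited."""
    kept, suppressed = [], 0
    for alert in map(parse_alert, lines):
        if (alert["sig"], alert["src"]) in suppress:
            suppressed += 1
        else:
            kept.append(alert)
    return kept, suppressed


def aggregate(alerts):
    """Collapse identical (sig, src, dst) alerts into one incident with a count."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[(alert["sig"], alert["src"], alert["dst"])] += 1
    return [{"sig": s, "src": src, "dst": dst, "count": n}
            for (s, src, dst), n in counts.items()]


if __name__ == "__main__":
    kept, n_suppressed = tune(RAW_ALERTS, SUPPRESS)
    incidents = aggregate(kept)
    print(f"raw alerts: {len(RAW_ALERTS)}, suppressed: {n_suppressed}, "
          f"incidents for review: {len(incidents)}")
```

The suppression list should itself be reviewed periodically: a benign source can be compromised, at which point its signature/source pair no longer deserves a blanket exemption.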
