1. Assigning inadequately trained and non-dedicated personnel to handle security.  Use a specialist. Never assign security to Lan Administration. Keeping up with service patches and security technology is a full time job.
2. Failure to understand the relationship of information security to business problems (i.e Most people understand physical security, but do not see the consequences of poor information security). Poor information security and break-in causes severe business disruption. Treat it the same as a disaster recovery plan. Remember the loss of service can bring down the company the loss in confidence and liability associated with being hacked can keep the company down. Exercise due diligence at all times to limit liability.
3. Failing to deal with the operational aspects of security (i.e. make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed).  Be security aware. You can not keep up if you are doing more than security. Treat it as the most important thing in the job as keeping the disk drives running on the servers. Slip and a hacker will make sure you remember for the rest of your life.
4. Rely primarily on a firewall. With only one part of the Defense In Depth in place and with the firewall only trying to keep intruders out you are using only half of its' capabilities. What about the attacks within? Using only one part is an open invitation to being hacked.
5. Fail to realize how much money their information and organizational reputations are worth.  Never believe for one second that the company information is not worth protecting. It is the company. Forget this fact and a hacker will remind you in a very unpleasant way.
6. Authorize reactive, short-term fixes only, as a result, problems re-emerge rapidly. OK for the short term but never for the long term. Always perform due diligence and follow through.
7. Pretend the problem will go away if it is ignored. Hackers love to see this one. Ignore the problem and it will come back to haunt you. Always perform due diligence in matters of company risk and liability.

If you’re an executive or business owner you have seen on the news reports of companies attacked by viruses, cracked by hackers and generally compromised.

The best assumption is that everyone is a target if you are on the Internet. Are you a bank, government institution, power company, large retailer, mid sized business, part of the transportation infrastructure, small business, publicly traded company, private company or a private user? In other words if you are connected to the Internet in any way from a dialup connection to a dedicated line you are a target. The type of attack depends on what the attacker believes is on your system or what he can use your system for.

Using the Riptec report as well as incident responses from SANS (Systems Administration, Network and Security) Institute, INFOSEC (Information Security) Institute and others the following trends are apparent.

• Hacking falls into two (2) categories, deliberate and opportunistic.
• Hacking or attempts to compromise systems is rising 49% per year and will accelerate each  year as more people come on the Internet.
• It originates mostly in the United States but also comes from China, Brazil, Europe, the Middle East and Russia as sources of hacking and is worldwide in scope.
• Attempts range from the lone teenager to sophisticated Nation-States and intelligence groups attempting to compromise systems in each other's countries with the resources of their country available to them.
• Larger companies of more than 1000 employees are more likely to be subject to deliberate attack than smaller privately held companies.
• Publicly held well known companies are more likely to be deliberately attacked than less known privately held smaller less known companies.
• Companies without a security presence are more likely to be compromised than companies with a strong security awareness.
• Only 1% of the attacks posed a serious threat but based on the penetration compromised billions of dollars in company assets and ranged in severity from;
• Numerous high-profile Denial of Service attacks and company Internet presence shut down.
• Disabling all or part of some of the world's largest communication's networks.
• The possible Compromise of  the Windows source code at Microsoft.
• Numerous cases of servers being penetrated and credit card numbers and customer information compromised causing loss of customer trust in the company and in a few instances damaging the companies ability to do business beyond repair.
• These represented serious security breaches of company's assets and damaged the companies' ability to perform significantly.
• Most Trojan horse programs, viruses, Visual Basic or VBS, JAVA, and Active X based attacks are specifically written to breach Microsoft systems and are targeted at several specific parts of the Microsoft architecture.
• Targeted systems are either;
• Compromised and the information stolen or destroyed
• The system is used to attack other systems as in the case of distributed denial of service attacks or back end password theft to penetrate an internal corporate Virtual Private or Private Network.

Based on this information the following conclusion can be reached.

No Company that is connected to the Internet is safe from attempts to be hacked. This includes e-mail viruses and Trojan horses, malicious web sites, direct attacks to the company's computers on the Internet, attempts to hijack the companies web site and any other attempt to compromise the companies' ability to perform business using the Internet. It is simply a matter of time and percentages before any company's computers are penetrated and information stolen or the system used to attack another company.

How do I protect my company and myself?

Being aware that there is a possibility of being compromised is the first step. Don't think for one second that simply because the computer you use is safe simply because it is locked up in your office. If it is connected to the Internet in any way it can be compromised. Take a holistic strategy towards protecting your assets. Use a layered strategy to protect the people and information in your company and Defense In Depth (DID) approach.

e-Business Partners & Customers

The real liability of being "hacked" is perhaps not what an intruder might do to your systems and data. While the loss can be significant, it is perhaps trivial when compared to the potential liability you may face if an intruder causes harm to one of your e-Business partners or a customer as a result of their penetration of your systems.

Liability Trends

The current trend in liability law is for the law to rely on information security as the means by which businesses should be able to establish a level of "trust".

New laws and regulations are beginning to require, push or create incentives for businesses to implement a level of security that establishes the legal "trust" necessary for safe, enforceable and provable transactions. Under the law, sometimes security is an option, and sometimes it is a requirement. But at all times, security has a legal role in facilitating business transactions that cannot be ignored.

The first law to recognize the legal role of security was the Uniform Commercial Code Article 4A, which governs electronic fund transfers. Proposed in 1989 and now enacted in all 50 states, this law relies on security procedures such as verification and error detection measures rather than signatures as the basis for verifying electronic transactions and apportioning liability. Since then, new laws and regulations are increasingly giving legal significance to security for a variety of reasons.

Legal Precedents

In some cases, the law literally requires security. For example;

The federal Gramm-Leach-Bliley Act, finalized in 2001, requires financial institutions to adopt a comprehensive written security plan to ensure the confidentiality of customer information.

The federal Health Insurance Portability and Accountability Act (HIPPA) requires healthcare providers to implement the security necessary to ensure the integrity and confidentiality of healthcare information (42 U.S.C. § 1320d-2).

Penalties include fines and possible imprisonment.

Such regulations require businesses to;

• Identify and assess potential risks
• Design a security plan to manage and control those risks
• Implement the plan internally and require third-party service providers to comply
• Periodically review and adjust the security plan as necessary (12 CFR Part 30).

Moreover,

These regulations put the responsibility for adopting and implementing the plan directly on the Board of Directors.

Electronic Signatures

In other cases, the law pushes businesses to implement security by providing that certain electronic transactions will not be legally binding without taking appropriate security measures.

For example, under the 1999 New York Electronic Signatures and Records Act, and some other laws in the U.S. and other countries;

Electronic signatures are enforceable in certain cases only if appropriate security is used.

Specifically, the signature must be;

• Unique to the person using it
• Capable of verification
• Created using information under the sole control of the signatory

Attached to the data in a manner that authenticates the attachment of the signature to the data and the integrity of the data transmitted (NY CLS State Technology Law § 101).

The Model Law on Electronic Signatures, approved by the United Nations in 2001, recommends that countries adopt laws basing the enforceability of electronic signatures on an assessment of their level of reliability or trustworthiness.

Legal Benefits

Some laws provide incentives to businesses by giving them a legal benefit if they implement appropriate security. For example;

Under the 1998 Illinois Electronic Commerce Security Act (5 Ill. Comp. Stat. 175), the signer of an electronic document is legally presumed to be the person identified by the signature when certain security attributes, similar to those in the New York law, are present. Without that presumption, the source of an electronic document must be authenticated in the event of a dispute.

The Uniform Electronic Transactions Act, proposed in 1999 and now enacted in 37 states, allocates liability for a change or error in an electronic record that occurs during transmission to the party that failed to implement security to prevent or detect such errors.

Legal Guidance Today

Most laws provide little guidance on the subject of how much security is enough, nor do they require companies to adopt particular technologies. These laws often state only that security must be;

• "Commercially reasonable"
• "Sufficient to "ensure" protection from reasonably anticipated threats.

It remains to be seen whether mere penetration of a company's defenses will establish the legal inadequacy of those defenses.

Future Trends

The trend is unmistakable: Security will be the key to creating enforceable and trustworthy electronic business transactions. No security, no deal.

Most companies network administrators are saturated with work on printer problems, new users, new applications and failed systems. Adding security to the current burden without increasing staff leaves little time to dedicated security tasks. The skill sets involved in security range from operating environments and network protocols to applications. This wide range of experience makes it difficult to find people with broad enough skill sets to accomplish the security goals.

Network threats are just that, they reside on the network.  What most Lan Administrators forget is that the threat is not only on what's trying to get in from the outside but what may be inside their network trying to compromise other machines or get out to report back to the attacker.

Reconnaissance: Techniques used to gather technical information about your systems.

Threat - While not destructive in themselves, these information gathering techniques give hackers what they need to actually
attack your systems. Preventing these types of activities is the best defense.

• Target Discovery - A technique used to discover the network addresses of possible attack targets.
• Network Commands - Certain commands/information services available in the Internet network environment that give an attacker technical information about potential targets.
• Ping Sweeps - An automated method of scanning ranges of network addresses for possible attack targets.
• Port Scans - A technique used to sense for vulnerabilities in a network server.
• Eavesdropping - A way to passively observing the information in network traffic. This information can then be used in later attacks.
• Information Theft - Taking data from an information system without proper authorization.

Threat - Attackers can access your systems often without anyone noticing and steal/destroy information (often over
extended periods of time), or cause denial of services by crashing your systems, sometimes beyond the ability to simply
restart.

• Password Attacks - Obtaining valid passwords without authorization (stealing password files, cracking password, etc.) and then using them to enter secure systems.
• Trusted Access - Gaining access to a secure or "trusted" computer and using that system's trusted status to penetrate and attack other systems.
• Secondary Access - Continued unauthorized access through means established during an initial security breach. This gives an attacker continued, access over a period of time if undetected.
• Remote Access - Attacks that are the result of initial authorized remote access. The most common attack is to gain complete control over a system to steal information.
• Vulnerable Software - Exploiting a software systems' security weaknesses to gain unauthorized access, steal data, modify programs, deny service, or destroy data.

Threat - Loss of access to services and systems by customers and employees.

Data Manipulation These attacks are accomplished by recording, modifying, and replaying the contents of ongoing
network traffic to gain access to your systems or by falsifying the contents of network packets to confuse your systems.