Back to basics
While emergency reactions are under way to beef up security across the country, there remains an uneasy feeling that the most sophisticated of high-tech solutions are really only as good as the lock on the back door.
RiskWatch's Hamilton noted that electronic surveillance of facilities, biotech identity systems and other security measures are great--if the server on which they may all operate is safe.
"Take out the server, and what good is the security system?" she asked.
Forbes said such elementary steps as changing passwords regularly or making them more secure have been ignored by many businesses. A frequent complaint is that employees leave their passwords on sticky notes attached to keyboards, making the entire system vulnerable.
Such security concerns aren't limited only to small corporations.
"The range of clients seeking our assistance is running the full gamut," Grove said, "from major banking institutions, manufacturers, pharmaceutical companies, telecommunications players, Internet service providers, government agencies, hydroelectric operators, to food chain and agricultural companies. . .
"As such, there is no single silver bullet or blanket solution that can be draped over all companies. Each has specific needs, shortcomings, levels of risk that they are willing to assume, and levels of budgets that they are able to expend," he said.
Information system security is indeed a management responsibility BUT it is also a responsibility of the vendors of the associated hardware, software and network systems themselves. AND this area was totally missing from the ZDNET analysis. You buy a car - you expect it to follow the appropriate Australian standards for car safety and quality. The problem today is that commodity systems, e.g. Windows 2000 / XP, which have not even achieved a lowest level of trust analysis (i.e. the old "C2" level of evaluation), are being used in mission critical servers/hosts/workstations. It is time the IT industry was held responsible itself - professionals need to work with trusted systems that have been assessed according to security standards - and we have one - an international one - ISO 15408 - for system trust. None of this gets any mention in your analysis. Strange! After all - there is no point blaming a driver for not stopping the car if it has no brakes! By today, for example, mandatory / role based access control, segmented memory protection and the like should have been standard - they are not. There is the problem. Untrusted, commodity, consumer systems being used in government, business systems and networks for which they are ill suited. Even Steve Ballmer of Microsoft was reported in June in the UK as commenting that his company could have done a better job in the security area! Multiply that by a nation - and we have the potential for cyber disaster.
Bill Caelli
Information Security Research Centre
Queensland University of Technology