All too often we think about our security in terms of protecting the United States from the terrorist who crashed into the World Trade Center on November 11, 2001 but as we grow our information technology how are we going to protect ourselves from hackers and the cyber-criminals who plan to steal our identities or even worst hack into our National Security. How are we as a nation as well as our universities planning on dealing with these new threats and new requirements? The security that has been implemented in the past is headed for a major overhaul but how do we address these issues? First, let's take a look at what information technology security means for us in our growing use of computers and our age of information. Secondly, we need to identify the threats to our IT systems we are now using. Thirdly, how do we prepare and deal with these cyber-criminals to maintain our security systems.
Information security has been around for a long time. The military in the Roman Empire secured their important messages by using ink on a parchment that could be dissolved in water after the message had been read. During the World War I and II, allies were able to decipher German and Japanese encryption codes which gave them a tremendous advantage over their enemy's. As a nation, our reliance on computers, laptops, computer networks, cellular phones, and other electronic systems has grown to enormous proportions. Today, as technology grows at a faster rate then we can keep up with, the challenge is how we can protect our data that we have on the internet or in our businesses.
Large organizations have their own local computer networks that allow their employees to communicate and share resources by linking their IT systems with other employees or connect with the internet. Some of these organizations will limit access to sensitive electronic information on a need to know bases. The challenge for every organization is how to keep updated on their security systems. Some of the objectives to keep in mind when considering security are confidentiality, availability of data, and integrity. An organization must be able to protect or keep confident important data from those who do not have the right to access it. By having integrity, a company has systems in place that does not allow others to modify their information. Also, employees need to be able to have access to data on timely bases. Unfortunately, with our growing need to be mobile, security challenges are increasing as employees are working from remote locations.
What are some of the threats we are facing in our IT systems today? Dr. James Canton, CEO for Institute for Global Futures, believes it includes the following items; "encryption, firewalls, Internet viruses, wireless, Denial of service, cyber hackers, biometrics, surveillance, genomic security, data protection, customer theft, profiling the cyber terrorist, identity theft, case studies about industrial espionage and information warfare" [1] When we first started out with email, we did not have worry about which email to open or which email was sent by a friend that contained a virus. As technology changes the cyber-criminals becomes more knowledgeable on how to gain access to new systems. The more networks we are connected to the more vulnerable we become and it increases our security risk. Most computer crimes that don't happen internally are usually from small groups of people but can we allow ourselves to believe that it will stay small? Because information technology is growing at a fast rate, it is hard to identify which way the threats to our systems will be directed. Other countries have an interest in learning more about and unleashing computer warfare by creating viruses.
The world is becoming wired and what better way to affect the United States than by our IT systems. Until our organizations become aware of our cyber-security threats we will remain vulnerable to cyber-attacks.
One of our weaknesses is rooted in the lack of security in our operating systems. Manufacturers are hung up on providing slick new features to get people to buy their product rather than upgrading their security performance. Our computer systems only provide us with minimal patches such as firewalls to filter out potential viruses. Other intrusion detectors will look for a known pattern to detect their threat. These devises are becoming outdated. Businesses put security alarms on their building because of insurance reasons and not because it makes them feel safer. Businesses put fire sprinklers in their building because of building codes and not because of their concern for their tenants. So this leads us to ask, will security insurance be the next step to limiting our liability or provide us with standards that computer techs will have to install in their systems in order to get this type of insurance? The CEO of a business will want to know how much he is saving on this type of insurance when he invests in a higher performing security system for his IT needs. Software companies will be forced to look at how they can compete with other companies offering a higher level of internet security when they start losing market share.
Cloud computing is being adopted by small to medium sized businesses who have lower-risk systems. Even though the trend for these companies are lending toward cloud computing technology's, a report by Houston outsourcer states that, "seventy-eight percent of the 140 IT managers surveyed by TPI fit in this category, yet a smaller number are actually adopting these technologies". [2] Larger companies with more complex systems such as ERP had a very small percent of interest in implementing this type of security for their enterprise. Sears addressed some of the risk factor concerns that the enterprise had when he explained, "…with 79 percent stating that cloud security is inadequate or unclear. Forty-nine percent are concerned with integration to legacy systems, and another 49 percent are concerned about losing company data. Half of the respondents worry about non-compliance with regulation, and disaster recovery and business continuity issues". [3] Some of the other factors affecting the decisions of making the move toward cloud computer are the future costs of their cloud services and being tied to one company without the option of transferring their service to a competitor down the line. Many of the cloud suppliers do not offer extended contracts that would guarantee their costs over years to come. Private clouds are appealing to other companies because of their lower cost and they can leverage their power usage during peak times.
Larger enterprises are using their IT departments to start their own in-house security program. One of these companies's is US GreenFiber. US GreenFiber is the largest manufacturer of cellulose insulation used in our churches, schools, and businesses today. They have a commitment to recycling and developing a green environment. They have chosen to develop their own internal security policies to help design a secure infrastructure. One of the things I like about them is they are considerate of their employees. At a lunch meeting, the IT department took the time to explain their security policy's addressing the issue of how it affects individual employees all the way to the corporate level. The company executives did not want their employees feeling like they were being spied on, rather they took the time to explain the importance of security for everyone in their company. US GreenFiber implemented an application-control option in their security systems which allowed them to control policies on who had access to different internet applications. The Fortinet's application control allows US GreenFiber to block Facebook and MySpace chats. This system also keeps a record of all the chats that were allowed to be used by employees such as on AOL Instant Messenger.
In order to stop internet attacks, US GreenFiber implemented a private cloud on VMwares's vSphere to host their numerous internet applications. Fortinet's application allows the company to move their personal information through a secure source which protects employee and credit card information. These systems have decreased their help desk calls regarding viruses and spam. US GreenFiber has documented through their Numara's Track-IT help desk software that about a third of their calls have been decreased from customers than before they implement it. Finally, they understand the need for their company to test their security to see if they need to upgrade it. [4]
For the individual user, there are several items that might consider for their future security needs. First, for a home user or small business there are hybrid models for security such as cloud services. Look for products that have a full-disk encryption and are capable to have more web threat integration. For the average household, use an identity protection service such as IDWatchdog to protect you from identity theft. Because so many households have multiple units and devises, the household needs to look for a software system that will cover multiple devises to save you money.
Internet technology also recognizes the need for a secure information environment such as seen in the Internet Protocol (IPv6) which will offer digital signatures, key passing, and encryption. Most of IPv6 distribution is seen in our universities today. One important issue that needs to be addressed with the internet is a packet-level billing system. Packet-level billing system makes internet attacks possible without the ability to trace the source.
Today and in the future, internet users will be looking for cryptographic methods as a tool to secure their internet technology. Cryptography is the art of writing in secret code which dates back to the Egyptians. For internet communication to be secure we must have the following requirements for any site to be trusted; Authentication, Privacy, Integrity, and Non-repudiation. With this system in place we can be sure of one's identity, be assured of confidentiality, be able to trust that we got the original form of the message, and know who the sender of the message is. There are three types of cryptographic algorithms that will be discussed which include: Secret Key, Public Key, and Hash Functions. The Secret Key Cryptography only uses a single key for both decryption and encryption versus the Public Key Cryptography uses a different key for the decryption and another key for the encryption. The Hash Functions uses math to transform information to an irreversibly encryption. The secret key cryptography algorithms that are used currently are the Data Encryption Standard (DES) which was created by IBM in the 1970's and had been accepted by the National Institute foe Standards and Technology. Unfortunately the Electronic Frontier Foundation created a machine which decoded the DES-encryption within 56 hours. DES, 3DES, and WEP are still being use today but they all have been broken into. A more current cipher is called
Advanced Encryption Standard (AES) which was adopted by the United States Government in 2002 and are believed to be unbreakable. AES was developed by Vincent Rijmen and Joan Daemen, two Belgian cryptographers, which system "uses a block size of 128 bits with a variable key length of 128 bits to 256 bits…Rijndael uses a substitution-permutation network. This substitution-permutation network allows Rijndael to perform fast in both software and hardware applications. Rijndael is simple to implement and uses very little system memory". [5]
So how are we going to advance into a future of secure information technology? The Greater San Antonio Chamber of Commerce meeting on IT security believes that it going to have to be a balance of joint efforts between individuals, universities, and corporations working together to develop the leadership needed to create custom solutions. Corporations are not finding the type of graduates that can handle developing their IT security for their future needs. Universities are networking with the Corporate World to design educational programs for their students that will guarantee them a successful high demand career when they graduate. By bringing their efforts together, they are hopeful to fill the void they are now experiencing in their work place.
At the University of Georgia, they offer a Security Awareness Training and Education (SATE) program. This program is design to make people aware of any security risks so that they can take steps to prevent the threat of cyber-criminals or hackers from doing damage on their system. SecureUGA is University of Georgia's training program that teaches everyone to be aware of IT security invasions. By educating the employee on what to look for with regard to cyber-criminals, SecureUGA trains people to be accountable and proactive in stopping these invasions in their organization. There are three elements that create the foundation to this program; policy, technology, and people. People must be prepared to deal with security threats. They prepare by understanding how these threats occur by getting the appropriate training and create policy's that will build a stronger infrastructure in their organization. The University of Georgia believes that all department heads as well as all employees should have continuing education in IT security in order to keep up with the latest techniques in combating the criminals that want to invade your computer systems. [6]
Susan Cramm, an expert on IT security, believes that there are seven objectives a company will need to consider if they are going to be successful in having a secure technology platform which include; increase IT education, manage company data, use innovative toolkits, have a model for change and growth for technology, be selective of your IT products, use outside technology, and have systems in place for the unexpected.
Because of how fast technology is developing, there is no clear road map to give us the exact direction or future plan of how to continually maintain our IT security. People in your organization should be educated on their technology so your IT department can spend time developing a security plan of action. Because of the amount of data storage is growing at 80 % per year, organization need a system that can sort through and discard unneeded information. Then use a private cloud to secure the information that is of value to your company. Don't use generic fixes when employees need to modify processes in real time, instead allow the employee to test and experiment with new ideas to create new solutions. A company does have to design a system to support the future changes and grow of their information technology. It is important to allow management a choice on which technology they think would be the best for their business. Also, IT personal need to be able to use external provides to help take the load off their shoulders. Some companies may need to use off-shoring, systems integrators, or cloud computing to help achieve the security level they need in this fast developing world of technology. Finally, try to create systems that control risks and help predict future needs. [7]
