Fortifying My Doghouse while Thieves Steal My Computer
John D. Johnson 2000-06-30

Introduction

In the last few years we thought that fortifying our network perimeter would keep all the bad people out of our computers and the data on our networks. What we forgot to consider was how the threat had changed: accidents by insiders, insiders who abuse their legitimate access for malicious purposes, and outside bad guys and gals who compromise user accounts and log on as your own personnel.

Lessons of History

Throughout history we see examples of ways that people prepare defenses for an opponent only to be compromised in a totally different way. Examples include the first introduction of a Trojan horse by the Greeks into the network servers managed by the City of Troy in order to retrieve the Helena program files. Another example is the French attempt during the 1930s to build a huge firewall across their border with Germany to keep German macro viruses out. Unfortunately, their firewall was not configured to block German attacks from a different IP address and new variants of their computer viruses.

What the defenders failed to realize, and what many of us today still fail to realize, is that they were developing defenses and security plans based on an outdated risk assessment. The French formulated their security plan for the Maginot Line on a risk assessment based on the German Army of World War I. They failed to update their assessment periodically to integrate new technologies (like new tank and plane designs and capabilities) or changes in the German Army, such as the development of mobile offensive tactics to breach defenses or to go around fortifications like the Maginot Line.

Are your cyber defenses based on the threats and vulnerabilities of the last century? Are you integrating a more defense-in-depth approach, adjusting to changes in technology and methods of attack by Internet threats and protocol vulnerabilities?

Determining Risks

To properly assess the status of your company network and its ability to protect Information Technology (IT) resources and critical data, conduct a risk assessment. From the information you collect, do an analysis of the risk to determine those you can eliminate or mitigate with cost-effective security measures, and select risks you are willing to accept due to their low probability of occurrence or prohibitive cost of countermeasures. All of this data is then used to develop your network security plan. Ensure that periodic updates, not to exceed three years, are conducted to keep your plan current and realistic to the IT environment you are operating in.

Planning should always be the "cornerstone" of your IT security program, with the flexibility to make needed changes as risks change and ensure that established safeguards are enforced to prevent leaks or security holes in your network protection.

Training your employees and managers on security issues and on what to do during incidents or emergencies is another measure for protecting your company's IT investments. You can't expect your employees to follow what they don't know. An often overlooked factor in IT security is contingency planning.

Risk management involves risk analysis, cost benefit analysis, selecting appropriate countermeasures, implementing countermeasures, testing and evaluating effectiveness of security measures, penetration testing, systems review and contingency planning.

Security of network functions involves conducting assessments of potential operating system and network protocol weaknesses, correction of any security problems or issues, constant monitoring of network activity, and implementation of security mechanisms to protect all components of electronic transactions. Security technologies and procedures that provide secure operations exist; the challenge is getting them implemented more widely.

Perception of Value

During the Cold War, many of us in the government practiced risk avoidance rather than risk management. Potential threats were more central to our security strategies than the probability of their occurrence. Add the continuous efforts of foreign intelligence services and it is easy to understand the lengths we went to in protecting critical national security assets. With the end of the Cold War, we had to start reassessing our security measures in light of decreasing resources and a reduced perceived threat. We found in some cases that we were spending, for example, a million dollars to protect an asset valued at only $100,000. The ratio did not make sense. Therefore, a new emphasis on risk management instead of risk avoidance has given us a new approach: employing cost-effective security measures to give management more "bang for the buck."

Placing a value on the assets of your organization can be a subjective process, but it is necessary. After all, if you don't fully understand what you are protecting, or its value, you cannot determine what it is worth spending to protect it, and you may run into problems justifying the effort. For example, would your company spend a sizable amount of money protecting the $500 E-machine on your desk? How about if it held irreplaceable proprietary data for a contract worth about $2 million? If you were protecting a diamond worth $10 million, would your company allocate only $100 for its protection? Has data that would cost $20,000 to replace been sufficiently protected by spending $5,000? It depends.

For intangible assets such as software, data or documentation, the value can be determined by their importance or replacement costs in terms of resources, including the time your staff spends to reenter any data or reload programs or applications. Estimating value is a difficult process in some cases. Tied into estimates are revenue losses when lost data causes any disruption to business functions or missed deadlines to clients. Placing data into categories for determining its priority would aid in estimating its value. Possible categories include financial, administrative, proprietary, client, technical, research or personal data of employees. The bottom line is giving a value to data in terms of its impact resulting from any loss, misuse, modification or unauthorized access, especially by competitors.

The initial step in risk management is conducting a risk analysis of your network environment: identifying the assets that are at risk, identifying and analyzing threats and vulnerabilities, and determining whether current countermeasures are adequate.

Organizing Your Data

Identifying tangible and intangible assets within the enterprise is the risk analysis team's next step. Tangible assets such as information or data, hardware, software, facility and documentation resources possess a certain value to the company. Intangible assets such as personnel, morale and reputation are evaluated as well.

Step one in risk analysis is to identify assets and the impact of their loss:

  • You must determine what assets are critical enough to require protection.
  • Identify the undesirable events your security measures need to avoid and their expected impact on your assets.
  • Put a priority or value rating on each asset based on their importance to your business or the consequence their loss would have on your business.

When organizing your asset information, the following categories help provide a starting point for your data collection efforts, adding more or less as needed:

DATA - Information essential to company functions and business operations.

  • Proprietary data
  • Sensitive data
  • Administrative data
  • Employee records
  • Public information

HARDWARE - Systems and equipment for company functions.

  • Network servers
  • Desktop or other systems, including laptops/notebooks/Palm Pilot™-type systems
  • Peripheral equipment (printers, scanners, etc.)
  • Office equipment
  • Office furniture

SOFTWARE - Licensed software for company functions.

  • Administrative software
  • Network management software
  • Business software
  • Training software

FACILITIES - Company-owned or leased facilities.

  • Buildings - Office
  • Buildings - Warehouse
  • Other facilities

DOCUMENTATION - Records, magnetic storage media, audio and videotapes and other documentation for business operations.

  • Record files
  • Hard-copy documents
  • Web site information
  • Information stored on magnetic media (CD-ROM, diskettes, tapes, etc.)
  • Information stored on systems (desktops, notebooks, etc.) or network servers
  • Other records - video
  • Other records - audio

PERSONNEL - Company personnel

  • Full-time employees
  • Part-time employees
  • Temporary employees
  • Contractors/consultants
  • Senior management personnel

OPERATIONS - Core business functions and day-to-day operations.

  • Company internal functions
  • Client/customer support
  • Supplier/vendor relations
  • External communication links
  • Internal communication links

Security Issues and Measuring Their Impact

Always remember, applying security to protect something, including a network or computer, is a process, not a goal. That's right. Repeat after me. Security is a process, not a goal or the blame for not implementing enough protection.

The growth of network transactions, including on the Internet, is changing the way that businesses interact with each other. Protection of IT resources requires firewall implementation to enforce access rules based on security policy, encryption and authentication to protect vital data, and adherence to fundamental network security principles. That includes protecting against known vulnerabilities of network protocols and operating systems. Business functions that connect partners and customers using intranets, extranets, web sites, applications and other technologies must be considered in security planning. In addition to access controls and encryption, a security policy, a sound network architecture, and the integration of firewalls and intrusion detection systems (IDS) are essential.

As security professionals, we must focus on cost-effective options for management to select that meet specific and identified threats aimed at our specific and identified vulnerabilities, especially in applying risk management to the enterprise network security posture. This gives management acceptable security protection at reasonable costs.

The Risk Management Process

Risk management is a process for identifying, measuring, controlling and minimizing security risks to your enterprise network. Its objective is identifying specific areas where safeguards will prevent deliberate or inadvertent disclosure, modification, unauthorized use or denial of service of network resources.

Risk management policies use a risk-based approach by conducting risk assessments periodically or when significant changes to the network occur, especially upgrades and modifications.

The risk analysis process involves determining the scope and definition of the risk analysis; evaluating the security environment; asset identification; identifying existing countermeasures; system vulnerability and threat identification; threat and vulnerability analysis; and, risk and impact determination.

Reducing Risks

The risk management process is a continuous effort to determine what requires protection, determine threats and vulnerabilities of any assets, and selecting cost-effective measures to reduce risks to those assets. As circumstances change, risk management looks at the impact of those changes and recommends new measures or elimination of unnecessary controls. The bottom line remains reducing risks at a reasonable cost.

Depending on your approach, there are several automated tools that can help your risk management efforts. Organizing the evaluation data into matrices or tables (depending on the values you assign to your data) helps focus attention on the areas that deserve priority: assets, threats, vulnerabilities, security measure selection and cost benefits, all of which support your recommendations to management. It is always management that will select what measures to implement and what risks are acceptable.

While management will determine the scope and definition of the risk analysis process within the enterprise, evaluating the security environment involves reviewing the operational environment in terms of the sensitivity of information or data within the network. This includes identifying any proprietary or other sensitive information processed or stored on your networks. Determining the level of criticality that the security environment provides to the business process is the next step. Identifying the physical location, complexity and system connectivity are the final steps in this stage.

Existing countermeasures are evaluated to determine their current ability to prevent, detect and recover from unwanted security events, and are organized by type: administrative, physical and technical.

You must then identify system vulnerabilities pertaining to physical, hardware and software, media, electromagnetic emanations, communications links and human factors. Related to a specific asset or undesirable event, identify potential or known vulnerabilities. Evaluate the effectiveness of any current countermeasures that reduce the vulnerabilities. Estimate the level of vulnerability for each specific asset or potential threat.

Identifying Threats

Identify potential threats, broken down by type, the impact they may have on the company, the mechanisms or methods they employ, and the probability of occurrence for each type. Organize threats by category and characteristics, assess the capability of each, determine any previous activity against your company or others, and estimate the level or probability of each specific threat to each critical or non-critical asset.

An unwanted event may range from injury or death of an employee, disclosure of proprietary information, disruption of telephone service, or loss of electrical power or other utilities, to destruction of company equipment by fire or flood. Employee involvement in industrial espionage, letter or package bombs, employee theft of products or equipment, vandalism, and hostile protests against the company in front of your building are other considerations.

Determine the level of risk a specific threat poses to a known or potential vulnerability of a specific asset. The threat and vulnerability analysis reviews the level of a specific threat against a known specific vulnerability to determine the likelihood of exploitation, the ability to penetrate countermeasures, and the resulting changes in impact. The main objective of this step is to determine, in some measurable way, the percentage or level of risk this poses to the enterprise. Further, the risk and impact determination documents probable risks, assigns a priority for implementing countermeasures, and indicates the probable costs and benefits of specific countermeasures.

Determining Countermeasures

Identify potential security measures that reduce vulnerabilities of specific assets, list countermeasures in terms of risk reduction, identify their costs, perform a cost-benefit analysis of the tradeoff, and prioritize options and recommendations for a decision by management. A cost-benefit analysis provides a calculation of the return on investment for the cost of a specific countermeasure versus acceptance of the risk. For example, if the probability of occurrence of a specific threat to a known vulnerability is a small percentage but the cost of implementing an appropriate countermeasure is high, then acceptance of the risk is warranted. On the other hand, if the risk reduction study shows the countermeasure is cost effective and the probability of occurrence of the threat-vulnerability pair is high, then implementation of the countermeasure is justified. However, it is management that makes the ultimate decision on all implementation questions as the final step in risk management. Documentation of these decisions will help in the finger-pointing wars during the aftermath of any compromise of a risk that was deemed acceptable.

Countermeasures are evaluated to determine if additional security measures are available for identified risks and to see if the countermeasures selected will work in the environment. A countermeasure identification matrix is used to evaluate a balance between the types of security controls (administrative, physical, technical) in relation to the type of control objective (prevention, detection/deterrence, recovery). This helps to simplify the process.

The objective of the risk reduction study is to show management the available countermeasures for reducing risks to identified vulnerabilities to known or possible threats. This study includes the risk analysis results, threat and vulnerability scenarios, the results of the cost benefit analysis and the listing of alternative countermeasures.
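The cost-benefit rule and the countermeasure identification matrix described above, as an added worked example that is not part of the original article. It uses the common annualized-loss model (asset value multiplied by the fraction lost per occurrence and the expected occurrences per year), which the article does not name, and every asset, countermeasure and dollar figure is constructed for illustration, loosely following the article's $500 desktop holding data for a $2 million contract.

```python
"""Cost-benefit decision for countermeasures plus a control-type matrix.

Added example, not from the article. The annualized-loss model and all
sample figures are assumptions made for illustration.
"""
from dataclasses import dataclass

# The article's three control types and three control objectives.
CONTROL_TYPES = ("administrative", "physical", "technical")
OBJECTIVES = ("prevention", "detection/deterrence", "recovery")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float       # dollar value: replacement cost or business impact
    exposure_factor: float   # fraction of asset value lost per occurrence, 0..1
    annual_rate: float       # expected occurrences per year (probability estimate)

    def annual_loss_expectancy(self) -> float:
        """Expected yearly loss if the risk is simply accepted."""
        return self.asset_value * self.exposure_factor * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    control_type: str        # one of CONTROL_TYPES
    objective: str           # one of OBJECTIVES
    annual_cost: float       # yearly cost to implement and operate
    risk_reduction: float    # fraction of the expected loss it removes, 0..1

    def __post_init__(self):
        if self.control_type not in CONTROL_TYPES or self.objective not in OBJECTIVES:
            raise ValueError(f"unknown control type or objective for {self.name}")
        if not 0.0 <= self.risk_reduction <= 1.0:
            raise ValueError("risk_reduction must be a fraction between 0 and 1")


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Yearly loss avoided minus the yearly cost of the countermeasure.

    Positive: the countermeasure pays for itself. Negative: accepting the
    risk is cheaper than treating it.
    """
    avoided = risk.annual_loss_expectancy() * cm.risk_reduction
    return avoided - cm.annual_cost


def decide(risk: Risk, cm: Countermeasure) -> str:
    """The article's rule: implement when cost effective, otherwise accept."""
    return "implement" if net_benefit(risk, cm) > 0 else "accept risk"


def prioritize(pairs):
    """Rank candidate (risk, countermeasure) pairs by net benefit, best first."""
    ranked = [(r.asset, c.name, net_benefit(r, c), decide(r, c)) for r, c in pairs]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


def countermeasure_matrix(cms):
    """Control type x control objective grid (the identification matrix).

    Empty cells show where the selected countermeasures are unbalanced.
    """
    grid = {t: {o: [] for o in OBJECTIVES} for t in CONTROL_TYPES}
    for cm in cms:
        grid[cm.control_type][cm.objective].append(cm.name)
    return grid


# Constructed sample data (not from the article).
CONTRACT_DATA = Risk("proprietary contract data on desktop", "theft of desktop",
                     2_000_000, 1.0, 0.05)          # ALE = $100,000/year
FURNITURE = Risk("office furniture", "vandalism", 10_000, 0.5, 0.02)  # ALE = $100/year

BACKUPS = Countermeasure("encrypted off-site backups", "technical", "recovery", 5_000, 0.9)
GUARDS = Countermeasure("24x7 guard service", "physical", "prevention", 30_000, 0.95)
AWARENESS = Countermeasure("security awareness training", "administrative", "prevention",
                           2_000, 0.2)

CANDIDATES = [(CONTRACT_DATA, BACKUPS), (FURNITURE, GUARDS), (CONTRACT_DATA, AWARENESS)]

if __name__ == "__main__":
    for asset, name, benefit, verdict in prioritize(CANDIDATES):
        print(f"{verdict:12} {name:30} net benefit ${benefit:>12,.0f}  ({asset})")
    for ctype, row in countermeasure_matrix([BACKUPS, GUARDS, AWARENESS]).items():
        print(ctype, {o: names or "-" for o, names in row.items()})
```

Running it ranks the backups first (a $100,000 expected yearly loss, 90 percent avoided for $5,000), then awareness training, and marks the guard service as "accept risk" because it would cost $30,000 a year to avoid a $100 expected loss. The matrix printout then shows that nothing selected covers detection, which is exactly the imbalance the identification matrix is meant to expose.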

Deciding Which Doghouse to Paint First

Decisions on which countermeasures to select are determined by priority. The needs of the company, the value of the asset in relation to the risk of losing it, and whether or not the risk is acceptable are the important considerations. You must identify the vulnerabilities to eliminate, evaluate the return on investment in countermeasures, and determine the impact of the cost-effective countermeasures if implemented. Management must then allocate adequate funding to accomplish all these requirements.

When management has selected which risks to accept and which countermeasures to implement, document the decision. This provides a baseline for the next risk analysis to determine what changes, if any, in processes, functions or responsibilities are needed, based on an evaluation of how well or poorly the implemented countermeasures are doing and on any newly identified threats or vulnerabilities.

Risk management is a continuing process but a more cost-effective method than the risk avoidance of the past of over-spending on countermeasures for potential threats and vulnerabilities that had a low probability of occurrence.

The actual application of risk management principles to assessing assets, vulnerabilities, threats, cost benefits, risk reduction and presentation of recommendations to management promotes better security management of your network.

So next time you practice risk avoidance to fortify your doghouse, keep track of who is holding your computer. Risk management is always cheaper than risk avoidance. By the way, I am building a firewall in France, are you available this weekend?

John D. Johnson is currently a senior security analyst supporting NASA Headquarters in Washington D.C. and a former Special Security Officer for the U.S. Government. His ten years in security management, including eight in network security, involved protection of classified and unclassified systems and information, personnel screening for sensitive positions, development of policies and procedures, oversight of network physical security and communications security, budget management for security operations, and conducting security awareness training.



SecurityFocus accepts Infocus article submissions from members of the security community. Articles are published based on outstanding merit and level of technical detail. Full submission guidelines can be found at http://www.securityfocus.com/static/submissions.html.
Copyright 2008, SecurityFocus