CORDIS - EU research results
Content archived on 2023-03-01


Risk control

Security experts anticipate a significant increase in computer crime. The task of identifying potential risks and ensuring that company data are adequately protected is a top management priority.

Leonardo DiCaprio, alias Frank W. Abagnale Jr., strides confidently through every checkpoint, duping security guards by pretending to be a doctor, lawyer or copilot for a major airline. In Steven Spielberg's film Catch Me If You Can, Abagnale represents the perfect con man, a master of deception who always keeps one step ahead of his pursuers. "The story is based on true facts, and is a remarkable case study of the methods used to circumvent security systems," comments Dr. Christoph Thiel of the Fraunhofer Institute for Software and Systems Engineering (ISST). Corporate security and safety strategies are all too often based entirely on technological fixes that are not sophisticated enough to protect the complex IT infrastructures used to manage sensitive business processes. Virus scanners and firewalls alone are not sufficient; it takes a comprehensive security policy to minimize the risk to the company.

The solution proposed by scientists at the ISST is called the Security Management Framework (SMF). It works with data representing past and present risk factors and the associated countermeasures. SMF helps to keep an eye on all corporate processes and assures their inviolability. Security audits have to be repeated on a regular basis to keep up with the constant redefinition of IT standards and the corresponding legislation. It is not easy to retain a complete overview of corporate processes, the vast range of software and hardware products, and amendments to statutory requirements, all at the same time. But it has to be done. The German legal system already prescribes a set of data protection requirements designed to provide adequate control and transparency of business processes.

Greater management security

"If damage is incurred as a result of breaches in security, it is no longer possible to shift the responsibility away from the company's employees, business partners and customers onto the insurance company or the chief information officer (CIO)," warns Prof. Heinz Thielmann, director of the Fraunhofer Institute for Secure Telecooperation (SIT). The number of possible risks to a company has multiplied. Board members and executive officers can be prosecuted for failing to protect their company against threats to security. They are also legally obliged to investigate all security violations and to safeguard evidence. Hence Professor Thielmann's appeal for more reliable security management systems which also protect the staff involved. "Security is a management responsibility: investments in IT security must be taken just as seriously as investments in quality assurance, for both are essential to business results," he emphasizes. "We refer to this benefit as return on security investment, or ROSI." Encouraging greater awareness of security issues is one of the basic elements in ensuring a company's commercial success.

Safeguarding critical infrastructures

In the case of power and water utilities or the chemical industry, large-scale security measures are absolutely vital. Other critical infrastructures on which our daily lives depend include telecommunication networks, road transportation and banks. Conscious of the need to assure the long-term protection of these vital service networks, researchers at the SIT and the Fraunhofer Institute for Experimental Software Engineering (IESE), together with international partners, are attempting to identify potential weaknesses in the associated IT systems. "As part of the EU-sponsored research project ACIP, or Analysis & Assessment for Critical Infrastructure, we are analyzing various menacing situations, and developing protective mechanisms and methods of anticipating and blocking off attacks on computer networks," reports Dr. Rolf Reinema of the SIT. "We have been investigating business processes used by companies in a variety of countries, to determine what resources and what types of protection are likely to be needed in future."

The initial results indicate that too much attention has been paid to individual aspects of IT solutions, and that the need for an all-round security policy has often been overlooked. There is a considerable need for adaptable defense mechanisms capable of dealing with highly complex IT processes. Even the use of independently operating IT systems can help to improve security. But the best guarantee is provided by coordinating physical access controls and IT security measures, together with the establishment of international standards. For this reason, the researchers are drawing up a European security roadmap.

A holistic security policy

Small businesses are highly susceptible to outside threats, and their very existence can be placed at risk by a computer system crash or industrial espionage. In the best case, a company will have an emergency plan and a backup system to save data in the event of a serious outage. But how long will it take to recover all of its important data after a failure, and to restore the processes that will allow the business to keep running? The management may be faced with considerable repair costs and collateral expenses, and may even have to contend with damage to the company's image. A possible solution is offered by COSEDA, the security architecture for networked, heterogeneous systems developed by the Fraunhofer Institute for Computer Graphics Research (IGD). Precautionary measures against new and well-known threats are linked in order to assure the confidentiality of information and the availability of services and resources. "Conventional methods of protection are no longer adequate," says Dr. Christoph Busch of the IGD. The growing use of portable recording devices such as PDAs makes it easy for company secrets to find their way into the wrong hands. The Fraunhofer system blocks unauthorized transfers of data from a desktop computer to a PDA, and provides additional features to safeguard confidential data. For instance, security profiles are used to automatically encrypt e-mails. The system runs independently of other software applications and can be integrated into all common operating systems.

And if, after all, the worst happens? "The whole art consists in being able to deal with risks in a credible manner. A ship in a harbor is safe, but that is not what ships are built for," recites Prof. Dieter Spath, director of the Fraunhofer Institute for Industrial Engineering (IAO), outlining his holistic view of security in the enterprise. The chief executive of a business has to be capable of reacting immediately to signs of intrusion by hackers. According to IT experts, roughly 98 percent of cases of Internet crime are discovered purely by chance. And many cases are not reported, for fear of damaging the company's image. This allows the culprits to avoid detection and draw other victims into their web of criminal activity. "Even if a company manages to identify the suspect and initiate criminal proceedings, the prosecutors usually have little chance of proving the accused party's guilt, because all supporting evidence has been destroyed in a misguided rush to repair the damage," says Spath. As part of the EU-sponsored project CTOSE (Cyber Tools On-Line Search for Evidence), researchers at the IAO are developing a reference model for dealing with such attacks, including unimpeachable documentation of the event and securing evidence for use in legal proceedings. A security policy can be backed up by information logistics and early-warning defense systems. IT security management means being prepared, and prevention is better than cure.

For more information:

Prof. Dr. Heinz Thielmann
Phone: +49 / 61 51 / 8 69-2 81
E-mail: heinz.thielmann@sit.fraunhofer.de
Fraunhofer-Institut für Sichere Telekooperation SIT
Rheinstraße 75
D-64295 Darmstadt

Prof. Dr. Dieter Spath
Phone: +49 / 7 11 / 9 70-21 24
E-mail: presse@iao.fraunhofer.de
Fraunhofer-Institut für Arbeitswirtschaft und Organisation IAO
Nobelstraße 12
D-70569 Stuttgart

Dr. Christoph Busch
Phone: +49 / 61 51 / 1 55-1 46
E-mail: bernad.lukacin@igd.fraunhofer.de
Fraunhofer-Institut für Graphische Datenverarbeitung IGD
Fraunhoferstraße 5
D-64283 Darmstadt

Dr. Christoph Thiel
Phone: +49 / 30 / 2 43 06-2 00
E-mail: ines.jansky@isst.fraunhofer.de
Fraunhofer-Institut für Software- und Systemtechnik ISST
Mollstraße 1
D-10178 Berlin

Dr. Reinhard Schwarz
Phone: +49 / 63 01 / 7 07-1 60
E-mail: petra.steffens@iese.fraunhofer.de
Fraunhofer-Institut für Experimentelles Software Engineering IESE
Sauerwiesen 6
D-67661 Kaiserslautern

Country

Germany