Even small businesses should create computer security teams

February 10, 2004

COLUMBUS, Ohio - With computer viruses and other Internet attacks on the rise, even small businesses should create dedicated security teams to minimize the financial and political fallout from these incidents, according to a new book.

A senior security engineer at Ohio State University has joined with a director of security operations for a Fortune 500 company to explain how businesses can create such teams. The book is The Effective Incident Response Team (Addison-Wesley 2004, ISBN 0-201-76175-0).

Brian Moeller of Ohio State said he and coauthor Julie Lucas wrote the book primarily for office managers -- the people who often bear the responsibility of creating and supervising a computer incident response team (CIRT), even though they may have no technical background in the area.

As a result, the book offers step-by-step details ranging from how to protect a computer network from attack, to how to write an effective computer use policy for employees.

For readers who want to persuade upper management to invest in computer security, the book makes a convincing case. One chapter outlines the costs of computer crime, including a 2002 survey by the Computer Security Institute and the FBI that found that such crime has cost American businesses nearly $1.5 billion since 1997.

Computer security threats can come from inside or outside a company, and vary from unauthorized access to information to denial-of-service attacks that shut down a network, Moeller explained. And theft of business intelligence or lost hours of operation can end up costing a business more than just money.

"The big lessons here are that preventing computer attacks is really worthwhile, and having clear policies that employees can follow is worthwhile, too. Those things sound very easy, but it's sometimes a challenge to actually implement them," Moeller said.

Other chapters cover a wide variety of CIRT issues, such as how to form a CIRT team, define its mission, and work with law enforcement. The book offers lessons in security terminology, walks readers through a typical security incident, and includes copies of relevant federal codes for cyber crime.

Still, the book isn't meant only for managers who don't know a packet sniffer from a port scan. (The former is a program that eavesdrops on the activity in a computer network; the latter is similarly malicious software that probes the outskirts of a network for points of weakness and, ultimately, illegal entry.) Even businesses with established CIRT teams can still have something to learn, Moeller said.

For instance, one question managers face when budgeting for a CIRT is which security tasks to perform in house, and which ones to outsource.

One job that companies may want to outsource is computer forensics, Moeller said. Just as the police rely on forensic scientists for crime scene investigation, so should businesses when an employee has used a computer to commit an illegal act. In that case, evidence must be carefully gathered from the computer and the area around it -- and that takes expertise.

"When you don't have incidents that require forensics very often, it's hard to keep up with forensics technology," Moeller said. "So if you can't justify the expense of maintaining a full-time forensics capability, it may be more cost effective to outsource."

Years as a computer security consultant have helped Moeller formulate some general advice.

"What people really need to do is look at their information technology infrastructure and think about what's important to them," he said. "They should make sure they're backing up their data, patching their networks, and managing users."

Moeller says many common mistakes are easily solved. For instance, many companies don't automatically cancel an employee's access to the network after the employee has left the company.

"I've worked with companies that have never removed a user, even after they've been gone for years," he said.
Contact: Brian Moeller, (614) 247-7136, moe@net.ohio-state.edu

Written by Pam Frost Gorder, (614) 292-9475; Gorder.1@osu.edu

Ohio State University

Related Computer Security Articles from Brightsurf:

UCLA computer scientists set benchmarks to optimize quantum computer performance
Two UCLA computer scientists have shown that existing compilers, which tell quantum computers how to use their circuits to execute quantum programs, inhibit the computers' ability to achieve optimal performance.

Computer-based weather forecast: New algorithm outperforms mainframe computer systems
The exponential growth in computer processing power seen over the past 60 years may soon come to a halt.

Focus on food security and sustainability
The number of malnourished people is increasing worldwide. More than two billion people suffer from a lack of micronutrients.

Eliminating infamous security threats
Speculative memory side-channel attacks like Meltdown and Spectre are security vulnerabilities in computers.

UBC study: Publicizing a firm's security levels may strengthen security over time
New research from the UBC Sauder School of Business has quantified the security levels of more than 1,200 Pan-Asian companies in order to determine whether increased awareness of one's security levels leads to improved defense levels against cybercrime.

Discovery casts dark shadow on computer security
Two international teams of security researchers have uncovered Foreshadow, a new variant of the hardware vulnerability Meltdown announced earlier in the year, that can be exploited to bypass Intel Processors' secure regions to access memory and data.

Shh! Proven security for your secrets
Researchers show the security of their cipher based on chaos theory.

A library for food security
Researchers are uncovering the genome of cowpeas, also known as black-eyed peas, in response to challenging growing conditions and the need for food security.

Bring your own (security) disaster
Bring your own device (BYOD) to work is common practice these days.

'Security fatigue' can cause computer users to feel hopeless and act recklessly
A new study from National Institute of Standards and Technology researchers found that a majority of the typical computer users they interviewed experienced security fatigue -- weariness or reluctance to deal with computer security -- that often leads users to risky computing behavior at work and in their personal lives.

Read More: Computer Security News and Computer Security Current Events
Brightsurf.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.