
CurzTech News Network



OSAC Item: Are You Trained for Cyber war?
from Managing Information Strategies on Tuesday, April 01, 2003

Investing in your Computer Emergency Response Team (CERT) will stand your business operations in good stead when hackers strike.

Investing in the education and training of a Computer Emergency Response Team (CERT) is one of the most important parts of a company's information security commitment. And with the hacker world progressing so rapidly, it should be an ongoing process.

The industry abounds with training and accreditation for information security professionals. Of these, perhaps the two most widely recognised are the Certified Information Systems Auditor (CISA) certificate from the Information Systems Audit and Control Association, and the Certified Information System Security Professional (CISSP) qualification.

Staff need not be experts

To even get to certification levels, an information security professional is likely to have had extensive hands-on experience in the information security area. And the experts agree there is nothing like on-the-job training.

Many CERT members within organisations may not have either the CISA or CISSP qualifications. They may simply be network infrastructure managers who know what to do in a crisis. In that case, they should know where to go to find specialised skills to help them through any situation.

Emphasising the point, Eddie Chau, CEO of Singapore-based managed security services company e-Cop.net, claims that despite getting formal training on top of their on-the-job experience, an organisation's CERT members cannot hope to be experts in information security, simply because they are not exposed to intrusions on as regular a basis as his staff at e-Cop.

He says: "Last year, we received more than 100 million incidents, and our command centre may receive half [a million] to one million incidents a day. There are so many and they are so diversified that it has accelerated our training.

"We also give three monthly in-house examinations to all our staff."

He believes the information security skill is the ability to accurately audit a company's systems, looking not just at the technical aspect but also policy and procedures. "We need to understand security not only in terms of product but also from the application, network security and policy angle."

Gartner research director Steve Bittinger agrees that best practice is not to let your CERT members handle security incidents by themselves. Their response must be coordinated within a structure that includes outsourcing providers and the global information security community.

He says: "You can't afford false opinions about how good your security expertise is in-house. You have to be in contact with some true gurus out there in the world of best practice security. So when you have a problem, you can tap one of those guys on the shoulder or tap into that flow of information.

"It doesn't mean you have to have people who are world-class security experts on your team. Best practice simply says you need [staff] with normal duties relating to infrastructure, who are nominated and trained to take action. And that means knowing who to call in an emergency."

How some do it

Given the critical nature of information security, staff training is one of the most strategic aspects of the task. While they need not be experts, employees should be trained on how to take action in the event of an incursion.

Financial institutions definitely see the significance of training. Singapore's DBS Bank, United Overseas Bank and ABN AMRO strongly encourage their staff to pursue professional certification courses like CISA and CISSP. DBS managing director and head of corporate security Ng Peng Khian holds a CISA qualification and believes strongly in keeping his CERT team up to date with the latest trends. "We regularly send this specialised group for external seminars, some training workshops and whenever there are qualified security experts passing through Singapore, we meet with them."

Within the bank, DBS has set up a laboratory for the CERT members to test software and new ideas on intrusion detection techniques. Ng says: "This is a way for them to continually sharpen their skills. We also provide computer forensic tools for them to do that." In addition, the team meets regularly with CERT bodies worldwide.

ABN AMRO sends its IT team for certification examinations at least once a year. The bank has two levels of security training. A generic level is targeted at all staff to achieve a common level of security awareness. The certified security professionals normally have to attain a certain number of "Continuing Education Hours" per year in order to retain the certification.

Says Vincent Lew, ABN AMRO's regional head of technology risk management, wholesale clients, Asia-Pacific: "The objectives of such training are twofold: keeping up to speed with the latest security issues and technology, and maintaining and building networking relationships with our counterparts for knowledge exchange."

Lew notes that both the latest and time-tested tools are in place to address all known security threats, and the bank keeps in line with regulation requirements and industry practices. "But there is no such thing as 100 per cent security, and with cyber terrorism and virus attacks on the increase, we have increased our level of awareness and vigilance to intercept and arrest any event before damage can be done."

At SingTel's Managed Hosting Services unit, senior manager of product development Max Neo says training is in two areas: on-the-job experience, and more formalised training built around industry seminars.

"On-the-job training is nuts and bolts stuff—what to do if equipment breaks down, how fast and quick can our security team swing to another network, or how to resume business operation," says Neo. "On top of that, we are always watching industry trends, and analysing attack patterns which are occurring elsewhere.

"We need all this information so we know which counter-procedure we have to put in place, so training is a very strategic part of keeping the team going."

Conduct drills and tests

Penetration-testing and simulations are also important to the training regime, like fire drills or practice matches. Many large companies regularly engage teams of consultants—often former hackers—to try and hack into their systems as a training exercise.

Another big part of security vigilance is to cope with physical intruders, who may try and "sweet talk" their way into a secure area by pretending, for example, to be a friend of an employee.

"Send people in to try and gain access to the network, and see how ready your staff are," Bittinger advises. "Get someone to call up and find someone else's password, or send someone dressed convincingly in a suit to try and take away a personal computer and test your organisation's security culture."

e-Cop's Chau meets former hackers on occasion to discuss security issues. "The more exposed you are, the better prepared you are going to be," he says.

In the end, IT heads need to make sure they have a security-aware culture and that all staff observe the policies and guidelines in place.

Additional reporting by Joyita Haldar and Irene Tham

This story was found at: http://www.misweb.com/magarticle.asp?doc_id=21580&rgid=5&listed_months=0

(c) 2001 Fairfax
