AEPOS Groupe ADGA Group

Why IT security?

Information security can mean many things; however, the fundamental principle is that valuable information and assets are worth protecting. Managing risk means that vulnerabilities in systems and IT environments are understood and that steps are taken to mitigate or accept risk. Accepting risk must be an informed decision made by senior managers.

There are security requirements in both the private and public sectors, which must be balanced with the needs of the business. The Government of Canada Security Policy, the Access to Information Act, and the Personal Information Protection and Electronic Documents Act (Bill C-6) all speak to the statutory obligations to ensure appropriate security in the collection, use and disclosure of personal information. In addition to these legal obligations, the protection of information demands continuous risk management, due diligence and industry best practices to safeguard Information Technology systems and information. It's the secure way of doing business.

The need for IT security is ever present. Government of Canada (GoC) Internet sites have been the well-publicized victims of hacker attacks originating both inside and outside Canada. To objectively assess the level of threat to the GoC Internet points of presence, the Communications Security Establishment (CSE) conducted a study in 1999 to collect threat data. CSE installed an intrusion detection system (IDS) at the Internet point of presence of six federal departments. Of the 160 IDS signatures, forty-four were disabled to minimize the inadvertent capturing of user data.

During the two-month data collection period, more than 80,000 alarms were collectively generated at the six sites. Analysis of the data identified that 531 of these alarms constituted malicious incidents. Eighty-nine percent of these incidents were determined to be attackers seeking to identify the vulnerabilities of potential targets, while the balance of eleven percent were determined to be denial of service attacks (34 incidents) or attempts to gain unauthorized access (11 incidents). Of the 531 incidents, nineteen were assessed as serious attempts to breach security requiring follow-up investigations.

Overall, security in cyberspace will get worse before it gets better. There is an increasingly perceived need for improved security in cyberspace, a growing demand for a variety of cyberspace protective activities, and an increased willingness to fund such activities, but these are tempered by the financial realities of the current times.