Showing posts with label Malware. Show all posts

February 8, 2008

Internet Apocalypse and Enterprise Architecture

It is the 21st century and we are a nation dependent on everything internet. We rely on the internet for communications, like email, text messaging, and even voice over IP. We also use the internet for getting news and information, social networking, storing and sharing blogs, videos, music, and photos, accessing various applications, shopping, and conducting financial transactions.

What happens if the internet is attacked or otherwise fails us?

This is the question asked in ComputerWorld, 21 January 2008: “If the internet goes down will you be ready?”

ComputerWorld states: “It’s likely that the internet will soon experience a catastrophic failure, a multiday outage that will cost the U.S. economy billions of dollars. Or maybe it isn’t likely. In any case, companies are not prepared for such a possibility.”

The Business Roundtable says: “The threat is ‘urgent and real.’ There is a 10% to 20% chance of a ‘breakdown of the critical information infrastructure’ in the next 10 years brought on by ‘malicious code, coding error, natural disaster, [or] attacks by terrorists and other adversaries.’”

What will be the effect of a major internet interruption?

“An internet meltdown would result in reduced productivity and profits, falling stock prices, erosion of consumer spending, and potentially a liquidity crisis.” It would disrupt our everyday ability to communicate, get and share information, work and conduct transactions. And let’s not forget the effect on the human psyche—there would be chaos.

Why have we not prepared ourselves adequately?

The Business Roundtable says that “business executives often fail to realize how dependent they have become on the public network—for email, collaboration, e-commerce, public-facing and internal Web sites, and information retrieval by employees.”

Where are we most vulnerable?

The Internet Corporation for Assigned Names and Numbers (ICANN) says that “the Internet is pretty robust at the physical layer. There are just too many alternate paths available. But the Internet is not so robust at other layers.” Hence, the risk of operating system failures, penetration by worms, and denial of service attacks.

Is there any reason for optimism?

The CIO of Yuma County, Arizona, reminds us that the Internet “having been based on the Arpanet [from DoD] and designed to keep functioning when pieces are broken, it seems less likely that the entire Internet would stop working.”

What can enterprises do to prepare for the worst?

Of course, all organizations need to fully address security concerns in terms of managerial, operational, and technical controls.

They need the best and brightest security personnel.

Additionally, they need to perform regular risk assessments, vulnerability testing, intrusion detection and prevention, back-up and recovery.

They need to have strict access controls, security awareness training of employees and contractors, and an IT security policy.

Our organizations need a commitment to continuity of operations planning (COOP).

ComputerWorld points out that the financial services sector is out in front in making preparations. Here are some of the architectural preparations that financial companies have undertaken:

  • Dedicated networks—“set up dedicated networks independent of phone companies.”
  • Guaranteed diverse routing—“negotiate more aggressively with communications companies to guarantee diverse routing.”
  • Geographic dispersal—“separate data centers and communications centers more widely geographically.”

In general, enterprises need “diversity and redundancy” of communications.

Most importantly, we need to recognize the risks out there and prepare, prepare, prepare.



January 29, 2008

Intrusion-Prevention Systems and Enterprise Architecture

Firewalls have traditionally been used to “wall off” the enterprise from computer attack, but now intrusion-prevention systems are augmenting the organization’s defenses.

The Wall Street Journal, 28 January 2008, reports that “intrusion prevention systems promise an even smarter defense” than firewalls.

Firewalls are intended to keep intruders out. However, because certain traffic, such as email, needs to get through, holes or open ports allow in traffic that can carry viruses or malware into the network.

Intrusion-prevention systems work differently—they don’t wall off the enterprise networks like firewalls, but rather, like a metal detector, they filter or scan every piece of traffic entering the organization for suspicious activity, and reject any item that is identified as a threat.

According to Wikipedia, “Intrusion prevention systems (IPS)... [are] a considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done.”

Intrusion-prevention systems can be hardware that is physically attached to the network or software that is loaded onto individual computers.

Are intrusion-prevention systems really necessary?

Yes. “According to the Computer Security Institute 2007 Computer Crime and Security Survey, the average annual loss suffered by U.S. companies from computer crime more than doubled last year to $350,424 from $168,000 in 2006. And these reported losses tend to underestimate the number of attacks.”

A Gartner analyst recommends antivirus on PCs and an intrusion-prevention system on the network.

Are there any problems with intrusion-prevention systems?

One of the biggest issues is false positives, which, if not adjusted for, will block desired incoming traffic. One way to handle this is to use the intrusion-prevention system to “detect threats and flag them,” rather than simply block them altogether. Additionally, the organization can adjust the filters that it may not need. This is the tuning required to ensure performance in terms of network speed and an appropriate level of filtering.
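The difference between a port-based firewall decision and a content-based IPS decision, and the effect of tuning a noisy filter from "block" to "flag", can be seen in a small sketch. This is an added example, not part of the original post; the signatures, port policy and traffic are constructed for illustration.

```python
import re
from dataclasses import dataclass

ALLOWED_PORTS = {25, 443}  # assumed firewall policy: mail and HTTPS are open

@dataclass
class Signature:
    name: str
    pattern: re.Pattern
    action: str  # "block" rejects the item, "flag" passes it but raises an alert

# Constructed signatures: one precise, one overly broad (prone to false positives).
SIGNATURES = [
    Signature("test-malware-marker", re.compile(rb"CONSTRUCTED-MALWARE-MARKER"), "block"),
    Signature("exe-mention", re.compile(rb"\.exe\b", re.I), "block"),
]

def firewall_allows(port: int) -> bool:
    """Port-based decision: the payload is never examined."""
    return port in ALLOWED_PORTS

def ips_inspect(payload: bytes, signatures):
    """Content-based decision. Returns (verdict, names of matching signatures)."""
    alerts, verdict = [], "pass"
    for sig in signatures:
        if sig.pattern.search(payload):
            alerts.append(sig.name)
            if sig.action == "block":
                verdict = "block"
    return verdict, alerts

def process(traffic, signatures):
    """Run each (port, payload) item through the firewall, then the IPS."""
    return [ips_inspect(payload, signatures) if firewall_allows(port)
            else ("firewall-drop", []) for port, payload in traffic]

def tune(signatures, name, action):
    """Return a copy of the rule set with one signature's action changed."""
    return [Signature(s.name, s.pattern, action if s.name == name else s.action)
            for s in signatures]

# Constructed traffic: (destination port, payload)
TRAFFIC = [
    (23, b"telnet login attempt"),                                # closed port
    (25, b"Subject: invoice\r\n\r\nCONSTRUCTED-MALWARE-MARKER"),  # threat on an open port
    (25, b"Subject: IT notice\r\n\r\nDo not open setup.exe attachments."),  # legitimate mail
    (25, b"Subject: lunch\r\n\r\nNoon?"),
]

if __name__ == "__main__":
    print("default:", process(TRAFFIC, SIGNATURES))
    print("tuned:  ", process(TRAFFIC, tune(SIGNATURES, "exe-mention", "flag")))
```

With the default rules the legitimate IT notice is blocked by the broad filter; after tuning it is delivered and still recorded as an alert, while the real match stays blocked.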

If your organization is not using an intrusion-prevention system, this is something your enterprise architecture needs to plan for and implement ASAP.



December 11, 2007

Information Security and Enterprise Architecture

Information security is generally considered a cross-cutting area of enterprise architecture. However, based on its importance to the overall architecture, I treat information security as its own perspective (similar to performance, business, information, services, and technology).

According to the Wall Street Journal (WSJ), 11 December 2007, professional hackers are getting smarter and more sophisticated in their attacks and this requires new IT tools to protect the enterprise. Here are some of the suggestions:

  1. Email scams—“hackers have responded to improved filtering software and savvier population by aiming their attacks at specific individuals, using publicly available information to craft a message designed to dupe a particular person or group of people.” In response, organizations are installing antivirus and antimalware software from multiple vendors to increase the chance that an attack that gets by one security software product will be stopped by one of the others. These products can be obtained from vendors like Sophos, Sybari, Microsoft, Symantec, and McAfee.
  2. Key loggers—“one common form of malware is a key logger, which captures the user names and passwords that an unsuspecting computer user types, and then sends these to a hacker.” However, software from Biopassword Inc. can thwart this by recording employees’ typing rhythms, so that even a hacker that knows a username and password is denied access if he types too fast or too slow.
  3. Patrolling the network—hackers who get past the firewall often have free rein to roam once inside the network. However, CoSentry Networks Inc. has a product that imposes controls on where a user can go on the network, so even someone with a valid login will be prevented from snooping around the network or accessing information from an unapproved location.
  4. Policing the police—one of the biggest threats to an enterprise is from the insiders, employees who have access to the systems and information. Software from Application Security Inc., however, monitors access, changes, repeated failed logins, and suspicious activity and notifies the designated security officer.

From a user-centric EA standpoint, information security is paramount to protect the enterprise, its mission execution, its employees, and stakeholders. As the WSJ points out, “breaches of corporate computer security have reached epidemic proportions. So far this year more than 270 organizations have lost sensitive information like customer credit-card or employee social security numbers—and those are just the ones that have disclosed such incidents publicly.” EA must help the chief information security officer to identify these enterprise security threats and select appropriate countermeasures to implement.

