The Slammer: Malicious code has emerged as the
single-largest factor behind security breaches. According to the CSI/FBI Survey
2002, more than 94% of large corporations worldwide have had sizeable downtime
and financial losses due to malicious code attacks. As per the recent
CII-PricewaterhouseCoopers Survey, 75% of Indian corporates have had serious
incidences of malicious code attacks "forcing them to shut down external
connections to the Net, resulting in large losses due to downtime and lost
business opportunities". The recent SQLSlammer attack is a case in point.
Electronic Scavenging: Next to security breaches caused by malicious code, the
second major cause of a security breach–often used for corporate espionage–
is ‘electronic scavenging’. Electronic scavenging involves rummaging through
disposed magnetic media for retrieving sensitive data that is left behind on it.
Results from an MIT study, which is being published in the January/February 2003
issue of IEEE Security and Privacy, suggest that the secondary market is
awash with confidential information. Scavenging through the data retrieved from
158 used and formatted disk drives, the students at MIT’s Laboratory for
Computer Science found more than 5,000 credit card numbers, detailed personal
and corporate financial records, numerous medical records, gigabytes of personal
email, and pornography. The intention here is not to scare you. However, if you
are one of those who consider data a critical corporate asset, and essential to
business continuity, read on...
While integrity, confidentiality and availability of the data that a computer
system or a network holds are increasingly becoming the lifeline for any
organization, the growth of threats and vulnerabilities that affect data
integrity, confidentiality, and availability has unfortunately kept pace with
the growth and development of IT itself. No wonder then that managing information
security has become a high-priority area for organizations. The objective of
information systems security is to minimize the risks in the use of IT while
optimizing performance and introducing predictability to operations. While the
nature of threats to an organization’s information assets continues to change,
the good thing is that the efficient use of people, processes, and technology
still remains the foundation of an effective security management
initiative. However, beyond determining what needs to be protected,
what is more critical is the degree of protection each asset requires. The
security levels need to be determined in order of priority, and people across
the organization should be aware of them.
Analyze your business impact
Most organizations realize the need to protect their systems adequately. The
challenge is how to determine what to protect and how much should be protected
in addition to issues related to costs. The answer is simple, though tough to
implement and quantify. Allocation of financial resources should be on the basis
of the value of information they seek to protect. An information system in an
organization involves people, processes, and technology. It is important that an
IT security solution design considers all the above factors. The business impact
analysis is also important to understand the degree of potential loss that may
occur. This will cover not just direct financial loss, but other issues, such as
damage to reputation and regulatory effects.
Business impact analysis (BIA) is essentially a means of systematically
assessing the potential impacts resulting from the exploitation of
vulnerabilities. This involves a comparison of the cost of the risk vis-à-vis
the cost of controlling it. Also, the probability that a vulnerability will
be exploited needs to be determined. To determine the BIA, it is important to first
classify the information assets, which in turn will help determine the areas of
concern. Based on this one can figure out the vulnerabilities and the probability
of security breaches. Multiply vulnerability by probability and you have in
hand the business impact.
Compare this with the cost of managing the threat and you have the order of
priority in which they need to be protected and hence the deployment cycle.
Having determined the business impact and having compared it with the cost to
control/mitigate the risks, one is aware both of the order of protection and the
level of protection sought. This enables the organization to spell out its
requirements and decide on the technology/products that best meet its needs,
considering a number of other factors as well like cost–both one time and
recurring, and upgradation capacity.
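The procedure above (classify the assets, multiply the loss from an exploited vulnerability by its probability to get the business impact, compare that with the cost of the control, and order the deployment cycle accordingly) carried through in code. This is an added example, not code from the article or from the surveys it cites; the asset names, loss figures, probabilities and control costs are constructed.

```python
from dataclasses import dataclass


@dataclass
class AssetRisk:
    """One classified information asset and the figures the BIA needs for it."""
    asset: str
    classification: str       # e.g. "confidential", "internal", "public"
    loss_if_exploited: float  # estimated loss per incident, in currency units
    probability: float        # probability the vulnerability is exploited in the period
    control_cost: float       # one-time plus recurring cost of the control for the period

    def business_impact(self) -> float:
        # "Multiply vulnerability by probability": the expected loss for the period.
        return self.loss_if_exploited * self.probability


def prioritize(risks):
    """Return rows (asset, impact, control_cost, net_benefit, decision) in
    deployment order: controls whose cost is below the business impact come
    first, ranked by the loss they avoid net of their cost; the rest follow."""
    rows = []
    for r in risks:
        if not 0.0 <= r.probability <= 1.0:
            raise ValueError(f"{r.asset}: probability must lie in [0, 1]")
        impact = r.business_impact()
        net = impact - r.control_cost
        decision = "deploy" if net > 0 else "accept/defer"
        rows.append((r.asset, impact, r.control_cost, net, decision))
    # "deploy" rows first (False sorts before True), then by largest net benefit.
    rows.sort(key=lambda row: (row[4] != "deploy", -row[3]))
    return rows


# Constructed sample asset register (hypothetical figures, not from the article).
SAMPLE_REGISTER = [
    AssetRisk("customer database", "confidential", 2_000_000, 0.10, 150_000),
    AssetRisk("public web site", "public", 100_000, 0.40, 30_000),
    AssetRisk("internal wiki", "internal", 20_000, 0.25, 8_000),
    AssetRisk("legacy fax server", "internal", 5_000, 0.05, 12_000),
]

if __name__ == "__main__":
    for asset, impact, cost, net, decision in prioritize(SAMPLE_REGISTER):
        print(f"{asset:18s} impact={impact:>10,.0f} control={cost:>8,.0f} "
              f"net={net:>10,.0f} {decision}")
```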
It is also important to understand and categorize your security
considerations on the basis of how they need to be tackled. Information security
products are broadly classified as technological and ‘soft products’, or ‘non-technological
services’. Purchasing information security involves mapping the purchase
decision to business requirements in a phased manner.
Categorize your needs
Today’s security considerations are different. They include protecting
against attacks coming from the Internet and the intranet, enabling trust and
privacy protection for e-transactions, controlling access to systems and
performing security management. Security management needs can be categorized
into three broad areas–identity management, access management, and
threat management.
Identity Management: Web-based technologies have spawned major changes
in how business is conducted today. Faced with this accelerated change in
business growth, business managers need to find new ways to control access to
corporate resources, along with new tools to secure those accesses. They must
also comply with new privacy regulations that require enhanced security for user
access to systems while meeting increased cost constraints.
Identity management is the creation, management, and use of online or digital
identities. It also helps an organization track and maintain personal
information through directory systems, provisioning tools and synchronization
services that automate the user management process across human resource
applications, IT systems, and non-IT environments. It should also be able to
help increase productivity while reducing user support costs. Usually all
standard identity management tools come with web-based self-administration tools
and features like single sign-on solution, which enables strong authentication
using a range of techniques including PKI, biometrics and hardware tokens. In
addition, an identity management tool should be scalable so as to keep pace with
the business growth and needs.
Access Management: Business-critical data and processes are more
vulnerable than ever due to increasingly sophisticated attacks and the dispersal
of applications across the extended enterprise. Native platform security–whether
a web server, application server, or an operating system–is ineffective
against internal and external attacks that gain access to administrator
privileges. Additionally, privacy and commercial confidentiality requirements
often conflict with system administration rights, which may provide unhindered
and unmonitored access to sensitive business and personal data.
The best access management tools are those that can address these issues with
a comprehensive access management solution that holistically monitors platforms
throughout the business for conformance to access policy, including distributed
servers, applications, mainframe systems and physical access devices. It also
helps organizations decrease the risk of internal and external attacks, thereby
enhancing system availability. In addition, it helps reduce costs with
centralized administration and enhance usability through personalization.
Threat Management: Hackers as well as political activists, competitive
snoopers, and disgruntled employees drive the proliferation of threats that
include dangerous viruses, worms and malicious code. Even subtle outbreaks of
these threats can bring company operations to a halt, leading to severe
financial losses and countless hours of lost productivity. In addition, simple
everyday activities such as sending and receiving email, sharing files,
utilizing online resources and conducting real-time transactions can rapidly
disrupt an under-protected environment.
Threat management solutions enable organizations to elevate their current
defensive security practices to proactively protect against today’s and
tomorrow’s threats. They enable organizations to isolate, contain, and
extinguish enterprise threats and prevent further infection during a virus
outbreak.
Once you have categorized your security needs, it’s important to evaluate each
of the products based on where it fits in the entire need matrix of the company
and compare it with the business impact before you sign on the dotted line. Any
business, regardless of its size, whose network is exposed to third-party networks,
or is connected to multiple physical locations with a database distributed across
the network and users logging in from remote locations, needs to invest in
security solutions.
The scale and exact nature of security solutions to be deployed will of
course vary on a case to case basis.
Enterprises require from their security solutions the same ‘abilities’
that business demands from IT. These include affordability, flexibility,
interoperability, manageability, and scalability. IT executives should ensure
that IT requirements at their enterprises include detailed current information
about security needs and that chosen and candidate solutions address those needs
adequately.
Interoperability: This is one key parameter by which to evaluate any
product, as security architectures, like the IT environments they protect, are likely
to remain hybrid, multi-vendor deployments for the foreseeable future at most
enterprises. Unfortunately, where IT security beyond fighting viruses is
concerned, many of the current offerings are fragmented, highly manual, and
reactive. Such fragmented or poorly interoperable solutions cannot deliver
maximum security and RoI. Hence care should be taken to ensure that the chosen
solutions integrate into comprehensive, synergistic and centrally manageable
resources. They should also interoperate with key applications and incumbent
security solutions to optimize both protection and business value, and be easy to
deploy.
The security solution should be capable of running on a variety of platforms
available in the market and should be interoperable seamlessly. You should not
need to decide your operating environment based on security products. The
security products should mingle with your network without major restructuring.
The security products you are buying should also be capable of integrating
seamlessly with other best of breed ones.
Scalability: Another important question that a person needs to ask is
how scalable the security product or solution is. This is extremely important
and an enterprise should have a clear roadmap of possible future applications
and IT requirements as well as the security needs and have scalability built in
accordingly. All business application profiles (BAPs) and user application
profiles (UAPs), or their equivalents, should be updated, expanded, and
integrated with data from relevant security solutions.
This will help you best match solutions with specific requirements and
resources within the enterprise and evaluate those solutions more accurately and
realistically.
It is also important that you choose a vendor who keeps abreast of the latest
operating systems and platforms by releasing new versions and can demonstrate
to you a clear roadmap for them. The roadmap claim should be backed up by
historical proof. Also, the upgrades should be automated and should be
implemented with a minimum of user disturbance and no system downtime.
Vendor Support: While most of the big companies have in-house
resources to manage their IT needs, a majority of the smaller companies cannot
boast of the same. However, irrespective of whether you have the capability or
not, vendor support should still be an important criterion for choosing a
product. As a security solution includes a combination of hardware and software,
one should certainly look for services that include application support and be
very clear and specific about the service-level agreement.
RoI & Affordability: While security may be one of the few areas
where RoI is fairly obvious, even to non-technical business executives and
managers, you may still need to justify the investment every time. From an
affordability point of view you need to focus on security solutions and
approaches that support layered or tiered approaches. This can help restrain the
growth of security costs, generally and for specific applications, and lines of
business within enterprises. Proactive security management will help not only
maximize RoI but return on value (RoV) as well!
The 21 Best Ways to Lose Your Information
Have you ever wondered what the best ways are to get hacked, be adversely
affected by disasters, or otherwise lose information stored on your computer
systems? Here, in no particular order, are the 21 best ways to not secure your
systems:
- Don’t pay attention to or even bother to understand what you’re trying to protect.
- Leave your databases, especially those containing confidential information, unencrypted and store them on publicly accessible servers.
- Don’t patch your software or update your virus signatures, and never run vulnerability assessments to detect newly discovered software flaws and system misconfigurations. It’s just too time-consuming.
- When an employee quits or is let go, leave his network log-ins and e-mail accounts enabled. You never know when he might want to check in on things.
- Don’t create any security policies that document how you’re safeguarding your information to protect your organization and clients from information disasters and legal liabilities.
- If you do happen to have a security policy, never refer to it, enforce it, update it, or do what it says.
- Completely outsource your information security initiatives. There’s no need for anyone inside your organization to worry about such matters.
- By all means, don’t take an inventory of your information systems or document your network.
- Apply the principle of greatest privilege. Give all users the greatest amount of access to your information systems. Everyone should have access to everything–it’s only fair, right?
- Rely solely on technology. Firewalls, encryption, and antivirus software are all you need to protect your information.
- Run your business without disaster recovery and business continuity plans. After all, you can think clearly and make critical decisions under pressure, right?
- Don’t monitor your systems. They’ll be fine running by themselves, and if anything major happens with the integrity or availability of your information, you’ll be notified automatically, won’t you?
- Don’t back up your data, but if you must, don’t test your backups. Also, leave your backup media on-site–preferably sitting on top of an uninterruptible power supply.
- Leave your operating systems and software applications with the default settings. System hardening is for the birds.
- Respond to hacker attacks, viruses, and other intrusions as they happen–don’t be proactive in dealing with them.
- Use passwords that consist of your pet’s name, your name, your mom’s maiden name, or your birthday. That way, you won’t forget them. Better yet, just use "password" for your passwords. Also, don’t forget to write them down and post them on your monitor or keyboard.
- Don’t subscribe to security bulletins and mailing lists, and don’t ever read information security trade magazines.
- Leave your servers and network equipment in a room to which everyone, including outsiders off the street, has access.
- Don’t train your users on your security policies and what to look out for, such as unsolicited e-mail attachments and common hacker activities. Your users can’t be burdened with more training.
- Ignore all known best practices and international information security standards from the International Standards Organization, Internet Engineering Task Force, SANS Institute and your local information security consultant, to name a few. And finally...
- Don’t, under any circumstances, get upper management involved in information security initiatives. They’re business-focused and shouldn’t be bothered or even care about technology or the liabilities associated with their information, right?
Kevin Beaver, founder & president of Principle Logic
Security Forecast / Financial 2003-04
Firewalls
- On the end-to-end security front, VPNs will get integrated with firewalls, thus enhancing security capabilities.
- Encryption and firewall functionality will be embedded in network cards. Many vendors have already incorporated this technology.
- Content filtering software will be integrated with VPNs, thus permitting VPN-integrated firewalls to filter content during the tunneling process itself, reducing unnecessary bandwidth usage.
- More vendors will offer quality of service functionality integrated with firewalls. This will allow bandwidth allocation amongst the various tunnels created by VPN-integrated firewalls.
Intrusion Detection Systems (IDS)
- Switched networks and traffic payload can be addressed using an in-line "packet scrubber". A device like this would sit invisibly between two networks and monitor all traffic exchanged, regardless of switches or hubs, while remaining immune to attack attempts.
- Problems in analysis and correlation will be addressed using applications that fine-tune filters and rules in order to reduce false positives. Over time this would help provide an IDS feedback system based on administrator input and response.
- The future of IDS lies in data correlation. The IDS of tomorrow will produce results by examining input from several different sources.
- In the future the concept of NIDS and HIDS will disappear, with a group of distributed components performing specific tasks. The host will perform packet analysis for encrypted traffic.
- As opposed to the heterogeneous mix of Microsoft, UNIX, and application-specific rules in place on most NIDS, the signatures would be tailored to one host.
- Instead of sensors capturing all traffic on a network, the client machines will monitor their own traffic and run a recurring scan that would quickly determine which services and programs run on a machine, allowing for an even more precise rule-set.
- Future applications would provide kernel- and OS-specific modifications which can monitor logs, administrative actions, system accounting, and data integrity in real time.
- While log results are usually only reviewed by an administrator when a user’s machine has been compromised, the new trend will see clients automatically report data to centralized monitoring stations. This will be like the present management station concept.
Operating Systems
- High-value applications will continue to be hosted on mature operating system platforms through the forecast period.
- The process of uncovering and repairing security breaches in Windows products will recur through the forecast period, resulting in more robust versions.
- The move to server appliances for application and storage services will be motivated, in part, by the fact that they provide standardized, pre-configured security features.
- Concerns will emerge regarding the security of new operating systems for handheld and cellular devices such as Palm OS and Symbian EPOC.
Authentication
- Tokens and biometrics will increasingly augment password-based authentication for high-value systems during the forecast period.
- Two-stage authentication systems that use more rigorous multifactor authentication to provide access to critical data will be offered in the marketplace.
- Trusted third-party service providers will play a stronger role in both authentication and authorization (via digital certificates) during the forecast period.
Malicious Code
- Antivirus software will continue to be the most widely deployed type of security software.
- However, security threats other than viruses will cause more problems, precisely because antivirus software is already so widely deployed.
Virtual Private Networks
- With the availability of better encryption algorithms, integrated VPNs and firewalls will be deployed in future.
- With advancements in encryption algorithms like AES and Blowfish, IPsec will become stronger, giving even more secure VPNs.
- MPLS VPNs (RFC 2547 compliant) will increase the speed and security of VPNs.
- Quantum cryptography will make encryption more secure by rapidly changing the state of the photons.
- Virtual enterprise networks will enable companies which have both a private intranet and a more public extranet to manage the twin requirements of keeping their data and information assets secure while at the same time allowing customers, partners and suppliers to access relevant parts of their information systems and data, by designing and engineering dynamic and logic-based security boundaries around internal systems and data as opposed to physical and static security models.
- Organizations will continue to deploy or enhance VPN architectures to support mobile workers and exploit the ubiquitous Internet.
- Trusted third parties (certificate authorities) will provide key management support to VPN users.
- VPN appliances will appear in the marketplace for both the enterprise side and the user side of the VPN.
Source: SecureSynergy and PricewaterhouseCoopers