Developments in technologies, specifically in communications, that made
robust connectivity possible among business houses, governments, and social
outfits have brought numerous benefits to mankind in various ways. With the kind
of development we are witnessing in communications, there also comes the risk
of being susceptible to invisible and unimaginable threats. Networks are growing
with the growth of businesses, and these networks are running numerous
applications. Enterprises are becoming more dependent on these networks, and
securing them has become a prime concern of enterprises. It is a fact that
criminals are always smarter than the cops, which is probably why one always
finds the cops chasing the criminals. In the world of cyber crime there is
always an incentive for these 'bad guys': money, and they are certainly making
it! Money drives them to hunt for loopholes and vulnerabilities in the networks
that are said to be the lifeline of all business houses. CIOs and CTOs of
enterprises are under tremendous pressure to make sure that they are secure in
an insecure world.
Categorizing Threats
There are three broad classifications for security threats depending on
their source, target and duration. The source could be an insider threat,
originating from within the organization by internal IT users, mobile users,
etc, or an outsider threat, stemming from the Internet or from partners/vendors
hooked into the organization's network. Targets of threats can also be
sub-divided into two categories: direct threats targeted at an enterprise's
infrastructure, application or database, and indirect threats that are targeted
at an enterprise but routed through the user, for example, phishing.
Indirect threats are a new trend that has emerged over the last 4-5 years.
One of the biggest threats today is security attacks from people within the
organization. Research has shown that between 50 and 80% of threats to security
originate from within the enterprise. While external attacks are critical to
today's e-commerce world, internal attacks should not be overlooked. These
internal attacks are very hard to detect and prevent because users within the
organization are part of the trusted domain. Perimeter security provides no
protection if the attack stems from within the perimeter. Using existing
perimeter security solutions, organizations are struggling to implement an
effective, unified security policy that complies with regulatory security
standards (Sarbanes-Oxley, HIPAA, FIPS) while maintaining the level of
ubiquitous network and resource access required by today's mobile and remote
workforce.
A targeted attack often begins with an incoming email carrying a document
attachment, with the intention of stealing sensitive and confidential
information from the organization. The email is never sent en masse and looks
extremely legitimate, with a relevant email address and attachment. For
instance, if an email applying for an open position were sent to the HR manager
with a CV as an attachment, the HR manager would more than likely open the
attachment to see if the candidate is suitable for the position. The moment the
file is launched, the malware drops and executes a malicious file before
displaying the content of the CV to the HR manager. Unknowingly, confidential
information is stolen.
The theft or loss of a laptop can cost a company big bucks. One of the many
perks of working for a company is the access one gains to multiple computer
systems, from email messaging to HR payroll. Yet it's precisely this access that
can endanger the security of mission-critical applications. Despite today's
sophisticated user provisioning systems, many IT administrators are simply too
time-strapped to actively update users' access and privileges. In fact, research
has revealed that it can take upwards of four months to remove the user rights
of a former employee. Within that timespan, there's no telling what havoc a
disgruntled employee can wreak on a company's critical business systems.
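The stale-access problem above (rights that outlive the employee) is something a security team can measure rather than guess at. The following is an added example, not code from the article or its author: a small access review that compares a constructed HR departure roster against a constructed directory export and flags enabled accounts whose owner has left, or that have no HR owner at all. The data formats, the `grace_days` threshold and the account names are assumptions; in practice the two inputs would come from the HR system and a directory (LDAP/AD) export.

```python
"""Added example (not from the article): a stale-access review.

Compares an HR roster of departures against the accounts still enabled in a
directory and flags any account whose owner left more than a grace period
ago, plus accounts with no HR owner. Both data sets are constructed inline.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed HR export: employee id -> last working day (None = still employed)
HR_ROSTER = {
    "e1001": None,
    "e1002": date(2008, 1, 15),
    "e1003": date(2008, 3, 1),
    "e1004": date(2007, 9, 30),
}

# Constructed directory export: (account, employee id, enabled, privileges)
DIRECTORY_ACCOUNTS = [
    ("asharma", "e1001", True,  ["email", "payroll-ro"]),
    ("rkumar",  "e1002", True,  ["email", "payroll-admin"]),
    ("pmehta",  "e1003", False, ["email"]),                      # already disabled
    ("jdoe",    "e1004", True,  ["email", "vpn", "payroll-admin"]),
    ("svc_bak", None,    True,  ["backup-operator"]),            # no HR owner at all
]


@dataclass
class Finding:
    account: str
    reason: str
    days_stale: int
    privileges: list = field(default_factory=list)


def review_access(roster, accounts, today, grace_days=7):
    """Return findings for enabled accounts that should no longer have rights.

    grace_days is an assumed allowance for the offboarding process; the
    article notes that in practice removal can take upwards of four months.
    """
    findings = []
    for account, emp_id, enabled, privs in accounts:
        if not enabled:
            continue                                   # nothing to revoke
        if emp_id is None or emp_id not in roster:
            findings.append(Finding(account, "no HR owner", 0, privs))
            continue
        left = roster[emp_id]
        if left is None:
            continue                                   # still employed
        stale = (today - left).days
        if stale > grace_days:
            findings.append(Finding(account, "owner departed", stale, privs))
    # Most privileged, then longest-stale, accounts first: that is the order
    # in which an administrator should revoke them.
    findings.sort(key=lambda f: (-len(f.privileges), -f.days_stale))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, DIRECTORY_ACCOUNTS, date(2008, 4, 1)):
        print(f"{f.account:8} {f.reason:15} {f.days_stale:4}d {','.join(f.privileges)}")
```

Run against the constructed data with a review date of 1 April 2008, the report lists `jdoe` first (three privileges, 184 days past departure), then `rkumar` (77 days) and the ownerless `svc_bak` account; the disabled `pmehta` account is not reported.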
Even as new threats arise, there is no respite from traditional threats, which
include spyware, viruses, worms, information leakages, intrusions, hacking, and
script kiddies, among others. A new kind of threat increasingly attacking
enterprises is infrastructure theft: robberies of physical infrastructure such
as data cards. Another trend in the market is the integration of an enterprise's
logical and physical security, which in turn gives rise to a new kind of threat
targeted at facilities. Where earlier the security of a building was the
responsibility of the administration teams, today information security experts
handle it.
Taking on a New Meaning
From phishing attacks to crimeware, from disclosed vulnerabilities to
zero-day exploits, 2007 was a big year for threats. From the amateurish attacks
of the early 2000s, when hackers attacked to gain quick fame and make the world
take notice of their hacking prowess, 2007 saw Internet attacks become more
sophisticated and extremely deadly.
Hacking has transformed from a hobby into a crime over the last 18-24 months,
as attacks clearly show the traits of organized crime. Criminals are now the
main perpetrators of Internet attacks, profit being their motive. There have
been many cases of hacking of major bank websites across the globe, in which
millions of dollars have been phished out of these banks. More than 100,000 new
viruses and trojans (a 50% jump in the total number of threats ever catalogued)
have been recorded. The level of sophistication employed by hackers was
unparalleled. A converged network of phishers, spammers and bot masters was
working in unison to achieve their goals. Spamming, phishing and botnets (tens
of thousands of compromised PCs) were used with seamless precision to extract
huge amounts of money.
Even more worrying and terrifying was the nexus hackers built with the world's
deadliest underground crime gangs to exploit the most vulnerable and valuable
data on the Internet. If reports from leading security vendors are to be
trusted, the situation gets murkier this year. Hackers are working overtime to
roll out sophisticated hacking kits and to strengthen their ties with criminal
gangs, setting off alarms at security agencies. Today, security-related
hardware, software and services represent a $38 bn industry worldwide, a figure
IDC projects will reach $67 bn in 2010.
Earlier, security functioned as a vertical service that handled everything
pertaining to logical and physical security. However, as enterprises faced
shrinking budgets and skill constraints, a need was felt to trim down the size
and scope of the security team. This has led to information security becoming
'tower-specific', with operations dispersed so that network, database, and
Windows security are handled by the experts of the respective towers. The
security team, in turn, takes on the responsibility of overseeing the security
functions of each tower and the compliance-related issues of the organization.
With the responsibilities and operations of the security organization thus
dispersed, the security team now has the bandwidth to look after more strategic
initiatives and devise plans to mitigate new threats.
Compliance Criticalities
The biggest threat to enterprises surfaces from the fact that they seem to
be complacent. Enterprises are satisfied with what they have deployed for
security. CTOs, CIOs, and security heads should be constantly alert, as the
threats today are evolving and upgrading themselves day by day with the
advancing technology. The globalization of Indian software companies and the
outsourcing of business processes to India have brought into focus network
security awareness and the standards of the solutions implemented over these
networks.
The Information Technology Act 2000 is silent on laws pertaining to network
security. While the Reserve Bank of India and the Securities and Exchange Board
of India have laid down certain guidelines for financial transactions over the
Internet and private networks, there are no concrete rules governing the
security of the networks or of the information flowing over them.
Third-party certifications and benchmarks are the only ways to determine the
security level in India. At the gateway level, ICSA certification is required
for any firewall, anti-virus, VPN, IDS, or SSL product to be deployed in a
customer network. EAL 4+ is the bare minimum standard for government
deployments. AES has now arrived as the answer to the conventional DES and 3DES
encryption.
Regulations such as HIPAA govern privacy and security in the healthcare
sector, while Sarbanes-Oxley dictates certain reporting and monitoring
requirements for publicly quoted companies. Basel II also has a huge IT
security component. Then there are general certifications like CISA and CISSP
that need to be adopted to ensure proper security procedures.
In recent years, the Computer Crime and Security Survey by CSI has seemed to
suggest that, while consumer-focused crime such as phishing might be
skyrocketing, security was improving within enterprises. While it was
satisfying to see security professionals estimating that their losses were
down, it also seemed clear that the trend couldn't continue indefinitely,
especially given that several factors observable in the online world pointed
toward troubled times ahead.
Networks and operating systems have become more complicated in the past few
years. Malware developers have clearly been developing and trying out various
components that, once combined, will create attacks that are more dangerous
and difficult to detect. The IT sector is also retooling its applications using
service-oriented architectures that, while they may produce a Web 2.0 economy,
will also create a mother lode of new vulnerabilities that will be very
difficult to contain.
Buying Tips and Best Practices
Evaluate Risks: Assess your business and security environment. Analyze the
historical data to look for patterns and identify vulnerabilities. Try to answer
questions like: What are the special features of your business? What is your
network architecture like? Is your current network security infrastructure
adequate? How critical is the network to your business?
Formulate a Security Policy: Based on your risk evaluation, design and
implement a security policy and link it to your business risks.
Involve Business Managers in Risk Assessment: Involving business managers in
identifying potential threats, vulnerabilities, and the consequent impact on
business operations helps them better understand the imperatives of network
security.
Establish a Central Management Focal Point: Designate a central group to
carry out the key activities. Provide it with ready and independent access to
senior management. Allocate dedicated funding and designate staff for key
activities. Enhance staff professionalism and technical skills.
Promote Awareness: Use attention-gaining and user-friendly techniques to
constantly educate users on risks and related security policies.
Monitor and Evaluate the Policy and Controls: Monitor the factors that
indicate security effectiveness. Also monitor the factors that can affect the
risks. Use the results to direct future efforts. Fix the accountability of
managers. Stay alert to new monitoring tools and techniques.
Distinguish Between Policy and Guidelines: The security policy should only
outline what the senior management considers imperative. Guidelines should
provide more detailed rules for implementing the policies. Guidelines can also
be designed as educational tools that can help network users to understand and
follow desired security practices.
Create a Mechanism for Security Breaches: Formulate an investigation procedure
that addresses evidence preservation and forensic examination. Designate a
trained response team so that emergencies can be tackled when they arise.
Go For Third-party Assessment: Carry out third-party audits regularly to get
an independent assessment of your network security's effectiveness.
Look For These in All-in-one Boxes: If you are looking for a complete
security appliance, then it must have a firewall, anti-virus, IDS, and
content-inspection functions. However, do check whether too many features in
one box are affecting its ability to perform; this is likely in many cases. So,
avoid the everything-in-one box if your security requirements are complex.
The Box Must Complement Your Security Policy: This is the most important
factor that any enterprise should look for before buying a security appliance.
Do not buy a box just because it can perform elaborate security functions. Check
if the box is capable of meeting the stated objectives of your security policy.
Also, security appliances are deployed in extremely dynamic environments and
require constant appraisal to manage the threats. So, check the box for
scalability.
Step-by-step Buying: Organizations have a diverse range of security needs,
from anti-virus protection and malicious-content inspection to protection
against hacker attacks. However, an organization may not need all the security
features in one go. Depending on the current requirement, buy only what is
needed today, but keep the option open for upgrading later.
Over and above the best practices and buying tips explained above, there are
some other points that need to be considered. These points refer to the
day-to-day security challenges that will appear in the course of running the
business.
Awareness: Awareness of threats and vulnerabilities is often low in most
organizations. Awareness about dos and don'ts of security is also very low.
Often, security threats are not taken seriously because users are not aware of
their possible impact.
Monitoring and Management: A major challenge that every enterprise CIO faces
is the constant monitoring and management of the public-facing core elements in
the network. A viable solution is to outsource the monitoring and management of
either all or parts of the network infrastructure to a remote infrastructure
management provider.
Policies and Procedures: Policies and procedures are a must for the management
of network resources and the introduction of new resources. At the same time,
restrictive and inflexible policies and procedures are themselves a problem.
Asset Identification and Valuation: Conduct the asset identification and
valuation exercise along with the end-user, who uses and owns data on resources.
Certifications like BS7799 can help implement a system of procedures and
controls to ensure that the asset identification is always up-to-date.
Viruses, Worms, and Antivirus Updating: Unfortunately, it is not just infected
servers; even one infected PC can create havoc for the entire network. Add to
this the mobile users who constantly shuttle between insecure networks outside
and your organization's sanitized networks. A new virus could enter your
network through any of these. Thus, the anti-virus must be kept updated to
handle newer viruses.
Patch Management: With the plethora of platforms running in an organization,
keeping pace with the testing of patches and applying them to the production
servers can severely tax the IT team. Security patch management is, thus, a
major concern. Currently, a majority of corporations do only manual and
need-based patch management. This leaves the organization vulnerable and drains
its limited IT resources.
Standardization: According to the research group META, during 2006-08,
IT-operation organizations will begin standardizing their work-sustaining
activities to platform-agnostic standards. The integration points between these
activities would also be platform-agnostic, bolstering the IT organizations'
abilities to enhance performance across the IT-delivery lifecycle and the
reporting/improvement activities (like quality, cost reduction, and reporting
structures).
Portability: This creates several obvious risks. The loss of a laptop is an
obvious one. Other risks are less obvious, such as a worker letting his friends
use the sanitized company laptop to surf the Net. Such activities can expose the
laptop to inadvertent virus and trojan infections, and can later threaten the
internal network when the portable computer connects to it. Even if the laptop
is sanitized before re-entering the network, the threat is still present. A worm
that sends infected emails to an employee's entire address list can pose a
serious PR problem for the company, without infecting its network.
Complexity: This is a major challenge for information security. Every new
policy or procedure comes with the possibility of being misinterpreted or poorly
executed. A simple security axiom is the KISS rule. Unfortunately, the
regulatory environment is becoming ever more complicated because of mandatory
controls. These can lead to confusing policies and procedures.
Resource Misconfiguration: Standardize your resource-management procedures
and deploy process-automation procedures to mitigate human error.
Educating End Users: Malware or spyware can invade the nodes if end users are
careless while surfing.
Log Analysis: Various IT resources generate a large number of logs, which
contain usage and trends data. Without log-data analysis, network administrators
may overlook the possible warning signals.
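The "warning signals" in the Log Analysis point above, and the monitoring of security effectiveness urged under "Monitor and Evaluate the Policy and Controls" earlier, both come down to reading logs for patterns a human would miss. The following is an added example, not code from the article or its author: it parses a handful of constructed sshd-style authentication log lines, flags any source address that produces a burst of failed logins inside a sliding time window, and flags a successful login that follows such a burst from the same source. The log lines, the 2008 year assumed for syslog timestamps, and the `max_failures` / `window_seconds` thresholds are all assumptions for illustration.

```python
"""Added example (not from the article): spotting warning signals in logs.

Parses constructed sshd-style authentication lines, then flags any source
address with too many failed logins inside a sliding window, and flags a
success that follows a burst of failures from the same source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in syslog format (syslog omits the year; 2008 assumed).
SAMPLE_LOG = """\
Mar 10 09:01:02 gw1 sshd[2231]: Failed password for root from 203.0.113.5 port 4410 ssh2
Mar 10 09:01:05 gw1 sshd[2233]: Failed password for root from 203.0.113.5 port 4412 ssh2
Mar 10 09:01:09 gw1 sshd[2235]: Failed password for admin from 203.0.113.5 port 4414 ssh2
Mar 10 09:01:12 gw1 sshd[2237]: Failed password for admin from 203.0.113.5 port 4416 ssh2
Mar 10 09:01:15 gw1 sshd[2239]: Failed password for oracle from 203.0.113.5 port 4418 ssh2
Mar 10 09:01:20 gw1 sshd[2241]: Accepted password for oracle from 203.0.113.5 port 4420 ssh2
Mar 10 09:15:00 gw1 sshd[2300]: Failed password for gswain from 198.51.100.7 port 5001 ssh2
Mar 10 09:15:30 gw1 sshd[2302]: Accepted password for gswain from 198.51.100.7 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_lines(text, year=2008):
    """Return (timestamp, result, user, src) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_warning_signals(events, max_failures=4, window_seconds=60):
    """Return alert strings for failure bursts and for successes after a burst."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    burst_flagged = set()         # sources already reported, to avoid repeats
    for ts, result, user, src in sorted(events):
        q = recent[src]
        # Drop failures that have slid out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= max_failures and src not in burst_flagged:
                burst_flagged.add(src)
                alerts.append(f"{src}: {len(q)} failed logins within {window_seconds}s")
        elif len(q) >= max_failures:
            # A success right after a burst is the signal most worth a human look.
            alerts.append(f"{src}: successful login as {user} after {len(q)} failures")
    return alerts


if __name__ == "__main__":
    for alert in find_warning_signals(parse_auth_lines(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, the single failed attempt from 198.51.100.7 followed by a success is ordinary user behaviour and produces no alert, while 203.0.113.5 produces two: a burst alert at its fourth failure and a second alert when the `oracle` login succeeds immediately afterwards. Thresholds that small suit a gateway that normally sees few logins; for a busier host they would be tuned against historical data, as the "Evaluate Risks" tip recommends.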
Gyana Ranjan Swain
gyanas@cybermedia.co.in