Special Report on Digital Security - Executive focus series by Innovation Networks

Executive

focus

Special Report on

Digital Security â&#x20AC;&#x153;The greatest threat to computer systems and their information comes from humans, through actions that are either malicious or ignorant ...â&#x20AC;?

Whether a company is a small business or a global giant, employees, managers, executives, CEOâ&#x20AC;&#x2122;s & owners, need to be more aware than ever of digital security. Originally, Information Technology (IT) infrastructures were built around central computers or mainframe solutions, while very few were developed around the personal computer. However, today businesses are being driven by the power of personal computers & the internet, creating a new frontier in applications & access to information. But as the infomation revolution opened new avenues for IT, it also opened new possibilities for crime.

Attackers use these opportunities to steal passwords & gain access to information or to create disastrous effects on networks & computers.

Business realities dictate that certain information is extremely sensitive in nature, leading to the need for specific security requirements.

Digital security has been required to continuously evolve in the 21st century as networks are designed & built to facilitate the sharing & distribution of data & information.

Today, IT security has progressed to more than just user names & passwords. It involves digital identities, biometric authentification methods & modular security strategies.

Controlling access to these resources can become a problem because you need to balance the requirement for access to free information (via the net) with the value of the content of that information.

This issue of Executive focus was written to help clients of Innovation Networks & participants in the Business Technology Seminar gain insight of some key themes when it comes to digital security.

Security Defined Computer security means to protect information. It deals with the prevention and detection of unauthorized actions by users of a computer. Lately it has been extended to include privacy, confidenality and integrity. For example: Two parties agree and seal their transaction using digital signatures. The signature cannot be ruled invalid by law-making bodies because it uniquely identifies the individuals involved. Or you visit a web site and the site collects more personal information than you are willing to divulge or the site distributes data to outside parties. By doing this, it compromises your privacy and opens your world to other people.

Defining Security

This definition of security on the previous page implies that you have to know the information & the value of that information in order to develop protective measures. You also need to know which individuals need unique identities & how much information may be divulged to the outside world. A rough classification of protective measures in computer security is as follows: Confidentiality: The prevention of unauthorized disclosure of information. This can be the result of poor security measures or information leaks by company personnel. An example of poor security measures would be to allow anonymous access to sensitive Detection: Take measures that allow you to detect information. when information has been damaged, altered, or stolen, how it has been damaged, altered, Integrity: The prevention of erroneous modification of or stolen & who has caused the damage. information. Authorized users are probably the biggest Various tools are available to help detect cause of errors & omissions & the alteration of data. Storing incorrect data within the system can be as bad intrusions, damage or alterations & viruses. as losing data. Malicious attackers also can modify, Reaction: Take measures that allow recovery of delete, or corrupt information that is vital to the information, even if it is lost or damaged. The above correct operation of business functions. measures are critical, but if organizations do not understand how information may be compromised, they Availability: The prevention of unauthorized cannot take measures to protect it. You must withholding of information or resources. Appropriate examine the components on how information can be data should be freely available to authorized users, enabling them to better do their jobs. compromised. Prevention: Take measures that prevent your information from being damaged, altered, or stolen. Preventive measures can range from locking the server room door to setting up high-level security policies.

Authentication: The process of verifying that users are who they claim to be when logging onto a system. Generally, the use of user names & passwords accomplishes this task. There are more sophisticated methods such as the use of smart cards & retina scanning. Note that the process of authentication does not always grant the user access rights to resourcesâ&#x20AC;&#x201D; this is achieved through the authorization process. Authorization: The process of allowing only authorized users access to sensitive information. An authorization process uses the appropriate security authority to determine whether a user should have access to resources.

The Need for Security Administrators normally find that putting together a security policy that restricts both users & attacks is time consuming & costly. Users also become disgruntled at the heavy security policies making their work difficult for no discernable reason, causing bad politics within the company.

Planning an audit policy on huge networks takes up both server resources & time, & often administrators take no note of the audited events. A common attitude among users is that if secret work is not being performed, why bother implementing security? There is a price to pay when a half-hearted security plan is put into action. It can result in an unexpected disaster. A password policy that allows users to use blank or weak passwords is a hacker’s paradise. No firewall or proxy protection between the organization’s private local area network (LAN) & the public Internet makes the company a target for cyber Organizations will need to determine the price they are willing to pay in order to protect data & other assets. crime. This cost must be weighed against the costs of losing information & hardware & disrupting services. The idea is to find the correct balance; If the data needs minimal protection & the loss of that data is not going to cost the company, then the cost of protecting that data will be less. If the data is sensitive & needs maximum protection, then the opposite is normally true. In 1999 an activist group called “RTMark” launched network-based attacks against internet start-up eToys, now owned by Toys “R” Us. The group also engaged the help of the Electronic Disturbance Theater—a hacker group claiming to attack sites only on behalf of social causes. The goal was to help Cripple Toys or deface its Web pages. Wanting to “destroy” eToys such raids are fresh reminders of the need for e-commerce sites to keep their defenses sharp. Read the complete story at ... http://www.networkworld.com/news/1999/1220etoys.html

Being aware is just the beginning...

ypes of

Security Threats Security Threats Natural Disasters

Human

Malicious External Hackers Crackers

Internal Disgruntled Employees

Non-Malicious

Floods Earthquakes Hurricanes

Ignorant Employees

Information is the key asset in most organizations. Companies gain a competitive advantage by knowing how to use & apply that information. Serious threats come from unscrupulous individuals who would like to acquire the information or limit business opportunities by interfering with normal business processes. The object of security is to protect valuable or sensitive organizational information while making it readily available to employees. Attackers trying to harm a system or disrupt normal business operations exploit vulnerabilities by using various techniques, methods & tools. Once again the emphasis is for business executives to understand the various aspects of security. Then & only then can they be involved in the development of measures & policies to protect assets & limit their vulnerabilities. Attackers generally have motives or goals—for example, to disrupt normal business operations or steal information. To achieve these motives or goals, they use various methods, tools & techniques to exploit vulnerabilities in a computer system or security policy & controls. “The chart above introduces a layout that can be used to organize security threats into different areas”

Human Threats Malicious threats consist of inside attacks by disgruntled or malicious employees & outside attacks by non-employees just looking to harm & disrupt an organization. The most dangerous attackers are usually insiders (or former insiders) because they know many of the codes & security measures that are already in place. Insiders are likely to have specific goals & objectives & have legitimate access to the system. Employees are the people most familiar with the organization’s computers & applications & they are most likely to know what actions might cause the most damage. Insiders can plant viruses, Trojan horses or worms & they can browse through the file system. The insider attack can affect all components of computer security. By browsing through a system confidential information could be revealed. In the past, these individuals were referred to as “crackers” or “hackers”. However the term hacker now refers to people who either break into systems for which they have no authorization or intentionally overstep their bounds on systems for which they do not have legitimate access. The correct term to use for someone who breaks in to systems is a “cracker.” Common methods for gaining access to a system include password cracking, exploiting known security weaknesses, network spoofing & social engineering. Malicious attackers normally will have a specific goal, objective or motive for an attack on a system. These goals could be to disrupt services & the continuity of business operations by using denial-of-service (DoS) attack tools. They might also want to steal information or even steal hardware such as laptop computers. Hackers can then sell that information which can be useful to competitors.

Attackers are not the only ones who can harm an organization. The primary threat to data integrity comes from authorized users who are not aware of the actions they are performing. Errors & omissions can cause valuable data to be lost, damaged, or altered.

Note that ignorant employees usually have no motives & goals for causing damage. The damage is accidental. Also, malicious attackers can deceive ignorant employees by using “social engineering” to gain entry. The attacker could masquerade as an administrator & ask for passwords & user names. Employees who are not well trained & are not security aware can fall for this.

Non-malicious threats usually come from employees who are untrained in computers and are unaware of security threats & vulnerabilities. Users, data entry clerks, system operators, and programmers frequently make unintentional errors that contribute to security problems, directly & indirectly. Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system.

Being aware is just the beginning...

ypes of

Security Threats

Threats

Motives/Goals

Methods

Security Policies

Employees • Malicious • Ignorant Non-employees Outside attackers

Deny services Steal information Alter information Damage information Delete information Make a joke or show oﬀ

Social engineering Viruses, Trojan horses & worms Packet replay Packet modiﬁcation IP spooﬁng Mail bombing Various hacking tools Password cracking

Vulnerabilities Assets Information and data Productivity Hardware Personnel

Natural disasters Floods • Earthquakes • Hurricanes • Riots and wars

Natural Disasters

Nobody can stop nature from taking its course; Earthquakes, hurricanes, floods, lightning & fire can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur & damage to hardware can disrupt other essential services.

An organization has various modems & Integrated Services Digital Network installations and does not have surge protection. During a thunderstorm, lightning strikes the telephone & ISDN lines. All modems and ISDN routers are destroyed, taking with them a couple of motherboards.

Contingency plans

Few safeguards can be implemented against natural disasters. The best approach is to have disaster recovery & contingency plans in place. Other threats such as riots, wars & terrorist attacks could be included here. Although they are human-caused threats, they are classified as disastrous.

ypes of

Security Threats

Malious Attackers There is a strong overlap between physical security & data privacy & integrity. Indeed the goal of some attacks is not the physical destruction of the computer system but the penetration & removal or copying of sensitive information. Attackers want to achieve these goals either for personal satisfaction or for a reward. Here are some methods that attackers use: Deleting and altering information. Malicious attackers who delete or alter information normally do this to prove a point or take revenge for something that has happened to them. Inside attackers normally do this to spite the organization because they are disgruntled about some thing. Outside attackers might want to do this to prove that they can get into the system or for the fun of it. Committing information theft and fraud. Information technology is increasingly used to commit fraud & theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud & by using new methods. Financial systems are not the only ones subject to fraud. Other targets are systems that control access to any resources, such as time & attendance systems, inventory systems, school grading systems, or long distance telephone systems. Disrupting Normal business operations. Attackers may want to disrupt normal business operations. In any circumstance like this, the attacker has a specific goal to achieve.

Tsz-chung, 22, was jailed in April of 2000 after changing the password on another user’s account and then demanding $500 (Hong Kong currency) to change it back. The victim paid the money and then contacted police. Cheng has pleaded guilty to one charge of unauthorized access of a computer and two counts of theft. Cheng’s lawyer was quoted telling Magistrate Ian Candy, that his client committed the offenses “just for fun.”

Being aware is just the beginning...

ypes of

Security Threats

Non-Malicious Threats from Employees Non-malicious attacks occur due to poor security policies & controls that allow vulnerabilities & errors to take place. Natural disasters can occur at any time so organizations should implement measures & try to prevent the damage they can cause.

Unaware of transactions. Errors & omissions can lose, damage, or alter valuable data because users are unaware of transactions they are performing.

Unintentional errors. Data entry clerks, system operators, and programmers frequently make unintentional In review; threats can originate from two primary sourc- errors that contribute to security problems, directly & es: humans & nature. Human threats can be broken into indirectly. Errors can create vulnerabilities & can occur two categories, malicious & non-malicious. The non-ma- in all phases of the system life cycle. licious “attacks” usually come from employees who are not adequately trained on computers or are not aware Programming and development errors. Often called “bugs,” they range in severity from irritating to cataof various security threats. strophic. Improved software quality has reduced but not eliminated this threat. Non-malicious threats come from authorized users in the following ways: New technology installation & maintenance. Upgrading systems, changing passwords etc., can cause problems of all kinds. Also, changes in IT providers or managed services can cause problems with security threats, thus these changes need to be managed successfully.

onclusion

Developing security best practices begins with clear planning & communication with everyone in the business including owners, managers, employees & at times, customers & vendor/partners. Here are four key components to include in the planning process: Align the strategy with business requirements For example an organization that has multiple locations reporting into a head office needs a security policy that can adjust to their geographic realities. Obtaining this information requires input from business leaders across the organization & a willingness to coordinate policies and solutions. Build a security foundation from the start It’s essential to have an advocate or security evangelist in place to facilitate communication among various business units & their IT department or MSP (Managed Services Provider.) This person must solicit ideas from various departments & locations & hold regular meetings to keep key individuals informed on security initiatives.

Make staff training a priority Many company managers are not particularly knowledgeable about security & therefore completely leave their concerns to their IT providers ‘to deal with.’ While this responsibility is part of any effective Managed Service Provider’s expertise, it is only part of the solution. A secure environment requires a sound strategy & smart tactics from the organization.

Adopt a framework for managing security Companies must learn to take a proactive approach to managing security as opposed to one that is reactionary. To avoid constantly putting out fires in reactionary modes, create checklists & schedules for managing security tasks. For example back-ups should be scheduled & completed daily, weekly & monthly using the proper metrics and industry best practices whenever possible to gauge performance. One helpful source is the Center for Internet Security, which offers an array of tools, many free of charge. These cover everything from minimum care levels to advanced mobile & enterprise benchmarks for Windows 7 & other applications.

about

Executive

focus

Executive focus is written... ... for Entrepreneurial Executives, Senior Managers and Manager’s being groomed for advancement.

... to encourage innovative thinking, creative problem solving, and to help you make quantum leaps.

... by business technology experts to be an invaluable educational

Innovation Networks provides IT services to our clients including security solutions such as: • Spam Filters • Anti-virus solutions • SSL certificates, • Firewalls • Secure Back-ups

tool that will make your organization better.

The best executives today can no longer afford to be in the dark regarding technology opportunities and threats. Technology needs to be front and center when it comes to strategic decision making.

Business Technology

SEMINARS

The “Business Technology Seminar” is for proactive business people. The course is a complete, seven part seminar with over 100 practical and effective ideas that will improve every aspect of your business operations.