July 16, 2010
Vol. 32 Issue 15
Page(s) 1 in print issue
Assess Your Defenses
Regular Security Evaluation Is A Top Priority In A World Of Ever-Expanding Threats
All is quiet on the IT front. Your systems are operating as designed, and the IT staff hasn’t reported a serious security breach in ages. Yet despite the calm, are you truly confident that your enterprise’s defenses are ready to protect your assets if a major threat came crashing through the doors? In a world teeming with increasingly sophisticated intrusion methods, nonchalance is never a wise strategy.
• Although seemingly secure controls might be in place, intruders will almost always find and exploit any existing vulnerabilities if something valuable resides behind those controls.
• A thorough security assessment should not only identify your critical assets but also the potential threats to those assets and how much damage the threats could cause.
• Instead of relying solely on in-house personnel to test your systems, consider hiring an outside auditor who can approach the process without familiarity and bias.
“Being vigilant about monitoring for threats is essential, and enterprises need to realize this before a threat actually becomes an issue, so that threats can be managed by exception and not ‘trial by fire,’” says Gene Kim, CTO and co-founder of Tripwire (www.tripwire.com). “Many attacks take advantage of misconfigured, inadequately configured, or inconsistently configured infrastructures. It is essential to obtain visibility into all the activities, events, and changes that relate to business-critical systems and resources.”
Know Your Security
A strong security track record might indicate that your defenses are indeed strong, but it could just as easily reflect a string of good luck. Regardless of whether you’ve been hit by malware or other threats, it makes sense to test your security systems regularly to ensure that they can handle whatever comes your way. A closer look might reveal vulnerabilities where you’d never expect them.
Take the example of a company that lost $450,000 as a result of a banking Trojan that took advantage of several missing or inadequate layers of defense. According to Brian Beal, information security officer at Sensiba San Filippo (www.ssfllp.com), that client has since spent months and countless man-hours trying to recover from the overnight theft.
“Here is how the attack occurred: The client allowed open, unfiltered Internet access for employees, which resulted in a payroll administrator’s PC getting infected with a banking Trojan,” Beal explains. “This payroll employee then logged in to the company’s online bank account, which was an administrator-level account, allowing the attackers to gain access to the account. The attackers then changed the password of the payroll employee’s account and set up multiple new admin-level accounts, from which they transferred the $450,000 out to accounts set up at other banks.”
Several security downfalls led to the successful attack, Beal says. These included open Internet access that permitted employees to visit non-business-related Web sites; elevated privileges, which go against the recommended security principle of “least privilege,” in which users are granted enough rights only to do their jobs; and lack of user awareness. “Employees need to be made aware of the vulnerabilities and threats facing company assets, and they need to know what their responsibilities are in the protection of those assets,” Beal says. “If this particular payroll admin had been trained to understand the risks of visiting non-business-related Web sites, perhaps they could have avoided the site that led to the Trojan infection.”
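The attack above succeeded because the hijacked session carried administrator rights over the bank account. The following Python model is an added example, not code from the article, Beal, or any bank: it replays the attacker's steps (create new admin accounts, move $450,000) against the same account under two policies and shows what least privilege and dual control change. The permission names, the roles, the dual-control threshold, and the assumption that an attacker acts with exactly the rights of the logged-in user are all assumptions made for illustration.

```python
"""Least privilege and dual control for a model online-banking account.

Added example, not from the article or any vendor it names. The attacker is
assumed to act with whatever rights the hijacked session holds. Roles,
permission names and the approval threshold are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed permission vocabulary for the bank portal.
ADMIN_PERMS = {"view_balance", "initiate_transfer", "approve_transfer", "create_user"}
# Least-privilege payroll role: may prepare payroll transfers and nothing else.
PAYROLL_PERMS = {"view_balance", "initiate_transfer"}
ROLES = {"admin": ADMIN_PERMS, "payroll": PAYROLL_PERMS}

# Assumed dual-control threshold: transfers at or above this amount wait for a
# second, different approver before funds move.
DUAL_CONTROL_THRESHOLD = 10_000


class Denied(Exception):
    """Missing permission or a separation-of-duties violation."""


@dataclass
class Session:
    user: str
    role: str

    def can(self, perm):
        return perm in ROLES[self.role]


@dataclass
class Bank:
    balance: int
    users: dict = field(default_factory=dict)    # user -> role
    pending: dict = field(default_factory=dict)  # transfer id -> (initiator, amount)
    next_id: int = 1

    def _require(self, s, perm):
        if not s.can(perm):
            raise Denied(f"{s.user} ({s.role}) lacks {perm}")

    def create_user(self, s, name, role):
        self._require(s, "create_user")
        self.users[name] = role
        return f"created {name} as {role}"

    def transfer(self, s, amount):
        """Small transfers move at once; large ones only enter the pending queue."""
        self._require(s, "initiate_transfer")
        if amount >= DUAL_CONTROL_THRESHOLD:
            tid, self.next_id = self.next_id, self.next_id + 1
            self.pending[tid] = (s.user, amount)
            return ("pending", tid)
        self.balance -= amount
        return ("sent", amount)

    def approve(self, s, tid):
        """Second-person approval; the initiator may never approve their own transfer."""
        self._require(s, "approve_transfer")
        initiator, amount = self.pending[tid]
        if initiator == s.user:
            raise Denied("initiator may not approve their own transfer")
        del self.pending[tid]
        self.balance -= amount
        return ("sent", amount)


def attacker_playbook(bank, session):
    """Replay the described intrusion with a hijacked session; record each step's outcome."""
    steps = {}
    try:
        steps["create_mule_admin"] = bank.create_user(session, "mule_admin", "admin")
    except Denied as e:
        steps["create_mule_admin"] = f"denied: {e}"
    steps["transfer_450k"] = bank.transfer(session, 450_000)  # both roles may initiate
    status, tid = steps["transfer_450k"]
    if status == "pending":
        if bank.users.get("mule_admin") == "admin":
            # The attacker approves with the account they just minted.
            steps["approve"] = bank.approve(Session("mule_admin", "admin"), tid)
        else:
            steps["approve"] = "blocked: no second approver under attacker control"
    return steps


def compare():
    """Same attacker actions against an admin-level and a least-privilege payroll session."""
    out = {}
    for label, role in (("admin_session", "admin"), ("payroll_session", "payroll")):
        bank = Bank(balance=500_000, users={"payroll1": role})
        steps = attacker_playbook(bank, Session("payroll1", role))
        out[label] = {"steps": steps, "balance": bank.balance}
    return out


if __name__ == "__main__":
    for label, result in compare().items():
        print(label, result)
```

With the admin-level session the attacker mints a second administrator and uses it to satisfy the dual-control rule, so the balance drops to 50,000; with the payroll role the account creation is refused, the large transfer sits in the pending queue for a legitimate approver to see, and nothing leaves. The point is that dual control only holds when the compromised account cannot create its own approvers.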
Beal recommends conducting an information security risk assessment to determine which assets are mission-critical and to address the threats that could impact your enterprise. The assessment should identify critical assets (such as systems, data, and processes), identify the likely threats to those assets (such as theft, intrusion, fraud, fire, and vandalism), and determine the value of each asset along with an estimate of the potential damage. From there, Beal says, the assets should be prioritized by importance, the enterprise should decide on cost-effective controls to reduce the risk to those assets, and the results should be documented to facilitate an action plan for implementing new policies and appropriate controls.
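One way to carry the steps above through to a documented plan is a quantitative risk register. The Python below is an added example, not Beal's or Sensiba San Filippo's method: it applies the common Annualized Loss Expectancy model (single-loss expectancy is asset value times exposure factor; ALE is SLE times the annualized rate of occurrence) to rank asset/threat pairs, then scores candidate controls with a return-on-security-investment ratio so that controls costing more than the loss they avoid are dropped. Every asset value, rate, and control cost in it is constructed for illustration.

```python
"""Quantitative risk register for prioritizing assets and choosing controls.

Added example; not Beal's or Sensiba San Filippo's method. It uses the common
Annualized Loss Expectancy model (SLE = asset value x exposure factor,
ALE = SLE x ARO) and a return-on-security-investment ratio to rank controls.
Every asset value, rate and control cost below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float   # impact value of the asset in currency units
    exposure: float      # fraction of that value lost in one incident (0..1)
    aro: float           # annualized rate of occurrence (incidents per year)

    @property
    def sle(self):
        """Single-loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure

    @property
    def ale(self):
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: tuple      # (asset, threat) pairs the control applies to
    ale_reduction: float  # fraction of each mitigated risk's ALE removed (0..1)
    annual_cost: float


# Constructed register loosely mirroring the scenario in the article.
RISKS = [
    Risk("Online banking account", "Credential theft via malware", 450_000, 1.0, 0.25),
    Risk("Payroll workstation", "Malware infection", 4_000, 1.0, 2.0),
    Risk("File server", "Hardware failure", 20_000, 0.5, 0.5),
    Risk("Office", "Fire", 800_000, 0.25, 0.0625),
]

BANKING = ("Online banking account", "Credential theft via malware")
WORKSTATION = ("Payroll workstation", "Malware infection")

CONTROLS = [
    Control("Web filtering and endpoint hardening", (BANKING, WORKSTATION), 0.5, 10_000),
    Control("Dual control and least privilege on bank accounts", (BANKING,), 0.75, 5_000),
    Control("Security awareness training", (BANKING, WORKSTATION), 0.25, 8_000),
    Control("Fire suppression upgrade", (("Office", "Fire"),), 0.5, 12_000),
]


def total_ale(risks):
    return sum(r.ale for r in risks)


def prioritize(risks):
    """Asset/threat pairs ordered by expected annual loss, highest first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def rosi(control, risks):
    """Return on security investment: (loss avoided - cost) / cost.

    Positive means the control saves more than it costs; negative means the
    risk is cheaper to accept or needs a cheaper control."""
    avoided = sum(r.ale * control.ale_reduction
                  for r in risks if (r.asset, r.threat) in control.mitigates)
    return (avoided - control.annual_cost) / control.annual_cost


def select_controls(controls, risks):
    """Controls worth funding, best ROSI first; negative-ROSI controls are dropped."""
    scored = [(c, rosi(c, risks)) for c in controls]
    return sorted([cr for cr in scored if cr[1] > 0], key=lambda cr: cr[1], reverse=True)


def plan(risks, controls):
    """The documented outcome: priority list, funded controls, rejected controls."""
    funded = select_controls(controls, risks)
    funded_names = {c.name for c, _ in funded}
    return {
        "priority": [(r.asset, r.threat, r.ale) for r in prioritize(risks)],
        "funded": [(c.name, score) for c, score in funded],
        "rejected": [c.name for c in controls if c.name not in funded_names],
        "total_ale": total_ale(risks),
    }


if __name__ == "__main__":
    for key, value in plan(RISKS, CONTROLS).items():
        print(key, value)
```

On this register the banking-credential risk dominates the priority list, the cheap account-level controls score highest, and the fire-suppression upgrade is rejected because it costs more per year than the loss it would avoid. The figures are illustrative; in practice the ARO and exposure estimates are the weakest inputs and should be revisited at each assessment cycle.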
When evaluating your defenses, relying on personnel who are overly familiar with the systems might not be the best tactic. Instead, it can make sense to employ an outside auditor—or attacker, if you will—to test those systems and look for leaks. Joseph Pedano, vice president of data engineering for Evolve IP (www.evolveip.net), notes that although these assessments might be costly, they accomplish two important things.
“They will give you a present-day assessment of where your security issues are, and most times, the auditor will give you suggestions on how to improve upon the issues they have identified,” Pedano says. “Most assessments provide an ‘un-jaded’ view into your enterprise and are easier to work with than an internal audit that might take the ‘well, that’s the way it is’ approach.”
Conducting longer-range assessments can also help to determine your overall security level. Beal recommends tracking security-related incidents (such as malware infections, incident-related downtime, and firewall-repelled attacks) over a six-month period. Once additional security measures have been implemented at the end of that period, IT personnel can compare the following six months with the original baseline and, ideally, see a decrease in incidents or problems. Beal says this tracking can be done through the IT help desk ticketing system so that companies don’t incur additional assessment costs.
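The comparison described above can be produced directly from a ticket export. The Python below is an added example, not a tool the article or Beal describes: it assumes a CSV export with date, category, and summary columns (the column names and category labels are assumptions), counts security tickets in the six calendar months before and after a cutover date when new controls went live, and reports the change per category. It also keeps "something got through" categories (infections, downtime) apart from "a control did its job" categories (repelled attacks), because better logging can raise the repelled count without any real change in exposure. The ticket rows are constructed.

```python
"""Before/after comparison of security incidents from help-desk ticket data.

Added example; not a tool the article or Beal describes. It assumes a CSV
export with the columns date, category, summary (column names and category
labels are assumptions) and compares the six calendar months before a cutover
date, when new controls went live, with the six months after. The ticket rows
below are constructed.
"""
import calendar
import csv
import io
from collections import Counter
from datetime import date

# Assumed category labels. "Impact" tickets mean something got through;
# "repelled" tickets mean a control did its job. They are trended separately
# because better logging can raise the repelled count without any real change.
IMPACT = {"malware", "phishing", "security_downtime"}
REPELLED = {"blocked_attack"}
SECURITY_CATEGORIES = IMPACT | REPELLED

SAMPLE_EXPORT = """\
date,category,summary
2009-05-20,malware,Infection before the comparison window
2009-07-03,malware,Trojan on payroll workstation
2009-08-14,malware,Adware on marketing laptop
2009-09-02,password_reset,User forgot password
2009-10-21,blocked_attack,Firewall repelled SSH brute force
2009-11-11,malware,Fake antivirus popup infection
2009-12-18,security_downtime,Mail server offline during malware cleanup
2010-01-04,phishing,User entered credentials on phishing page
2010-01-20,malware,Drive-by download from news site
2010-02-09,blocked_attack,Firewall repelled port scan
2010-03-15,printer,Toner empty
2010-04-06,blocked_attack,Web filter blocked known malware host
2010-05-12,blocked_attack,Blocked outbound connection to botnet controller
2010-08-01,malware,Infection after the comparison window
"""


def add_months(d, n):
    """Shift a date by n calendar months, clamping the day to the month's length."""
    m0 = d.month - 1 + n
    y, m = d.year + m0 // 12, m0 % 12 + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def parse_tickets(text):
    """Yield (date, category) for each ticket row; the summary is not needed here."""
    for row in csv.DictReader(io.StringIO(text)):
        yield date.fromisoformat(row["date"]), row["category"]


def window_counts(tickets, cutover, months=6):
    """Security tickets per category in [cutover-months, cutover) and [cutover, cutover+months)."""
    start, end = add_months(cutover, -months), add_months(cutover, months)
    before, after = Counter(), Counter()
    for d, cat in tickets:
        if cat not in SECURITY_CATEGORIES:
            continue  # password resets, printers and the like are not incidents
        if start <= d < cutover:
            before[cat] += 1
        elif cutover <= d < end:
            after[cat] += 1
    return before, after


def pct_change(b, a):
    """Percent change, or None when the baseline is zero and no ratio exists."""
    return None if b == 0 else round((a - b) / b * 100, 1)


def trend(before, after):
    """Per-category and per-group (before, after, percent change) tuples."""
    rows = {cat: (before[cat], after[cat], pct_change(before[cat], after[cat]))
            for cat in sorted(SECURITY_CATEGORIES)}
    for name, group in (("impact", IMPACT), ("repelled", REPELLED), ("all", SECURITY_CATEGORIES)):
        b, a = sum(before[c] for c in group), sum(after[c] for c in group)
        rows[name] = (b, a, pct_change(b, a))
    return rows


def compare_periods(export_text, cutover_iso):
    before, after = window_counts(parse_tickets(export_text), date.fromisoformat(cutover_iso))
    return trend(before, after)


if __name__ == "__main__":
    for name, (b, a, pct) in compare_periods(SAMPLE_EXPORT, "2010-01-01").items():
        print(f"{name:18} before={b} after={a} change={pct}")
```

On the constructed data the raw total is flat (five security tickets in each half-year), which would look like no progress. Split by group, infections and downtime fall by half while repelled attacks triple, which is the pattern you would expect after deploying web filtering and endpoint controls. Reporting the groups separately is what makes the six-month comparison meaningful.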
Finally, don’t forget user awareness training—a method that could have prevented Beal’s client from losing hundreds of thousands of dollars. Evaluation should also occur here by following up on the training with surveys or interviews. By doing this over time, Beal says, security personnel can determine if there is an elevation of security consciousness as well as if the training is effective or if its message or delivery method needs to be altered.
by Christian Perry
Expand Your Vision
The process of evaluating your security defenses isn’t simply a device for putting out fires or satisfying customer complaints about specific system issues. These assessments carry a broader value: they help ensure that the entire business can operate as expected and that its reputation remains intact, says Phil Lieberman, CEO of Lieberman Software (www.liebsoft.com).
“IT needs to understand that there is a substantial business value to examining security of their workstations and servers on a regular basis and [that] the implementation of enterprise security protections, monitoring, and password management can actually make their lives easier as well as protect the assets and reputation of the company or organization they work for,” Lieberman says.
The investment of time, money, and resources into security is akin to insurance, he adds, except that it actually removes plenty of workload and IT-related uncertainty. But although technology is essential, good security also relies on solid organizational practices. Lieberman points to GRC (governance, risk management, and compliance) frameworks for details on these practices, but companies must first commit and agree that there is value in better security—from both organizational and investment perspectives.