White Paper

Introduction

How secure is your company’s information? In this age of distributed computing and of client-server and Internet-enabled information access, computer security consistently rises to the top of most "important issues" lists.
 
To answer this question with certainty is difficult; there are no absolutes in security. An important first step for most corporations is a security policy that establishes acceptable behavior. The next, and more critical, step is to enforce that security policy and measure its effectiveness. A security policy is in tension with user convenience, and that tension pushes everyday security practice away from the written policy. Additionally, when new machines or applications are configured, security-related issues are often overlooked. The gap between central policy and decentralized practice can therefore be immense. Enforcing and measuring policy are significant tasks, as are identifying problems and taking corrective action on a constantly changing network. Many enterprises fall back on blind faith rather than wrestle with the fear of the unknown.
 
Sources of Risk
In order to assess your true security profile, you must first understand the sources of risk. The most infamous risk is embodied by the external hacker accessing a corporate information system via the Internet. Traditionally, these hackers view breaking into a system as mountain-climbers view scaling a cliff: for them it is the next great challenge. However, as ever-increasing numbers of corporations interconnect their information systems, successful break-ins become commercially rewarding. Practitioners of industrial espionage now view the computers on the Internet as valuable potential sources of information. Often these "professionals" masquerade as the traditional hacker to disguise their true purposes.
 
Although the threats from external attacks are real, they are not the principal source of risk. FBI statistics show that more than 60% of computer crimes originate inside the enterprise. These risks can take multiple forms. Unscrupulous employees may be searching for organizational advantages. A disgruntled employee may be co-opted by an industrial espionage agent. Increasingly, corporations are turning to contractors for specialized skills or to absorb temporary increases in workload. These contractors are often given access to the corporate information system, and thus they too can present a risk to corporate information.
 

Lines of Defense for the Corporate Information System

 
Firewalls
 
Many enterprises erect a firewall as the first and often only line of defense for their information systems. A firewall is a device that controls the flow of communication between internal networks and external networks, such as the Internet. Many corporations assume that, once they have installed a firewall, they have reduced all their network security risks.
 
A firewall must be configured to allow or deny appropriate traffic. The configuration process can be highly susceptible to human error. In a dynamically changing environment, system managers routinely reconfigure firewalls without regard to security implications. Access control lists on a firewall can be numerous and confusing. You must be sure that the firewall has been set up correctly and that it is performing well.
 
Internal Defenses
 
Even when properly configured, a firewall can only repel connection attempts that come through the firewall itself. This is the logical equivalent of the Maginot line that defended France’s border with Germany before World War II. The forts and defenses of the Maginot line were impenetrable; however, an attack around the line through neighboring countries completely circumvented it. The attackers were able to move easily through the rest of the country because the French defense efforts had been focused on the Maginot line. Likewise, an information attack can be mounted via a modem on the internal network. If all of the enterprise’s defenses are focused on the firewall, then an attack that circumvents the firewall through a modem, or an internally based attack, will have free rein over the information systems.
 
Thus the security features of the internal computers must also be employed. The important balance between convenience for the users and security concerns must be considered. That is, the computer systems must be allowed to be collaborative, with appropriate access to information and functions across systems. At the same time, this very access provides a wide-open avenue for the industrial espionage attack.
 
Often the elements of the enterprise’s computer system must be updated to eliminate security risks introduced by bugs in operating systems and network service programs. If a bug creates a performance-related problem, then it is a "squeaky wheel" that will drive the upgrade. A program or service that functions normally despite its security bugs can easily be overlooked as a candidate for upgrade. By the time a security-related bug becomes the proverbial "squeaky wheel", it is too late.
 

Assessing IT Security

 
Security must be assessed from multiple viewpoints for the best overall picture. These perspectives range from the physical security of the machines to the configuration of the firewalls to the trustworthiness of workers. Industrial espionage has a long history in the physical world, and numerous practices have been developed to handle that portion of security assessment. Network-based industrial espionage has a much shorter history, and its assessment practices are correspondingly less developed.
The security profile of a network of machines can be assessed from three principal vantage points:
      1. From outside the enterprise - the view of the computer infrastructure through the firewall
      2. From inside the enterprise - the view of the computers from behind the firewall
      3. From the computer keyboard - the view from the operating system of the individual machine itself
Each of these perspectives reveals unique security vulnerabilities. Removing the vulnerabilities as seen from outside the enterprise is the first step to halt the efforts of the casual hacker and the industrial espionage agent. Removing the vulnerabilities as they appear from behind the firewall accomplishes two goals. It creates a second line of defense should the firewall become compromised, and it creates a defense against the "blitzkrieg" attack around the firewall through a modem or other unprotected entryway. Finally, evaluating security from the machines themselves closes vulnerabilities that could be exploited through a firewall or from other machines on the network. It also hardens the machines, restricting the avenues of attack for the disgruntled worker or the co-opted contractor.
 
 

Assessment Strategies

 
The Ideal Strategy
 
The ideal assessment strategy begins with the individual machines before they are ever interconnected. Each machine’s vulnerabilities are corrected, giving the network of machines a reasonable start. Next, the network of computers is probed for security vulnerabilities: the move from individual machines to an inter-network of interdependent machines typically creates a significant number of exploitable holes. Finally, the external network defenses, the firewall, are verified. In this final stage the last layer of defense, which is the first layer encountered by an information adversary, can be thoroughly checked, and problems are more easily isolated to the configuration and performance of the firewall connections themselves.
 
The Pragmatist Strategy
 
In real life the machines, the inter-network of computers and often the external connections to the Internet already exist. Additionally, a significant number of vulnerabilities exist at each level of the enterprise’s information systems. Often the number of known vulnerabilities exceeds an organization’s capacity to implement corrective action. This imbalance between known vulnerabilities and corrective capacity is a chief contributor to the gap between an enterprise’s security policy and security practice. An enterprise in this position often does not care to learn of more security vulnerabilities, following a "what I don’t know won’t hurt me" philosophy.
 
The real danger in this situation is that the scarce resources available to implement corrective security measures are squandered on the most well-known vulnerabilities instead of being allocated to the vulnerabilities that pose the greatest risk to the enterprise. Firms in this position should invest in knowledge so that their limited resources are optimally deployed. The first step in a resource investment decision is to fully understand the range of options available and then pick the portfolio of investments that presents the highest aggregate return. In security assessment, the firm must first evaluate all the vulnerabilities from all perspectives: system, internal and external. Aggregating and prioritizing the list of vulnerabilities then provides a guideline for investing in corrective action to improve the match between security practice and security policy.
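The portfolio view of corrective action described above, as an added example that is not part of the white paper: constructed findings from the three perspectives, each with an estimated risk and remediation effort, and two ways of spending a fixed corrective capacity, by notoriety (the "squeaky wheel") versus by aggregate risk removed. Names and numbers are illustrative assumptions.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Finding:
    """One vulnerability from one assessment perspective (constructed data)."""
    name: str
    perspective: str  # "external", "internal" or "system"
    risk: int         # expected loss to the enterprise if exploited (arbitrary units)
    effort: int       # person-days of corrective capacity needed to fix it
    notoriety: int    # how widely publicised the issue is, 1 (obscure) to 5 (famous)


# Constructed sample findings; names and values are illustrative, not from the paper.
FINDINGS = [
    Finding("firewall permits inbound telnet", "external", risk=40, effort=1, notoriety=5),
    Finding("unpatched public web server", "external", risk=30, effort=3, notoriety=5),
    Finding("dial-in modem behind the firewall", "internal", risk=90, effort=3, notoriety=1),
    Finding("shared admin password on file server", "internal", risk=60, effort=2, notoriety=2),
    Finding("contractor accounts never expire", "system", risk=50, effort=2, notoriety=1),
    Finding("default SNMP community string", "system", risk=15, effort=1, notoriety=4),
]


def by_notoriety(findings, capacity):
    """The 'squeaky wheel' allocation: fix the most talked-about issues first
    until the corrective capacity (in person-days) is exhausted."""
    chosen, used = [], 0
    for f in sorted(findings, key=lambda f: -f.notoriety):
        if used + f.effort <= capacity:
            chosen.append(f)
            used += f.effort
    return chosen


def by_risk_portfolio(findings, capacity):
    """Portfolio allocation: the subset of fixes that removes the most aggregate
    risk within capacity. Exhaustive search is fine for an assessment list of
    modest size; a 0/1 knapsack dynamic program scales to hundreds of findings."""
    best, best_risk = [], 0
    for r in range(1, len(findings) + 1):
        for combo in combinations(findings, r):
            if sum(f.effort for f in combo) <= capacity:
                risk = sum(f.risk for f in combo)
                if risk > best_risk:
                    best, best_risk = list(combo), risk
    return best


def risk_removed(chosen):
    """Aggregate risk eliminated by a chosen set of corrections."""
    return sum(f.risk for f in chosen)
```

With six person-days of capacity, the notoriety-driven allocation fixes the three most publicised items and removes 85 units of risk, while the portfolio allocation spends the same six days on the modem, the shared password and the telnet rule and removes 190.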
 

Continuous Security Improvement

 
As individual vulnerabilities are corrected under any security improvement process, they should stay fixed. Thus the corrections must be monitored continually. By monitoring these changes over time, the firm can look for the root causes of frequently recurring vulnerabilities, and then move on to lower-priority vulnerabilities.
 
By undertaking a strategy of consistently fixing vulnerabilities, monitoring them to make sure they stay fixed, and analyzing the causes of recurring vulnerabilities, the enterprise enters the mode of continuous security improvement. The feedback loop of a security assessment provides the information flow necessary to improve the security of the enterprise's information systems.
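The monitoring loop described in this section, as an added example not taken from the paper: a constructed history of repeated assessments is checked for findings that failed to stay fixed, findings never fixed at all, and vulnerability classes recurring across hosts that point at a root cause. Host names and finding texts are illustrative assumptions.

```python
from collections import Counter

# Constructed assessment history: each entry is one repeated assessment and the
# set of (host, vulnerability) findings still open at that time. Illustrative only.
ASSESSMENTS = [
    {("fs01", "anonymous FTP enabled"), ("fs01", "guest account active"),
     ("ws07", "unpatched network service"), ("mail01", "open SMTP relay")},
    {("ws07", "unpatched network service"), ("mail01", "open SMTP relay"),
     ("fs02", "anonymous FTP enabled")},
    {("fs01", "anonymous FTP enabled"), ("fs02", "anonymous FTP enabled"),
     ("mail01", "open SMTP relay")},
]


def regressions(history):
    """Findings that were fixed in one assessment and reappeared in a later one.
    Returns {(host, vuln): number of times it came back}: the 'stay fixed' check."""
    came_back = Counter()
    currently_fixed = set()
    for prev, cur in zip(history, history[1:]):
        currently_fixed |= prev - cur            # disappeared since last time...
        for finding in cur & currently_fixed:    # ...but is open again now
            came_back[finding] += 1
            currently_fixed.discard(finding)
    return dict(came_back)


def never_fixed(history):
    """Findings present in every assessment: corrective action never reached them."""
    return set.intersection(*history)


def root_cause_candidates(history, min_hosts=2):
    """Vulnerability classes seen on several different hosts over time. A problem
    that keeps appearing on different machines suggests a shared cause (a build
    image, a missing configuration standard) rather than a one-off mistake."""
    hosts_by_vuln = {}
    for snapshot in history:
        for host, vuln in snapshot:
            hosts_by_vuln.setdefault(vuln, set()).add(host)
    return {v: sorted(h) for v, h in hosts_by_vuln.items() if len(h) >= min_hosts}


def occurrences(history):
    """Total (assessment, host) occurrences per vulnerability class, for deciding
    which root cause to chase first."""
    return dict(Counter(vuln for snapshot in history for _, vuln in snapshot))
```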
 
Successful Security Assessment Practice
 
To be successful, a security audit must be thorough; it cannot leave out possible vulnerabilities. It must also be repeatable, to provide a consistent perspective on the firm's security practice. By its very nature, a security assessment will initially increase the workload of an MIS department. These seemingly conflicting goals can be met through security auditing tools that provide a thorough and repeatable process together with an effective means of implementing corrective actions.

For questions or comments, give us a call. 1-800 762-3696

 

 
Copyright © 1999-2001  Palace Guard Software - All copyrighted items are the property of their respective owners. The IBM logo, AS400 and OS/400 are registered trademarks of IBM Corporation
    Last modified: November 05, 2003