Computer Crime Research Center


Computer crime: Data breaches

Date: July 19, 2005
By: CyberArk

... today are the lack of senior management’s commitment to drive a “culture of security” and set the proper tone throughout their enterprises, a lack of employee security awareness training, and a failure to consistently adhere to strong security best practices and procedures. Addressing these failings could greatly reduce embarrassing and costly data breaches.

To help mitigate data breaches, organisations need to:

I. Classify and Determine the Value of Data and Business-Technology Systems
Security professionals know that before any data can be cost-effectively protected, it must first be classified. The first task in risk assessment is to identify, assess, classify and then decide the value of digital assets and systems. Many executives consider that the most difficult aspect of a risk assessment is uncovering the abundance of system and configuration vulnerabilities that place their systems at risk. Not so: an abundance of tools is available to help automate that task. Deciding, organisation-wide, the value of data and intellectual property is one of the most daunting tasks security professionals confront. How much is the research and development data worth? How much will it cost the organisation if it loses access to the accounting or customer-relationship management systems for a day?

Without knowing the value of information, and the systems that ensure its flow, it’s impossible to make reasonable decisions as to how much should be invested to protect those systems and information. It makes little sense to spend $200,000 annually to protect information that wouldn’t cost an organisation more than $25,000 if it were exposed or lost. Tough decisions relating to the value of information need to be made. And that means bringing together management, legal, human resources, physical security, and other groups within the organisation.

II. Adhere to Network Security Basics
Good network security comes down to allowing only authorised access—both people and devices—to computing systems. The firewall is the cornerstone of network security and serves as the gatekeeper between one network and another (between a trusted corporate network and the Internet or the networks of business partners, customers, and other members of the extended enterprise).

Enterprise networks should regularly undergo a risk assessment. As part of the risk assessment, security managers need to identify and then classify each portion of their network and its risk level, and then dedicate the appropriate levels of protective security controls. High-risk systems include those that, if compromised or destroyed, could lead to significant business disruption or give rise to potentially serious financial and legal repercussions. Because of their function within business-technology infrastructures, the following types of devices and systems are typically high risk: network routers, firewalls, and database and application servers.

Virtually every type of network-connected system should be classified. Once risk levels have been assigned to networked devices, it’s time to determine which types of users need access to those systems. Typical user sets include: administrator/privileged users, employees, business partners, as well as customers and other external users who may need limited access to internal systems.

The goal of network risk assessment is to maintain the delicate balance between security and adequate access to business systems. Networks should undergo regular risk analysis. Any changes to a network which could result in lowering an organisation’s security posture should always be reviewed by security managers. These include changes to firewall configuration and alterations to access-control lists (ACLs). Current software versions should be maintained on all servers and network equipment.
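The review of firewall and ACL changes described above can be partly automated by diffing a proposed rule set against the approved baseline and flagging only the changes that widen access. The following is an added example, not code from the article or from CyberArk; it assumes a constructed, simplified rule syntax (`<allow|deny> <tcp|udp|any> <src CIDR> -> <dst CIDR> <lo-hi>`) and constructed sample rule sets. A real deployment would parse the firewall's own export into the same tuples.

```python
"""Review firewall rule-set changes for anything that lowers security posture.

Added example (not from the article or CyberArk). Assumes a simplified,
constructed rule syntax:  <allow|deny> <tcp|udp|any> <src CIDR> -> <dst CIDR> <lo-hi>
A real deployment would parse the firewall's own export into these tuples.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    ports: tuple          # (low, high) inclusive destination port range


def parse_rules(text):
    """Parse the constructed rule syntax; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, _arrow, dst, ports = line.split()
        low, high = (int(p) for p in ports.split("-"))
        rules.append(Rule(action, proto, src, dst, (low, high)))
    return rules


def covers(broad, narrow):
    """True if allow rule `broad` permits everything that allow rule `narrow` permits."""
    if broad.action != "allow" or narrow.action != "allow":
        return False
    proto_ok = broad.proto in ("any", narrow.proto)
    src_ok = ip_network(narrow.src).subnet_of(ip_network(broad.src))
    dst_ok = ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
    ports_ok = broad.ports[0] <= narrow.ports[0] and narrow.ports[1] <= broad.ports[1]
    return proto_ok and src_ok and dst_ok and ports_ok


def review_changes(baseline, current):
    """Return (finding, rule) pairs a security manager should review:
    allow rules not fully covered by the baseline (new or widened access)
    and deny rules that were dropped from the baseline."""
    findings = []
    for rule in current:
        if rule.action == "allow" and not any(covers(b, rule) for b in baseline):
            findings.append(("WIDENED_ACCESS", rule))
    for rule in baseline:
        if rule.action == "deny" and rule not in current:
            findings.append(("DENY_REMOVED", rule))
    return findings


# Constructed sample rule sets: the SSH source is widened from /16 to /8,
# a new world-reachable RDP allow appears, and the catch-all deny is dropped.
BASELINE = """
allow tcp 10.0.0.0/8   -> 10.1.5.10/32 443-443
allow tcp 10.2.0.0/16  -> 10.1.5.20/32 22-22
deny  any 0.0.0.0/0    -> 10.1.5.0/24  1-65535
"""
CURRENT = """
allow tcp 10.0.0.0/8   -> 10.1.5.10/32 443-443
allow tcp 10.0.0.0/8   -> 10.1.5.20/32 22-22
allow tcp 0.0.0.0/0    -> 10.1.5.30/32 3389-3389
"""

if __name__ == "__main__":
    for finding, rule in review_changes(parse_rules(BASELINE), parse_rules(CURRENT)):
        print(f"{finding:15} {rule.action} {rule.proto} {rule.src} -> {rule.dst} {rule.ports}")
```

The check is deliberately one-sided: a narrowed allow or an added deny never produces a finding, so reviewers see only posture-lowering changes. It ignores first-match ordering, so on firewalls where rule order matters a reordering that moves an allow above a deny would still need a manual look.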

III. Strictly Maintain Strong Application Security Processes
The CERT Coordination Center, a security watch group, estimates that 99 percent of all security intrusions result from the exploitation of system configuration errors and known vulnerabilities within software applications.

Gartner reports that organisations that incorporate a vulnerability management process will experience 90 percent fewer attacks than organisations that invest the same resources into intrusion-detection systems.

One of the most effective ways to mitigate risks to business-technology systems is to regularly (weekly, monthly, or quarterly, depending on asset value, threats, and organisational risk-comfort levels) scan applications for known software vulnerabilities. As soon as a software vendor publishes a software update, or “patch,” enterprises should immediately begin the patch testing and deployment process. Hackers begin developing exploit code within hours or days of a software vendor issuing the patch. Attackers now create worms and automated software attacks known as “exploits” within a month of public disclosure of a vulnerability.
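To act on the cadence described above, a vulnerability management process needs to know, per asset, how long a published fix has gone undeployed and whether that exceeds what the asset's risk tier allows. The following is an added example, not code from the article or from CyberArk; the product names, versions, advisory dates and the allowed lag per tier are all constructed, with the tiers mirroring the weekly/monthly/quarterly cadence the text describes.

```python
"""Patch-lag report: which assets still run a version with a published fix,
and for how long, judged against a cadence tied to asset value.

Added example (not from the article or CyberArk). The product names, versions,
advisory dates and the allowed lag per tier are all constructed; the tiers
mirror the article's weekly/monthly/quarterly cadence.
"""
from dataclasses import dataclass
from datetime import date

# Constructed policy: maximum days a published fix may remain undeployed, per asset tier.
ALLOWED_LAG_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass
class Asset:
    name: str
    tier: str            # "high", "medium" or "low", from the risk classification
    product: str
    version: str


@dataclass
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    published: date      # date the vendor released the patch


def version_key(version):
    """Compare dotted numeric versions component-wise (assumes numeric components only)."""
    return tuple(int(part) for part in version.split("."))


def patch_lag_report(assets, advisories, today):
    """Return one row per (asset, unapplied advisory), overdue rows first, then by exposure."""
    rows = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if version_key(asset.version) >= version_key(adv.fixed_version):
                continue  # fix already deployed
            exposed_days = (today - adv.published).days
            status = "OVERDUE" if exposed_days > ALLOWED_LAG_DAYS[asset.tier] else "WITHIN_WINDOW"
            rows.append({"asset": asset.name, "tier": asset.tier, "product": adv.product,
                         "fixed_version": adv.fixed_version, "exposed_days": exposed_days,
                         "status": status})
    return sorted(rows, key=lambda r: (r["status"] != "OVERDUE", -r["exposed_days"]))


# Constructed inventory and advisories; "today" is the article's publication date.
ASSETS = [
    Asset("db01", "high", "acme-db", "4.1.2"),
    Asset("web02", "medium", "acme-web", "1.3.1"),
    Asset("kiosk07", "low", "acme-web", "1.2.0"),
    Asset("mail01", "low", "acme-mail", "2.0.0"),
]
ADVISORIES = [
    Advisory("acme-db", "4.1.3", date(2005, 7, 1)),
    Advisory("acme-web", "1.3.2", date(2005, 7, 10)),
    Advisory("acme-mail", "2.0.0", date(2005, 6, 1)),
]
TODAY = date(2005, 7, 19)

if __name__ == "__main__":
    for row in patch_lag_report(ASSETS, ADVISORIES, TODAY):
        print(row)
```

The exposure clock starts at the vendor's patch date rather than at the scan date, which matches the text's point that exploit code follows the patch within days. Real version strings are often not purely numeric, so `version_key` would need the vendor's own comparison rules before use on a live inventory.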

IV. Maintain Adequate Employee and Physical Security Precautions
While worms, viruses, spyware, and other Internet-based attacks capture headlines, it is employees and other insiders with access to trusted systems who have the potential, through malice or neglect, to cause great damage. While many business managers fail to correlate physical security with IT security, there’s virtually no IT security if physical access to business systems isn’t controlled. Internal cameras should be placed in hallways leading to the data centre or other areas leading to and around data-critical servers. Security policies relating to how visitors enter and exit premises need to be established and enforced. Careful attention should be paid to the physical security of the data centre. Entrances to the data centre should be limited. Enterprises which have not implemented strong authentication, such as biometrics, smart cards, or proximity badges, to strictly enforce access to the data centre should seriously consider doing so.

To mitigate potential insider abuse, new hires and contractors should undergo a thorough criminal background check. Employment, education, and motor vehicle histories should be carefully researched. Sufficient drug-screening and the verification of social security numbers should be conducted. While it may not be necessary to conduct background checks after an employee is hired, human resources and management should be trained to detect behavioural changes that could warrant an updated investigation into an employee’s background.

V. Effectively Create and Manage Passwords and User Accounts
Passwords remain the primary key used to unlock access to business-technology systems. Unfortunately, many applications known as password crackers are widely available on the Internet and can crack most commonly used passwords in seconds. It is critical that organisations establish and maintain effective password management policies and procedures covering account and password creation, management, and the eventual retirement of password-protected accounts.

Given enough time and resources, most passwords can be discovered by a motivated attacker. Aside from the most easily guessed passwords in use today and “dictionary” attacks used to gain access to resources, there are keystroke loggers, worms, and Trojan horses specifically designed to gather passwords and account-access information. The weaker the passwords an organisation uses, and the longer the same passwords are in place, the weaker this method of authentication becomes.

Strong passwords consist of more than eight alphanumeric characters. They do not consist of words found within a dictionary of any language or within common slang. Passwords should never be the names (not even spelled backwards) of friends, family, pets, vehicles, or movie characters, nor social security numbers, birthdates, or any other sliver of information remotely associated with the end user. Strong password construction includes employing both upper- and lower-case characters, and should also include a combination of letters, numbers, and special characters such as #@%^~. Passwords should never be written down on paper and hidden in desk drawers, or under keyboards or mouse pads.

Passwords need to have a limited lifetime. System-level passwords, such as those used to gain access to networking equipment and server/application administration, need to be changed at least every three months. All privileged or “super” user passwords should be centrally maintained and managed in a secure database by the security management team. Basic employee passwords used to access business applications, computers, e-mail accounts, etc., should be similarly recycled every 120 days. Despite widespread knowledge of sound password policy, many organisations still fail to create, manage, and retire their usernames and passwords effectively.
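The construction rules (length, character classes, no dictionary words or personal details, forwards or reversed) and the lifetimes (90 days for system-level accounts, 120 days for employee accounts) from the two paragraphs above can be enforced at password-set time and checked on a schedule. The following is an added example, not code from the article or from CyberArk; the dictionary stand-in, the special-character set, the sample passwords and the personal-term list are constructed, and a real deployment would load full word lists for every relevant language and slang.

```python
"""Password policy checks implementing the construction rules and lifetimes
described in the policy text above.

Added example (not from the article or CyberArk). The dictionary stand-in,
the special-character set and the sample passwords are constructed; a real
deployment would load full word lists for every relevant language and slang.
"""
from datetime import date

SPECIAL_CHARS = set("#@%^~!$&*()-_=+[]{};:,.?/\\|")
# Constructed stand-in for a multi-language dictionary and slang list.
DICTIONARY = ("password", "welcome", "summer", "dragon", "letmein")
# Lifetimes from the policy: system-level accounts 90 days, employee accounts 120 days.
MAX_AGE_DAYS = {"system": 90, "user": 120}


def _contains_forward_or_reversed(haystack, needle):
    """Substring match that also catches the word spelled backwards."""
    return needle in haystack or needle[::-1] in haystack


def password_findings(password, personal_terms=()):
    """Return the list of policy violations for `password`; empty means it passes.
    `personal_terms` holds names, dates and other details tied to the user."""
    findings = []
    if len(password) <= 8:
        findings.append("too_short")
    if not any(c.isupper() for c in password):
        findings.append("no_upper")
    if not any(c.islower() for c in password):
        findings.append("no_lower")
    if not any(c.isdigit() for c in password):
        findings.append("no_digit")
    if not any(c in SPECIAL_CHARS for c in password):
        findings.append("no_special")
    lowered = password.lower()
    for word in DICTIONARY:
        if _contains_forward_or_reversed(lowered, word):
            findings.append(f"dictionary:{word}")
    for term in personal_terms:
        if _contains_forward_or_reversed(lowered, term.lower()):
            findings.append(f"personal:{term}")
    return findings


def password_expired(set_on, account_type, today):
    """True if the password is older than the lifetime allowed for its account type."""
    return (today - set_on).days > MAX_AGE_DAYS[account_type]


if __name__ == "__main__":
    today = date(2005, 7, 19)  # the article's date, used as "now"
    samples = (("password", ()), ("Fluffy2004!", ("Fluffy",)), ("Tq7#wLm^9pZx", ("Fluffy",)))
    for pw, terms in samples:
        print(pw, "->", password_findings(pw, terms) or "ok")
    print("system password set 2005-03-01 expired:",
          password_expired(date(2005, 3, 1), "system", today))
```

The personal-term check relies on the identity system supplying the user's own details (family and pet names, vehicle, birthdate) at enrolment; without that feed it degrades to the dictionary check alone. One caveat on the lifetimes: later guidance such as NIST SP 800-63B (2017) advises against forced periodic rotation unless compromise is suspected, so the expiry check is best paired with breach-driven resets rather than relied on by itself.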

VI. Implement Employee Security Awareness Programs
Every employee should be security trained. Employees need to understand relevant aspects of their organisation’s IT security policy. Certainly not every employee needs to understand cryptography, security systems architecture, or the nuances of forensic security investigations. But more organisations need CEO-level tone setting when it comes to the important task of protecting proprietary and sensitive customer information. Employees should be well versed in the risks of spyware and downloading unauthorised applications from the Internet and opening attachments; and they should be on guard for social-engineering techniques designed to...
Copyright © 2001-2013 Computer Crime Research Center