Know your security onions
By Steve Brown
Date: August 08, 2003
The biggest ever cyber-crime involved the theft of more than a million credit card numbers from online banks and retailers across 20 countries.
According to the FBI, the thieves were able to seize the details in spite of firewalls and other security tools in use at all 40 sites involved.
The immediate reaction to the heist was to ask how hackers bypassed the expensive security software. The answer was that they didn't have to.
An analysis of the attack showed that the hackers had exploited a known vulnerability in Windows NT for which Microsoft had provided a patch since 1998. The victims simply hadn't got around to updating their systems.
Indeed, the myth of the genius hacker who breaks into systems using cunning and expertise is just that: a myth. Most hackers simply don't have the skills or the resources to hack into well-protected systems.
The 2002 Computer Crime and Security Survey, published by the Computer Security Institute in conjunction with the FBI, found that 90 per cent of responding organisations had detected at least one computer security breach in the preceding year.
Those able to measure the losses (and willing to reveal them) reported an average cost of $6.5m per incident. What's most worrying is that 90 per cent of these organisations were using firewalls at the time they were attacked.
Simply having security products like firewalls, intrusion detection systems and antivirus software isn't enough to protect an internet-enabled organisation.
These tools are all a good start but experts recommend security strategies based on the 'onion' approach: multiple, overlapping layers of security, consisting of policies and products.
Security policies should be devised before any technology is deployed. An effective policy identifies the information that is at risk, and judges what level of protection is required as a result.
Devising a security policy is a complex and time-consuming process, and the job has grown harder. When an organisation had a single internet connection, security consisted of a firewall acting as a virtual reception desk, greeting traffic as it entered the organisation.
Today's web-enabled, wireless networks, mobile devices and remote workers mean that there's rarely a single point where your network meets the outside world.
Instead of a reception desk, it's as though your company had installed a dozen revolving doors and a couple of secret passageways, but still expected the receptionist to act as an effective gatekeeper.
This complexity makes it vital to involve the IT department early in setting security policies. The first step to devising an effective internet security policy is appointing a senior executive, such as a chief security officer, who has overall responsibility for ensuring that the policy is maintained, monitored and adhered to.
No firewall will be effective if your employees don't realise the importance of secure passwords and regular system patches and updates.
Security policies should first and foremost define procedures and products for keeping unwanted visitors out of your systems, using firewalls to create a demilitarised zone (DMZ): a separately filtered network segment for public-facing servers, so that a compromise of a web server does not give direct access to the internal network.
IT departments should also ensure that every system within the zone is locked down: unused services disabled and their ports closed, so that each host listens only for the traffic its role requires, and file systems protected with appropriate access controls.
Filtering should also be applied to outgoing traffic. A compromised host that is allowed to connect anywhere can be used to exfiltrate data or fetch further attack tools, so outbound connections from the DMZ should be restricted to the destinations and ports each server legitimately needs.
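One practical form of the lockdown check described above is to compare what a DMZ host is actually listening on against an allowlist for its role. The following is an added example, not code from the original article: it parses a constructed `ss -H -tuln` capture and reports listeners that fall outside an assumed baseline for a public web server. The role name, the allowlist and the sample capture are all assumptions made for this illustration.

```python
"""Listening-port audit for a locked-down DMZ host (added example)."""

LOOPBACK = ("127.", "::1")

# Assumed baseline for a public web server in the DMZ: (protocol, port) -> the
# bind scope it is allowed. "any" = may listen on all interfaces,
# "local" = must be bound to loopback only (for local processes or a tunnel).
ROLE_BASELINE = {
    "dmz-web": {
        ("tcp", 80): "any",
        ("tcp", 443): "any",
        ("tcp", 22): "any",      # management SSH; restrict its source at the firewall
        ("tcp", 9100): "local",  # assumed metrics exporter, scraped over loopback only
    },
}

# Constructed `ss -H -tuln` output (not a real capture): the expected web and
# SSH ports plus a database listener, an SMTP daemon on loopback, a metrics
# exporter bound too widely, a forgotten test server on 8080 and a DHCP client.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128   0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:3306    0.0.0.0:*
tcp   LISTEN 0 128   127.0.0.1:25    0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:9100    0.0.0.0:*
tcp   LISTEN 0 128   [::]:8080       [::]:*
udp   UNCONN 0 0     0.0.0.0:68      0.0.0.0:*
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_ss(text):
    """Turn `ss -tuln` lines into (proto, addr, port) tuples.

    The local address is split on its last ':' so IPv6 forms such as
    [::]:8080 and wildcard forms such as *:80 are handled.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith(LOOPBACK)


def audit(listeners, baseline):
    """Return findings for listeners that violate the role baseline.

    "high":   unexpected service reachable from the network
    "medium": allowed service bound more widely than the baseline permits
    "low":    unexpected service that is only reachable via loopback
    """
    findings = []
    for proto, addr, port in listeners:
        scope = baseline.get((proto, port))
        if scope is None:
            severity = "low" if is_loopback(addr) else "high"
            reason = "not in baseline for this role"
        elif scope == "local" and not is_loopback(addr):
            severity, reason = "medium", "must be bound to loopback only"
        else:
            continue  # listener matches the baseline
        findings.append({"severity": severity, "proto": proto,
                         "addr": addr, "port": port, "reason": reason})
    return findings


def report(role="dmz-web", text=SAMPLE_SS_OUTPUT):
    """Print the findings for a host of the given role and return them."""
    findings = audit(parse_ss(text), ROLE_BASELINE[role])
    for f in sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["port"])):
        print(f"{f['severity']:6} {f['proto']}/{f['port']:<5} on {f['addr']:<10} {f['reason']}")
    return findings


if __name__ == "__main__":
    report()
```

Run against a real host by replacing the sample with the output of `ss -H -tuln`; a clean DMZ server should produce no "high" findings, and anything it does produce is either a service to remove or an entry to add to the baseline after a deliberate decision.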
In addition to network tools, organisations should use identity management to control who accesses their systems, and when.
Identity management's first task is to provision users with accounts and credentials, and to ensure that those accounts are deactivated the moment they are no longer required, for example when an employee or contractor leaves.
In addition, identity management verifies a user's identity when they use your computer systems - using biometrics or strong passwords, for example - and grants them access according to their role rather than on an ad hoc, per-person basis.
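The two jobs the text assigns to identity management, role-based access decisions and prompt deactivation of accounts that are no longer needed, can be made concrete in a few lines. The following is an added example, not code from the original article: it models accounts with roles and a leaving date, refuses access for disabled or expired accounts before any role check, and lists accounts that should already have been deprovisioned. The roles, permissions, user names and dates are constructed for this illustration.

```python
"""Role-based authorisation and a deprovisioning audit (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set, List

# Assumed role -> permission mapping for a small retailer.
ROLE_PERMISSIONS = {
    "cashier":  {"orders:read"},
    "finance":  {"orders:read", "refunds:approve"},
    "sysadmin": {"orders:read", "servers:admin"},
}


@dataclass
class Account:
    username: str
    roles: Set[str] = field(default_factory=set)
    enabled: bool = True
    leaving_date: Optional[date] = None  # last day of employment, if known


def effective_permissions(account: Account) -> Set[str]:
    """Union of the permissions granted by every role the account holds."""
    perms: Set[str] = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(account: Account, permission: str, today: date):
    """Return (allowed, reason).

    Lifecycle checks come first: a disabled account, or one whose leaving
    date has passed, is refused even if it still carries roles, so a stale
    account cannot be used.
    """
    if not account.enabled:
        return False, "account disabled"
    if account.leaving_date is not None and today > account.leaving_date:
        return False, "account past leaving date"
    if permission not in effective_permissions(account):
        return False, f"roles {sorted(account.roles)} lack {permission}"
    return True, "ok"


def deprovision(account: Account) -> None:
    """Disable the account and strip its roles, so neither login nor any
    leftover role grants access."""
    account.enabled = False
    account.roles.clear()


def overdue_deprovisioning(accounts: List[Account], today: date) -> List[str]:
    """Usernames still enabled after their leaving date: the gap between the
    leaver's last day and the account actually being switched off."""
    return [a.username for a in accounts
            if a.enabled and a.leaving_date is not None and today > a.leaving_date]


# Constructed sample directory (not real people).
ACCOUNTS = [
    Account("alice", {"cashier"}),
    Account("bob", {"finance"}, leaving_date=date(2003, 7, 31)),   # left, still enabled
    Account("carol", {"sysadmin"}, enabled=False),                  # already disabled
    Account("dave", {"cashier", "finance"}, leaving_date=date(2003, 9, 30)),
]
TODAY = date(2003, 8, 8)  # assumed audit date


def run_audit(accounts=ACCOUNTS, today=TODAY) -> List[str]:
    """Report and deprovision overdue accounts; returns the usernames found."""
    overdue = overdue_deprovisioning(accounts, today)
    for a in accounts:
        if a.username in overdue:
            print(f"deprovisioning {a.username}: left on {a.leaving_date}")
            deprovision(a)
    return overdue


if __name__ == "__main__":
    for user, perm in [("alice", "refunds:approve"), ("bob", "refunds:approve"),
                       ("carol", "servers:admin"), ("dave", "refunds:approve")]:
        acct = next(a for a in ACCOUNTS if a.username == user)
        print(user, perm, authorize(acct, perm, TODAY))
    run_audit()
```

The ordering inside `authorize` is the point: account state is checked before role membership, so deprovisioning only has to flip one flag to revoke everything, and the audit catches the cases where nobody flipped it.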
Once you've implemented a policy, regular testing is essential. Ensure that your security policy is accompanied by a disaster recovery strategy defining clear responses to a cyber-attack.
Research from Gartner Group shows that 40 per cent of companies developed disaster recovery plans following 11 September, but few organisations rigorously test their plans.
Running response drills to simulated cyber-attacks gets systems administrators used to responding to the inevitable.
Ethical hacking, where authorised attempts are made to crack the system to expose security flaws, is another valuable tool, identifying obvious weaknesses and offering the chance to train your staff to deal with the consequences of an attack.
So, what's the strategy if all else fails and a crisis occurs? This might be a good point to turn to computer forensic professionals, especially if you suspect that data might have been tampered with.
If the intrusion has taken place via the internet, consider filing a report with a Computer Emergency Response Team, such as the CERT Coordination Center (CERT/CC) or your national CERT, which may give technical assistance in dealing with the intrusion.
Ethical hackers can also help in identifying the weak spot that was exploited and in preserving the evidence that forensic investigators and law enforcement need to track down the offender.
Original article at: http://www.vnunet.com/News/1142875