to Information Security Basics
by Robert Geiger, info-defense.com
Lay of the Land
When the Robert Morris Jr. Internet worm stopped the fledgling Internet in its tracks in 1988, most people had never even heard of the Internet itself, much less considered the impact such a security incident might have on their own systems and data. And when the Michelangelo virus scare became national news in 1992, awareness of the risks associated with our reliance on computing technology continued to increase.
Indeed, as more and more high profile information security events have garnered media attention in the last five years, those responsible for protecting their organization's critical assets have increasingly realized the need for greater attention to the security imperatives faced in doing business in an information-based economy.
However, for too many people in such positions of responsibility, cognizance of prevailing threats and the will or means to act on them remains inconsistent with the increased risks involved in internet, intranet and extranet endeavors. And what money and energy is being allocated tends to be disproportionately focused on the external threat -- based to a tremendous degree on the media focus on hacking incidents -- rather than looking at an inside-out approach as the most effective route to a secure information infrastructure.
Not surprisingly, the Internet's "underground" community sometimes refers to large organizations with complex, expensive firewalls as being "hard and crunchy on the outside; soft and chewy on the inside" as they're often inclined to put up a fortress-like front door while leaving all the windows wide open by ignoring their internal security posture.
There is concrete data that strongly suggests that this outsider's view is true and that the costs associated with internal security breaches can easily justify expenditures that might prevent such occurrences. For example, the 1999 Computer Security Institute (CSI)/FBI Computer Crime and Security Survey found that per-incident losses from theft of proprietary information averaged an astounding $2 million. In addition, the survey found that unauthorized insider access to data costs organizations over $140,000 per occurrence.
Despite these quantifiable risks, many firms with any degree of Internet connectivity spend a large amount of time and money buying, configuring and monitoring elaborate security solutions, while ignoring the fundamentals of sound security inside the walls of their own organizations.
To be sure, it is vital to pay close attention to the exposures and vulnerabilities that are discovered daily for the prevailing operating systems and software in use on the Internet. But by getting its internal security house in order, the vast majority of companies can assert immediate control over their computing environment and give themselves a vastly superior start on securing their information assets.
What to Do?
Information Security efforts take many forms and have become increasingly daunting to both IT managers and system administrators as both internal and external connectivity challenges become more complex.
Fear not. Being more aware of and paying more attention to the following key elements of internal security will protect your information assets against the most common security threats and will allow you to head off a significant portion of the consequential damage to your core business interests.
Know Who You're Letting In
User IDs have become a way of life on internal networks, on many web sites and on other Internet media. With password authentication becoming so ubiquitous, people -- including IT professionals -- are inclined to forget its purpose: to ensure that only authorized people log into the systems they are permitted to use, and that each user ID is strictly traceable to a specific individual. Protect these primary security mechanisms by enforcing prudent passwords through software that rejects poorly-chosen passwords at the moment they are set.
Train employees with access to your systems to practice safe computing by guarding the secrecy of their user account information and by selecting good passwords of their own to protect those accounts. Good passwords are at least six characters (longer is better, since a password-cracking tool can try every short combination in little time) and do not contain proper names, words found in the dictionary, phone numbers, birthdates or other predictable number sequences. They should contain special characters, use mixed case and not be related in any way to your firm or the business your firm conducts. Finally, employees should memorize their passwords and not write them down anywhere.
Let your workers know that you take the security of your organization's systems seriously, that they should as well and that user IDs and strong passwords are the primary means of safeguarding organizational assets.
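The password-rejecting software described above, as an added example that is not part of the original article: a checker that applies exactly the rules listed (minimum length, mixed case, a special character, no dictionary words, proper names, company-related words, or predictable digit runs). The word lists are constructed stand-ins for the dictionary and name files a real checker would load.

```python
import re

# Constructed sample word lists (assumption): a real checker loads a full
# dictionary, a proper-name list and the organisation's own vocabulary.
DICTIONARY = {"password", "secret", "welcome", "summer", "dragon", "letmein"}
PROPER_NAMES = {"robert", "michael", "jennifer", "geiger"}
COMPANY_WORDS = {"infodefense", "defense", "acme"}

MIN_LENGTH = 6  # the article's floor; longer is better


def is_sequence(run: str) -> bool:
    """True for three or more digits that ascend, descend or repeat (123, 321, 777)."""
    if len(run) < 3:
        return False
    diffs = {int(b) - int(a) for a, b in zip(run, run[1:])}
    return diffs <= {1} or diffs <= {-1} or diffs <= {0}


def check_password(pw: str, company_words=COMPANY_WORDS) -> list:
    """Return the policy rules the password violates; an empty list means accepted."""
    problems = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("not mixed case")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    # Drop digits and symbols first so 'Summer99!' still trips the word check.
    alpha = re.sub(r"[^a-z]", "", lower)
    for word in DICTIONARY | PROPER_NAMES | set(company_words):
        if len(word) >= 4 and word in alpha:
            problems.append(f"contains predictable word '{word}'")
            break
    # Phone numbers, dates and counting runs: any long digit group, or a
    # short one that ascends, descends or repeats.
    for run in re.findall(r"\d+", pw):
        if len(run) >= 4 or is_sequence(run):
            problems.append(f"predictable number sequence '{run}'")
            break
    return problems
```

Call `check_password` from the password-change path and refuse the change while the returned list is non-empty; the messages tell the user which rule to fix rather than just "rejected".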
Once you're reasonably sure that only authorized users are accessing your networks and systems, the second part of a powerful security one-two punch is to turn the data traversing your network -- and often the outside world -- into unreadable mush that is useless to prying eyes.
Because the Internet Protocol (IP) was introduced at a time when the security of transmitted data was not a dominant concern, IP services in use on networks and the Internet at large transmit all information in clear (plainly readable) text by default. This makes it trivial for someone -- internal or external -- to gather packets of information and strip out the clear text being carried in the data transmitted. This extracted data can then be easily pieced together to form output that could contain critical information about your organization, such as user IDs, passwords, trade secrets or marketing plans.
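How trivial the "strip out the clear text" step really is, as an added example that is not part of the original article: given a handful of reassembled TCP streams, a few lines of code pull out every POP3 and FTP login and every HTTP Basic-auth header (Base64 is an encoding, not encryption, and reverses instantly). The captured streams are constructed samples; an encrypted stream is included to show that there is nothing to harvest from it.

```python
import base64
import re

# Constructed sample payloads (assumption) standing in for reassembled TCP
# streams that any machine on the same LAN segment could capture.
CAPTURED_STREAMS = [
    ("10.0.0.5:1045 -> 10.0.0.2:110",                                  # POP3
     b"USER jdoe\r\nPASS Winter99!\r\nSTAT\r\n"),
    ("10.0.0.7:1100 -> 10.0.0.3:21",                                   # FTP
     b"USER ftpadmin\r\nPASS s3cret-ftp\r\nCWD /pub\r\n"),
    ("10.0.0.9:1200 -> 10.0.0.4:80",                                   # HTTP
     b"GET /intranet/ HTTP/1.0\r\nAuthorization: Basic "
     + base64.b64encode(b"alice:marketing2000") + b"\r\n\r\n"),
    ("10.0.0.9:1300 -> 10.0.0.4:443",                                  # TLS: opaque
     b"\x16\x03\x01\x00\x5b\x01\x00\x00\x57\x03\x01"),
]

# POP3 and FTP both send the credentials as "USER x" / "PASS y" lines.
USER_PASS = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.MULTILINE)
BASIC_AUTH = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)",
                        re.MULTILINE | re.IGNORECASE)


def harvest_credentials(streams):
    """Return (flow, username, password) for every clear-text login found."""
    found = []
    for flow, payload in streams:
        fields = dict(USER_PASS.findall(payload))   # {b'USER': ..., b'PASS': ...}
        if b"USER" in fields and b"PASS" in fields:
            found.append((flow, fields[b"USER"].decode(), fields[b"PASS"].decode()))
        for token in BASIC_AUTH.findall(payload):
            user, _, pw = base64.b64decode(token).partition(b":")
            found.append((flow, user.decode(), pw.decode()))
    return found
```

The same parsing that a help-desk tool might use for troubleshooting is all an insider needs; the only defence that removes the exposure is to stop putting the plaintext on the wire at all.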
Encryption done properly -- with the integrity check that protocols such as IPSEC build in alongside the cipher, since encryption alone only hides data and does not by itself prove it is unmodified -- also ensures that data cannot be altered in the course of transmission without detection, so it cannot be used to harm your business by relaying incorrect or intentionally misleading information.
While talk of encryption tends to make people's eyes glaze over, new products are being introduced that allow companies to easily encrypt data on-the-fly and with virtually no intervention or action required from the end user.
Intel, for example, is introducing a line of network adapters that provide hardware-based encryption based on IPSEC standards. These adapters -- see www.intel.com for more information -- address a central tenet of practical network security: make security painless for the users and it will succeed. By employing hardware encryption in a transparent manner, this new wave of network adapters makes it possible for IT managers to ensure the confidentiality and integrity of their company's data in a way that won't send users fleeing. Encryption is going to be a key element of doing business in the next century, and these solutions truly put complex, effective encryption methodology into the end user's hands in a simple, painless manner.
In addition to protecting data while it travels the network, pay attention to the wealth of important information being toted about on your organization's laptops. Supply a foolproof way for employees to back up critical company data stored on laptop computers and encrypt any critical data that may fall into the wrong hands if the laptop is stolen.
Who's the New Guy?
Do thorough pre-employment background checks on employees before hiring them to work with your company's vital information assets and check references religiously. You need to find out if that new programmer or systems administrator you've hired into a critical position was fired from their last three jobs for computer fraud before their start date and not after you have been similarly victimized.
Once hired, make sure that employees can only access data to which they have a legitimate need based on their written job description. While the vast majority of employees would never do intentional damage to their employer's data or systems, damage can also be done through error or carelessness. An accountant who accidentally erases vital financial information meant no harm but can still cause considerable trouble. Limiting who has access to critical data will not eliminate this risk, but it can at least serve to minimize its potential.
Strict data segmentation and need-to-know access will also help in ensuring that a minimal amount of proprietary information can find its way to a competitor should one of your trusted employees leave to work for another company in the same business.
Train Your Employees Well
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness.
Employees should be trained to appreciate the importance of the data they handle daily and not be lulled into complacency by the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential -- even data that appears the most innocuous. Workers should be further trained not to reveal this information until the requesting party has been identified and their need to know verified.
An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of "social engineering" skills in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit and what potential user IDs they can try to use to access those systems.
Having employees who are mindful of such ruses and are prepared to respond appropriately moves any company miles closer to a secure information security infrastructure.
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will.
Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow.
Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest intentions of using them only to protect you from yourself or to make future modifications or updates -- guard against this and make it expressly known that these mechanisms will not be tolerated.
These security holes can then be used by intruders to break in, steal information or plant viruses on your systems. In addition, it's not unheard of for a vendor's employee to suddenly become a disgruntled ex-employee and decide to embarrass their former employer by wreaking havoc on your systems.
Don't be afraid to ask consulting firms and contract agencies for details about their hiring policies and standards and be very leery if they are reluctant to discuss such issues. Clients have a reasonable right to find out just how much outside vendors know about the employees they will be putting in close contact with your company's information assets. Make sure you know in detail what these temporary employees are doing when operating on your systems and monitor all of their activities.
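One concrete check for the leftover vendor "trap doors" described above, as an added example that is not part of the original article: audit the system account database against the roster of accounts that are supposed to exist, and flag anything that is not on the roster, any second superuser (UID 0) account, and any account whose password field is empty so that it logs in with no password at all. The passwd and shadow excerpts are constructed samples.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (assumption, not data from
# the article). "vendor" and "toor" are the kind of accounts a contractor
# leaves behind "just in case".
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/sh
vendor:x:1002:1002:Vendor support:/home/vendor:/bin/sh
toor:x:0:0:support:/root:/bin/sh
bob:x:1003:1003:Bob:/home/bob:/bin/sh
"""
SHADOW = """\
root:$1$abc$hash:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
jdoe:$1$def$hash:11000:0:99999:7:::
vendor::11000:0:99999:7:::
toor:$1$ghi$hash:11000:0:99999:7:::
bob:$1$jkl$hash:11000:0:99999:7:::
"""
# The roster HR and IT maintain of accounts that are supposed to exist.
APPROVED = {"root", "daemon", "jdoe", "bob"}

NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def audit_accounts(passwd_text, shadow_text, approved):
    """Return (account, problem) pairs for every account that needs a human look."""
    hashes = {}
    for line in shadow_text.splitlines():
        name, hashval = line.split(":")[:2]
        hashes[name] = hashval

    findings = []
    for line in passwd_text.splitlines():
        name, _, uid, _, _gecos, _, shell = line.split(":")
        if name not in approved:
            findings.append((name, "not on approved roster"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 (superuser) account"))
        # An empty hash field means "no password required"; harmless only if
        # the shell already refuses interactive logins.
        if hashes.get(name, "x") == "" and shell not in NO_LOGIN_SHELLS:
            findings.append((name, "empty password: logs in with no password"))
    return findings
```

Run the audit on a schedule and after every vendor engagement, and treat a non-empty result as an incident to investigate rather than a list to silently clean up: the account tells you who had access and when it was created.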
Don't Forget to Lock The House
Another fundamental but frequently overlooked aspect of sound internal security is the physical restrictions put on access to systems and data. Having good physical security in place is a necessary follow-up to whatever office building security your organization may have in place.
Know who is coming into your offices at all times and make sure that your secure computing areas are locked and all access is strictly controlled. Many complex and expensive network security measures can easily be rendered irrelevant if a thief can bluff their way past the lobby guard, walk into your computer room and simply leave with diskettes, tapes or the servers themselves.
In addition, all employees should be instructed to keep laptop computers locked at all times and to log off of any company systems when leaving their workstations.
What You Toss
A determined crook, intruder or competitor will seldom waste valuable time with fancy hacking techniques if they can simply dig through your trash for printed versions of critical data and information. Shred all papers and documentation containing sensitive company information, network diagrams and systems data to guard against "Dumpster Diving", in which the bad guys breach your firm's security by rummaging through your trash. Also, advise employees against writing down user IDs or passwords at all -- much less discarding them intact in their trash can.
for Rogue Modems
The best firewall on the market won't protect you if you maintain scores of unprotected modems open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees who should be familiar with the dangers of such configurations will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor.
Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems and any discovered mechanisms of this sort should be removed immediately.
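A check for the dial-in side of the rogue-modem problem, as an added example that is not part of the original article: on a UNIX host, a modem that answers calls is almost always attached to a serial port on which init respawns a getty, so scanning /etc/inittab for active getty entries on serial devices and comparing them with the sanctioned dial-in lines finds the inroads that were never approved. The inittab excerpt is a constructed sample.

```python
import re

# Constructed /etc/inittab excerpt (assumption, not data from the article).
INITTAB = """\
id:3:initdefault:
1:2345:respawn:/sbin/getty 38400 tty1
2:2345:respawn:/sbin/getty 38400 tty2
S1:2345:respawn:/sbin/mgetty -s 57600 ttyS1
S2:2345:respawn:/sbin/getty -L 9600 ttyS2 vt100
# S3:2345:respawn:/sbin/uugetty ttyS3   (disabled)
"""

# Serial devices on which a login prompt means a modem could be answering.
# Console ttys (tty1, tty2) are left out: they need someone at the keyboard.
SERIAL_DEV = re.compile(r"\b(ttyS\d+|ttyd\d+|cua\d+|ttyUSB\d+)\b")
GETTY = re.compile(r"\b\w*getty\b")   # getty, mgetty, uugetty, agetty ...


def dialin_lines(inittab_text, sanctioned=()):
    """Return (id, device, command) for live getty entries on serial ports not in `sanctioned`."""
    hits = []
    for line in inittab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                     # blank or commented-out entry
        parts = line.split(":", 3)       # id:runlevels:action:process
        if len(parts) < 4:
            continue
        ident, _runlevels, action, process = parts
        dev = SERIAL_DEV.search(process)
        if (action == "respawn" and GETTY.search(process)
                and dev and dev.group(1) not in sanctioned):
            hits.append((ident, dev.group(1), process))
    return hits
```

Pair this with a periodic sweep of the office phone lines from outside; the inittab check only sees modems on hosts you administer, not the one plugged into a desktop under a desk.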
Take Your Anti-Virus Medication
Does the name Melissa sound familiar to you? A security breach doesn't need to take the form of a sinister hacker breaking into your systems in the middle of the night or a malicious insider transferring megabytes of proprietary information to a competitor. Much more common is the destruction of data and sheer IT human resources spent on ridding a network of a sudden virus infestation.
The installation, use and updating of good anti-virus software is a vital component in ensuring a strong internal security posture and, as recent well-publicized outbreaks bear out, a necessity when operating Internet e-mail. Most of these programs are available as free trial versions and are inexpensive to purchase. The companies producing these programs -- such as Network Associates, Symantec and Datafellows -- also issue frequent updates to the virus database. In the case of a well-publicized virus, an update may be available within 24 hours of the virus's discovery.
Where possible, cut viruses off at the network, before they can even reach an individual user's workstation. There are many methods available to allow system administrators to detect and eliminate viruses before they reach the corporate desktop. There are publicly available additions to the primary configuration file for UNIX's Sendmail program that can configure Sendmail either to block risky attachments (executable programs, for instance) outright or to forward e-mails containing them through a virus scanner. In addition, most major firewall vendors provide some mechanism for virus screening at the network perimeter. These tools can be configured either to strip attachments from e-mails or to pass them through a virus scanner.
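The gateway logic described above, as an added example that is not part of the original article or of Sendmail: it parses a MIME message, refuses attachments whose names mark them as directly executable, and routes document types that carry macros (the vehicle Melissa used) to the scanner instead of blocking them outright. The sample message and the extension lists are constructed assumptions; a real gateway would also consult the scanner's verdict.

```python
import email

# Attachment types the gateway refuses outright (assumption: tune to policy).
BLOCKED_EXT = {".exe", ".com", ".bat", ".vbs", ".scr", ".pif", ".js"}
# Types passed to the virus scanner: macro viruses such as Melissa travel in these.
SCAN_EXT = {".doc", ".dot", ".xls", ".zip"}

# Constructed sample message (assumption, not from the article).
SAMPLE = """\
From: friend@example.com
To: you@example.com
Subject: Important Message From friend
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Here is that document you asked for ... don't show anyone else ;-)
--XYZ
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=
--XYZ
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--XYZ--
"""


def _extension(filename: str) -> str:
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_message(raw: str):
    """Classify each attachment as 'block', 'scan' or 'pass' by filename extension."""
    verdicts = []
    for part in email.message_from_string(raw).walk():
        filename = part.get_filename()        # None for the multipart shell and inline text
        if not filename:
            continue
        ext = _extension(filename)
        verdict = "block" if ext in BLOCKED_EXT else "scan" if ext in SCAN_EXT else "pass"
        verdicts.append((filename, verdict))
    return verdicts


def strip_blocked(raw: str) -> str:
    """Return the message with every blocked attachment replaced by a text notice."""
    msg = email.message_from_string(raw)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and _extension(filename) in BLOCKED_EXT:
            part.set_payload(f"[attachment {filename} removed by gateway policy]")
            part.set_type("text/plain")
            del part["Content-Transfer-Encoding"]
            del part["Content-Disposition"]
    return msg.as_string()
```

Filename checks alone are a first filter, not a scanner: a renamed executable slips through, which is why the "scan" bucket exists and why the desktop anti-virus stays installed as the second line.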
All of these measures will eliminate the vast majority of known viruses and the means by which they are transmitted. Remember, it doesn't necessarily take a person with bad intent to trash your systems -- just a destructive virus allowed to run wild.
What Does it All Mean?
Information Security isn't necessarily easy -- but it is an unavoidable element of doing business in the next century. While some organizations are entirely information intensive or based purely on the Internet, all business entities have in the last 20 years come to rely on networks, systems and electronic data as vital components of their core business.
While it would be folly to ignore the threat from the outside world, it is equally foolish to be vulnerable and open to serious damage to business interests through ignorance of internal security issues. Pay more attention to what's going on in-house to achieve a sound, bedrock security posture that will allow you to protect your organization's information assets and maybe even help you sleep better at night.
Copyright 2000 info-defense.com