Security is a technology issue, right? Wrong, says Mark Edmead
Security is a critical element of your business operations and not just a technology product you install on your network. Technology is an important aspect of the security equation, but it’s also comprised of processes and people. Each element is a critical point of the information security triangle, and a change in one affects the other two.
For instance, applying new technology, such as a wireless LAN, affects processes (business or technology) and the people using the technology. So an effective security approach goes beyond just applying technology; it’s also about the process and the people that use (or manage) the technology.
The security triad
Information security can be implemented in a number of ways. The main focus is to protect an asset from a breach in confidentiality, integrity or availability. Confidentiality means that the information or the asset remains available only to the authorised individual or process. Integrity refers to making sure that there are no unauthorised changes to the asset either by authorised or unauthorised individuals. Availability means that the information or asset is available when needed.
Some people like to think of security as a hard candy with a soft filling. That is, hard security on the outside and soft security on the inside. The old way of thinking was that all you needed was a hard outside to prevent attacks to the inner circle. This approach addresses only potential attacks from an external source and not a potential attack from an internal source.
Implementing effective security architecture requires more than just a hard shell. A collaborative approach to end-point security should include systems management tasks such as configuration and patch management. In the past, when the focus was on perimeter security, companies believed co-ordination between security and systems management organisations was unnecessary. However, with the new focus on end-point security, co-ordination between security and systems management organisations is critical.
What is endpoint security?
For our purposes, an endpoint is an individual computer system or device that acts as a network client. Some common endpoints are desktops, laptops, application servers on the network, and personal digital assistants (PDAs).
Endpoint security includes all of the measures (process, technology and people) taken to implement security concerning endpoints. These measures include determining the risk required to protect endpoints, to protecting the network from the endpoints themselves. Endpoint security also includes the management and administration of these security measures, including risk management and reporting.
The term ‘host security’ usually refers to a host system that includes configuration management, virus protection, host intrusion detection/protection and some firewall capabilities. However, this system is only effective if configured correctly. Host security configuration might be able to provide some reasonable protection from the outside layers, but will fail when facing attacks from areas invisible to outer network security layers, such as attacks from ‘inside’ the network.
The need for security
The old school of thought was that perimeter security was enough to protect your network. All valuable information was contained inside the network, so perimeter security was all you needed.
But a company’s sensitive and valuable information does not always remain inside the company. Employees and contractors with access to the internal network can copy information onto laptops and take that information out of the protective shell of perimeter defences.
The typical perimeter security devices, such as firewalls, routers and perhaps a network intrusion detection system (NIDS), provide good security protection against attacks. The challenge, however, is this type of security architecture only works when these devices can inspect and sanitise the network traffic before it enters the internal network.
The other challenge facing management is to decide how much security is enough. If you don’t enable enough security, the chances of unauthorised use increases. And if we implement too much security, authorised users will have to do more in order to get access (i.e. long and complex passwords, multi-factor authentication).
The goal is to have just enough security to allow authorised users reasonable, easy access to the resources while having enough security so unauthorised users are denied access. If, for instance, you institute a very complex password policy (i.e. 14 character passwords that change every 15 days), many users will probably write them down and stick them to the bottom of keyboards. This defeats the whole purpose of passwords.
Another risk is peer-to-peer (P2P) file sharing. The use of P2P has become more prolific, not only because of convenience, but also because of increased broadband deployment. There are numerous security risks inherent in P2P clients such as Morpheus, KaZaA, and others.
P2P’s main feature, enabling direct communication between peers, offers the greatest security risk. Information can cross security measures such as firewalls. The use of P2P can result in insecure configurations and covert user-initiated connections to external networks.
We want employees to be productive and technology helps increase productivity. Take wireless LAN for instance. A WLAN allows access to public Wi-Fi networks available at airports, coffee shops, bookstores and hotels. But using an unsecured Wi-Fi connection can lead to a breach in confidentiality and integrity. Wi-Fi connections, even with WEP enabled, are inherently insecure. Would it be wise to have your employees transmitting sensitive corporate information over the internet using unsecured Wi-Fi connections? And what if laptops become infected with a virus, worm or other malware and are connected to the office network?
Business assets at risk
Business asset risks can be divided into two groups: direct and indirect losses. Theft and productivity loss are two examples of direct losses. The theft could be of actual money, trade secrets, digital assets, computer resources or consumer information. Productivity losses include recovery expenses and corruption of data. The result could be loss of potential sales, competitive advantage, or negative brand impact. In recent years the big focus is on legal exposure. This could mean failure to meet regulatory compliance laws (i.e. Sarbanes-Oxley, HIPAA, GLBA, SB-1386).
The increasing number and variety of threats to endpoints has recently made endpoint security a hot topic. Current threats to endpoint security include viruses, Trojans, worms, the use of endpoints as Distributed Denial of Service (DDoS) zombie hosts and spyware.
Endpoints are where the typical enterprise conducts most of its business, and endpoints are now a primary target of threats. What is more, the level of expertise required to execute an attack is decreasing. Research conducted by Laurence Rogers of the Software Engineering Institute at Carnegie Mellon University shows that attack sophistication versus the technical knowledge required by the intruder to operate hacker tools is decreasing. So anyone with a little knowledge can compromise systems.
The business need for security is to protect both the network and data from a single, central location. This requires the ability to identify network devices and the software installed on each computer. This information can be used to assess vulnerabilities to known configuration and security issues. If the vulnerability is mitigated by installing a patch, it is important to have the ability to access, sort, prioritise and install these patches.
Many of today’s exploits involve malicious software covertly installed onto machines. An effective endpoint security framework will detect and remove all forms of malware, as well as prevent the install of unauthorised software, restrict endpoint access to unknown ports, and report the security status at any time.
Technology best practices
Our goal is to protect ourselves from hacker attacks. So what does a hacker do in order to compromise a system? The typical hacker attack phases are:
3. Enumeration and vulnerability identification
5. Privilege escalation
6. Evidence elimination
7. Staging the return
Footprinting and scanning are methods used by hackers to gather network intelligence on IP addresses, machine locations and so on. Scanning is used to map out the network and identify specific information such as services running, open ports, protocols and applications running on the machines. With this information a hacker can determine vulnerabilities to exploit. Once a hacker gains access they have the keys to the kingdom and can create new accounts, install Trojans, rootkits and sniffers. This is why it is critical you know what is on your network and, more importantly, identify potential weaknesses before attackers do.
The easiest way to incorporate technology ‘best practices’ is to think in terms of a process flow or security ‘lifecycle’. A total enterprise security process is comprised of five main processes:
1. Issue a security policy
2. Design security defences
3. Perform active monitoring
4. Perform intrusion testing
5. Security management
Strong security policy
A security policy is a formal statement that dictates how security will be implemented. It defines the
level of security and roles and responsibilities of managers, administrators and users. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an ‘Acceptable Use’ policy would cover rules and regulations for use of computing facilities. Another example is a policy for the use of Wi-Fi.
Hardware and software inventory
Before you can design security defences, you need to understand what you are protecting. This is done by obtaining a network hardware and software inventory. This shows you what’s running on your network so you can formulate your endpoint security plan. An inventory will help identify new systems that might have connected to the network and determine their security threat due to unauthorised connections or insecure configurations.
Scan ports and services
The next step is to continuously monitor what is going on in your network. By performing vulnerability scanning you can identify known configuration and patch vulnerabilities. Vulnerability scanning requires searching for unused or unnecessary ports and services. Many system default configurations have running services (such as Telnet or SNMP) that pose a security threat. The same concept applies to open ports. Many systems have unused open ports that attackers can use to gain access to the system.
Attacks on our network infrastructure make it harder to do business; it costs money, can cause unbounded losses and can also result in bad publicity. The traditional ‘technology’ approach does not work, and while defensive technologies are getting better, so too are attacks.
With growing dependence on the web, it quickly becomes apparent we need a proactive approach rather than a reactive one. We need to fully understand our network and its vulnerabilities. To mitigate these we must closely monitor our systems to ensure we are secure and that we can quickly respond to possible attacks and learn from incidents.