Let's Not Go There…

Most of us know precious little about the people and/or companies that connect us and our data to the outside world. Whether you are dealing with an external ISP or an internal communications department, you need to ask some hard questions up-front.

Do you have a contract with your ISP? If so, does it say that they are not responsible for your data, that is, the data they are supposed to be caring for? Perhaps you don't even have an ISP that maintains your data. Even if all your data is maintained on your own internal network, you could unknowingly be overlooking the same risks found at TransWorld. Your system administrators may be installing your entire network using systems straight out-of-the-box. Every system on your intranet could be at risk.

You need to know when your company last did a security audit. That's the only way to be sure that your systems are secure. Otherwise, you are playing Russian roulette with your own data, not to mention your stockholders' expected returns.

Remember, management is responsible for the reliability and integrity of the data.

Know Your Risks

Do you know what the risk to data is on your company's network? Most hackers are looking for information that they can sell, which could mean financial information, customer information, credit card numbers. CSI's 2002 "Computer Crime and Security Survey" noted that incidents reported by a mere 26 respondents produced losses of $170,827,000 from theft of proprietary information.

And, if you still think the "standard" hacker is a precocious teenager with no supervision and poor social skills, think again. Increasingly, "hacker" theft is deliberate and well organized. In some cases, entire governments may be involved. In March 2001 FBI officials reported that ongoing computer hacking by organized criminal groups in Russia and the Ukraine had stolen more than a million credit card numbers. That 15-year-old boy whom most people imagine could in fact be a 50-year-old bureaucrat embarking on a state-authorized scavenger hunt. Remember this when you think about what parts and aspects of your corporate data you need to protect. Make especially sure that all the people with access to your data understand what they are protecting and from whom.

Obviously, some information is more important than other information. That's why a proper risk analysis of your network needs to be done. Have the experts inside your company classified the data? Has your company added higher levels of controls on the data that is high-risk? Maybe. Maybe not.

Avoid Out-of-the-Box Installations

Installing systems out-of-the-box without configuring security clearly assumes that there is no risk to the data on the network. Is that how your network is installed? Is that the correct way to configure your network? Or did your company forget some of the basics?

Like risk assessment, policies and procedures for configuring systems must be customized to reflect your company's special needs. Your network could be filled with security holes unless you take the proper precautions when installing and supporting the systems on the network. If your corporate intranet is filled with out-of-the-box installations, make no mistake: your data is at risk.

With computer crime on the rise, vendors need to provide easy-to-configure, out-of-the-box security. Don't wait for miracles; demand that your vendors provide higher levels of security with their products. If everyone demands that, vendors will have to deliver to survive.

Test Your Network

If you don't check your network for holes, someone else will. And, chances are that someone else will not be on your side, fighting for world peace or for freedom of speech on the Internet. He or she is more likely to be some hacker looking for corporate secrets. Unless you have conducted an audit lately and can prove that your network is secure, your data is most likely at risk.

From experience, I can almost guarantee that if your employees don't know how to conduct a security audit and never have, your data is definitely at risk. Hire someone to conduct an audit on your network or purchase the right tools and get training.

A wide variety of security audit tools are available. (For details, see Appendix A, "People and Products to Know.")

Don't just hope or pretend that your network is safe. Conduct an audit and be sure!

Know the People Who Know Your Data

Don't assume that the systems experts who support your network are security experts. Great coders, engineers, and system administrators are not necessarily good protectors of data. Their different priorities and knowledge base could deliver surprising results.

In particular, be suspicious of new ISPs. The rapid growth of Internet access services has had two major effects in regard to security. First, a good number of well-meaning entrepreneurs with no knowledge of security (and little knowledge of computer use in general) have plunged into the ISP business with high hopes for big returns and little intention of investing any more than they absolutely have to. At the same time, the growing number of new ISPs has created a vast new world of attractive targets for enterprising hackers.

And hack they have. In February 2000, a teenager using readily available tools launched denial-of-service attacks that blocked legitimate customers from accessing Amazon, eBay, and Buy.com sites. While access to the sites was not completely blocked, access to critical pages was. Thus, most eBay bidders found themselves unable to view descriptions of items up for auction. Seller profits fell accordingly, as did revenues at eBay, which graciously extended all affected auctions. A similar attack on Yahoo the same month was intensive enough to leave users locked out for roughly three hours.

For companies that exist almost solely in cyberspace, denial of service attacks can be fatal. British ISP CloudNine Communications finally folded in early 2002 after sustaining an extended campaign of denial of service attacks. According to Bernhard Warner of Reuters, industry experts described the closure as the "first instance of a company being hacked out of existence." The first, perhaps, but certainly not the last.

Just how common are these attacks? During 2001, researchers at the University of California at San Diego detected 12,800 denial of service attacks during a single three-week interval.

Assign or Acquire Adequate Funding for Security

Security always comes down to funding. Obviously, you don't want to spend more to protect something than it's actually worth. Therefore, you need to know which data you should protect and what that data's worth. Just think of data as money. For example, let's say you have $10 billion to protect. How much are you willing to spend to protect this money? You probably need to start with a strong, secure safe, an alarm, and 24-hour-a-day, 7-day-a-week camera surveillance. In addition, you might want an armed guard. Again, that will depend on the level of risk.

The level of risk may be determined by the location. What country are you in? What city? Which neighborhood? In all cases, analyzing risk means looking at different levels. For example, say your safe is located in the United States, one of the safest nations on the planet. No problem. But wait. Within the United States, the specific location is South Central Los Angeles: first floor, public building, across the hall from a pawn shop. Problem?

You need to take a similar approach when assessing the risk to your data. A detailed and methodical risk assessment will tell you just what you need to protect and what level of protection is required. The first step, of course, is knowing the risks. The men at TransWorld never conducted a risk assessment because they figured that nothing was at risk. You know a hacker would never get into their network. Don't think like that. That's the kind of thinking that leaves you unprepared and vulnerable when an attack occurs.

Even the experts aren't immune. Ask the CERT Coordination Center, headquartered at Carnegie Mellon University (CMU) and one of the major groups responsible for warning the public about new viruses and other cybersecurity threats. In May of 2001, CERT itself was hit with a denial of service attack. Evaluating the risk, knowing how you will respond, and defending your network are key when you are under attacks like this.

In analyzing your data's worth to assess risk, also be sure to consider the real cost of losing that data. Consider the results of the Forensic Challenge held in March 2001 by the Honeynet Project (a nonprofit research group of security professionals). In this challenge, contestants analyzed an actual computer break-in, painstakingly recreating what was accessed and determining what (if any) damage was done.

The result? It took the intruder less than a minute to break into the university's computer via the Internet, and he stayed less than half an hour. Yet finding out what he did in that time took the contestants, on average, more than 34 hours each. Had those contestants been on salary, the afflicted companies would have paid about $2,000 each.

That inequity highlighted during the Forensic Challenge underscores the costs of cleaning up after an intruder compromises a network, noted David Dittrich, senior security engineer at the University of Washington and the lead judge in the contest. He estimated that if salaried employees lacked the necessary skills, and a consultant were called in, those 34 hours would cost a company about $22,000.

Don't Export Read/Write Permissions to the World

Don't do it! File permissions determine who can read and change a file, a very simple concept. It only makes sense that the more access you allow to the files on your system, the higher the risk that those files will be changed, destroyed, or stolen. If you allow the entire world to read and access your data, sooner or later someone will do so in ways you didn't want, intend, or imagine. That's a mistake that the guys at TransWorld made.

I've seen a lot of security vulnerabilities in my time, but this took the grand prize. It was the first time I'd seen anyone export read/write permissions for filesystems (to the world) over the Internet. Even though that was an extreme case, I do see excessive file permissions granted again and again. Why? System administrators often do not restrict file permissions. Sometimes they simply don't know how. Other times, they're just too busy to be bothered. Be bothered!
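The TransWorld mistake was an exported filesystem that the whole world could write to. The check below is an added example, not code from the book or from TransWorld: it reads the Linux nfs-utils `/etc/exports` syntax (`/path client(options) ...`), where a client of `*` matches every host and a bare options group with no client in front of it (the classic `/home * (rw)` typo, a stray space) is treated by exportfs as "everyone", and it flags any export that is readable or writable by the world. The sample exports file is constructed.

```python
"""Audit an /etc/exports file for filesystems exported to the world.

Added example, not from the book. Assumes Linux nfs-utils syntax:

    /path   client(option,option)   client2(option)

exportfs defaults every client to read-only, so "rw" must be explicit.
"""
import re

# Constructed sample; not any real system's configuration.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/export/home      *(rw,no_root_squash)
/export/data      *(rw)
/export/tools     *(ro)
/srv/backup       10.1.2.0/24(rw,sync)
/srv/public       (ro,sync)
/srv/legacy       *.example.com(rw)
"""

# client part, then an optional parenthesised option list
TOKEN_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return a list of (path, client, options) for every client spec."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1].split() if len(parts) > 1 else []
        for token in clients:
            m = TOKEN_RE.fullmatch(token)
            if m is None:
                continue
            client = m.group(1) or "*"            # bare "(opts)" means everyone
            options = set(filter(None, (m.group(2) or "").split(",")))
            specs.append((path, client, options))
    return specs


def classify(client, options):
    """Severity label for one client spec, or None if nothing stands out."""
    world = client == "*"
    wildcard = not world and any(ch in client for ch in "*?")
    writable = "rw" in options
    if world and writable and "no_root_squash" in options:
        return "CRITICAL: world read/write, remote root keeps root"
    if world and writable:
        return "CRITICAL: world read/write"
    if world:
        return "HIGH: world readable"
    if wildcard and writable:
        return "MEDIUM: read/write to wildcard hosts"
    return None


def audit_exports(text):
    """Return (path, client, label) for each risky export, in file order."""
    findings = []
    for path, client, options in parse_exports(text):
        label = classify(client, options)
        if label:
            findings.append((path, client, label))
    return findings


if __name__ == "__main__":
    for path, client, label in audit_exports(SAMPLE_EXPORTS):
        print(f"{label:50} {path} -> {client}")
```

On a real host, feed it the contents of `/etc/exports` and compare the result with what `exportfs -v` actually reports, since the running export table is what matters. Anything flagged CRITICAL should be restricted to named hosts or subnets, with `root_squash` left in force.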

Remove Old Accounts

Try to keep system housekeeping up-to-date. Dormant user accounts, like those left by former employees or workers on extended leaves of absence, are a common security risk. It was just such an account that enabled the first break-in at TransWorld.

Hackers can easily use dormant accounts to store information such as cracked passwords. The changes to the user files may be overlooked because the owner of the account isn't around to notice the change. To avoid this problem, be sure to delete or disable dormant accounts regularly.
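Finding dormant accounts is mostly housekeeping, but it is easy to automate. The script below is an added example, not code from the book: it reads passwd-format records together with last-login dates (the information `lastlog` reports), skips system accounts, and lists every login-capable account that has never logged in or has been idle longer than a threshold. The records, the 90-day threshold and the UID 1000 cut-off are all constructed assumptions; your own policy sets the real numbers.

```python
"""List dormant user accounts from passwd records and last-login data.

Added example, not from the book. On a real Unix host the inputs would be
/etc/passwd and the output of lastlog; the data below is constructed.
"""
import datetime as dt

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
george:x:1001:100:George:/home/george:/bin/sh
nathan:x:1002:100:Nathan:/home/nathan:/bin/sh
contractor7:x:1003:100:Temp contractor:/home/contractor7:/bin/sh
oldadmin:x:1004:100:Former admin:/home/oldadmin:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# user -> date of last login; None where lastlog shows "Never logged in".
SAMPLE_LASTLOG = {
    "root": dt.date(2003, 3, 1),
    "george": dt.date(2003, 2, 27),
    "nathan": dt.date(2003, 3, 2),
    "contractor7": dt.date(2002, 9, 14),
    "oldadmin": None,
}

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (user, uid, shell) from passwd-format lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        yield fields[0], int(fields[2]), fields[6]


def dormant_accounts(passwd_text, lastlog, today, max_idle_days=90, min_uid=1000):
    """Return [(user, reason)] for login-capable accounts idle past the threshold.

    `today` may be a date or an ISO string such as "2003-03-03"."""
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    findings = []
    for user, uid, shell in parse_passwd(passwd_text):
        if uid < min_uid or shell in NOLOGIN_SHELLS:
            continue                           # system accounts: review separately
        last = lastlog.get(user)               # missing entry == never logged in
        if last is None:
            findings.append((user, "never logged in"))
            continue
        idle = (today - last).days
        if idle > max_idle_days:
            findings.append((user, f"idle {idle} days"))
    return findings


def lock_commands(findings):
    """Commands for an administrator to review: lock first, delete later."""
    return [f"usermod -L {user}   # {reason}" for user, reason in findings]


if __name__ == "__main__":
    for cmd in lock_commands(dormant_accounts(SAMPLE_PASSWD, SAMPLE_LASTLOG, "2003-03-03")):
        print(cmd)
```

Locking (`usermod -L`) rather than deleting keeps the home directory and file ownership intact for review, which matters if an account turns out to have been used as a drop for cracked passwords, as the section describes; delete once the files have been checked.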

Test Passwords

Overall, the men at TransWorld were pretty good about passwords. Out of 1,000 user accounts, I was able to crack only four passwords. Of course, that was three more than I really needed! Don't wait for a hacker to come along and crack your passwords. Run a password cracker on your password files, and teach your users how to select good passwords.

Passwords are the first line of defense against unauthorized users, yet password cracking is one of the more popular forms of computer attack. No password built from a word is a good password: words that are in the dictionary can be cracked. Only nonwords make good passwords. Teach your users how to select good nonword passwords that they can remember.

System administrators should also test how well their users are choosing passwords by running a program called Crack. If you're a system administrator and don't have a copy of Crack, be sure to get it, because the hackers already have it. Guaranteed.

Before running Crack or any other password cracker on your company network, though, make sure that you follow your company policy. Using Crack on a system on which you're not authorized to do so could cost you your job, a hefty fine, or even land you in jail.
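Cracking after the fact is one check; rejecting weak passwords when users choose them is the cheaper one. The checker below is an added example, not code from the book and not Crack: it applies the kinds of transformations a cracker's rule set tries (lowercasing, undoing digit-for-letter substitutions, stripping trailing digits and punctuation, reversing) and refuses anything that lands on a dictionary word, contains the user name, is too short, or is short and uses too few character classes. The word list is a constructed stand-in for `/usr/share/dict/words` or the lists Crack ships with.

```python
"""Reject weak password choices before a cracker finds them.

Added example, not from the book. WORDLIST is a constructed stand-in for a
real dictionary; the 8-character minimum and the character-class rule are
assumed policy values.
"""
import re

WORDLIST = {"password", "secret", "transworld", "summer", "george",
            "letmein", "welcome", "nathan"}

# common digit/symbol-for-letter substitutions, undone before lookup
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _variants(pw):
    """Normalisations a cracking rule set would try on a candidate."""
    base = pw.lower()
    yield base
    yield base.translate(LEET)
    stripped = re.sub(r"[\d\W_]+$", "", base)      # drop trailing digits/punctuation
    yield stripped
    yield stripped.translate(LEET)
    yield re.sub(r"^[\d\W_]+", "", stripped)      # and leading ones
    yield base[::-1]


def check_password(pw, username="", wordlist=WORDLIST, min_len=8):
    """Return the list of reasons a password is weak; an empty list means it passed."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if len(pw) < 14 and classes < 3:              # long passphrases are exempt
        reasons.append("uses fewer than three character classes")
    if username and username.lower() in pw.lower():
        reasons.append("contains the user name")
    for variant in _variants(pw):
        if variant in wordlist:
            reasons.append(f"based on dictionary word '{variant}'")
            break
    return reasons


if __name__ == "__main__":
    for candidate, user in (("secret", ""), ("Summer2002!", ""),
                            ("P@ssw0rd", ""), ("george1", "george"),
                            ("Xk7#qpL2vW", "")):
        verdict = check_password(candidate, user) or ["ok"]
        print(f"{candidate:14} {'; '.join(verdict)}")
```

The point of the transformation list is that "Summer2002!" and "P@ssw0rd" look like they satisfy a complexity rule yet fall to the first pass of any cracker; a checker that only counts character classes would accept both.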

Apply Security Patches

No system is perfect. They all have flaws, and those flaws need to be patched. When any system is installed on a network, all of the security patches for that system (operating system) need to be installed. Security patches for known problems with communications software (like Netscape Navigator, Java, HTML, and so forth) also need to be applied. If your network is too big to patch by hand, consider installing automated patch management software.

Follow Policies and Procedures

At a minimum, policies and procedures for installing systems, maintaining data, and providing basic physical security need to be developed and enforced. If your system administrators don't have system policies and procedures, systems can be installed with risky configurations. That's what happened on the TransWorld network. They had neither policies nor procedures in place, and the systems were installed with risky configurations.

Once you have an entire network set up in a high-risk manner, it takes a lot more time and manpower to reconfigure the system to an adequate level of security. To avoid that, make sure that your systems aren't configured out-of-the-box without the proper policies and procedures. For details on policies and procedures, see Chapter 8, "Internal Network Security."

Work with Experts

Using an outside expert is not a sign of weakness in your division. It's a sign of good sense! Unless your company is quite large, you probably don't need a full-time security expert on staff. So it makes sense in both staffing and resource allocation terms to bring one in short-term when needed instead. Don't wait until your entire network is out of control to bring in an expert.

Not long ago, I was talking to the CIO of a Fortune 500 company. I told him that just by talking to the engineers and managers of his company I knew that they had some risky system configurations on their network. I felt they should hire a security auditor to test their network. I reminded him that the audit wouldn't cost much and it would let him know exactly how much risk he was dealing with. The CIO's response was interesting. He said, "Linda, that's like pulling a string on my most expensive suit. It doesn't cost a thing to pull the string, but the results are costly." I think he meant that the real expense wouldn't be in the audit, it would be in cleaning up the risky areas identified. The only problem with that attitude is that sooner or later, someone is going to pull that string. The only questions (other than "When?") are "Who?" and "Why?" Hopefully "Who?" is a security auditor, not a hacker, and "Why?" is to analyze risk, not to check out the potential loot.

Use Training

Security is not something that most technicians or system administrators usually focus on in school or in on-the-job training. Make sure that your people have at least the basics down. Also remember that security issues are far from static. So, years-old security training sessions don't count.

One of the problems at TransWorld was that George and Nathan were (supposedly) protecting customer data without even an hour of security training between the two of them. That's crazy! Make sure your employees are trained on how to secure the systems they support.

Checklist

Use this checklist to determine whether your company is at risk because of out-of-the-box installations. Can you mark a "Yes" beside each item?

___ Do you know what you're trying to protect on your network?

___ Was management involved in the risk assessment?

___ Are there policies and procedures for system configurations?

___ Do those policies and procedures cover file permissions, passwords, and applying patches?

___ Is there a policy covering physical security?

___ Do all user accounts have passwords?

___ Have any default accounts installed with the system been changed?

___ Are default guest accounts banned as a matter of policy?

___ Are dormant accounts regularly disabled?

___ Are security patches applied as part of the installation for all new systems?

___ Do you try to crack the passwords on the system(s) you support to test for bad passwords?

___ Do you conduct periodic audits to verify that security controls are in place?

___ Do you look for unauthorized changes to files?

___ Are you sure that all person(s) installing your systems have been trained on your company's security policies and procedures?

___ Do you double-check that all known security problems have been addressed before bringing new hardware or software systems online?

___ Do you have enough funding for security?

___ Are needs for risk assessment, training, auditing, and policies and procedures reflected in your head count?

___ Do you configure and review audit logs?

___ Do you use caution when exporting filesystems?

___ Do you disable unnecessary services?



IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73