Creating Your Own Security Profile

Security in every organization works somewhat differently. Proper security measures must be determined based on the risks, threats, budgets, and general makeup of an organization. The same security measures cannot effectively be applied to different organizations with different values, different risks, and different architectures. It is thus important for any organization desiring security to first develop a security profile.

A security profile defines several of the unique elements within an organization that can help focus security efforts. This is not a risk analysis, nor a vulnerability assessment (both of which are discussed elsewhere in this book); this is simply a guide on how to view ourselves through the eyes of our enemies. The unique security measures that should be applied to an organization should include this information as one of several defining factors.

Unique Hackers

Every organization has its own unique way of attracting hackers. Some organizations can go years without ever being the direct target of an attack, while others cannot last five minutes without attracting someone's attention. By defining who your hackers are and what their capabilities may be, you can better understand how to design a defensive strategy to keep them out.

Unique Targets

There are systems within any organization that are more likely to be struck than others. Combined elements of visibility, functionality, and vulnerability make some devices more likely to catch a hacker's attention. Identifying where such systems exist and why they are potential targets can assist in the placement of security defenses.

Who Are the Hackers?

Earlier in this chapter, we discussed the different categories of hackers, including their unique motives and capabilities. Each form of hacker presents a different type of threat to an environment. Some hackers are quite easy to deal with, while others are seemingly impossible. Knowing the type of hacker that may be drawn to your environment can be key in determining the lengths to which you will go to secure yourself.

Determining an Organization's Hacker Types

Table 7.1 is a chart of some common elements that will attract the attention of various hackers. This type of worksheet can be very useful in visualizing why an organization would be the target of a hacker and should be used as a guide. Each reader is encouraged to consider the unique elements within his or her environment that may draw the attention of a hacker and list them in the blank rows at the bottom.

Table 7.1. Considerations for a Hacker Profile

Common Hacker Attractions
    Summer-time, Script Kiddie, Targeting Criminal, Employee

Is there a dedicated Internet connection?
    1, 3, 1, 1

Are there modems attached to some number of desktops, servers, or dial-up concentrators?
    1, 1

How many employees and consultants are there? (<100, >100, >500, >1,000)
    1, 1, 2, 1, 2, 3, 1, 2, 1, 2, 3, 4

Is this a well-known type of government or activist organization?
    1, 1

Is this an Internet or application service provider?
    2, 1, 1

Is this a health care provider or financial business?
    1, 1, 1

Is this an organization that is significantly controversial? (Would this organization's function attract attackers?)
    1, 1

Is this a Fortune 500 company?
    2, 2

Does this organization experience heavy traffic on any of its external services (thousands of hits on a Web server)?
    1, 1, 1

Does this organization host a mail server connected to the Internet?
    1

Does this organization host a DNS server connected to the Internet?
    1

Does this organization perform direct sales over the Internet?
    1, 1

Does this organization accept credit card information over the Internet?
    1, 1, 1

Total Score

Score > 3: There is a good possibility you will be attacked by this type of hacker at some point in time.

Score > 5: Over the course of a year, it is reasonable to assume you will receive multiple attacks from this hacker type.

Score > 7: It is likely that your organization will be under constant attack from this type of hacker.

When the scoring has been completed, compare the values derived from the different types of hackers. This should give you a general idea of what kinds of hackers may be attracted to your environment. The higher the number, the more likely an organization is to encounter a specific type of hacker.

What Are the Targets?

Of course, any device within an organization is a potential target for attack. However, some systems, due to their function, content, and location on the network, are much more likely to be targeted than others. I previously discussed where common targets exist, how they are commonly attacked, and what damage an individual could do with a successful "hack." We will now use Table 7.2 to help identify which objects are most likely to attract attention.

Determining Most Likely Targets

Take the following points into consideration for each object you wish to evaluate. A higher point value could indicate that an object is more likely to be the target of an attack.

Table 7.2. Hacker Targets

Common Hacker Attractions | Points
Does this system have a modem and active phone line attached to it? | 1
Does this system have access TO and/or FROM the Internet? | 2
Does this system provide any network-accessible services? | 2
Is this system a DNS, Web, or email (SMTP) server? | 2
Does this system have a published entry in a public DNS server? | 1
Does this system host customer, partner, or employee information? | 1
Is this system an ordering system for purchasing goods or services? | 1
Does this system accept credit cards or other forms of online payment? | 1
Does this system host any subject matter that would be considered controversial? | 1
Does this system receive more than 500 "hits" a day from outside the local network? | 1
Total Score |
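
As an added illustration (not from the book), the Table 7.2 worksheet can be applied across an asset inventory to rank systems for the placement of defenses. The point values are those in Table 7.2; the short attribute names and the sample inventory are assumptions constructed for this example.

```python
# Point values are taken from Table 7.2; the short attribute names are
# assumptions introduced for this example.
TABLE_7_2_POINTS = {
    "modem_with_phone_line": 1,
    "internet_access": 2,            # access to and/or from the Internet
    "network_services": 2,
    "dns_web_or_smtp_server": 2,
    "public_dns_entry": 1,
    "hosts_personal_info": 1,        # customer, partner, or employee data
    "ordering_system": 1,
    "accepts_online_payment": 1,
    "controversial_content": 1,
    "over_500_external_hits_per_day": 1,
}

def target_score(attributes):
    """Sum the Table 7.2 points for every question answered 'yes'."""
    unknown = set(attributes) - set(TABLE_7_2_POINTS)
    if unknown:
        # A misspelled attribute would silently under-score a system.
        raise ValueError(f"not a Table 7.2 question: {sorted(unknown)}")
    return sum(TABLE_7_2_POINTS[a] for a in set(attributes))

def rank_targets(inventory):
    """Return (score, system) pairs, highest score first, ties by name."""
    scored = [(target_score(attrs), name) for name, attrs in inventory.items()]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))

# Constructed sample inventory: each system lists its 'yes' answers.
SAMPLE_INVENTORY = {
    "hr-database": ["network_services", "hosts_personal_info"],
    "mail-relay": ["internet_access", "network_services",
                   "dns_web_or_smtp_server", "public_dns_entry"],
    "plant-controller": ["modem_with_phone_line"],
    "public-web": ["internet_access", "network_services",
                   "dns_web_or_smtp_server", "public_dns_entry",
                   "hosts_personal_info", "ordering_system",
                   "accepts_online_payment",
                   "over_500_external_hits_per_day"],
}

if __name__ == "__main__":
    for score, name in rank_targets(SAMPLE_INVENTORY):
        print(f"{score:2d}  {name}")
```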



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
EAN: 2147483647
Year: 2006
Pages: 119
Authors: Kevin Day