Prevention


Prevention is perhaps the most powerful means of defense. We can minimize the opportunity for attacks to occur by reducing our vulnerabilities and taking aggressive approaches to control the dissemination of tools and techniques that could be used against us. Some parallels can be drawn between the preventative actions and initiatives of governments, such as the Office of Homeland Defense in the United States, and the preventative actions and initiatives that can be undertaken at the corporate level.

In the extreme case of biological, chemical, or nuclear threats, controlling the tools and techniques behind launching these types of attacks is one of the most effective ways to minimize the risk. If the tools and techniques can be secured and contained, then there are fewer individuals who would even have the knowledge or opportunity to conduct such an attack. In the case of enterprise security, it is far harder to contain the tools and techniques. Software for launching attacks on corporate systems is readily available for download on the Internet and the methods of launching an attack can be comprehended and executed by school children. It is often as simple as running a downloaded program or script. With this widespread distribution and ready availability of tools and techniques, the main recourse for corporate security specialists is to protect the boundaries. Weapons of attack are readily available or can be custom developed, so prevention measures need to move from controlling the weaponry to protecting the borders.

In the enterprise security arena, preventative measures include software for administration, authorization, and authentication (known as 3A); firewall and virtual private network software; secure content management software; encryption software; and vulnerability assessment software. Secure content management software primarily includes Web content, email scanning, and virus protection software that aids in securing Internet content.

The basic concept behind prevention is to protect corporate networks, applications, and data by putting up perimeter defenses, validating the identity of users, controlling access, encrypting communications, and securing applications and content. Three key ingredients are authentication, access control, and encryption. Authentication aims to validate the identity of users wanting to gain access. Traditional techniques for authentication have been the relatively weak "one-factor" user name and password approach, and the stronger "two-factor" password plus token authenticator approaches. As an example, the RSA SecurID authenticator is in use by more than 10 million people worldwide. For end users, it typically consists of a hardware key fob that generates a one-time authentication code that changes every 60 seconds. This means that users logging into a corporate network remotely need to know their password plus have the key fob in their possession. The second ingredient, access control, aims to restrict user privileges once they have been authenticated so that they have access only to the data and applications for which they have permission. It is an often tedious and time-consuming task to keep user permissions updated as new applications are added to the corporate network, but basics such as access control can go a long way toward loss prevention and risk management. The third basic security ingredient is encryption. This aims to secure content while it is resident on the internal corporate network or in transit outside the firewall. It can help to protect the integrity of data and communications so that they are not intercepted or altered in any way. 
Newer and more powerful encryption techniques such as the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES) can be used as earlier encryption protocols such as the Data Encryption Standard (DES), first adopted by the Government in 1997, start to show signs of aging and vulnerability to cracking techniques such as brute-force attacks.
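The two-factor login described above, as an added example that is not from the book: the token side uses the open TOTP standard (RFC 6238) with a 60-second step as a stand-in, since the algorithm inside RSA SecurID is proprietary. The names `USER`, `login`, and `hash_password` and the demo password are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, matching the 60-second rotation described above


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `now` (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a slow salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def login(user: dict, password: str, code: str, now: float) -> bool:
    """Succeed only if the password (knows) AND the token code (has) are valid."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    current = int(now) // STEP
    matched = None
    for step in (current - 1, current, current + 1):  # tolerate token clock drift
        if step <= user["last_step"]:
            continue  # already used or older: reject replayed codes
        expected = totp(user["secret"], step * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = step
    if pw_ok and matched is not None:
        user["last_step"] = matched  # burn the code so it is truly one-time
        return True
    return False


# Constructed demo account; the secret is the RFC 4226 test key, not a real seed.
SALT = b"constructed-salt"
USER = {"salt": SALT, "pw_hash": hash_password("correct horse", SALT),
        "secret": b"12345678901234567890", "last_step": -1}
```

A stolen password alone fails the check, as does a code that has expired or has already been used once.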

Biometrics

Recent techniques for improved authentication include biometrics. These offerings support the recognition of a variety of human physical attributes through techniques such as voice recognition, facial recognition, fingerprinting, hand geometry, and iris recognition. The strongest form of authentication occurs when systems combine techniques in order to achieve what is known as "three-factor" authentication. This technique combines what a person knows, such as a user name and password, with what they have, such as a hardware key fob, and with who they are, as established via biometrics. However, not all security applications require this three-factor authentication or even a two-factor authentication. Facial recognition by itself can be applied to a wide variety of scenarios such as the identification of known criminals in public spaces such as airports and shopping centers, in addition to being used as part of a broader verification mechanism for high-security corporate or government applications. Some of the vendors in the facial recognition space include Viisage Technology and Visionics.

Viisage's technology was originally developed at MIT and translates facial characteristics into a unique set of numbers which they refer to as an "eigenface." Its technology can be applied for one-to-many identification processes that search large databases of millions of faces for a rapid match within seconds. It can also be applied for one-to-one verification of identity processes, such as verification at ATM machines. Viisage has the world's largest installed facial recognition database of over seven million images. Their current customers include federal government agencies, casinos, and local and state police, corrections, and social services departments.

Visionics Corporation offers a number of biometric solutions including its FingerPrinter CMS live-scan fingerprinting system and FaceIt face-recognition technology. The FingerPrinter CMS system can capture, print, and transmit fingerprints electronically to the Office of Personnel Management, where they are submitted for searching against the FBI's Integrated Automated Fingerprint Identification System database. The system can be used for a variety of background investigation purposes. For example, the Transportation and Aviation Security Act of 2001 mandated fingerprint background checks on all airport employees by the end of October 2002. A number of airports, including Los Angeles International Airport, have adopted the Visionics FingerPrinter CMS systems for this purpose. The FaceIt face recognition technology has been deployed in casinos, soccer matches, and town centers and has been used by the U.S. Army military police as part of a wearable, hands-free, facial surveillance system.

Biometrics is also starting to find more mainstream applications. IBM offers the FaceIt face recognition software when customers purchase their UltraPort Camera for ThinkPad A, T, or X Series laptops. The software is part of a screensaver that can restore access to the laptop when the authorized face appears in view of the camera.

Wireless Security

With the proliferation of wireless devices and wireless access points such as wireless LANs, the opportunity to get onto a private network has never been higher. Instead of being protected behind physical security such as buildings, locked doors, and guards, corporate networks with wireless access are now, in effect, floating freely up and down office floors and even outside buildings. Wireless LANs are a particular problem because they spread the data signal in an uncontrolled dispersion pattern to anyone within the signal radius wanting to tap into the network. This dispersion can often be 500 to 1,000 feet. On an unsecured wireless LAN, all that is required to gain access to the network is a laptop with a wireless modem attached. A number of hardware and software vendors are on hand, however, to provide solutions. These solutions are similar to the wired network solutions and aim to offer firewalls, virtual private networks, and other forms of access control, authentication, and encryption for wireless data and devices. An example is the VPN-1 SecureClient from Check Point Software Technologies. The software provides virtual private network and firewall functionality for PDA devices such as the Compaq iPaq. In this way it provides mobile device users with the same type of protection that they have when using their laptops. The firewall serves as protection for the mobile device from attack and the VPN serves to ensure secure communications with the corporate network. Novartis, an international pharmaceutical company, is using the Check Point software to secure network access via Pocket PC devices for over 10,000 of their remote employees. For a long time, security has been one of the major barriers to adoption for mobile computing beyond niche, specialized applications. 
These types of security solutions for mobile devices will aid in the overall growth and acceptance of wireless computing as a whole, in addition to protecting wireless communications and the devices themselves.

With mobile devices such as cell phones and PDAs gaining more and more functionality, it is becoming critical for businesses to secure their devices to the same level as their desktop computing infrastructure. Wireless and mobile devices are gaining more processing power, more storage, and more access to business applications such as corporate email, personal information management, and sales and field force applications. They are also gaining business intelligence functions as corporations summarize business events and key performance indicators into digital dashboards for constant reporting and notification purposes. This type of information, if compromised, can be a significant risk for most businesses across a number of industries. It may include financial data, sales information, customer lists, competitive information, operational data, and other sensitive corporate metrics. Loss of a wireless device such as a PDA will shortly be as serious an issue as the loss of a regular laptop. Without the proper protection, these devices will be easy prey for individuals wanting to steal sensitive information or to gain access into your network. One of the steps to secure mobile computing is to standardize which types of devices are permitted onto the corporate network and to establish sound authentication, access control, and encryption policies and procedures.

 



Business Innovation and Disruptive Technology: Harnessing the Power of Breakthrough Technology ...for Competitive Advantage
ISBN: 0130473979
Year: 2002
Pages: 81
