Etienne A. Gibbs, MSW, Internet Safety Advocate and Educator
The University of Georgia's network security systems fight off 80,000 to 90,000 potential attacks daily. At the Bank of New York, sensors catch millions of security "events" in a month, and "we don't even treat the scripts that run out there or worms flowing across the Internet at any point in time as an incident because they are not entering the network," notes Eric Guerrino, the bank's head of information security.
With all the threats floating around in the cyberjungle, how do you sniff out a serious Information Technology security breach? The best defense requires a mix of technology muscle and human interpretive skills. Detection systems are essential tools, but it's up to professionals to make some informed distinctions.
I have put together five steps to consider when evaluating your home or business computer systems. They are presented in five parts. Let's begin:
Step No. 1: Let the Bells and Whistles Alert You about the Initial Attack
The Bank of New York's incident-response team sizes up threats with a few critical calculations: the probability of an imminent attack, the probability that an attack will succeed once attempted, and the potential damage if it does; the location of the potential targets, their host operating systems and how vulnerable those are to the attack; and the sensitivity of the data residing on the affected devices.
What gives an organization the best chance to safeguard itself? The critical elements include multiple levels of traditional and emerging security monitoring tools; an analysis system capable of crunching copious amounts of event data; and the ability to process observations from employees and customers.
Firewalls and intrusion-detection systems are the old reliables of detection technology. Standing at the intersection of internal networks and the public Internet, firewalls are the established first barrier to external attacks. Intrusion-detection systems, which joined the security force in the late 1990s, monitor networks for suspicious activity. Intrusion-prevention systems go a step further, monitoring traffic and then initiating an automated response, such as dropping a particular packet of data.
Old-school intrusion-detection systems identify threats by matching the signatures of known attacks. Some threats are too nimble for that: a so-called "zero-day" attack exploits a vulnerability before the vendor and the defenders know it exists, so there has been no time to create and distribute a signature for it.

To address this, security teams supplement signature-based systems with behavior-based detection, which establishes a baseline of normal network traffic and then searches for anomalous patterns, for example traffic leaving a network at a time when no one should be using it. This helps flag previously unknown types of attacks, though at the cost of more false positives: anything the baseline never saw, such as a newly scheduled backup job, looks anomalous until the baseline is retrained, so thresholds need tuning per network segment.
In responding to zero-day exploits, their biggest concern, Bank of New York deploys hundreds of intrusion-detection and intrusion-prevention sensors that record events on a daily basis. Its intrusion-detection/prevention systems shield the bank from the vast majority of exploits, and only a fraction of the events warrant a security-breach investigation.
The University of Georgia also uses an intrusion-detection/prevention combination. The university operates a Security Operations Center that monitors its intrusion systems around the clock and also minds firewalls, virtual private networks and other security products.
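The baseline-and-deviation idea behind behavior-based detection is easy to show in code. The following Python is an added example written for this page; it is not a system used by the Bank of New York, the University of Georgia or any product named above. The log line format, the seven-day training window, the z-score threshold of 3 and every log line are constructed for the illustration.

```python
"""Added example (not from the article): behaviour-based detection on an
hourly traffic baseline. Seven days of constructed firewall connection
logs are summarised per hour of day; a new day's hours are flagged when
traffic shows up where the baseline never saw any, or when the volume sits
far above what the baseline saw for that hour."""
from collections import defaultdict
from datetime import datetime
import statistics

Z_THRESHOLD = 3.0   # assumed tuning value; a real SOC tunes this per segment


def parse_line(line):
    """Parse one constructed log line: 'YYYY-MM-DD HH:MM:SS src dst bytes'."""
    date, time, src, dst, nbytes = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst, int(nbytes)


def hourly_counts(lines):
    """Map (date, hour) -> number of outbound connections seen in that hour."""
    counts = defaultdict(int)
    for ts, _src, _dst, _n in map(parse_line, lines):
        counts[(ts.date(), ts.hour)] += 1
    return counts


def build_baseline(lines):
    """Per hour of day, mean and standard deviation of the daily count.
    Hours with no traffic on a given day count as 0, so an hour that is
    always silent ends up with mean 0 and std 0."""
    counts = hourly_counts(lines)
    days = {d for d, _h in counts}
    baseline = {}
    for hour in range(24):
        per_day = [counts.get((d, hour), 0) for d in days]
        baseline[hour] = (statistics.mean(per_day), statistics.pstdev(per_day))
    return baseline


def score_day(baseline, lines, z_threshold=Z_THRESHOLD):
    """Return {hour: reason} for hours of the new day that deviate upward.
    Only excess traffic is flagged here; a silent hour where traffic is
    expected is a different signal (an outage) and is left to other monitoring."""
    counts = hourly_counts(lines)
    flagged = {}
    for (_day, hour), count in counts.items():
        mean, std = baseline[hour]
        if mean == 0:
            if count > 0:
                flagged[hour] = f"{count} connections in an hour the baseline never saw traffic"
            continue
        z = (count - mean) / max(std, 1.0)   # floor the std so a flat baseline cannot divide by zero
        if z > z_threshold:
            flagged[hour] = f"{count} connections vs baseline mean {mean:.1f} (z={z:.1f})"
    return flagged


# ---- constructed sample data -------------------------------------------------
def _conn(day, hour, n, src, dst="203.0.113.7"):
    return f"2008-03-{day:02d} {hour:02d}:{(n * 3) % 60:02d}:{n % 60:02d} {src} {dst} 1500"


def baseline_log():
    """Seven days of business-hours (08-17) traffic, 16 to 20 connections per hour."""
    return [_conn(day, hour, n, f"10.0.0.{n + 1}")
            for day in range(1, 8)
            for hour in range(8, 18)
            for n in range(16 + (day * 7 + hour) % 5)]


def new_day_log():
    """Day 8: normal business hours, a burst at 14:00, and a single host
    talking to an outside address at 03:00 when the office is empty."""
    lines = [_conn(8, hour, n, f"10.0.0.{n + 1}") for hour in range(8, 18) if hour != 14 for n in range(18)]
    lines += [_conn(8, 14, n, f"10.0.0.{n % 40 + 1}") for n in range(90)]
    lines += [_conn(8, 3, n, "10.0.0.5", "198.51.100.9") for n in range(12)]
    return lines


if __name__ == "__main__":
    for hour, reason in sorted(score_day(build_baseline(baseline_log()), new_day_log()).items()):
        print(f"{hour:02d}:00  {reason}")
```

Run stand-alone it reports two hours: 03:00, where the baseline has mean 0 and any traffic counts, and 14:00, whose 90 connections sit far above the 16 to 20 seen on earlier days. Two design points matter in practice: the "zero-baseline" rule is a separate branch because a z-score is meaningless when the standard deviation is 0, and the baseline is keyed only by hour of day here, whereas a production system keys by segment, host and protocol, or a single busy host's normal load masks the quiet one that has started talking to an IRC server at night.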
Step No. 2: Follow the Threat to Its Source
When an alert shows up on a security manager's console, it's as if someone set off an alarm, says Morrow, the Chief Security and Privacy Officer for Electronic Data Systems Corp. The security group's first question is obvious: Where is the problem? But finding the answer requires ingenuity. There's no single surefire method for finding a security breach and nailing down its scope.
The task is still more art than science. Event logs generated by firewalls and early warning intrusion-detection/prevention systems give security analysts one route of inquiry. And the demand for tools that help correlate the mass of security data held by the various systems is growing. Security experts advise looking at security information and event management software, which helps security managers detect incidents, for clues that may help identify the source of the attack as well.
Security information and event management software rolls up alerts from firewalls and intrusion-detection/prevention systems, along with event data from antivirus products, databases, Web servers and elsewhere. It offers two tracks to the source. One is its visualization view, which looks like a large, continuously scrolling spreadsheet and provides some detail on each network attack, detected virus or other event, including the Internet Protocol address and name of the affected device.
The initial information gives a basic sketch of the problem and where it may exist. Every device connected to a network is identified by an Internet Protocol address that can guide security personnel to the general areas requiring investigation. However, there are limitations to this line of inquiry; one is a lack of context. What does the IP address mean? Where is it and who is using it?
The other limitation is that an attack may spoof the IP address. Security analysts thus have to dig deeper into the second source, the event logs, which contain more finely grained detail. They'll be looking for Media Access Control addresses, which identify network nodes, to see if a given IP address is correct and valid, Lawson explains. The logs also will provide details on how an attack progressed through a network. By examining the firewalls and routers and operating systems, analysts can piece together how many Media Access Control addresses, Internet Protocol addresses and routers were targeted in a given incident, Lawson says.
Security personnel need information beyond the alert itself. A good security information and event management system will archive logs from different security devices, routers and operating systems. A security information and event management system's data gives the security team direction; after that, they must still physically find the affected system.
A configuration management database, which holds information about the components of an organization's information-technology infrastructure, can help. By identifying components and their status, the database helps security managers zero in on the source of trouble, though that doesn't mean all devices are easy to find; a laptop plugged into the corporate network by a temporary worker or other visitor will be elusive.
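Here is the IP-to-MAC-to-owner chain of Step No. 2 as an added Python example; it is not code from EDS, the bank, or any product mentioned above. The DHCP lines imitate ISC dhcpd's DHCPACK log format, while the ARP/switch table, the CMDB entries, the host names and the owners are constructed placeholders. One caveat the text does not state: a MAC address is only visible on the local network segment, since routers rewrite it at every hop, so the observed MAC must come from a switch or ARP table on that segment, and a determined attacker can forge a MAC as easily as an IP. The check catches the common case (a stale lease, a visitor's laptop, a host borrowing another's address), not every case.

```python
"""Added example (not from the article): enrich an IDS alert's source IP
with DHCP lease and ARP/switch records, then a CMDB lookup, and flag the
two situations the text warns about: an IP whose observed MAC does not
match its lease (spoofed or stale), and a device nobody registered.
All records below are constructed; the DHCP lines imitate ISC dhcpd's
DHCPACK format."""
import re
from collections import namedtuple

Enriched = namedtuple("Enriched", "ip lease_mac observed_mac hostname switch_port owner location flags")

# Constructed DHCP server log (dhcpd-style). The last ACK for an IP wins.
DHCP_LOG = """\
Mar 10 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.0.23 to 00:1a:2b:3c:4d:5e (acct-laptop-07) via eth0
Mar 10 09:14:37 dhcp1 dhcpd: DHCPACK on 10.0.0.50 to 00:1a:2b:aa:bb:cc (hr-desk-12) via eth0
Mar 10 09:20:05 dhcp1 dhcpd: DHCPACK on 10.0.0.23 to 00:1a:2b:3c:4d:5e (acct-laptop-07) via eth0
"""

# Constructed ARP/switch observation table from the same segment: ip, mac, switch, port.
ARP_TABLE = """\
10.0.0.23 00:1a:2b:3c:4d:5e sw-floor2 Gi1/0/7
10.0.0.50 00:0c:29:11:22:33 sw-floor2 Gi1/0/19
10.0.0.77 00:16:d3:44:55:66 sw-lobby Gi1/0/2
"""

# Constructed CMDB: hostname -> (owner, location). 10.0.0.77 is not registered anywhere.
CMDB = {
    "acct-laptop-07": ("j.doe", "Finance, floor 2"),
    "hr-desk-12": ("a.roe", "HR, floor 2"),
}

DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17}) \(([^)]*)\)")


def parse_dhcp_leases(log):
    """Return {ip: (mac, hostname)}, keeping the latest ACK per IP."""
    leases = {}
    for line in log.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            leases[ip] = (mac.lower(), host)
    return leases


def parse_arp_table(text):
    """Return {ip: (mac, switch, port)}."""
    table = {}
    for line in text.splitlines():
        ip, mac, switch, port = line.split()
        table[ip] = (mac.lower(), switch, port)
    return table


def enrich(ip, leases, arp, cmdb):
    """Join the three sources for one IP and attach the flags an analyst acts on."""
    lease_mac, hostname = leases.get(ip, (None, None))
    observed_mac, switch, port = arp.get(ip, (None, None, None))
    owner, location = cmdb.get(hostname, (None, None))
    flags = []
    if lease_mac and observed_mac and lease_mac != observed_mac:
        flags.append("mac_mismatch")     # someone else is using this IP, or the lease is stale
    if lease_mac is None:
        flags.append("no_lease")         # static or self-assigned address
    if hostname is None or owner is None:
        flags.append("not_in_cmdb")      # visitor laptop, rogue device, or inventory gap
    switch_port = f"{switch} {port}" if switch else None
    return Enriched(ip, lease_mac, observed_mac, hostname, switch_port, owner, location, tuple(flags))


def triage(alert_ip):
    """Enrich one alert source IP against the constructed records above."""
    return enrich(alert_ip, parse_dhcp_leases(DHCP_LOG), parse_arp_table(ARP_TABLE), CMDB)


if __name__ == "__main__":
    # Constructed IDS alerts: three inside hosts seen talking to an outside IRC port.
    for ip in ("10.0.0.23", "10.0.0.50", "10.0.0.77"):
        e = triage(ip)
        print(ip, e.hostname, e.owner, e.location, e.switch_port, e.flags or "consistent")
```

The switch port is the piece that turns an IP address into a physical location, which is what the analyst needs when the CMDB has no entry and the text's "crawling through offices" begins: 10.0.0.77 has no lease and no owner, but the switch table still says it is on sw-lobby port Gi1/0/2.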
For all the automated sleuthing, a certain percentage of devices will be discovered only by hands-on crawling through offices, plugging and unplugging things. When it comes to detecting an attack, human intelligence must support automated systems in determining its scope and severity. Security managers say they seek out the affected asset's owner.

Determining the appropriate response means taking the attack's virulence into account. Besides how many systems are affected and where the attack is located, security personnel also want to know how insidious it is: is it a random exploit, or a botnet propagating through the network and reporting information back to somebody or some organization through an IRC (Internet Relay Chat) channel? Something like the latter has far more impact.
While corporate security groups chase down incursions when they happen, they've tried to become more proactive, looking for and fixing weak spots before attacks occur with the help of vulnerability management tools. Like intrusion-detection sensors and firewalls, these tools may feed into security information and event management systems and configuration engines.
Many organizations scan for vulnerabilities on a regular basis, allowing security personnel to determine which systems are vulnerable to attack and patch accordingly.
Step No. 3: Implement An Incident Response Plan at Home and at Work
When a security incident occurs, it's the information technology security group's job to respond. Among the group's first assignments: Determine whether an alert represents a serious incident or a false alarm. Security managers may call upon internal experts or external help from antivirus vendors and various intelligence services, which provide reports on computer security threats.
UPS subscribes to a number of such services and maintains a strategic relationship with an antivirus vendor. The relationships help UPS stay on top of the threat environment, which puts the company in a position to react ahead of time.
But the knowledge flows in both directions. When UPS discovered a variant of the Zotob worm, the company notified its antivirus vendor. Zotob achieved notoriety in August 2005 when it hit CNN and The New York Times, among others.
An alert that reaches full-blown incident status triggers an organization's response plan, assuming it has one. Security experts say large enterprises typically do maintain some type of formal response plan, though incident response varies widely. Some response plans, governed by extensive steps and checklists, become so choreographed that they are almost restrictive. The other extreme is no choreography, which results in a "mad dance." The best fit? Follow a middle path. The University of Georgia follows established incident-handling protocols, based on documentation from the National Institute of Standards and Technology (NIST) and the SANS Institute.

NIST's Computer Security Resource Center publishes a range of security guidelines, including Special Publication 800-61, the Computer Security Incident Handling Guide referred to in Step No. 5. The SANS Institute, in conjunction with the Center for Internet Security, offers the Security Consensus Operational Readiness Evaluation (SCORE), which seeks to provide a minimum standard for information security procedures and checklists. ISO 17799, which provides guidelines for security management (and has since been renumbered ISO/IEC 27002), also covers incident management.
At some organizations, a computer incident response team (CIRT) puts the response plan into action. The corporate security chief generally heads the CIRT, but some companies prefer to tap an experienced outsider to manage response activity, so that one person doesn't wear two hats in a crisis.
The CIRT consists of I.T. security specialists, either internal or external, and people with other areas of expertise. Miracle says CIRT usually includes desktop gurus, server managers, and help-desk representatives. The CIRT members' responsibilities are determined in advance. "In real time, you can't have people arguing ... that you can't shut that server down," Miracle explains. He adds that some companies hire consultants to help establish roles and get different groups across the organization to buy into the plan.

While the CIRT may have broad influence, its physical reach may be limited. To address this issue, the University of Georgia's security group has deputized security liaisons in each of the institution's 14 colleges. Each college has different security parameters, but through institutional policies, standards and processes, the university has been able to set a security baseline. A security liaison also represents the university's administrative users.
For malware cleanup, an organization may choose to reload a fresh software image rather than delete the offending code. More companies choose such "brute-force methods" because they find it less arduous than potentially spending hours cleaning infected files from a system.
Brute force or not, cleanup comes to a halt when an incident calls for a forensics examination, since reimaging destroys the evidence on the machine. During an ongoing network attack, the organization must decide whether to let the incursion continue to aid its investigation or cut it off to minimize damage. Technology and business leaders must weigh whether the value of the investigation outweighs the risk to the network.
Sometimes it's strictly a business decision, but criminal cases may involve external authorities such as the FBI, or state authorities.
Because organizations may lack the specialized staff to investigate computer crime, forensics is frequently outsourced. Banks, for example, handle most response tasks internally, but may call in a forensics specialist if an incident looks like something that might lead to litigation. An event such as theft of service could spark a forensics investigation, but could also be treated as an employee matter if the theft occurs internally. Some banks have a retainer-like contract with a forensics services firm that gathers evidence and maintains the chain of custody.
While investigation and remediation activities continue, incident responders, ideally, keep lines of communication open with key constituencies. The CIRT team, for instance, notifies line-of-business managers of a problem so they can inform their customers.
Step No. 4: Dealing Effectively with Corporate Management
Picking up the phone to call the C-level suite ranks as the most delicate part of a security team's communications plan. Discernment is crucial in deciding when and how to inform the powers that be. Top executives need to be in the security loop, but the sky will fall on the security officer who issues one too many false alarms.
The false-alarm rate reported to business people has to be low for security warnings to be taken seriously. If a security shop warns erroneously more than twice a year, people tend to ignore the next warning. The security manager's experience and intuition play a major role, along with knowing what is of interest to senior executives and what is not.

The University of Georgia's triage team always assesses the scope and severity of an incident before contacting higher-ups.

M&T Bank ranks incident severity on a 1-to-4 scale, with Level 1 deemed the most critical. A Level 1 incident must involve at least one of the following: unauthorized disclosure, modification, destruction or deletion of sensitive information or data; disruption of business continuity and critical business processes or communication; an impact on the long-term public perception of the organization; or identity theft of an individual or group.
In response to a Level 1 incident, the manager of the resources involved is instructed to cease use of the resources until the bank's incident response coordinator makes contact and provides further instruction.
At New York Presbyterian Hospital, the priority of an incident rises as a particular segment of the network becomes sluggish, and escalates to the point where a complete disruption of service has to be reported. At the health-care facility, any incident that could potentially affect patient care must be communicated upward as well. Incidents all get reported, but not at the level of individual viruses and not every day.
At Pitney Bowes, context counts. An attack involving one application may sound small, but if that application is a key enterprise system that impacts many people, it may become a need-to-know incident. Incidents judged not to rate the C-level executives' immediate attention are periodically summarized and presented to them in a group.
Some security professionals provide an incident summary to a board-level committee of senior executives every six months. The summary includes the number of incidents by category, including unauthorized access, disclosure, usage, or destruction; loss or theft of information or equipment containing information; service disruptions; and copyright or trademark infringements. Incidents are further classified by impact and severity.
To ensure reasonably smooth communication in a crisis, security groups need an open channel of communication with management before the crisis. An established foundation for dialogue is crucial to the security officer's effectiveness in the normal course of business, and more so in an emergency, security experts say. They tout a close relationship with the top brass as critical for maintaining a healthy security budget and a corporate culture that values security. There is tremendous turnover among chief information security officers, and some former security officers insist they won't take that assignment again, but some security officers have established solid executive-level ties.

There are several reasons why C-level executives may ignore the chief information security officer, including lack of trust in the individual and a perception that security managers are "inhibitors or disablers."

Regulatory compliance issues have pulled at least some senior executives into the information-technology security camp. Sarbanes-Oxley, which demands documented risk-management processes, has forged a much closer relationship between the chief financial officer and the security team than existed before. The close relationship tends to exist where chief financial officers have familiarized themselves with their security group's processes and systems and have invested considerably in technology to address information-technology security risks.

Security managers, for their part, have been working to build closer links not just to executive management, but to all levels of an organization. Good communications and partnerships within the business are the biggest boons to a successful security strategy. Liaisons working with a company's technology and software development teams help maintain contacts in key business units and subsidiaries. For example, a security group's outreach could be as simple as bouncing ideas for new security policies or technologies off business-unit representatives. The group may also assist in implementing a security system.
Collaboration between the application and security groups means that security controls are embedded in software from the beginning, as opposed to being retrofitted after development. The corporate legal department and public affairs shop are two other groups beyond the C-level that might be notified about incidents.
The corporate groups, in turn, will likely have advice for the security team. The University of Georgia maintains a security advisory council with representatives from the human-resources, legal, internal audit, and public affairs departments. The university's Chief Information Officer also serves on the council, which offers guidance on security policies and standards, and acts in an advisory capacity during an incident.
Tone is important in building cooperation between security and other business units. Information technology security professionals must be good at getting people's attention in a positive way. Further, they must develop positive ways to share information on security issues and explain to the application development team or the information-technology infrastructure team, for example, how those issues may affect them.
Security carries a negative connotation, and corporate security groups at some companies have a "Big Brother" image. Some groups build consensus rather than dictate security directives because they want the business to see the security team not as a roadblock, but as a security-minded business partner.

The university environment, in particular, demands communication and consensus-building, because higher education is very slow to change; it is extremely difficult to turn that ship around if the people aboard don't want to be turned. Some security professionals find it easier and more productive to build relationships with students, faculty, and staff before trying to do so with department heads.
Step No. 5: Learning From Your Company Security Experience
The follow-up to a security incident typically involves a round of vulnerability assessment. Security groups check to make sure that the remediation efforts truly eradicated the problem and patched the afflicted systems. Different types of attacks call for different recovery procedures. An unauthorized-access incident could involve the attacker gaining root access to a system. If that's the case, the recommended course of action is to change all of the passwords on the system, according to the National Institute of Standards and Technology's Computer Security Incident Handling Guide. The reason is that root access lets the intruder read every credential stored or typed on that system, including ones reused elsewhere, and install persistence such as backdoors or altered system binaries; this is also why many teams rebuild a root-compromised host from a known-good image rather than trust a cleanup.

But organizations don't always follow all the steps toward comprehensively recovering and securing a system. Changing all users' passwords in a big organization is a tedious, time-consuming and very intensive manual process, and the temptation is to reset only the accounts known to have been abused.
Security teams usually conduct a post-incident scan with vulnerability assessment tools to ensure that necessary actions, such as applying required patches, have been taken. But security managers say they are continuously scanning anyway to uncover vulnerabilities or violations of security policy.
Vulnerability scans check desktops, servers, and networking gear for compliance with the corporation's security policies, and the resulting information is used to improve security measures. Some corporations check for gaps in several key areas, including system security configuration settings, security patches, antivirus status, personal firewall status, and industry-known vulnerabilities.

Others have customized their security measures to help assess compliance with their acceptable-use policy. The result is an executive-level snapshot in time of whether end users are following policy. They may also bring in an outside analyst every few years to perform a vulnerability assessment.

The University of Georgia runs vulnerability scans and has vulnerability management applications installed on sensitive and critical servers. The vulnerability management applications check configurations and settings on servers and generate a report card, which covers areas such as operating system version and patch level, open vulnerable ports and user accounts.
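A minimal version of such a report card, as an added Python example and not the University of Georgia's tool or any vendor's: the policy values, the ss -ltn style listener output, the /etc/passwd excerpt and the patch identifiers are all constructed. Besides the checks the text lists (patch level, open ports, user accounts), it separates loopback-only listeners from network-reachable ones, a common source of false positives in port findings, and looks for extra accounts sharing uid 0 with root, which the user-account part of a report card should always catch.

```python
"""Added example (not from the article): a per-server report card that
compares constructed scan output against an assumed policy: network-reachable
listeners vs the role's allowlist, installed patches vs the required set,
antivirus signature age, and password-file accounts that share uid 0 with
root. Scan text, policy values and patch names are all made up."""
import re

POLICY = {  # assumed policy values, not from the article
    "allowed_ports": {"web": {22, 80, 443}, "db": {22, 3306}},
    "required_patches": {"KB-2008-001", "KB-2008-002", "KB-2008-003"},
    "av_max_age_days": 7,
}

# Constructed ss -ltn style output from the host being graded.
SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
LISTEN  0      128    0.0.0.0:80         0.0.0.0:*
LISTEN  0      511    0.0.0.0:443        0.0.0.0:*
LISTEN  0      128    127.0.0.1:3306     0.0.0.0:*
LISTEN  0      50     0.0.0.0:6667       0.0.0.0:*
"""

# Constructed /etc/passwd excerpt from the same host. Note the second uid-0 account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:0:0::/var/backups:/bin/sh
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)


def listening_ports(ss_text):
    """Return (reachable, loopback_only) port sets. A 127.0.0.1 or ::1 bind
    is not reachable from the network and is not graded against the allowlist."""
    reachable, loopback = set(), set()
    for addr, port in LISTEN_RE.findall(ss_text):
        (loopback if addr in ("127.0.0.1", "[::1]") else reachable).add(int(port))
    return reachable, loopback


def uid0_accounts(passwd_text):
    """Accounts other than root whose uid is 0: each one is a second root login."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


def report_card(role, ss_text, installed_patches, av_age_days, passwd_text, policy=POLICY):
    """Grade one host: A with no findings, down to F with four."""
    reachable, _loopback = listening_ports(ss_text)
    findings = {
        "unexpected_ports": sorted(reachable - policy["allowed_ports"][role]),
        "missing_patches": sorted(policy["required_patches"] - set(installed_patches)),
        "stale_av": av_age_days > policy["av_max_age_days"],
        "extra_uid0": uid0_accounts(passwd_text),
    }
    failed = sum(1 for v in findings.values() if v)   # True and non-empty lists both count
    findings["grade"] = "ABCDF"[min(failed, 4)]
    return findings


def grade_sample_host():
    """Grade the constructed web server above: AV signatures are 19 days old."""
    return report_card("web", SS_OUTPUT, {"KB-2008-001", "KB-2008-002"}, 19, PASSWD)


if __name__ == "__main__":
    for k, v in grade_sample_host().items():
        print(f"{k:18} {v}")
```

On the sample host every category fails: port 6667 (the IRC port the botnet discussion in Step No. 2 mentions) is reachable and not on the web role's allowlist, one required patch is absent, the antivirus signatures are past the age limit, and "backup" is a second uid-0 account. The MySQL listener on 127.0.0.1 is deliberately not reported, because it is bound to loopback only; a scanner that ignores the bind address would have produced a spurious finding there.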
A vulnerability assessment is largely a technical exercise. Enterprises also convene post-incident meetings with representatives from different areas of an organization, which focus on process as much as technology.
The University of Georgia's security group, for instance, holds an "aftermath party" with the university's security advisory council, including the chief information officer and representatives from the legal, public affairs and HR departments, among others.
The meeting dissects the security team's response to the incident, assessing the effectiveness of processes and procedures. The follow-up meeting also serves as a springboard to spread the word about a given incident, with an eye toward avoiding it in the future.
Security experts point to education as the most important safeguard against future incidents. Some companies ensure their employees undergo security awareness training when they first join the company and annually thereafter. Managers are held accountable to make sure all who report to them have gone through the training.
Security training also crops up in other guises: some companies integrate security and data-protection messaging into all of their leadership training, and some schedule a security awareness week each year.

Training aims to prevent incidents, but an educated user also contributes to early detection. Employees who know what not to do, and whom to call when they see something out of the ordinary, prevent many serious incidents and shorten the ones that do occur.
Education initiatives must be flexible, enabling security groups to take lessons learned from security incidents and fold them back into the training regimen. They also must study changes in attack types and methods and update the curriculum.
Some banks conduct quarterly threat assessments to close existing vulnerabilities and anticipate new exploits. They may review their security posture annually with a third party. Their new understanding of the threat environment is incorporated into training programs for technical people and awareness programs for the rest.
Keeping information-technology departments up to speed on security is another dimension of the security group's education initiative. Application developers, for example, need to incorporate the organizations' latest security principles as they generate code.
Ongoing training efforts help keep security on the front burner, say security executives, who warn that the absence of major incidents tends to lead to complacency. Companies that are not successfully attacked get lax, and you have to reinvigorate them. Understanding the hazards, risks and threats of doing business in a networked environment will help employees and companies become much more secure.
Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, your family, and your business are all at risk.
These cybercriminals leave you with three choices:
1. Do nothing and hope their attacks, risks, and threats don’t occur on your computer.
2. Do research and get training to protect yourself, your family, and your business.
3. Get professional help to lockdown your system from all their attacks, risks, and threats.
Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!
© MMVIII, Etienne A. Gibbs, MSW
Your Internet Safety Advocate and Educator