
Home of Defense In Depth (DID) Security and Disaster Recovery.

Executive Briefs



Table of Contents

  1. The Top 10 Information Security Threats.
  2. The Top 7 Mistakes made by Companies implementing Network security.
  3. Who Is Targeted.
  4. What are the Liability Issues.
  5. Return on Investment.
  6. Network Threats.
  7. Workstation Threats
  8. HIPAA Security Over a Local or Wide Area Network
  9. HIPAA SECURITY FINAL RULE
  10. HIPAA SECURITY MATRIX


The Top 10 Information Security Threats

  1. Weak and inconsistent authentication of who is accessing your systems. Cure this problem with a strong access policy.
  2. Weak passwords (simple, too short, etc.). Cure this problem with a strong password policy.
  3. Insufficient security at the IP network layer (leaves you open to anyone, anywhere on the Internet). Cure this problem with an IP audit, then take appropriate action to turn off unnecessary services and maintain the result with a strong IP network layer policy and ACLs.
  4. Information services not controlled properly (e.g. remote access, insecure Internet servers, etc.). Cure this problem with an information services audit backed up by a strong information services policy.
  5. Inappropriate security access group memberships. Cure this problem with a security access audit and a strong access policy.
  6. Too many people with supervisory rights. Cure this problem with a system audit and a strong access policy.
  7. Weak access permissions on files and directories. Cure this problem with a system audit and a strong access policy.
  8. Malicious programs (viruses, worms, remote control apps, etc.). Cure this problem with a system-wide audit and a strong email and workstation policy.
  9. Failure to fix software and operating system bugs with hotfixes and service packs. Cure this problem with a LAN administration audit and a LAN administration policy.
  10. Not taking action on security threats that are being logged by an intrusion detection system. Cure this problem with a log audit and a strong LAN administration policy.

The Top 7 Mistakes Made by Companies Implementing Network Security

  1. Assigning inadequately trained and non-dedicated personnel to handle security. Use a specialist. Never assign security to LAN administration; keeping up with service patches and security technology is a full-time job.
  2. Failure to understand the relationship of information security to business problems (i.e. most people understand physical security, but do not see the consequences of poor information security). Poor information security and a break-in cause severe business disruption. Treat it the same as a disaster recovery plan. Remember: the loss of service can bring down the company, and the loss of confidence and the liability associated with being hacked can keep the company down. Exercise due diligence at all times to limit liability.
  3. Failing to deal with the operational aspects of security (i.e. making a few fixes and then not allowing the follow-through necessary to ensure the problems stay fixed). Be security aware. You cannot keep up if you are doing more than security. Treat it as being as important a part of the job as keeping the disk drives running on the servers. Slip, and a hacker will make sure you remember it for the rest of your life.
  4. Relying primarily on a firewall. With only one part of Defense In Depth in place, and with the firewall only trying to keep intruders out, you are using only half of its capabilities. What about attacks from within? Using only one part is an open invitation to being hacked.
  5. Failing to realize how much money their information and organizational reputation are worth. Never believe for one second that the company's information is not worth protecting. It is the company. Forget this fact and a hacker will remind you in a very unpleasant way.
  6. Authorizing reactive, short-term fixes only; as a result, problems re-emerge rapidly. OK for the short term but never for the long term. Always perform due diligence and follow through.
  7. Pretending the problem will go away if it is ignored. Hackers love to see this one. Ignore the problem and it will come back to haunt you. Always perform due diligence in matters of company risk and liability.

Who Is Targeted

If you're an executive or business owner, you have seen the news reports of companies attacked by viruses, cracked by hackers and generally compromised.

The best assumption is that everyone on the Internet is a target. Are you a bank, government institution, power company, large retailer, mid-sized business, part of the transportation infrastructure, small business, publicly traded company, private company or a private user? In other words, if you are connected to the Internet in any way, from a dial-up connection to a dedicated line, you are a target. The type of attack depends on what the attacker believes is on your system or what he can use your system for.

Using the Riptech report as well as incident responses from the SANS (Systems Administration, Network and Security) Institute, the INFOSEC (Information Security) Institute and others, the following trends are apparent.

[Chart: percentage of attacks]

Based on this information the following conclusion can be reached.

No company that is connected to the Internet is safe from attempts to be hacked. This includes e-mail viruses and Trojan horses, malicious web sites, direct attacks on the company's computers on the Internet, attempts to hijack the company's web site and any other attempt to compromise the company's ability to do business using the Internet. It is simply a matter of time and percentages before any company's computers are penetrated and information is stolen or the system is used to attack another company.

How do I protect my company and myself?

Being aware that there is a possibility of being compromised is the first step. Don't think for one second that the computer you use is safe simply because it is locked up in your office. If it is connected to the Internet in any way, it can be compromised. Take a holistic strategy towards protecting your assets: use a layered, Defense In Depth (DID) approach to protect the people and information in your company.

What Are the Liability Issues?

e-Business Partners & Customers

The real liability of being "hacked" is perhaps not what an intruder might do to your systems and data. While the loss can be significant, it is perhaps trivial when compared to the potential liability you may face if an intruder causes harm to one of your e-Business partners or a customer as a result of their penetration of your systems.

Liability Trends

The current trend in liability law is for the law to rely on information security as the means by which businesses should be able to establish a level of "trust".

New laws and regulations are beginning to require, push or create incentives for businesses to implement a level of security that establishes the legal "trust" necessary for safe, enforceable and provable transactions. Under the law, sometimes security is an option, and sometimes it is a requirement. But at all times, security has a legal role in facilitating business transactions that cannot be ignored.

The first law to recognize the legal role of security was the Uniform Commercial Code Article 4A, which governs electronic fund transfers. Proposed in 1989 and now enacted in all 50 states, this law relies on security procedures such as verification and error detection measures rather than signatures as the basis for verifying electronic transactions and apportioning liability. Since then, new laws and regulations are increasingly giving legal significance to security for a variety of reasons.

Legal Precedents

In some cases, the law literally requires security. For example:

The federal Gramm-Leach-Bliley Act, finalized in 2001, requires financial institutions to adopt a comprehensive written security plan to ensure the confidentiality of customer information.

The federal Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to implement the security necessary to ensure the integrity and confidentiality of healthcare information (42 U.S.C. 1320d-2).

Penalties include fines and possible imprisonment.

Such regulations require businesses to:

Moreover,

These regulations put the responsibility for adopting and implementing the plan directly on the Board of Directors.

Electronic Signatures

In other cases, the law pushes businesses to implement security by providing that certain electronic transactions will not be legally binding without taking appropriate security measures.

For example, under the 1999 New York Electronic Signatures and Records Act, and some other laws in the U.S. and other countries:

Electronic signatures are enforceable in certain cases only if appropriate security is used.

Specifically, the signature must be:

Attached to the data in a manner that authenticates the attachment of the signature to the data and the integrity of the data transmitted (NY CLS State Technology Law 101).

The Model Law on Electronic Signatures, approved by the United Nations in 2001, recommends that countries adopt laws basing the enforceability of electronic signatures on an assessment of their level of reliability or trustworthiness.

Legal Benefits

Some laws provide incentives to businesses by giving them a legal benefit if they implement appropriate security. For example:

Under the 1998 Illinois Electronic Commerce Security Act (5 Ill. Comp. Stat. 175), the signer of an electronic document is legally presumed to be the person identified by the signature when certain security attributes, similar to those in the New York law, are present. Without that presumption, the source of an electronic document must be authenticated in the event of a dispute.

The Uniform Electronic Transactions Act, proposed in 1999 and now enacted in 37 states, allocates liability for a change or error in an electronic record that occurs during transmission to the party that failed to implement security to prevent or detect such errors.

Legal Guidance Today

Most laws provide little guidance on the subject of how much security is enough, nor do they require companies to adopt particular technologies. These laws often state only that security must be:

It remains to be seen whether mere penetration of a company's defenses will establish the legal inadequacy of those defenses.

Future Trends

The trend is unmistakable: security will be the key to creating enforceable and trustworthy electronic business transactions. No security, no deal.

Return on Investment.

Most companies' network administrators are saturated with work on printer problems, new users, new applications and failed systems. Adding security to the current burden without increasing staff leaves little time for dedicated security tasks. The skill sets involved in security range from operating environments and network protocols to applications. This wide range of experience makes it difficult to find people with broad enough skill sets to accomplish the security goals.

Security ROI is like an insurance policy. To justify the investment in security, simply think in terms of leaving the keys in your car, or leaving your house, your business or your bank account wide open with a sign outside that says "Come take me, I'm free." In actual monetary terms it simply boils down to:

Below is a rule-of-thumb table of the investment associated with providing a business reasonable security coverage.

| Key Benefits | In-house Minimum Effort | In-house Best Effort | Outsource-Managed Security |
|---|---|---|---|
| Security staff | 1 employee | 5 employees required for 24/7/365 coverage | Outsourced engineering staff |
| Design and architecture | Based on time and experience | Ranging from somewhat experienced to experienced | Experienced to expert |
| Monitoring | Maybe, and only between 8am and 5pm | 24x7x365 | 24x7x365 |
| Administration and upkeep | 8am-5pm with no notification | 24x7x365 | 24x7x365 |
| Backups and application mirroring | Depending on software and time | Daily or real time | Daily or real time |
| Vulnerability testing | Light, if any | Quarterly | Quarterly |
| Evaluation of new security solutions based on changing business requirements | None | Regular review | Regular review plus experience from multiple companies |

| Key Investment | In-house Minimum Effort | In-house Best Effort | Outsource-Managed Security |
|---|---|---|---|
| Salaries/benefits | 65K + 25% benefits and administration | 80K avg. + 25% benefits and administration, per employee | N/A |
| Dept. manager | 25% time at 80K salary | 75% time at 90K salary | N/A |
| Training | 2.5K | 2.5K x 5 employees | N/A |
| Hardware | 2.5K for PC | 2.5K x 5 PCs | N/A |
| Software | $0.00 (use freeware intrusion detection tools, etc.) | $25K for commercial software license | N/A |
| Total annual investment | $106.25K | $597.5K | Small to large contract: $35K-200K, or 1/3 |

Network Threats

Network threats are just that: they reside on the network. What most LAN administrators forget is that the threat is not only what's trying to get in from the outside, but also what may already be inside their network trying to compromise other machines or get out to report back to the attacker.

Reconnaissance: Techniques used to gather technical information about your systems.

Threat - While not destructive in themselves, these information-gathering techniques give hackers what they need to actually attack your systems. Preventing these types of activities is the best defense.

Unauthorized Access: Attacks that use valid passwords, services, etc. to gain unauthorized access to your systems.

Threat - Attackers can access your systems, often without anyone noticing, and steal or destroy information (often over extended periods of time), or cause denial of service by crashing your systems, sometimes beyond the ability to simply restart.

Denial of Service: These attacks interrupt the operation of your systems by overloading their network links and/or processors, or by simply crashing the system.

Threat - Loss of access to services and systems by customers and employees.

Data Manipulation: These attacks are accomplished by recording, modifying and replaying the contents of ongoing network traffic to gain access to your systems, or by falsifying the contents of network packets to confuse your systems.

Threat - Unauthorized access to your systems, theft/destruction of data, denial of service to customers and employees.
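As an added example, not part of the GreenRiver page, the Python below triages constructed firewall/IDS-style log lines into three of the four categories above (Reconnaissance, Unauthorized Access, Denial of Service), so that logged threats are surfaced for action rather than ignored, as item 10 of the Top 10 list warns. The log format, addresses and thresholds are assumptions; Data Manipulation (replay or spoofed packets) cannot be judged from such summary lines and is left out.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "HH:MM:SS src dst port result" format.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 192.0.2.10 21 DENY
10:00:01 203.0.113.5 192.0.2.10 22 DENY
10:00:02 203.0.113.5 192.0.2.10 23 DENY
10:00:02 203.0.113.5 192.0.2.10 25 DENY
10:01:10 198.51.100.7 192.0.2.20 22 AUTH_FAIL
10:01:12 198.51.100.7 192.0.2.20 22 AUTH_FAIL
10:01:15 198.51.100.7 192.0.2.20 22 AUTH_FAIL
10:01:20 198.51.100.7 192.0.2.20 22 AUTH_OK
10:02:00 203.0.113.11 192.0.2.30 80 ALLOW
10:02:00 203.0.113.12 192.0.2.30 80 ALLOW
10:02:00 203.0.113.13 192.0.2.30 80 ALLOW
10:02:00 203.0.113.14 192.0.2.30 80 ALLOW
10:03:00 192.0.2.40 192.0.2.41 445 ALLOW
"""
LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\d+) (\S+)")

# Assumed thresholds; tune them to the site's normal traffic.
SCAN_PORTS = 4        # distinct ports probed by one source
FAIL_BEFORE_OK = 3    # failed logins before a success from one source
FLOOD_PER_SEC = 4     # distinct sources hitting one destination in one second

def triage(log_text):
    """Classify log lines into the threat categories; return (category, host, detail) tuples."""
    ports = defaultdict(set)     # src -> ports touched (reconnaissance)
    fails = defaultdict(int)     # (src, dst) -> consecutive AUTH_FAIL (unauthorized access)
    per_sec = defaultdict(set)   # (time, dst) -> distinct sources (denial of service)
    findings = []
    for m in LINE_RE.finditer(log_text):
        t, src, dst, port, result = m.groups()
        ports[src].add(port)
        per_sec[(t, dst)].add(src)
        if result == "AUTH_FAIL":
            fails[(src, dst)] += 1
        elif result == "AUTH_OK":
            if fails[(src, dst)] >= FAIL_BEFORE_OK:
                findings.append(("Unauthorized Access", src, f"{fails[(src, dst)]} failures then success on {dst}:{port}"))
            fails[(src, dst)] = 0
    for src, seen in ports.items():
        if len(seen) >= SCAN_PORTS:
            findings.append(("Reconnaissance", src, f"probed {len(seen)} ports"))
    for (t, dst), srcs in per_sec.items():
        if len(srcs) >= FLOOD_PER_SEC:
            findings.append(("Denial of Service", dst, f"{len(srcs)} sources at {t}"))
    return findings
```

Each finding names the host to act on, which is the point of reviewing the log instead of letting it fill up unread.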


Workstation Threats

Workstations are one of the three most important assets any company can have. Like the base of a pyramid, they represent the largest number of devices in direct contact with your employees on the network. They are the backbone of getting things done and, together with the servers and routers that form the other two sides of the triangle, make up the triad of defense in depth. Some of the attacks listed below are only found on Microsoft platforms and are specifically targeted at the Outlook and Exchange mail platforms, while others are common across all platforms.

Viruses & Worms

Trojan Horse Attacks

Direct Attacks


Copyright GreenRiver Communications Inc. All rights reserved.