White Wolf Consulting
As companies and institutions seek to maximize the benefits of increased network connectivity, little thought is being applied to the business and financial losses that could arise from inadequate security. The concept and practice of Information Security (INFOSEC) was once the sole concern of our Nation’s Armed Forces and Intelligence Agencies. This is no longer the case. Private companies and organizations must now tackle the INFOSEC issue to ensure network uptime and service delivery, to meet privacy and legal requirements, to prevent theft of data and services, and more.
This document sets forth the reasons and processes for the development and deployment of an Enterprise-Wide Information Security Infrastructure.
To understand why an INFOSEC practice is essential to a successful networked business, you must first understand something about the technology of networks and the threat agents that are arrayed against you. Once that basic foundation is present, losses can be associated with the identified threats. Further, depending on the nature of the protected data, your IT practices may fall under state or federal regulation. Therefore, after identifying losses, we will take a look at legal duties and responsibilities as well as possible legal exposures. This document closes with general recommendations for the building of an INFOSEC Infrastructure.
Most companies feel as though they are not an attack target. Frequently we hear the question “We are not a military, government or major Website, who would want to hack our computers?” The answer is simple: you have unprotected resources that can be used for a variety of malicious purposes. Further, without adequate security in place your resources are easy targets. Automated scanning programs can find active hosts even if you are not advertising them through conventional domain name registration.
As an easy target, your IT resources could be used to attack other high profile sites. This is a common method and was used in the Distributed Denial of Service attacks launched earlier this year against Amazon.com, Buy.com, CNN, eBay, Excite and Yahoo!. Similarly, your unprotected computers could be used to store stolen credit card numbers or child pornography. Such tactics have been used before in an effort to hide illegal activity.
Lastly, security equals uptime. Proactive security measures enable your organization to reduce your exposure to many types of attacks and compromises that will take systems offline. Systems are pulled offline for any of the following security reasons:
· Forensic analysis of compromised systems
· Rebuilding of compromised systems
· Being the victim of a Denial of Service attack
· System confiscation because it contains evidence needed for a criminal investigation
These are drastic examples. However, as with the practice of disaster recovery, it only takes losing all your data once to ensure future investment in off-site backups and redundancy.
As of the writing of this document, no third party organization has yet been sued for being used as an attack platform against another organization. Many feel that such a test case is only a matter of time. The issue here is whether or not your organization has a duty of care to the victims of a cyber-incident in which another party uses your company’s computers to commit the incident. As the INFOSEC industry moves toward standardization of technology and practices and cyber-incidents continue to grow in volume and severity, a standard will have to emerge. The only real question is who gets to be the test case. Further, depending on the nature of the data or systems that are compromised, there are other legal issues that must be considered.
Some of the data that your organization is entrusted with is personal and private. Typically, this is Human Resource information such as health insurance claims, salaries and garnishments. Examples of private data that should not be widely disclosed:
· Claims for prescription drugs that readily identify the person and ailment such as AZT which is used for the treatment of AIDS
· Credit history and background investigations that are filed as part of your hiring process
· Insurance claims for mental illness or drug/alcohol dependency reimbursement
Keep in mind that it is not only your employees’ information that you safeguard, but also that of their spouses and children. If such sensitive information is compromised and widely distributed or used to discriminate, there could be serious privacy or other legal consequences. As more data becomes stored and cross-referenced it is imperative that policies, procedures and technology be deployed to keep you and your employees safe.
Service level agreements and Non-Disclosure agreements are contractual duties that outline service availability and confidentiality of data. Neither of these can be assured without Information Security. Denial of service attacks and system compromises result in system downtime, sometimes for hours or days. If you are unable to provide service, subscription fees may have to be returned. Similarly, you could face a possible class action suit by all your service subscribers for lost revenue (in the case of on-line trading) or bank fees (on-line banking is down and bills cannot be paid on time).
Non-Disclosure agreements guarantee that the parties to the agreement will not reveal certain information such as trade secrets or R & D info, to unauthorized third parties. Without adequate measures in place, there is no method to prove that data was not copied, removed, altered or emailed to a competitor. Any one of these scenarios could be a breach of the NDA and expose your organization to legal action.
Policy is an essential part of any successful INFOSEC practice. Much like Acceptable Use policies governing corporate email and Internet use, you must have a comprehensive INFOSEC policy document. This works to protect you, your employees and your customers. As you deploy technology solutions to secure your Enterprise, you will begin to discover security holes and exploitations. The question most asked is, “Now what?” A well-developed Policy will answer that question. Such a policy will allow for:
· Termination of an employee who has hacker code or attack scripts installed on their system.
· Disciplinary action against employees found with password crackers
· Proper escalation and mitigation of damage in the event of a cyber-incident
· Possible documentation of due diligence and reasonable care in event of a lawsuit
The remainder of this document sets forth reasons and technical explanations for the creation of an Enterprise INFOSEC Business Practice. By now, we hope that you have a general understanding of the importance of such an undertaking. A robust INFOSEC practice is essential to the continued success of any business.
There are several risks to your business that arise from the deployment of information technology across the business space. Different infrastructures yield exposures of varying concern and threat. This section provides definitions and examples of different network topologies, to establish a baseline of knowledge and a survey of the threats and risks arrayed against your organization.
Generally speaking, there are three major types of ‘Nets, Intranet, Extranet and Internet. The ‘Nets are distinguished by access, purpose and location. Each ‘Net has certain information security (INFOSEC) risk vectors associated with it.
Intranets are typically private networks deployed inside a company that are primarily used by employees, inside contractors and on-site consultants. Access is restricted to those inside the company. An Intranet’s purpose is to facilitate communication and share computing resources within the company. The Intranet and the services it provides are usually within full control of the company and reside on company owned property. An Intranet may provide employees access gateways to the Internet.
The Internet is the public, worldwide collection of networks. Access is only restricted by connection; meaning, all one needs is a connection to the Internet to gain access. Its purpose is wide and varied and can be used for just about anything. Because of its general accessibility by the public, the Internet is made up of servers and networks that reside outside of a company’s Intranet. Your Internet resources may or may not be located on company owned property and the company may or may not have complete command and control over the same resources.
An Extranet can be classified as the extension of a company’s network to other businesses or customers. Access is usually granted on a ‘needs’ basis as the Extranet typically shares sensitive business data with suppliers, vendors or partners. The purpose of an Extranet is usually to enhance communications between companies in an effort to streamline the business processes, reduce cost and increase market leverage through partnerships that would otherwise be impossible or improbable without an Extranet. A company usually owns and controls only one side of Extranet communications, their own. Extranets sometimes move information over the public Internet, thereby relying on others to provide service uptime, security and infrastructure.
Each of the three ‘Net types has different security concerns and risks. Whole books have been written describing types of threats, risks and exposures. For the purposes of this document, we are focusing on three general types of threat: Compromises, Theft of Data or Service, and Denial of Service.
A compromise occurs when an unauthorized user gains access (usually Administrator or Root account access) to a computer system, or when an authorized user escalates their privileges beyond that which they are legitimately allowed. In the INFOSEC industry it is generally accepted that once a system is compromised, the only way to fully recover is to rebuild the entire machine from scratch. Once a system has been compromised, the malicious user is able to:
· Make changes to web pages
· View and alter sensitive databases such as payroll, patient, HR, and accounting
· Attack and compromise any other machines that ‘trust’ the compromised server
· Attack other machines outside your organization
· Download sensitive, private patient data or proprietary data such as customer lists and pricing schedules.
· Destroy or delete company data
· Encrypt company data and hold for ransom
· Extort money from the company in exchange for silence about the compromise
· Extort money from the company in return for data or system resources
Theft of data or service includes not only the more traditional form of physical theft, but also unauthorized use of your IT data and/or services. Unauthorized use of your IT resources includes using your Internet connection for illegal activity and storage of illegal or unapproved files on company servers. Theft can originate with internal disgruntled employees or with external actors; there is a very real threat from both. Other examples of IT theft include:
· Theft of hard-drives with R & D information, customer lists, production databases
· Using your servers for attacking other companies (i.e. the Distributed Denial of Service Attacks against Yahoo.com, Cnn.com, etc.)
· Storing stolen credit card numbers on company servers
· Dialing-in to desktop computers for after-hours web-surfing
· Use of your servers to crack or brute force attack encrypted files or passwords
Denial of service means that, for whatever reason, the requested service is not available at the time of the request. Some examples of a ‘service’ that is at risk are:
· Telecommunications
· Web pages
· Email out/in bound
· Internet connectivity
· Database services
· Network logins and network applications such as word processors and spreadsheets
· Printers
· ANY and ALL data or information transferred across the affected network
Some sources of Denial of Service include:
· Power outages
· Digital attack across the network (i.e. Trinoo and other Distributed Denial of Service attack programs)
· Telecommunication cables being cut or brought down by construction, accidents or the weather
· Hardware failure
· Human error
It is important to point out the one thing the above items have in common: all of the above risks impact your ability to do business, in some cases making it completely impossible to conduct business. With that in mind, we must now focus on the real losses that can result from being a victim of the above risks.
There are very real losses associated with having a poor or non-existent INFOSEC policy. In the broadest terms, companies can lose revenue, incur extra costs, be the victim of computer crime, be in violation of state or federal law, and possibly be sued for not addressing information security threats and risks. Before discussing specifics, there are some general items that relate to exploitation of all risks. One of the largest losses resulting from malicious activity is time. One might argue that it is a system administrator’s job to respond to security issues. That is only partly true. A system administrator’s primary responsibility is the day to day care and feeding of the network infrastructure. They should certainly be involved in the security process; however, once an ‘incident’ is suspected, the following additional burdens land on a system administrator’s already limited time:
· Is the incident a defect in the hardware/software, or is it the result of human intervention?
· If the incident is the result of human intervention, was the action intentional or accidental?
· If the incident is accidental, it must be corrected immediately. Are proper backup/restore procedures tested and in place?
· How much data, business, or revenue was lost and what will it take to replace it?
· If the incident is intentional, where did it originate from, inside or outside the company?
· What is the extent of the damage? Was data stolen, servers compromised or systems crashed?
· Depending on current state and federal laws, the incident could be a crime, if so, should law enforcement be notified?
· Are other systems vulnerable to the same risk?
· If law enforcement is involved, or you wish to pursue civil litigation, the system must be preserved; a proper evidence chain is necessary; and the system must be taken off-line and replaced.
All of these issues must be addressed and answered. The only way that an incident will be handled correctly is by full-time INFOSEC personnel. Otherwise, the responsibilities will fall to personnel who do not have the time, the training or the resources to resolve the issue in a timely and effective manner.
The loss associated with a compromise depends on what, exactly, is compromised. Some real world examples include:
· HR data is compromised and viewed by the wrong person; there could be invasion of privacy, or the distribution of everyone’s salary to the whole company.
· A server is compromised and used to attack another company. There are potential downstream liability or standard of care issues.
· Research or project data is compromised, thus violating possible contracts for non-disclosure
· Web site is defaced thus resulting in loss of reputation, trust, and possible revenue.
· Financial or consumer data is stolen which is then used to commit fraud or other white-collar crimes against the company or individuals
· Telecommunication resources are compromised and used to make free international calls. As a result, your cost to do business increases. You may have to offset the cost of the calling bills because you may not be able to prove fraud or illegal activity.
The primary losses resulting from theft of data or services are replacement and the downstream liability of wide distribution of the sensitive data. If data has been removed or destroyed through theft it must be replaced. Replacement means downtime. Even the best of backups are not instant. Further, it is not enough to simply restore the data to the system it was stolen from: if the data has been taken once, it stands to reason it will be taken again if the opening remains. Downtime therefore means significant loss of revenue and, if prolonged, chargebacks of service fees for violation of Service Level Agreements. Just as you take measures to prevent theft of your property, you must take similar measures for your data.
Without proper INFOSEC monitoring, the loss from theft can be financially staggering. If employee records are deleted and deemed unrecoverable, what then? It does not matter whether a flood or a disgruntled employee destroys the data. The bottom line is that it is gone. You stand to face:
· Loss of Trust. If you cannot be trusted to keep information secure, your customers will go elsewhere.
· Potential Lawsuits arising for inadequately protecting sensitive data
· Confiscation of servers if they contain evidence of a crime
A successful denial of service attack has a great impact on an organization. Nearly any service can be affected. Here are some services whose loss can adversely affect a company’s ability to do business:
· Web based services – the Internet is being used more and more to generate revenue and extend a company’s presence. If you are using a web server to provide interfaces into business information, a DoS attack will render you unable to deliver the service. The end result is that you will be unable to provide ANY service or content until the problem is rectified
· Email services – Email is used more and more frequently to respond to critical issues. It is possible to completely shut down email servers and prevent inbound and outbound email from being processed. Bottom line: that critical email may not be received in a timely manner.
Remember, almost any service can be shut down; telephone, power, cable, computer networks. What services are critical to your daily business functions? What is in place to keep the services up and available or to provide alternatives in case of failure?
There are any number of actions that will exploit existing holes in systems, applications and operating systems. Depending on the operating system and the security practices in place, systems are vulnerable to any and/or all of the following attack methodologies.
Trojan Horse Programs - applications that appear legitimate but in fact hide attack code allowing any number of activities including: password theft, file up/downloading, take over of attached PC cameras, installation of other malicious code, complete system compromise. Examples include Back Orifice 2000 and Girlfriend
Virus - code that infects target machines and does anything from corrupting documents to encrypting all the data on your hard drive. Examples include the Melissa and LoveBug viruses.
Poor Password Policies - by not educating employees on proper password choice, your systems, applications and possibly even the network are open to anyone who can easily guess or ‘brute force’ a password. There are several programs freely available on the Internet that can be used to guess or brute force the password on an account using a dictionary file or other more sophisticated methods. Password attack programs include L0phtcrack (cracks NT passwords) and Crack.
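To make the dictionary and brute-force point concrete, here is an added example that is not part of the original document and is not any of the tools named above: a small password audit in Python, run against a constructed account list. The salted SHA-256 hash scheme, the account names, the wordlist, the mangling rules and the policy thresholds are all assumptions made for the demonstration; a real audit would use a real dictionary file and the platform's own hash format.

```python
import hashlib
import re

# Constructed sample: a tiny "password file" of salted SHA-256 digests.
# The hash scheme is an assumption for this demo, not the NT or Unix format.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

SAMPLE_ACCOUNTS = {  # user: (salt, digest)  -- constructed data, not real accounts
    "jsmith": ("a1", hash_password("a1", "password")),
    "mjones": ("b2", hash_password("b2", "summer2000")),
    "admin":  ("c3", hash_password("c3", "admin")),
    "kpatel": ("d4", hash_password("d4", "Tr!9x#qLm2vZ")),
}

# Constructed stand-in for a real dictionary file (hypothetical wordlist).
WORDLIST = ["123456", "password", "admin", "letmein", "summer", "welcome"]

def mangle(word: str):
    """Yield the cheap variations a cracker tries on every dictionary word."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2000", "!"):
        yield word + suffix

def dictionary_attack(accounts, wordlist):
    """Return {user: recovered_password} for each account a mangled wordlist entry matches."""
    cracked = {}
    for user, (salt, digest) in accounts.items():
        for word in wordlist:
            hit = next((c for c in mangle(word) if hash_password(salt, c) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked

def brute_force_guesses(length: int, charset_size: int) -> int:
    """Worst-case guesses to exhaust every password of 1..length characters."""
    return sum(charset_size ** n for n in range(1, length + 1))

def seconds_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    return brute_force_guesses(length, charset_size) / guesses_per_second

def passes_policy(password: str, wordlist=WORDLIST, min_length: int = 12) -> bool:
    """Assumed policy: minimum length, all four character classes, no dictionary word as base."""
    if len(password) < min_length:
        return False
    classes = (re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password))
    if not all(classes):
        return False
    lowered = password.lower()
    return not any(lowered.startswith(w) for w in wordlist)

if __name__ == "__main__":
    for user, pw in dictionary_attack(SAMPLE_ACCOUNTS, WORDLIST).items():
        print(f"cracked {user}: {pw!r} (would pass policy: {passes_policy(pw)})")
    print("8 lowercase letters at 1e6 guesses/s: %.0f s" % seconds_to_exhaust(8, 26, 1e6))
    print("12 chars from 95 symbols at 1e6 guesses/s: %.0f years"
          % (seconds_to_exhaust(12, 95, 1e6) / 3.15e7))
```

Three of the four constructed accounts fall to a six-word list with trivial mangling; only the one that would satisfy the policy survives. The brute-force figures show why length and character set, not cleverness, decide whether exhaustive guessing is practical.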
Server Applications - Some applications, if incorrectly configured, or even just installed, can be used to exploit system vulnerabilities. For example, some database applications such as Sybase, Microsoft SQL and Oracle have default username/password combinations that are widely known. This account information together with the use of default stored procedures could lead to system take over. Further, some web servers can open a server to attack and exposure. In June of 1999 a simple application was released on the Internet that could be used to attack and compromise a Microsoft NT server running Internet Information Server (Microsoft’s web server). Because the attack travels over the same web port the firewall is configured to allow, it passes straight through the firewall and exposes the ‘protected’ NT server.
Denial of Service Programs - These are easy to use applications, freely available from the Internet, that can be used to launch any number of denial of service attacks against networks, routers, and servers. Examples include the distributed denial of service tools trinoo and Tribe Flood Network (TFN), as well as the more well known SYN flood and ping flood attacks.
Again, there have been whole books written which are nothing more than a collection of attacks, exploits and vulnerabilities, some of them over 800 pages in length. These books are readily available in bookstores and the Internet. Web sites such as Rootshell (www.rootshell.com) and Packet Storm Security (packetstorm.securify.com) have enormous collections of scripts, applications and documents that can be used to exploit risks in routers, servers, applications, etc., etc. The list above is merely a very short collection of some major attack methods. Other risks are exploited through mis-configured servers, unprotected routers, trusting vendor or partner configurations without testing and unmonitored firewalls.
It is difficult to provide concrete data showing trends of risk exposure based on network implementation. Not all incidents are reported, and not all are detected or classified correctly. Large scale Intranet deployments with no connection to the Internet or an Extranet are not vulnerable to outside attacks originating from the public Internet. However, such a large Intranet will be open to any attack from inside the company. Inside attacks come from disgruntled employees, employees looking to take proprietary data to competitors, consultants, and any others who have physical access to a computer with a connection into the Intranet.
Networks connected to the public Internet are of course exposed to a user base numbering in the tens of millions. The more connections your company has to the Internet through dedicated connections (T1 and T3 lines) and desktop modems, the greater your exposure to risks originating on the Internet. Similarly, the threat increases with the greater the reach of your Extranet deployment. Depending on the implementation, an Extranet extends your resources into another’s network. You may be inheriting their risks as well.
Regardless of choice of Intra, Inter, or Extra-net, it is imperative that you educate yourself and your employees on the risks inherent in that choice. Proper INFOSEC practices and procedures can greatly reduce exposure to risk and the resulting loss. Current network maps, INFOSEC policy assessment and testing should all be in place to aid in risk reduction.
As you can see, INFOSEC is a complex and time-consuming endeavor. Traditionally, the responsibility for security has fallen on the shoulders of operational systems administrators. As networks become more complex and the number of offered services increases, the practice of system administrator as security officer is no longer feasible. With limited time in the day, a system administrator will always choose operational uptime and customer support over security. To be successful, there must be dedicated, full-time resources for Information Security. The following is a general model for the development of an Enterprise-Wide Information Security Infrastructure:
· General Management
· Current Security Posture
· Penetration Test and Network Infrastructure Review
· Personnel Review
· Policy Review
· Policy Development
· Technology Deployment
· Vulnerability Assessment Tools
· Intrusion Detection Tools
· Training
· Audit and Update
· Emergency Response