Effective Ways to Decrease Cyber Attacks
By Carl E. Banzhof, Chief Technology Officer, Citadel Security Software Inc.
Today's businesses are confronted by a far broader and increasingly dangerous set of cyber threats than they were just a few years ago. New vulnerabilities are discovered each day and there seems to be no sign of them letting up. Worms, spyware, software defects, misconfigurations, unsecured accounts, and many more can cause your network to be susceptible to vicious cyber attacks. These attacks risk exposing private customer information such as credit card information to online criminals.
At the same time, businesses in almost every sector must comply with a growing list of regulatory requirements, including PCI (Payment Card Industry), Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and other regulations. These mandates and the daily discovery of new and potentially costly vulnerabilities mean that companies need a 24/7 commitment to IT security and policy compliance. Unfortunately, the stakes are particularly high for organizations whose typical security measures tend to be reactive in nature and carried out using tedious and error-prone manual processes that are poorly aligned with broader security policies.
Each year Carnegie Mellon University, in coordination with US-CERT, compiles statistics regarding vulnerabilities that are identified and reported through various sources, including disclosure from software vendors and independent security researchers. Till recently there were a record 5,990 NEW vulnerabilities identified. That's a 63% increase over 2004 and the largest single-year increase on record since 1999, the year statistics gathering began. Given the number of vulnerabilities that are detected each year, combined with the myriad methods for resolving those vulnerabilities, it is no wonder that the average IT or security staff is overwhelmed in attempting to address this issue.
Five Classes of Vulnerabilities
In the realm of computer security, there are several methods for resolving vulnerabilities. Many identified vulnerabilities require a combination of remediation tactics, ranging from configuration changes to software code changes.
We have defined five classes of vulnerabilities, based upon research developed over the past four years in support of our remediation solution. Those five classes are:
- Unsecured Accounts: These are, typically, user accounts that have been left dormant or possess unnecessary privileges or weak password choices. Unsecured accounts are THE easiest target on systems and also one of the easiest to secure by enforcing good password security, periodically auditing accounts on the network to delete dormant accounts and reviewing the privileges associated with each account.
- Unnecessary Services: Many system owners will install applications or operating systems with default options. These default installations are usually the most flexible and usable configurations, but are also highly vulnerable. Remote access services such as remote desktop, telnet, default web service applications and others that are not required should be disabled. Each unnecessary service or application on a system could potentially open a connection to the network using a port. These ports are like doors on a house – the more doors you have, the harder it is to secure. Shutting down these unnecessary services reduces the overall attack surface of the device.
- Backdoors: Spyware, Bots and P2P (peer-to-peer) software are programs that will allow remote access and control of a computer. These, typically, are installed on systems unknowingly by users downloading rogue software applications or by systems that have already been compromised at a root level. These vulnerabilities can lie hidden in networks for long periods of time, allowing remote access to systems and data. These backdoors can be detected using common antivirus and vulnerability assessment tools and the cleanup can be quite tedious.
- Misconfigurations: This category covers a wide range of system and application vulnerabilities that can be resolved by changing registry values or configuration files, adjusting file system permissions and other configurable parameters on a vulnerable system. Simple configuration errors, such as sample applications on web servers or default user access to sensitive applications, can result in large losses. These vulnerabilities are easy to resolve, and the fixes can be policy driven and applied before systems are deployed to prevent security exposure.
- Software Defects: Probably the most talked about category, software defects are defects in the actual operating systems and business line software products that allow malicious activities to take place. For example, given enough time and debugging tools, the security research community can find access points in software code that allow them to inject their own code and redirect the logic flow of the program to gain access to the system or create a denial of service. These attacks are generally known as buffer overflows.
Software defects can only be completely resolved through a patch or upgrade issued by the software vendor; however there are also workarounds to defects, such as removing a software component that is not necessary, denying access to the communication port at company boundaries, or other steps that may be specified by the software vendor.
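As an added illustration (not part of the original article or any Citadel product), the following Python sketch shows the kind of periodic audit described for the first two classes: flagging dormant or over-privileged accounts and listing services a host does not need. The inventory records, thresholds, and allowlists are constructed sample values and hypothetical policy settings.

```python
from datetime import date

# Constructed inventory (not real data): one record per account.
ACCOUNTS = [
    {"user": "asmith", "last_login": date(2006, 5, 30),
     "groups": {"users"}, "pw_never_expires": False},
    {"user": "jdoe", "last_login": date(2005, 11, 2),
     "groups": {"users"}, "pw_never_expires": False},
    {"user": "backup", "last_login": date(2006, 6, 1),
     "groups": {"users", "admins"}, "pw_never_expires": True},
    {"user": "tempdev", "last_login": None,
     "groups": {"admins"}, "pw_never_expires": False},
]
# Constructed (service name, port) pairs listening on one host.
SERVICES = [("ssh", 22), ("telnet", 23), ("http", 80), ("rdp", 3389)]

# Hypothetical policy values; take the real ones from your security policy.
DORMANT_DAYS = 90
APPROVED_ADMINS = {"backup"}
REQUIRED_PORTS = {22, 80}


def audit_accounts(accounts, today):
    """Return {user: [findings]} for accounts that violate the policy."""
    findings = {}
    for acct in accounts:
        issues = []
        last = acct["last_login"]
        # Never logged in, or idle longer than the dormancy threshold.
        if last is None or (today - last).days > DORMANT_DAYS:
            issues.append("dormant")
        # Administrative rights without an approval on record.
        if "admins" in acct["groups"] and acct["user"] not in APPROVED_ADMINS:
            issues.append("unnecessary-privilege")
        # Password exempt from rotation, so a weak choice is never replaced.
        if acct["pw_never_expires"]:
            issues.append("password-never-expires")
        if issues:
            findings[acct["user"]] = issues
    return findings


def unnecessary_services(services):
    """Return names of services listening on ports the policy does not require."""
    return sorted(name for name, port in services if port not in REQUIRED_PORTS)


if __name__ == "__main__":
    today = date(2006, 6, 15)  # fixed date so the output is reproducible
    for user, issues in audit_accounts(ACCOUNTS, today).items():
        print(f"{user}: {', '.join(issues)}")
    print("disable:", ", ".join(unnecessary_services(SERVICES)))
```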
Best Practices for Mitigating Vulnerabilities
To help with the effective mitigation of risk associated with vulnerabilities, the following best practices are suggested to create a plan of attack for securing your environment.
- Create a Corporate IT Security Policy
As with any good plan, there must be policies put in place to support the business objectives combined with the technical execution details. Every organization should have in place a security policy that covers the following key components.
First, describe the items covered by the organization's IT security policy. For example, employees, vendors and offsite workers are bound by the contents of the policy. Also, specify the ownership or creator of the policy, the date that it was created and contact information for providing feedback on updates or future revisions.
Next, explain the importance of IT security as it relates to all employees and the survivability of the organization. Include statements addressing risk management of corporate data, trade secrets, as well as what could happen to the organization in the event that its intellectual property is compromised. This will provide a basic level of security awareness, as any breach could be directly related to the survivability of the organization or individual roles within the organization.
It is very important for an IT security policy to specify the various categories of IT data, equipment and processes, which are subject to the policy. For example, if you are creating a security policy for general desktop users, specify the types of hardware and operating systems that are covered. This might include additional peripheral devices as well, such as network interfaces or handheld devices. Without these specifics in the policy, it will be subject to loose interpretation when enforcement is necessary, which could prove fatal to the overall risk mitigation strategy.
Indicate, in broad terms, the responsibilities of the roles in which each member of the organization may function. This area details which groups or individuals will manage and approve the security policy, which groups will be responsible for implementing the security policy and who is affected by the policy.
Highlight levels of security through the use of standards and guidelines. Standards are security policies, which are mandatory, such as not allowing internet access to sensitive systems or preventing the installation of unauthorized software. Guidelines are suggested security steps that should be taken to prevent a security breach, such as password selection, transmitting sensitive data, etc.