IT security is an ongoing process and one that must be constantly adjusted for new threats. Written policies need to be created so that users of these computers know what is expected of them and what is out of bounds. Many smaller companies do not have strict guidelines; there is a certain level of trust between the end-users. However, as companies expand, they often don’t review the state of protection of sensitive data until something goes seriously wrong. More often than not this leads to unauthorized access to sensitive data. In the 2005 CSI/FBI Computer Crime and Security Survey, it is noted that 56% of those responding experienced some form of unauthorized use of computers within the past 12 months (Gordon et al., 2005).
Computer and network security are built on three pillars, commonly referred to by the C-I-A acronym: Confidentiality, Integrity and Availability (Lehtinen, 2006). During the course of this paper all three of the above-mentioned attributes will be discussed in one form or another. Confidentiality is the obvious one and is covered in many different sections. Integrity is covered in the Digital ID section of Email Security. Lastly, availability is covered in Network Access via VPNs. With that said, let’s get started.
Authentication vs. Authorization
Authentication and authorization are not the same thing. Authentication is proving who you are. Authorization is what you have permission to access. Smaller organizations don’t place a lot of thought into this aspect of security. Companies that start out small often keep sensitive data distributed across the network on local computers. As the company grows it is realized that this data needs to be backed up, so it is moved to a server. Because everyone within the organization is trusted, getting access to the server is treated as more important than whether each user keeps to their own “space” on the server.
Continued growth leads to moving the data from flat files to true databases. Once in the realm of database management, security becomes much more complicated. You can assign permissions to any SQL Server object that performs an action or touches data in a database: stored procedures, views, columns, and tables. Within individual tables, you can, with some effort, assign privileges to individual columns and rows (Bond et al., 2003). At this point, security has passed into the hands of the software/database developer. Policies then need to be written for how authentication is built into the applications themselves.
Password Policies
Very often organizations have password-protected resources; however, password policies are not created. A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly (wikipedia.org, 2007). A big part of password security is employee training. Emphasis should be put on not writing down your password, not sharing your password with anyone, and never logging another user in with your account.
Things like passwords that expire after 30 days or passwords that contain 8 or more alphanumeric characters are great starting points for shoring up security. One thing to keep in mind when setting password policies is that the more demanding the requirements, the more likely it is that employees will need to write down their passwords to remember them.
One frequent job function of a system administrator is creating user accounts and passwords and resetting forgotten passwords or locked accounts. Default passwords should never be used. Better mechanisms should be put into practice for the distribution of passwords. Procedures should be put in place to ensure that the person the system administrator is speaking with is truly the individual requesting the password change. One method is to have individuals provide answers to personalized questions at the time of employment; these questions, along with employee ID numbers, are then used to identify the individual. Another is calling the individual back at a known phone number rather than providing the service on a direct call-in. Additionally, two-factor authentication such as CRYPTOCard and RSA SecurID tokens could be used to eliminate static passwords completely.
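As an added example (not from the paper), the 30-day expiry and 8-character rules above, together with the rule that default passwords are never used, encoded as a single check in Go. Treating “alphanumeric” as requiring at least one letter and one digit, the sample default-password list and the dates are constructed assumptions for this example.

```go
package main

import (
	"fmt"
	"time"
	"unicode"
)

// Policy values from the paper: expire after 30 days, 8 or more characters.
// Reading "alphanumeric" as "must contain both a letter and a digit" is an
// assumption made for this example.
const (
	MinLength  = 8
	MaxAgeDays = 30
)

// Constructed sample of vendor defaults that the policy refuses outright.
var defaultPasswords = map[string]bool{
	"password": true, "admin": true, "changeme": true, "welcome1": true,
}

// CheckPassword returns the policy rules a password violates, given when it
// was last changed and the current time. An empty result means it passes.
func CheckPassword(pw string, lastChanged, now time.Time) []string {
	var v []string
	if defaultPasswords[pw] {
		v = append(v, "default password")
	}
	if len([]rune(pw)) < MinLength {
		v = append(v, "too short")
	}
	hasLetter, hasDigit := false, false
	for _, r := range pw {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if !hasLetter || !hasDigit {
		v = append(v, "needs both letters and digits")
	}
	if now.Sub(lastChanged) > MaxAgeDays*24*time.Hour {
		v = append(v, "expired")
	}
	return v
}

func main() {
	now := time.Date(2007, 3, 1, 0, 0, 0, 0, time.UTC) // constructed "today"
	fresh, stale := now.AddDate(0, 0, -10), now.AddDate(0, 0, -45)
	for _, c := range []struct {
		pw   string
		last time.Time
	}{{"Tr0ub4dor99", fresh}, {"welcome1", fresh}, {"letmein", stale}} {
		fmt.Printf("%-12s -> %v\n", c.pw, CheckPassword(c.pw, c.last, now))
	}
}
```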
Employees should be notified of all IT personnel terminations. Employee education plays a big part here. It is not unheard of for a terminated system administrator to call his former company, ask for an employee and proceed to extract the user’s password. With this information in hand the disgruntled former employee can then use it to escalate his authority and compromise a system.
Email Security
Modern business without the use of email is unthinkable. It has become a way of life for many people. However, the contents of your email can be read fairly easily by anyone that is involved in sending your email across the Internet.
1. Securing email sessions with SSL – SSL, or Secure Sockets Layer, provides encryption of your email communications. POP, APOP and SMTP all send passwords in the clear. Additionally, the content of these emails is in clear text as well. Many individuals will want to get at their emails while outside of the office. Often these individuals will want to access their emails from insecure locations, e.g. Starbucks. Many people have the attitude of “Who cares… let them read my email.” Most times it’s not the content of the email that the hacker is after (though reading some people’s emails can be humorous). It’s your user ID and password they’re after. With your credentials the hacker could send emails from your account, log into your company’s network, log into your computer, or access sensitive data stored on your network. By encrypting the entire session the hacker will have a much harder time getting at that information.
2. Encrypting files and email messages – Never send important/private information by email unless you have encrypted it. And even then, think twice before sending it (itsecurity.com, 2006). Those individuals who actually do need to pass sensitive data should look at ways to send it without its content being compromised. Assuming that someone were to hijack your email session, if the data contained within the email is encrypted, then the data would still be safe from prying eyes. Public key encryption is an effective way of dealing with this. Public key encryption, also known as public/private key encryption, uses two keys: one that is distributed to the world (public) and one that you keep and use on your own data/emails (private). The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can only be decrypted with the corresponding private key (wikipedia.org, 2007). And vice-versa.
3. Use of Digital Signatures – Often we want to be sure that the email we are getting is really from the individual that appears to have sent it. Additionally, there will be times when it’s important for the recipient to believe that the email really came from you. This is where digital signatures come into play. Again, public/private keys can be utilized for this. A message signed with a user’s private key can be verified by anyone who has access to the user’s public key, thereby proving that the user signed it and that the message has not been tampered with. This is used to ensure authenticity (wikipedia.org, 2007).
The big problem with using public/private keys is trusting that the public key really came from the person it says it’s from. Verisign and Thawte are two of the most recognized authorities when it comes to secure transactions on the Internet. Verisign is probably most recognized for its SSL certificates for e-commerce transactions on the Web. They also offer Personal Digital IDs. They charge a nominal fee for this service. Thawte, on the other hand, offers this as a free service. Additionally, an organization can create its own certificates by becoming its own CA, but there is a significant cost involved with that.
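An added illustration, not part of the paper, of items 2 and 3 using Go’s standard library: a message encrypted to the recipient’s public key that only the matching private key opens, and a signature made with the sender’s private key that verification with the public key rejects once the message is altered. The key pairs are generated on the spot and the message body is a constructed sample; establishing that a public key really belongs to its claimed owner (the CA question above) is outside what the code shows.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Seal encrypts a short message to the recipient's public key (RSA-OAEP);
// only the holder of the matching private key can read it.
func Seal(msg []byte, to *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

// Open decrypts a sealed message with the recipient's private key.
func Open(ct []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign signs the SHA-256 digest of msg with the sender's private key
// (RSA PKCS#1 v1.5), the "digital signature" the paper describes.
func Sign(msg []byte, priv *rsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Verify checks a signature with the sender's public key; it fails if the
// message was altered in transit or was signed by some other key.
func Verify(msg, sig []byte, from *rsa.PublicKey) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(from, crypto.SHA256, h[:], sig) == nil
}

func main() {
	// Two freshly generated 2048-bit key pairs stand in for two employees.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("Q1 payroll figures attached") // constructed sample mail body
	ct, _ := Seal(msg, &bob.PublicKey)           // encrypted: only Bob can open it
	sig, _ := Sign(msg, alice)                   // signed: proves Alice sent it
	pt, _ := Open(ct, bob)
	fmt.Printf("decrypted: %s\n", pt)
	fmt.Println("signature valid:", Verify(pt, sig, &alice.PublicKey))
	tampered := append([]byte{}, pt...)
	tampered[0] = 'X'
	fmt.Println("tampered valid:", Verify(tampered, sig, &alice.PublicKey))
}
```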
Network Access via VPNs
The reality is that most of your better employees now take their work home and on the road. Companies have successfully used IT to both blur and dissolve the lines between the office and the home (Schrage, 2006). Use of VPNs can greatly enhance the protection of information. VPNs can be used in a number of different ways:
1. To provide remote users secure access to internal resources – Telnet, POP, and HTTP sessions all send passwords as clear text. Wireless networks are open networks. Anyone sharing the wireless AP can set up a sniffer, grab packets and view passwords, and data for that matter. They can read it as clearly as reading a book.
2. To connect remote sites together securely – One of the really nice security aspects of VPNs is that all traffic that goes through the tunnel is encrypted. This can be leveraged to offset the cost of leased telecom lines such as Frame Relay. One thing to keep in mind is that the traffic is still going out over the Internet, so SLAs are extremely important and redundant lines must be taken into consideration.
3. To separate out internal networks – This one is less used but addresses a very often-overlooked security aspect. VPNs could be implemented within an organization to separate out networks. Finance could have its own network; HR could have theirs, and both should be separated from the normal internal network. While extra work would be required to set up such an infrastructure, the security upside would far outweigh the effort.
Written policies should be put into place as to who requires access to what and from where. Additionally, VPNs should be secured further with the use of either one-time password authentication or public/private key systems.
Conclusion
One thing to keep in mind: while it is essential to have the policies in place, it’s equally important to have upper management’s backing. Security specialists rank management support of security policies as the most important factor in corporate security, according to a report by security certification body ISC2. After management backing, the specialists see persuading users to follow established policies as most important to effective security (Goodwill, 2006).
References
Bond, M. J., & Robinson, E. (2003). Security for Microsoft Visual Basic .NET. Redmond, WA: Microsoft Press.
Goodwill, Bill (2006, October 31), Management must back IT security, say experts. Retrieved Feb. 25, 2007 from http://search.ebscohost.com/login.aspx?direct=true&db=cph&AN=23193798&loginpage=Login.asp&site=ehost-live
Gordon, Lawrence A., Loeb, Martin P., Lucyshyn, William and Richardson, Robert (2005), 2005 CSI/FBI Computer Crime and Security Survey, Retrieved Feb. 25, 2007 from http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
Lehtinen, R., Russell, D. & Gangemi, G.T. (2006). Computer Security Basics, (2nd Edition). Sebastopol, CA: O’Reilly
Schrage, Michael (2006, October 15). Digital Subversives, Retrieved Feb. 27, 2007 from http://www.cio.com/archive/101506/subversives.html
Unknown (2005, July 25). Headline Archives, Retrieved Feb. 27, 2007 from http://www.fbi.gov/page2/july05/cyber072505.htm
Unknown (2006, November 20). Hacking Email: 99 Email Security and Productivity Tips, Retrieved Feb. 29, 2007 from http://www.itsecurity.com/features/99-email-security-tips-112006
Various (2007, February 10). Password policy – Wikipedia, the free encyclopedia, Retrieved Feb. 29, 2007 from http://en.wikipedia.org/wiki/Password_policy
Various (2007, February 25). Public key cryptography – Wikipedia, the free encyclopedia, Retrieved Feb. 29, 2007 from http://en.wikipedia.org/wiki/Public-key_cryptography