Preventing Unauthorized Access
Once a determination has been made as to the location and value of an organization’s digital assets, the next step is to determine how to prevent unauthorized access or modification of this information.
One common solution is the “product-based” solution. This involves the purchase and implementation of security products such as firewalls, intrusion detection systems, authentication mechanisms and encryption tools. While all of these tools (among others) are necessary for creating a secure network infrastructure, there are no products that are “set it and forget it” type tools. It is important to recognize that network security products are only as good as the individuals who configure, monitor and maintain them.
A much more effective solution is a “process-based” solution. The Federal Financial Institutions Examination Council provides an excellent definition of the security process in its Information Security booklet (http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf): “The security process is the method an organization uses to implement and achieve its security objectives. The process is designed to identify, measure, manage and control the risks to system and data availability, integrity, and confidentiality, and to ensure accountability for system actions.” While this document is geared toward financial institutions, the material it contains provides an excellent approach to creating a secure infrastructure.
When organizations begin addressing network risk management issues, the tendency is to immediately focus on threats and vulnerabilities, directing resources at known concerns. While this approach is extremely logical, some time should be spent addressing preliminary issues such as where the IT security role fits into the organization, benchmarking systems before they are compromised, allowing the IT staff enough time to address security issues, and providing frequent training opportunities to keep up with current trends.
Getting on the Same Page with IT
The first step is that IT and IT Security should be included as part of the management process. In many organizations, the IT departments are separate entities that may report to only one member of the management team. IT issues should be integrated into the decision-making part of the business.
Monthly management meetings should include updates on the current status of the systems, any security issues that developed during the previous month, current trends and new threats that have appeared. These meetings can provide the opportunity for discussion and allow for prompt decision making regarding problems. In many organizations, the IT departments are completely isolated from the management team — usually on separate floors (sometimes separate buildings) — and the only communication between IT departments and members of management is an e-mail announcing a particular threat or problem.
IT and security professionals must learn to discuss risks from a financial perspective if at all possible. Business professionals often make decisions based on the financial impact to their organization. This can be a challenge, as technology experts have limited experience with business issues.
Another overlooked item as part of the network risk management process is benchmarking. Prior to placing a system onto the network, the standard “posture” of that system should be identified and documented.
Items that should be documented include: installed applications, open ports, running processes and services, applications scheduled to run at startup, etc. The system should be tested to ensure that the most recent patches and service packs have been installed. Tools such as the Microsoft Baseline Security Analyzer (www.microsoft.com/technet/security/tools/mbsahome.mspx) and the scoring tools provided by the Center for Internet Security (www.cisecurity.org) could prove helpful with this process.
The benefit of establishing a benchmark for systems is that it becomes much easier to identify when a system has been compromised. If a team knows how a system is configured, anomalies can be easily pinpointed when responding to an incident. Organizations should make every effort to avoid the rush to get systems into production so that the benchmarking process can be completed. Other useful tools include WinAudit (www.pxserver.com/WinAudit.htm) and PsTools (technet.microsoft.com/en-us/sysinternals/bb896649.aspx).
Another important part of the benchmarking process is generating a network map. This can be done manually or can be accomplished by using an automated tool. Knowing what devices are supposed to be on the network can prove helpful when responding to problems. During a network vulnerability assessment of a client’s network, we identified a Solaris system that the IT department had no idea was connected to the network. During the ensuing investigation, it was determined that the system was purchased by an engineer at a garage sale.
Tools that can be used for network mapping include the open-source tool CartoReso (cartoreso.campus.ecp.fr/) and the commercial tool LanSurveyor by SolarWinds (www.neon.com/LSwin.shtml).
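As an added example (not code from the original text or from any tool it names), the following Python applies the benchmarking idea from the two passages above: it compares a documented system posture (ports, services, startup items) with a later snapshot, and checks a discovery sweep against the network map. All host names, addresses and entries are constructed sample data.

```python
import json
from typing import Dict, List, Set

# Constructed sample data: the posture documented before the host went into
# production, and a snapshot of the same host taken during an incident.
BASELINE_HOST = {
    "listening_ports": ["tcp/135", "tcp/445", "tcp/3389"],
    "services": ["Dhcp", "EventLog", "TermService"],
    "startup_items": ["SecurityHealth"],
}
CURRENT_HOST = {
    "listening_ports": ["tcp/135", "tcp/445", "tcp/3389", "tcp/9001"],
    "services": ["Dhcp", "EventLog", "TermService", "svchosts"],
    "startup_items": ["SecurityHealth", "updater"],
}

# Constructed network map: devices IT expects, versus what a sweep found.
KNOWN_DEVICES = {"10.0.0.1": "fw-edge", "10.0.0.10": "dc01", "10.0.0.20": "file01"}
DISCOVERED = {"10.0.0.1", "10.0.0.10", "10.0.0.20", "10.0.0.77"}


def diff_posture(baseline: Dict[str, List[str]],
                 current: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per category, list what appeared since the benchmark and what vanished.
    Anything 'added' is not explained by the documented build and needs a look;
    categories with no change are left out so the report stays short."""
    report = {}
    for category in sorted(set(baseline) | set(current)):
        before = set(baseline.get(category, []))
        now = set(current.get(category, []))
        added, removed = sorted(now - before), sorted(before - now)
        if added or removed:
            report[category] = {"added": added, "removed": removed}
    return report


def unknown_hosts(known: Dict[str, str], discovered: Set[str]) -> List[str]:
    """Addresses seen on the wire that are absent from the network map."""
    return sorted(discovered - set(known))


def missing_hosts(known: Dict[str, str], discovered: Set[str]) -> List[str]:
    """Mapped devices that did not answer; possibly down, possibly replaced."""
    return sorted(set(known) - discovered)


if __name__ == "__main__":
    print(json.dumps(diff_posture(BASELINE_HOST, CURRENT_HOST), indent=2))
    print("Unknown devices:", unknown_hosts(KNOWN_DEVICES, DISCOVERED))
    print("Missing devices:", missing_hosts(KNOWN_DEVICES, DISCOVERED))
```

In practice the baseline dictionary is written to disk (for example as JSON) at benchmark time and the current snapshot is collected with the inventory tools the text names.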
The IT staff should avoid the “hack and patch” approach of only installing patches when new vulnerabilities (hacks) are announced. This does not allow the IT staff to be in a position to monitor systems or prevent intrusions from new or undocumented vulnerabilities. In addition, many “attacks” are designed to be as unobtrusive as possible, and require close attention to the network and systems to identify them. Sophisticated attackers will not “pound at the door” trying to break in; they will take their time and find the appropriate attack vector so their efforts go undetected.
It is important to remember that the cost of preventing an intrusion is usually less than the cost of responding to an intrusion. Providing the IT department enough time to address security issues can reduce the risk of a security incident and reduce the cost of responding to one as well.