Threats to Enterprise Security
By: Dan Sullivan, 04/18/2005
Managing Threat Safeguards
For effective security management, multiple threat safeguards must be used in today’s network
environment, and they must be applied at multiple points throughout the organization. Consider
the case of content management. Documents are created, modified, and exchanged constantly
within and across organizations. If documents are exchanged through emails, they are almost
certainly subject to an antivirus check. More and more organizations, however, are moving to
database-oriented document management systems to control the proliferation of multiple copies
of documents and improve collaboration. As these document repositories are becoming an
integral part of the IT infrastructure, security mechanisms, such as antivirus checks, should be
included in their core functionality.
The definition of security safeguards must also expand beyond the traditional boundaries. Spam
is a growing problem, and email filtering systems should be included in security management.
URL filtering is not just a control to keep employees from checking sports scores during the
work day. Known vulnerabilities in Web browsers can allow malicious code to execute through
scripts embedded in HTML documents. Security management must focus not only on keeping
the bad guys out but also on keeping the good guys within the organization from falling prey to
new attacks.
Best Practices for Controlling the Impact of Threat
Throughout the rest of this guide, detailed descriptions and guidelines are provided for specific
types of safeguards, such as access controls and Identity Management. The next chapter will
include specific information about vulnerability management for Windows and Linux systems.
This chapter will close with an overview of best practices for safeguarding an IT infrastructure
from the threats described earlier.
Keep Antivirus Software Up to Date
Keeping antivirus software updated is a trivial task on a single machine or even a dozen. When
dealing with hundreds or thousands of desktops, laptops, and mobile users, it is a different story.
Develop well-defined policies to set specific standards including:
- The type of antivirus software used
- The frequency of updates
- Restrictions on remote access; for example, access is denied if a full scan has not been
performed in the last 72 hours and the signature file has not been updated with the latest
release
- Laptop users who connect to external networks, including home networks, must run a
personal firewall
Configuration and release management tools, such as Microsoft’s System Management Server
(SMS), can aid with compliance monitoring, software inventory, network discovery, and
reporting.
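To show how the remote-access standard above can be checked automatically across a fleet, here is an added Python example (not code from the guide or from any product). It treats the 72-hour full-scan requirement and the latest-signature requirement as two separate conditions, denying access when either fails (an assumption about the intended policy), and works over constructed posture records with constructed signature-release names.

```python
from datetime import datetime, timedelta, timezone

# Policy from the guide: remote access requires a full scan within the last
# 72 hours and the latest signature release. Each is checked as a separate
# requirement here (assumption); failing either denies access.
MAX_SCAN_AGE = timedelta(hours=72)

# Constructed values: the latest signature release and the evaluation time.
LATEST_SIGNATURE = "2005.04.18"
NOW = datetime(2005, 4, 18, 12, 0, tzinfo=timezone.utc)

# Constructed posture records as a management agent might report them.
# last_full_scan is an ISO-8601 timestamp (UTC) or None if never scanned.
SAMPLE_RECORDS = [
    {"host": "laptop-01", "last_full_scan": "2005-04-17T09:00:00+00:00", "signature": "2005.04.18"},
    {"host": "laptop-02", "last_full_scan": "2005-04-14T12:00:00+00:00", "signature": "2005.04.18"},
    {"host": "laptop-03", "last_full_scan": None, "signature": "2005.04.10"},
    {"host": "laptop-04", "last_full_scan": "2005-04-15T12:00:00+00:00", "signature": "2005.04.18"},
]


def check_remote_access(record, latest_signature=LATEST_SIGNATURE, now=NOW):
    """Return (allowed, reasons) for one endpoint posture record."""
    reasons = []
    last_scan = record.get("last_full_scan")
    if last_scan is None:
        reasons.append("no full scan on record")
    else:
        scanned_at = datetime.fromisoformat(last_scan)
        if scanned_at.tzinfo is None:  # treat naive timestamps as UTC
            scanned_at = scanned_at.replace(tzinfo=timezone.utc)
        age = now - scanned_at
        if age > MAX_SCAN_AGE:  # exactly 72h is still compliant
            reasons.append(f"last full scan is {age.total_seconds() / 3600:.0f}h old; limit is 72h")
    sig = record.get("signature")
    if sig != latest_signature:
        reasons.append(f"signature {sig} is not the latest release {latest_signature}")
    return (not reasons, reasons)


def evaluate_fleet(records=SAMPLE_RECORDS, latest_signature=LATEST_SIGNATURE, now=NOW):
    """Map each host to its (allowed, reasons) verdict for a compliance report."""
    return {r["host"]: check_remote_access(r, latest_signature, now) for r in records}


if __name__ == "__main__":
    for host, (allowed, reasons) in evaluate_fleet().items():
        print(f"{host}: {'ALLOW' if allowed else 'DENY'} {'; '.join(reasons)}")
```

The per-host reasons are what an administrator needs in the compliance report; a machine with no scan record fails on both counts.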
Filter for Inappropriate Content
Use comprehensive content filtering software and keep it up to date to combat the latest viruses
and spammer tricks. In addition, create policies and guidelines for your organization, such as
how bulk email is to be handled. Set appropriate end user expectations, and provide feedback
mechanisms, such as an email address to which mail falsely identified as spam should be sent.
Follow through by listening to feedback from your end users.
Configure Firewalls
Blended threats and worms are making use of vulnerable ports in organizations’ networks.
Firewalls should be configured to shut down ports not explicitly needed for business operations.
Doing so can help to prevent attackers from exploiting backdoors introduced through some other
vulnerability or launching a DoS attack from your servers.
Personal firewalls are especially important for mobile users. Salespersons connecting their
laptops to customer networks might be exposed to networks with a host of vulnerabilities that
have been addressed on their own companies’ networks. One of those salespersons could
unwittingly introduce a worm to the corporate network that would have been stopped by a
firewall.
Use Intrusion Prevention
Both host- and network-based intrusion detection and prevention can identify malicious activity
that is not prevented by antivirus and firewall systems. According to the most recent CSI/FBI
Computer Crime Survey, 99 percent of respondents use antivirus software, 98 percent use
firewalls, but only 73 percent use intrusion detection. Intrusion prevention provides an additional
piece of the enterprise security puzzle that should not be overlooked.
Develop, Maintain, and Enforce Security Policies
Network managers, systems administrators, Help desk staff, and end users all must work from
the same set of rules for security management. Policies and procedures serve to ensure that such
is the case. Organizational needs will vary, but some policy topics to consider are:
- Acceptable use
- Encryption
- Antivirus
- Personal firewalls
- Audit and vulnerability scanning
- Incident response
- URL filtering
- Email filtering
- Password policies
- Email retention
- Wireless networking
For example policies and templates, see the SANS Security Policy Project at
http://www.sans.org/resources/policies/.
Integrated Response
Well-integrated multi-layered security systems are the best method for controlling threats to the
enterprise. The individual pieces of the security mosaic have been described throughout this
chapter. To illustrate how these pieces fit together, consider the following example of a likely
security incident and how it is ideally handled.
Consider a fictional banking company, Universal Financial Services. UFS is a consumer bank
with an active online banking service. The company uses layered information security, including
two types of antivirus systems (one in firewalls and the other in email servers), Identity
Management, HIPS, and vulnerability scanning. Even such a state-of-the-art approach cannot
guarantee the elimination of all possible breaches.
An employee downloads an email containing a polymorphic virus. This virus is fairly new and
does not exhibit characteristics identified by the antivirus software and signatures. The virus slips
past both the firewall and email-based antivirus systems. The virus is actually a blended threat
with several pieces of malware, including a worm, a keystroke monitoring program, and an IRC
client. Once past the firewall and antivirus filters, the virus decrypts and unpacks its payload,
infecting the employee’s workstation.
The IRC client executes and tries to establish a connection to an IRC channel on the attacker’s
server. If successful, the IRC client will download virus updates and instructions for further
actions. A personal firewall on the workstation has disabled the IRC protocols, so the attempted
communication fails.
The worm attempts to replicate by exploiting a little-known vulnerability in the desktop OS. The
vendor has not provided a patch for this particular vulnerability, so the worm spreads quickly to
other machines on the network. The keystroke gathering program also starts to execute,
attempting to find usernames, passwords, account numbers, and other identifying information.
The HIPS detects unusual activity and verifies the user’s privileges with the Identity
Management system. The user does not have access to applications that would generate the
anomalous network traffic or monitor keyboard I/O (in a manner similar to a keystroke capture
program), so the HIPS shuts down the processes. A notice is sent to the systems administrator
identifying the compromised workstation. The administrator disconnects the workstation from
the network, updates the antivirus software, and eradicates the malware.
Summary
Threats to information security are pervasive, originating from both outside and within an
organization. The history of computer security is a series of emerging threats followed by
responses of new safeguards, which are, in turn, followed by a new set of threats that circumvent
those safeguards. The availability of attack toolsets exacerbates the problem by making
malware development almost easy. Today, blended threats combine multiple types of attacks into
single payloads, making them more dangerous. At the same time, detecting this malware is more
difficult because of techniques such as virus mutation.
The appropriate response to these threats is a unified approach to security management that uses
the broad base of antivirus, firewall, and IDSs in conjunction with well-defined security policies.
This type of multi-layered, integrated approach is the foundation of an effective security
management regimen that will be developed throughout the remainder of this guide.
[Editor’s Note: This content was excerpted from the free eBook The Definitive Guide to
Security Management (Realtimepublishers.com) written by Dan Sullivan and available from a
link at http://www3.ca.com/ebook/default.aspx?sacid=60453.]