The Definitive Guide to Security Inside the Perimeter, by Rebecca Herold
Securing information is at the forefront of many executives' minds, and for good reason. Every day news reports document information security incidents that cost corporations significant time and money to resolve, often at the expense of their brands and reputations. Public attention has generally focused on preventing harm to networks by creating an impenetrable perimeter to keep the bad outsiders at bay. Reality demonstrates, however, that the network is highly susceptible to threats that originate within the perimeter, as well as threats that make it through a perimeter that is, in today's environment, highly vulnerable and porous and cannot feasibly be made impenetrable. The Definitive Guide to Security Inside the Perimeter describes many of these insider threats, as well as best practices for guarding against them.
Chapter 1: New Threats for the Same Security Issues
The need to secure information is a concern at the forefront of many executives' minds, and for good reason. Every day news reports document information security incidents that cost companies significant time and money to resolve, often at the expense of their brands and reputations:
- CardSystems Solutions Inc. is poised to go out of business as a direct consequence of a May 2005 security breach in which 40 million credit card numbers stored on their internal network were accessed by attackers who defeated the perimeter security. The company announced the breach May 22nd, and on July 19th, both Visa and American Express announced that they would no longer use CardSystems Solutions.
- An angry systems administrator, who alone developed and managed his company's network, centralized the software that supported the company's processes on a single server. He then coerced a coworker into giving him the only backup tapes for the software. After the systems administrator was fired for inappropriate and abusive treatment of his coworkers, a logic bomb he had planted deleted the only remaining copy of the critical software from the company's server. The company estimated the cost of damage in excess of million and as a result had to lay off 80 employees.
- The MyDoom worm made it past firewalls as an email attachment in January 2004. At the height of the outbreak, more than 100,000 occurrences of the worm were intercepted each hour. The worm was cleverly disguised as an innocuous text file attachment; unsuspecting users opened the attachment and launched the worm inside their network perimeter. In 2004, MyDoom was estimated to have cost businesses 0 million (http://money.cnn.com/2004/01/28/technology/mydoom_costs/).
- An IT sector application developer who was downsized out of his job before the Christmas holiday launched an attack on his former employer's network 3 weeks after his termination, using a former coworker's user ID and password to obtain remote access to the internal network. He defaced many of the company's Web pages by modifying text and posting pornographic images, and sent each of the company's customers an email message telling them the Web site had been attacked. He also included within the message the customers' IDs and passwords for the Web site. A month and a half later, the developer attacked again through the remote connection, this time resetting all the network passwords and changing 4000 pricing records. He was sentenced to 5 months in prison and 2 years of supervised probation, and was ordered to pay his former employer ,600 in restitution.
- An upset city government employee who did not get a promotion deleted files from office computers the day before the person who got the new position started. The subsequent investigation confirmed that the disgruntled employee was responsible for the incident. However, the city government officials and the police detective disagreed about whether all of the deleted files had been recovered. No criminal charges were filed, and the employee was allowed to resign.
Chapter 2: Factors Working Against Securing Just the
Tribal thinking has existed for centuries within many different cultures: members of a group, or tribe, were completely trusted to do what is right and good, and those who were not members of the tribe were not trusted. There is a long history of organizations also trusting all their own members. Historically, organizations believed that trusting employees implicitly led to loyalty and better productivity. In fact, a study published by NFI in 2003 (http://www.nfiresearch.com/subpage/release/EmpLoyalty.html) stressed increasing trust, stating, "It isn't the monetary rewards that build loyalty; it is the feeling of adding value, making a contribution and being trusted that matter most in building an organization of loyal employees." This idea certainly reflects tribal thinking.
Chapter 3: Multi-Dimensional Enterprise-Wide Security
Multi-dimensional security involves protecting the information assets and associated resources within all areas of an enterprise and in compliance with all regulatory, policy, and contractual requirements. It places protection at not only the perimeter, as has historically been the norm, but also wherever information is stored, processed, or transmitted. Multi-dimensional security involves more than just technology solutions; it also utilizes operational, administrative, and human forms of protection to help reduce the risks to information wherever information can be found.
At a high level, a multi-dimensional security program includes the use of:
- Protection strategies
- Risk analysis and assessment
- Security policies, procedures, and standards
- Audit and validation
- Simplifying complexity
Using multi-dimensional security reduces the risk of a security breach, secures data flows throughout the transmission path, reduces the impact and cost of compliance audits, protects against insider attacks, and demonstrates due diligence.
Chapter 4: The Value of Zoning
Zoning to secure valuable resources is nothing new. The concept of creating security zones has been around for centuries. For example, countries have divided their lands into regions and applied military security protection to each region based upon the regional characteristics, value, population, and other various factors.
Security zones are also used to help protect valuable resources against acts of terrorism or other targeted violence. For example, airports mitigate their risks through the use of security zones. They divide the airport grounds, airspace, and facilities into specific zones in order to protect the critical sections of the airport from unlawful interference and to more easily manage the zone areas. Certain security controls apply within each zone. These may include actions such as establishing and maintaining barriers to protect the zoned area, restrictions on entry, and so on. Typically, an airport has an airside area and a landside area. The critical aviation operations are generally included in the airside area, where security is more tightly regulated. These zones may be established for a range of reasons, including the control of people movement, prevention of interference with aircraft, and restriction of access to critical facilities.
Chapter 5: Layered Security
Using just one tool or performing just one activity will not produce an effective information security program. An effective information security program consists of many layers. Using many different layers of many different types of security most effectively protects the enterprise from the attacks and threats to information resources that come from all directions and in all forms, both malicious and accidental. This layered defense is often compared to the layers of an onion: an attacker must penetrate many different types of security layers before reaching the target at the core of the onion (your critical information infrastructure). Such layering establishes a more reliable security posture; a failure or breach in one layer does not by itself compromise the other concentric layers.
Chapter 6: Tools in the Zones
Organizations must manage information security in multiple ways throughout the enterprise and as appropriate within each of the identified security zones. Network security management must effectively manage access to information assets and establish rules that network users must follow, limit access to network information resources to only those that have a business need for the access, and create notifications whenever incidents and inappropriate actions occur. Powerful security safeguard tools must be implemented within established security zones to make the zones effective. When determining the security tools to implement, keep in mind that most reported information security incidents basically stem from three business weaknesses:
- Poorly implemented security measures revolving around improper access controls
- Lack of encryption
- Trusted insiders purposefully or accidentally accessing, using, or damaging information resources
Chapter 7: Managing Internal Security
A comprehensive and effective information security program and its supporting infrastructure are much more than just hardware and software components. Although most organizations wish there were such a thing, there is no magic information security silver bullet. Effective information security management requires the implementation and coordination of many components. Success requires vigilance by the information security group.
In addition to the motivations for individuals to compromise an enterprise information system discussed in Chapter 1, there are the mistakes and uninformed actions that put an organization's information and network assets at risk. Managing enterprise-wide information security is a much larger and more challenging task than the subtask of managing the security of the network perimeter. Information security is a process, not a one-time achievement.
Chapter 8: The Recipe for Security Within the Perimeter
The past seven chapters have discussed the myriad reasons why organizations must address security within the perimeter as diligently as, or even more diligently than, they approach security of the perimeter itself. This chapter boils all of that information and advice down into an information security recipe for effectively addressing security within the perimeter. It first reviews the key concepts within each chapter, then identifies the key actions organizations need to take (the information security recipe) to ensure the entire enterprise is secured within the perimeter.