WindowSecurity.com Newsletter of November 2011 Sponsored by: SolarWinds
Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
1. Cyber Security – a few thoughts!
Attempting to explain Cyber security may be intricate, it is a complex topic and explaining the whole picture in few words is no easy task, but I find it helpful to use metaphors when explaining complex scenarios. In fact, I would like to share the approach used by Dr. Warren Axelrod in his online journal called Cybersecurity and the Critical Infrastructure: Looking Beyond the Perimeter.
If you are purchasing a new vehicle, most probably you will want to purchase one with the best safety features including seat belts, air bags, compressible front and rear sections, and other extra features that add value to the overall safety of the vehicle. Basically, you would go for the options that give you the best means of protection while you are driving. The same goes with Cyber security. Security aware individuals and organizations would secure their internal assets and networks as best as they can, so that any information within their networks is protected.
Let’s go back to the vehicle metaphor, and think how secure the vehicle would be if there were no highway controls, no drivers’ tests, and no monitoring and response by law enforcement! I can include other regulatory requirements, such as regular state vehicle inspections and other highway checks. No matter how well protected the vehicle may be from the inside, it would still be unsafe to drive it in insecure highways filled with outlaws roaming about.
Gratefully, that’s not the case in the transportation world or at least in civilized countries. There are highway rules, traffic signs, speed cameras, tested vehicles and law enforcement by the respective governments. But who is responsible for controlling and managing security in cyber space? There is no single entity that is responsible for protecting the whole of Cyber space. On the other hand, there are ongoing efforts by major governments and international private organizations to coordinate Cyber security activities. For instance, last month member states from the European Union and the United States tested a coordinated approach to fight a fictitious cyber threat.
What can private entities do to help out?
More comprehensive IT risk assessments and mitigation techniques - Think outside the box. Today’s threat landscape requires organizations to manage risks beyond their network perimeter and stop threats before they reach the network. A proactive mechanism known as upstream security offers the potential to increase the security and assurance of organizations. For instance, if your organization is prone to DDoS attacks and you decide to put in place a control mechanism, then consider mitigating such attacks at a location where bandwidth is abundant. There are third-party providers with massive bandwidth which can stop DDoS attacks, saving your entire organization and others sharing the same bandwidth from downtime!
A broader perspective of security training – Employee training and awareness programs should be set with a wider perspective of security rather than just dealing with organizational practices. Educate your users to follow security best practices everywhere, especially where and when they are most vulnerable. If users are accustomed to security best practices at their homes, at the airport, at an Internet café and other public places, then most likely they would transfer the habit wherever they are. Some may question why an organization should train a user on how to safely use a public computer while he or she is on a holiday. Perhaps the user might only end up with a compromised personal email account when using a public computer while on holiday but the consequences could be much worse if the user accesses sensitive company information from a public computer while on a business trip. Some users may take home sensitive files to continue their work using a vulnerable home computer and this is yet another reason why proper employee training is needed. Greater investment in security training and awareness has indirect benefits and surely needs to be considered by organizations.
Analyze threats and past incidents – It is absolutely necessary to handle security incidents and resolve them in the shortest time possible, however, do you perform a retrospective exercise after an incident has been resolved? The reactive part is important but the proactive part is gradually becoming equally important as more and more intrusion detection/prevention systems are being circumvented by new malware. Proactive tasks may include, analyzing data from which an emerging threat can be identified (recording patterns), lessons learnt from recovered incidents, and understanding the root cause of incidents (there are instances where an incident is solved but its root cause could not be easily identified). Organizations may not have the time at hand to perform intensive research projects but any knowledge gained while they are reacting to real threats should not be wasted. For instance, if your organization discovers a particular malware or any malicious activity then make sure that you let others know about your discovery and possibly post such information within a community as described below.
Participate in state or private security programs and initiatives – Organizations should allow their IT staff to participate in network information security related initiatives and programs. Training is good and necessary, however, hands-on experience is something that takes time to build and these programs may give that extra experience which may become handy when a threat hits your organization. Try to find a program that fits your bill. Programs and initiatives may take the form of building a security related tool or creating a conceptual idea, where you can benefit from the knowledge of experienced participants and researchers working together on the same project. For instance, in the UK organizations can join a community-based service where members can receive and share up-to-date advice on security threats, incidents and solutions. It is called the Warp program and is provided by the national government. Members can share a collective view of issues and solutions from peers within the community, which could include benchmarking to support better decision making. If participating in a security program is out of the question, then try to participate in security related forums, be active and don’t only remain an observer. The concept of sharing security related information without exposing any private data is the way forward to fight cyber criminals.
Adhere to recognized international security standards – If your organization is bound with regulatory compliance and has achieved some form of accreditation such as PCI or ISO then it can be said that the organization has certain procedures, controls and policies in place. But if your organization is not bound with any regulations or does not have the time and money to get certified, then should it ignore security procedures and best practices? No matter how small the organization or limited the funds may be, every entity could follow best practices and procedures as explained in an established framework such as COBIT or ITIL. The creation of security policies, minimum security measurements, best practices, incident management, security controls and other elements of a well-recognized IT security framework can be customized according to the entity needs and then there’s no need to re-invent the wheel. It is a known fact that cyber criminals attack SMEs due to their lack of security controls and measures!
Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you’re more than welcome to e-mail me at email@example.com
See you next month! – George
2. WindowSecurity.com Articles of Interest
3. Tip of the Month
Get yourself acquainted with the best security sources out there, such as:
4. Latest Security Exploits and Concerns
5. Ask George a question
Hi, I know that Remote access is a cool feature but the security risks are too high. At work, users are pushing hard to get access to internal resources remotely, but I don’t want to create a weak spot in my network’s security, any ideas please before my boss approves?
Hi T Vita,
There is a way to provide a safe channel over the Internet and give your users access to the internal network remotely but remember that any solution you put in place has its weaknesses too. I suggest using a VPN (Virtual Private Network) which can be easily set up through a VPN server or service on an existing machine with access rules set accordingly on the perimeter firewall/gateway. Depending on your solution, users may need to install a VPN client and some solutions support remote access from mobile phones as well. The important part of the setup is to make sure that your VPN server is configured to allow only what is needed and disable/block all the rest. Enable logging, check activity and replace users’ passwords on regular basis. Make sure to disable users’ accounts when they leave the company or their right to access the network remotely is revoked. Make sure that all users’ machines connecting over a VPN have up-to-date antivirus protection and enforce strong passwords and multi-factor authentication. These are the kind of policies and security measures you would need to work on when deploying a VPN solution.