SECTION 3

Topics in this section:
  • RSA and Cyber Crime Growing
  • Internet Security Standards
  • Security Policies and Countermeasures
  • Threat Modeling and Risk Assessment
  • Tiger Teams
  • Disaster Recovery Plans
  • Security Procedures: Weak Points
  • Security Processes
    • compartmentalize
    • secure the weakest link
    • use choke points
    • defense in depth
    • enlist users
    • detect attacks
  • The Human Factor
  • Honey Pots
  • Social Engineering
  • IT Security Audit
  • After the Attack
  • Incident Handling and Hacker Exploits

changes last made to this page 2003 Feb 19th
 

In Section Three we will use material from the following texts and chapters (each is referenced where it is used below): Greenstein & Feinman, "Electronic Commerce", Chpt 8 (Chpt 6 in the 1st ed.); Schneier, "Secrets & Lies", Chpt 4, 17, 19, 20 and 24; Whitman & Mattord, "Principles of Information Security", Chpt 3; and Chpt 21 of the security policy text quoted near the end of this section (pages 638-639).

Learning Objectives for Section 3

After completing this section participants will be able to

  • substantiate, through media coverage and other resources, that cyber threats are real and growing, and therefore need to be dealt with
  • understand the meaning of, and apply, the concept that "Security is a process, not a product"
  • identify the weak points of security procedures
  • describe the methodology of Risk Management
  • understand the fundamentals of social controls and culture management
  • identify the five ways in which adversaries are categorized and describe how each category can be further sub-divided
  • explain to a non-IT person the difference between hackers and crackers
  • understand the obligations of organizational liability and the risks if such liability is not assessed
  • appreciate the importance of electronic "evidence" and the special requirement of leaving it untouched
In addition to the textbooks selected for this course, we would identify an excellent on-line resource: the SANS web site. This should be a prominent "bookmark" for you, and in addition to the specific information from SANS that we refer to, you should, on your own, spend time on this site.

Before we begin this section, it is perhaps wise to pause and reflect on whether the precautions we are about to discuss are necessary - that is to say, "why deal with the trouble of security procedures if the threat, in actuality, is not very big?"

The answer is a resounding YES, the precautions are necessary: the threat is real and it is growing.

We searched for an authoritative voice on threat trends and found the article below. It discusses a survey conducted by the Computer Security Institute (a legitimate and credible organization) together with the FBI's Computer Intrusion Squad in San Francisco. The survey concludes that cyber crime is rising substantially; therefore the threat is real and it needs to be dealt with.

"The results of the sixth annual [2001] "Computer Crime and Security Survey," conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion squad, were released mid-March [2001] with some startling findings. "Based on responses from 538 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the 2001 Computer Crime and Security Survey confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting," the report states."
http://www.rsasecurity.com/newsletter/v2n2/cybercrime.html

After reading the story on the RSA page about the survey concluding that cyber crime is growing, you should pause and reflect on whether
1. cyber crime is growing, or whether it is also partly that
2. companies are simply getting better at detecting cyber crime.
Security Considerations: Proper Procedures

In addition to the SANS web site, Bruce Schneier's company, Counterpane, has a very extensive web site with a lot of material, especially on the topic of security procedures, which is an important theme in IEC 818.
http://www.counterpane.com/

"Security is a process, not a product"
Bruce Schneier, CTO of Counterpane and author of the book Applied Cryptography
Communications & Networking, January 2003, Vol. 6 No. 1
"Guarding against threats from within"
A careless employee is just as much of a threat as a hacker

"Proper network security requires at least one (if not several) firewalls, anti-virus software and intrusion detection. That's just the technology, which is not even the most important part. Security also depends on policies and procedures, and without those, all the gadgets in the world will not be enough.... policies and procedures are not the complete answer either. Hardware and software can help enforce the rules and make it easier for employees to comply with them"
 
Countermeasures

Responding to a security risk, or a threat of a security risk
One of the things you can do is to be on the mailing lists of different security related organizations:
  • government security organizations
  • national industry associations
  • large security IT companies
These lists provide information on current threats and on remedies to deal with them. The remedies often involve obtaining the latest patches for software that has vulnerabilities.

Being on the SANS mailing list can be very useful. As this course was being prepared, the author of the course received an email from SANS about East-European hackers extorting North American businesses. To read about this real-life example, see the copy of the SANS warning at
www.witiger.com/ecommerce/SANwarning.htm
The email is quite lengthy; a simple summary is that they advise companies at risk to pay attention to a "patch" that Microsoft made available in the past, and to apply it, since failing to make this update will leave your system vulnerable.
Countermeasures: Honey Pots

See the witiger unit on Honey Pots (linked from this page).
Security Considerations: Proper Procedures

Aladdin Knowledge Systems' Internet Security Unit (http://www.esafe.com/company.html) is based in Seattle. Their main web site, http://www.eAladdin.com, also links to a "Glossary of terms" from its main page.

Shimon Gruper is the Chief Technology Officer of Aladdin's Internet Security Unit. Gruper has had a list of Top 10 Security Tips on Aladdin's web site for quite some time, and the list is well worth referring to. The list was at http://www.esafe.com/shimonsays/index.html#top10 but this link was not active in November 2000. The ten tips, in point form:

1. The Safe Use of Email Attachments
2. Vandals in Word Documents?
3. Setting Browser Security Options
4. Buying Products over the Web
5. Protecting your Personal Information
6. What about Cookies?
7. Are Java and ActiveX Safe?
8. Are Plug-ins and Push Clients Safe?
9. What about Viruses?
10. How to handle Spam Mail
 
Security Considerations: Proper Procedures

Security Procedures: Weak Points

Matthew Friedman, writing in the Plesman publication e-Business (http://www.plesman.com/eb/home.html), authored an article in April 2000 about hackers in which he said that "Security Managers are confident in the security postures of their organizations. But a recent report suggests they might not be getting the whole picture"
http://www.plesman.com/eb/news.html?CONTENT=news/eb020425a

Friedman explains that in February 2000 the publicized stories of hackers overloading some well known sites like Yahoo raised awareness of security issues, but he goes on to cite experts who say not enough is being done and, more importantly, that key people don't understand the implications of security vulnerabilities. Friedman quotes Steven Ross, Deloitte & Touche's director of e-business technologies and security: "there's a feeling among the security people themselves that management doesn't understand the issues like they do."

Friedman's article is a very good report on the key issues and you are strongly encouraged to read it thoroughly.
 

Chpt 8: Risk Management

"Electronic Commerce": Greenstein & Feinman, Chpt 6 (1st ed.), Chpt 8 (2nd ed.), Risk Management

Before you begin reading Chapter 6 in the Greenstein book, it would be a good idea to go to the website for the book and scan through the online list of "Key Terms".

Greenstein page 171

"Risk Management is a methodology for

  • assessing the potential of future events that can cause adverse effects; and
  • implementing cost-efficient strategies that can deal with these risks"

This quote describing Risk Management is loaded with meaning.
1. potential refers to the degree to which a future event can cause a problem: a big problem or a little problem. If it is a little problem, then for practical purposes it is not a problem.
2. future refers to the fact that Risk Management can't do anything about the present screw-ups in the company; it can only keep things from happening in the future, if people start to follow certain policies and procedures.
3. adverse refers to the distinction between things that happen that are not a problem because no damage is caused, and things that happen that cause damage.
4. cost-efficient is important because you have to relate the cost of security to the cost of the damage at risk. You can't spend an excess of money protecting information which is worth less than the cost of the protection; it would be better to take the risk that the information won't be harmed and not protect it, or protect it with something less expensive.
5. deal with the risks implies that it is not good enough just to know when bad things happen; you have to have the ability to respond to and deter the existing threat, which might include intervention by police and other authorities.

Chpt 8: Culture Management

"Electronic Commerce": Greenstein & Feinman, Chpt 6 Risk Management page 174

Culture Management

A key point of this whole course is that security is human based, not silicon based, and in this next part of Section 3 we will discuss an important aspect of the human factor in IT security.
"Controls over the human factor are called social controls and managing these controls is called culture management. The human element of managing risk is the most troublesome aspect to many information technology professionals. The major risks of the human factor are
  • bad judgment
  • honest errors
  • fraud
  • virus damage"

Chpt 8: Risk Management Paradigm

"Electronic Commerce": Greenstein & Feinman, Chpt 6 Risk Management page 176

Risk Management Paradigm

A lot of management oriented books and texts like to use the word "paradigm" at some point or other; in Greenstein's book the use is appropriate, since it describes a situation in which there are several interlinked processes and dealing with them is an ongoing problem.

You should carefully review pages 176-178 (1st ed.); page 256 (2nd ed.).

The key point is that
"risk management is an ongoing process ... the key is to be proactive, rather than reactive... one objective of the paradigm is to minimize reactive solutions and seek out proactive designs"
Risk Assessment

"How the Pros Help You Probe the Strength of Your Ramparts"
article written by Dario Forte, August 1, 2000
"Most assessments today focus on the Web user interface, Web server setup, links to company databases, and server scripts. The checks  should include planning of countermeasures regarding DDoS, defacement, and "hijacking" - the intrusion of a non-authorized third party into a two-party transaction, as recently occurred at nike.com,  bali.com, and web.net, which were deprived of their virtual identities. Evaluate the ability of the security analyst to assess Web server setup  vulnerabilities, in terms of administration privileges and software modules such as CGI, ASP, etc. This analysis is usually performed by a "tiger team," which may be made up of ex-crackers or reformed  wayward university students. Or it may consist of properly trained  security engineers."
 


Tiger Teams

In the computer industry, a tiger team is a group of programmers or "reformed" hackers who volunteer, or are hired, to expose errors or security holes in a web site or network. They don't simply try to hack their way in; they document the different methods and attempts they make, and then provide a report to the client so the client knows how to fix the vulnerabilities.
"In every case, a security assessment service must provide an analysis of the effectiveness of a company's security controls. Global Integrity,  for example, recommends a periodic assessment based on a review of  current documentation, policies, and practices; interviews with key personnel; and comparisons against industry "best practices" and other  benchmarks.  A thorough review should not stop with the infrastructure. You also need  to test your defenses against social engineering - the set of techniques  used to subvert systems by exploiting human nature. One bank I studied paid no attention to managing the e-mail relationship with the system administrators. By spoofing an internal e-mail address, an intruder could contact bank employees with a request to "check the correct password," and 90 percent of the time they responded with the correct information without taking any steps to verify the sender's identity."

Chpt 19: Threat Modeling and Risk Assessment

Secrets & Lies: Digital Security in a Networked World, by Bruce Schneier

Chpt 19 Threat Modeling and Risk Assessment

People reading Chpt 19 may find, to their amusement, that although Schneier is a brilliant security genius he does have a sense of humour and is not afraid to use humorous methods to get his point across in his books. You should not be put off by this: he seems to be an example of a person who takes his work very seriously but doesn't take himself seriously.
"Threat modeling is the first step in any security solution. It's a way to make sense of the vulnerability landscape... It involves thinking about a system and imagining ... how you can attack this system".

Risk Assessment

The point is, it does not matter if you are able to identify, categorize and describe various threats if you have no idea of the magnitude of the damage they can cause. Risk assessment is an important part of threat modeling because it is at this point that you are able to say "we know this threat A, but it is OK because the damage will be small; we know this threat B and the damage potential is large, so we had better deal with it".

Chpt 19, page 301
"It's not enough to simply list a bunch of threats, you need to know how much to worry about each one of them. This is where risk assessment comes in. The basic idea is to take all the threats, estimate the expected loss per incident and the expected number of incidents per year, and then calculate the annual loss expectancy (ALE)"

Risk Assessment and Estimating Security Costs

"Some risks have a very low probability of incidence. If the risk is a network intrusion by an industrial competitor out to steal the new design plans, the expected loss per incident might be $10 million but the number of incidents per year might be 0.0001 - there's a 0.1% chance of this happening per year. This means that the annual loss expectancy (ALE) is $10,000, and a countermeasure costing $25,000 isn't such a bargain".
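The ALE arithmetic above, carried a step further, as an added example that is not from Schneier's book or from this course page. It computes the annual loss expectancy for each threat, tests whether a countermeasure costs less per year than the loss it averts, and ranks candidate controls by net benefit. Note that the quoted passage gives the annual rate as 0.0001 but also as 0.1% and the ALE as $10,000; only a rate of 0.001 fits both the percentage and the ALE, so the example uses 0.001. The `mitigation` fraction (how much of the ALE a control removes) and all threats other than the book's own are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Threat:
    """One line of the threat model, in Schneier's terms."""
    name: str
    loss_per_incident: float   # expected loss per incident, in dollars
    incidents_per_year: float  # expected number of incidents per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy = loss per incident x incidents per year."""
        return self.loss_per_incident * self.incidents_per_year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float   # what the control costs per year, in dollars
    # Fraction of the threat's ALE the control is assumed to remove.  This
    # factor is an assumption of the example; the book's text compares the
    # full ALE against the control's price (mitigation = 1.0).
    mitigation: float = 1.0


def net_benefit(threat: Threat, control: Countermeasure) -> float:
    """Expected annual saving minus the control's annual cost."""
    return threat.ale * control.mitigation - control.annual_cost


def is_bargain(threat: Threat, control: Countermeasure) -> bool:
    """Schneier's test: the control is worth buying only if it costs less
    per year than the loss it is expected to avert."""
    return net_benefit(threat, control) > 0


def rank_spending(pairs: Iterable[Tuple[Threat, Countermeasure]]) -> List[Tuple[str, str, float]]:
    """Order candidate (threat, control) pairs by net annual benefit, best
    first, so the budget goes to the controls that actually reduce risk."""
    ranked = sorted(pairs, key=lambda p: net_benefit(*p), reverse=True)
    return [(t.name, c.name, round(net_benefit(t, c), 2)) for t, c in ranked]


# Constructed sample data.  The first row is the book's example: a $10M loss
# at 0.1% per year (0.001) gives an ALE of $10,000, so a $25,000 control is
# not a bargain.  The other rows are made up for the example.
THREATS = {
    "design theft by competitor": Threat("design theft by competitor", 10_000_000, 0.001),
    "web site defacement": Threat("web site defacement", 50_000, 2.0),
    "laptop lost with customer data": Threat("laptop lost with customer data", 200_000, 0.25),
}
CONTROLS = [
    (THREATS["design theft by competitor"], Countermeasure("network intrusion detection", 25_000)),
    (THREATS["web site defacement"], Countermeasure("web server hardening and monitoring", 15_000, 0.8)),
    (THREATS["laptop lost with customer data"], Countermeasure("full-disk encryption", 5_000, 0.9)),
]

if __name__ == "__main__":
    for threat, control in CONTROLS:
        verdict = "bargain" if is_bargain(threat, control) else "not a bargain"
        print(f"{threat.name}: ALE ${threat.ale:,.0f}; {control.name} at "
              f"${control.annual_cost:,.0f}/yr is {verdict}")
    print(rank_spending(CONTROLS))
```

The ranking is the point of the exercise: a control that removes 80% of a $100,000 ALE for $15,000 a year buys far more risk reduction than a $25,000 control against a $10,000 ALE, even though the second threat has the larger loss per incident.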

Chpt 6: Disaster Recovery Plans

"Electronic Commerce": Greenstein & Feinman, Chpt 6 Risk Management page 178

Disaster Recovery Plans

You should carefully review pages 178-181.

Good Planning involves considering the following objectives

  • assessment of vulnerabilities
  • prevention and reduction of risk
  • creation of cost-effective solutions
  • minimization of business interruption and assurance of business continuity
  • securing alternative Internet access modes
Chpt 4: "Who" - from where comes the threat

Secrets & Lies: Digital Security in a Networked World
by Bruce Schneier

Chpt 4 Adversaries

Schneier's fourth chapter is a very good presentation of the whole panoply of "bad guys" in internet security. You are strongly encouraged to read the entire chapter, since dealing with threats successfully depends on a decent understanding of what and who the threat is.

Schneier's premise for this chapter, and one we agree with, is that threats in the online world are similar to those in the offline world; the difference is that in the online world the tools are faster and the magnitude of the damage is proportionately higher.
Schneier begins the chapter by categorizing adversaries in several ways. Adversaries can be differentiated according to their

  • Objectives
  • Access
  • Resources
  • Expertise
  • Risk

1. Objectives can vary. They can include people trying to
  • inflict raw damage
  • obtain financial gain
  • access information
  • act out of patriotism
  • pursue political purposes

2. Access. People trying to obtain access can be further subdivided into the following categories (according to Tim Richardson)
  • insiders
  • associated and affiliated persons
  • complete outsiders and strangers
Schneier cautions "insiders are not necessarily employees. They can be consultants and contractors...". During the Y2K scare, many people with suspect expertise were given wide access to IT networks in the hope that they could fix the bugs in time.

3. Resources. Adversaries can be categorized according to whether they have money, or know-how, or ideally both
  • financial
    • large amount of money
    • restricted amount of money tied to returns
  • technical
    • sophisticated, with appropriate equipment
    • amateur (script kiddies)

4. Expertise. Adversaries can be categorized according to whether they know a lot, or a little, about how to infiltrate your networks and damage your company
  • comprehensive
    • advanced
    • beginner
  • specialist
    • advanced
    • beginner

5. Risk. Adversaries are distinguished by the degree of risk they will take, which is a function of the reward they seek less the cost to them of being stopped.
  • terrorists - accept a high degree of personal risk
  • criminals - accept the risk of jail time
  • wealthy adversaries - accept the risk of losing a lot of money (for example by hiring criminals and terrorists)

It was author Bruce Schneier who wrote the preceding 5 categories in Chapter 4 of his book; it was Prof. Tim Richardson who wrote the further subdivisions and annotations describing the breakdown.
A summary of the "participants" in the IT threat community

  • hackers and crackers
  • lone criminals
  • malicious insiders and disgruntled employees
  • industrial espionage
  • press (offline and online)
  • organized crime
  • police, regional and national
  • terrorists
  • national intelligence agencies
  • information warriors
    • a relatively new word to describe a military person who works at undermining the target's ability to wage war by attacking their information or network infrastructure
    • Schneier notes that in 1999 NATO targeted Belgrade's electric plants - in retaliation, Serbian hackers attacked hundreds of U.S. military and NATO computer sites
Chpt 4: "Hackers" and "Crackers", a subtle distinction

Secrets & Lies: Digital Security in a Networked World
by Bruce Schneier

Chpt 4 Adversaries
"The word Hacker has several definitions, ranging from a corporate system administrator adept enough to figure out how computers really work to an ethically inept teenage criminal... The word has been co-opted by the media and stripped of its meaning. It used to be a compliment, then it became an insult. Lately people use "cracker" for the bad guys and "hacker" for the good guys."

Schneier page 43

"I define a hacker as an individual who experiments with the limitations of systems for intellectual curiosity or sheer pleasure; the word describes a person with a particular set of skills and not a particular set of morals"

Chpt 17: The Human Factor

Secrets & Lies: Digital Security in a Networked World
by Bruce Schneier

Chpt 17 The Human Factors

If we say "read Chapter 17 thoroughly because it is really important", we are not implying that the other chapters aren't important; rather, it is a key theme in understanding the whole ECP 1220 course.

In Chpt 17, Schneier goes to great lengths to explain the weaknesses in the human side of IT security, and this should be absorbed fully by you.

Schneier
page 256

"Information never stays in computers; it moves onto paper all the time. Information is information and, for an attacker, information in paper files is just as good as information in computer files. Many times paper in trash is more valuable than the same data in a computer: It's easier to steal and less likely to be missed. A company that encrypts all of its data on computers, but doesn't lock its file cabinets or shred its trash, is leaving itself open to attack."

Human Weaknesses

page 258
"One danger of computerized systems is that they make mistakes so rarely that people don't know how to deal with them. It's the "This computer never makes mistakes, so you must be lying," mentality. The fact is that computers make all sorts of mistakes all the time"

Social Engineering

page 266-268

"Social Engineering is the hacker term for a con game: persuade the other person to do what you want". Schneier discusses various examples of social engineering over a few pages. It is a term that can be found throughout the web related to IT security situations. You could earn some class participation / contribution marks by finding some specific examples of social engineering used in some hacking situations, which have been reported on by the media, and make a summary of what happened, and email this to the professor running the course.

Chpt 20: Security Policies and Countermeasures

Secrets & Lies: Digital Security in a Networked World
by Bruce Schneier
Chpt 20 Security Policies and Countermeasures

Schneier page 308
".. every organization needs a security policy for its computer network. The policy should outline

  • who is responsible for what
    • implementation
    • enforcement
    • audit
    • review
  • what the basic network security policies are
  • and why they are the way they are."
"The security policy is how you determine what countermeasures to use"
Deterrence

Chpt 3, page 98
in Principles of Information Security by Michael Whitman and Herbert Mattord

In the three steps to Security Policy
  • Prevention
  • Detection
  • Reaction, Countermeasures
deterrence is a big part of Prevention: if your deterrence is strong enough, and backed up by countermeasures, then fewer people will try to hack you, since you are a "harder target" than another potential victim, and they will simply stop attempting to get into your system and look for an easier victim.

WTGR

Whitman and Mattord say that
"Deterrence is the best method for preventing illegal or unethical activity. Laws, policies and technical controls are all examples of deterrents. However it is generally agreed that laws and policies and their associated penalties only deter if three conditions are present.
  • Fear of Penalty
    • The individual desiring to commit the act must fear the penalty
  • Probability of Being Caught
    • The individual has to know there is a strong possibility of being caught
  • Probability of Punishment Being Administered
    • The individual must believe that the penalty is severe, that they will be caught, and that they will actually receive the penalty"

The details of deterrence must be worked into any development of a Security Policy, otherwise the consequent actions have no "teeth".

WTGR

Chpt 24: Security Processes

Secrets & Lies: Digital Security in a Networked World, by Bruce Schneier

Chpt 24 Security Processes

Following his axiom that security is a process, not a product, Schneier opens Chapter 24 saying that

page 367
"Technology alone cannot save us. Products have problems, and they are getting worse. The only thing reasonable to do is to create processes that accept this reality, and allow us to go about our lives the best we can. It's no different from any other aspect of our society".

The principles of the security process presented by Schneier, pp. 367-374:

  • compartmentalize
    • don't put all the vulnerable assets in one location; divide things up so attackers have to make more of an effort to "capture" the critical information
  • secure the weakest link
    • the weakest link is where the attack is most likely to take place, so make sure countermeasures are applied here, and not just at the strong points
  • use choke points
    • limiting the places people "can go", and forcing users into a narrow channel, makes it easier for monitoring of traffic, etc. to spot unusual activity that could be the beginnings of an attack
  • defense in depth
    • a universal security principle is to make security strong from the initial point of contact all the way back to the vulnerable target
    • "example: a network protected by two firewalls, one each at two different network ingresses, is not defense in depth ... a network protected by two firewalls, one behind the other, is defense in depth: an attacker has to penetrate one firewall and then the other in order to attack the network"
  • fail securely
    • Schneier explains that if a system fails, it should do so in a way that does not release information, or money, etc. in the process of failing; it should just shut down
  • leverage unpredictability
    • don't give people information they do not need to know; it will make an attack more difficult if they have absolutely nothing to go on
  • embrace simplicity
    • if a system is as secure as its weakest link, then the fewer links, the better!
  • enlist users
    • users have to be incorporated as assets. "Security measures that aren't understood and agreed to by everyone, don't work"
  • assurance
  • question
    • Schneier advises you to constantly question security assumptions and decisions
  • detect attacks
    • "It's not enough to put up a firewall... you need to detect attacks"
    • you have to detect attacks in order to know if your security is working, and how it might need to be strengthened according to the type of attacks you are receiving
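Three of the principles above (use choke points, fail securely, detect attacks) come together in a single authorization gate, shown here as an added example that is not from Schneier's book or from this course page. The role table, the user directory and the "directory outage" are constructed for the example; `authorize_fail_open` shows the weak form, in which an outage lets every request through, and `Gateway` shows the secure form, in which every request passes through one choke point that denies on outage or unknown user and counts denials so that probing can be detected.

```python
import logging
from typing import Dict, Optional, Set

log = logging.getLogger("gateway")

# Constructed role table for the example: role -> actions it may perform.
PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"read", "write", "delete"},
    "staff": {"read"},
}


class DirectoryUnavailable(Exception):
    """Raised when the user directory (the policy backend) cannot be reached."""


def lookup_role(user: str, directory: Optional[Dict[str, str]]) -> Optional[str]:
    """Simulated directory lookup; a missing directory stands in for an outage."""
    if directory is None:
        raise DirectoryUnavailable("directory unreachable")
    return directory.get(user)


def authorize_fail_open(user: str, action: str, directory: Optional[Dict[str, str]]) -> bool:
    """The weak form: during an outage the gate lets every request through,
    so an attacker who can knock over the directory gets everything."""
    try:
        role = lookup_role(user, directory)
    except DirectoryUnavailable:
        log.error("directory down; allowing %s for %s (fail open)", action, user)
        return True
    return action in PERMISSIONS.get(role or "", set())


class Gateway:
    """A single choke point every request passes through.  It fails securely
    (an outage or an unknown user denies) and counts denials per user so
    repeated refusals can be spotted, which is the 'detect attacks' step."""

    def __init__(self, directory: Optional[Dict[str, str]], alert_after: int = 3):
        self.directory = directory
        self.alert_after = alert_after
        self.denials: Dict[str, int] = {}

    def authorize(self, user: str, action: str) -> bool:
        try:
            role = lookup_role(user, self.directory)
        except DirectoryUnavailable:
            log.error("directory down; denying %s for %s (fail closed)", action, user)
            return self._deny(user, action)
        if role is None or action not in PERMISSIONS.get(role, set()):
            return self._deny(user, action)
        return True

    def _deny(self, user: str, action: str) -> bool:
        self.denials[user] = self.denials.get(user, 0) + 1
        if self.denials[user] >= self.alert_after:
            log.warning("%s denied %d times (latest: %s); possible probing",
                        user, self.denials[user], action)
        return False

    def suspicious_users(self) -> Set[str]:
        """Users whose denial count has reached the alert threshold."""
        return {u for u, n in self.denials.items() if n >= self.alert_after}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    users = {"alice": "admin", "bob": "staff"}   # constructed directory
    print(authorize_fail_open("mallory", "delete", None))   # True: the outage opens the door
    gw = Gateway(None)
    print(gw.authorize("mallory", "delete"))                # False: fail closed
    gw = Gateway(users)
    for _ in range(3):
        gw.authorize("bob", "delete")                       # staff may not delete
    print(gw.suspicious_users())                            # {'bob'}
```

The cost of failing closed is availability: when the directory is down, nobody gets in, which is exactly the trade Schneier describes (the system "should just shut down"). The denial counter is deliberately simple; a real gateway would also record the source address and time so that the detection step feeds the incident handling discussed later in this section.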
You should also read the section in Chpt 24 on Counterattacks
 
Schneier makes the point that a good deterrent to criminal behaviour is the threat of getting caught and punished. One of the things hackers count on is their belief, rightly or wrongly, that they cannot be caught easily, or that they are outside the legal jurisdiction of the entity they are attacking. Schneier recommends that effective counterattacks, through legal means, be taken up as a disincentive to hacking in the future.


Chpt 21: Security Policies

Creating a Security Policy

"The Basic Approach to Developing a Security Policy"

"Providing computer security goes far beyond worrying about hackers and viruses. Most threats to data and resources come from internal users"

To develop a security policy you need to perform the following steps

  • What is "at risk" - determine the resources that you are trying to protect: what is vulnerable, where do you have weaknesses that can be exploited
  • Who are you at risk from - determine from whom you must protect your assets
  • Is the threat imminent, are we really at risk - determine the likelihood of the threats
  • Protect yourself - what measures can be implemented to protect against the risks
  • Review the processes commensurate with changes in the threat environment


Chpt 21: Security Policies

Creating a Security Policy

"The Basic Approach to Developing a Security Policy"

What is at Risk                   How is it at Risk
Web site                          Username and Password
Corporate Intranet                Encryption
Email                             Training
Human Resources data              Hours of Operation, limiting access
Sales Information                 Backups
R&D and Intellectual Property     Restrict Access
Handheld communication            Virus detection
Company databases                 Security Audits
Software Piracy                   Firewalls
E-commerce Operations             Digital Signatures
Video & Voice Conferencing        Call-back Modems for Remote Access
Finance & Accounting Data         Smart Cards

this table comes from page 638 (the right-hand column lists protective measures; the row pairing follows the layout on that page)


Chpt 21: Security Policies

this comes from page 639

Determining who is using each resource and who should be

"As you examine each resource, you must clearly define who can use your system and resources. The policy should explicitly state who is authorized to use what resources in what ways and at what times. Many hacker break-ins occur during off hours. By simply restricting off-hours access you can protect many assets"

It may sound insulting to hard working, loyal employees, but the reason corporate security has grown so much in the past few years is that so many people have been laid off. If you lay off a lot of people, the remaining people have to work harder; they become resentful and frustrated, and also fear being laid off themselves, and an increasing number of people vent their frustration and anxiety by sabotaging the company they work for, because loyalty has been eroded. Corporate security is done by engaging outside firms instead of having internal security which could be compromised by association and familiarity. The security is looking for threats to the company from within; these threats are more troublesome because the damage that can be caused is potentially much greater than from an outsider. One of the ways you limit potential damage from insiders is to restrict inside employees from areas in which they have no business. You also make sure you restrict them from accessing vulnerable resources outside of regular hours.

WTGR
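The "who, what, when" policy statement quoted from page 639, and the off-hours restriction recommended above, can be expressed as a small policy table and a decision function. The following is an added example, not code from the Chpt 21 text or from this course page; the resources, roles, hours and the fixed UTC-5 office timezone are assumptions constructed for it (a real deployment would use the `zoneinfo` module so that daylight saving is handled). The window check also handles the edge case the plain "business hours" rule misses: a night-shift window that wraps past midnight.

```python
from datetime import datetime, time, timedelta, timezone
from typing import Dict, List, Set, Tuple

# The office's local time, fixed at UTC-5 (Eastern Standard Time) for the
# example; a real deployment would use zoneinfo so daylight saving is handled.
OFFICE_TZ = timezone(timedelta(hours=-5), name="EST")

# Constructed policy table: resource -> (roles allowed, window start, window
# end) in office local time.  Equal start and end means "open around the clock".
POLICY: Dict[str, Tuple[Set[str], time, time]] = {
    "hr-database":  ({"hr"}, time(8, 0), time(18, 0)),
    "rd-fileshare": ({"engineering"}, time(7, 0), time(20, 0)),
    "ops-console":  ({"operations"}, time(22, 0), time(6, 0)),   # night shift
    "public-web":   ({"hr", "engineering", "sales", "operations"}, time(0, 0), time(0, 0)),
}


def within_window(local: time, start: time, end: time) -> bool:
    """True if a local time falls inside [start, end), including windows
    that wrap past midnight such as a 22:00 to 06:00 night shift."""
    if start == end:
        return True
    if start < end:
        return start <= local < end
    return local >= start or local < end


def access_allowed(resource: str, role: str, when: datetime) -> bool:
    """Policy decision for one request.  Unknown resources, roles not on the
    list and timestamps without a timezone are refused rather than guessed at."""
    if when.tzinfo is None:
        return False
    entry = POLICY.get(resource)
    if entry is None:
        return False
    roles, start, end = entry
    if role not in roles:
        return False
    local = when.astimezone(OFFICE_TZ).time()
    return within_window(local, start, end)


def audit_requests(requests: List[Tuple[str, str, datetime]]) -> List[Tuple[str, str, bool]]:
    """Run a batch of (resource, role, timestamp) requests and return the
    decisions, as an auditor would when checking an access log."""
    return [(r, role, access_allowed(r, role, ts)) for r, role, ts in requests]


if __name__ == "__main__":
    # Constructed requests; the date is this page's last-edit date.
    sample = [
        ("hr-database", "hr", datetime(2003, 2, 19, 15, 0, tzinfo=OFFICE_TZ)),
        ("hr-database", "hr", datetime(2003, 2, 19, 23, 30, tzinfo=OFFICE_TZ)),
        ("hr-database", "hr", datetime(2003, 2, 19, 20, 0, tzinfo=timezone.utc)),
        ("ops-console", "operations", datetime(2003, 2, 19, 2, 0, tzinfo=OFFICE_TZ)),
        ("ops-console", "operations", datetime(2003, 2, 19, 12, 0, tzinfo=OFFICE_TZ)),
        ("rd-fileshare", "sales", datetime(2003, 2, 19, 10, 0, tzinfo=OFFICE_TZ)),
    ]
    for resource, role, allowed in audit_requests(sample):
        print(f"{resource:13} {role:12} {'ALLOW' if allowed else 'DENY'}")
```

Converting every timestamp to office local time before comparing is what makes the rule hold for remote and dial-in users whose clocks are elsewhere; a request stamped 20:00 UTC is 15:00 in the office and is allowed, while 23:30 local is refused however legitimate the user.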
 

Why You Should Do an IT Security Audit

Financial audits are done for several reasons. One reason is obvious: so you know how much money your organization has made and how much you have spent, and can therefore plan to either make more money or cut expenses.

Security audits operate on the same principle.

  • You need to evaluate your prevention methods, techniques and procedures to determine if there are any weaknesses and, if weaknesses are present, how you further protect your resources at risk.
  • Security audits can also be used to evaluate how effective you have been at security detection, so that if your prevention did not work you know what resources were taken or compromised.
  • Thirdly, security audits can be used to ascertain how well your countermeasures are working at fending off penetrations and at identifying hackers and the damage that might have been caused.

WTGR

How to Do an IT Security Audit
.
"How to Do an IT Security Audit"
By KATHLEEN MELYMUKA , FEBRUARY 03, 2003
. While the following points will give you some guidance, a Security Audit for an enterprise "at risk" should be done by a person who has a genuine understanding of security issues and also the technical competence to evaluate the threats. Such professionals do exist but they usually charge a high fee and many Canadian companies, who usually try to skimp on security costs, will try to do the audit themselves.

WTGR

.
"If you're the IT manager at a small to midsize business, it's only a matter of time until you're asked to do an IT security audit. Even in a larger company, if security is decentralized, you may be the go-to guy in IT. You're neither a security expert nor an auditor, and resources are tight. How will you begin and where will you go from there? First, don't panic. "People sell themselves short," says Jay M. Williams, senior vice president and chief technology officer at The Concours Group, an IT consulting firm in Kingwood, Texas. "For the most part, security is common sense."
.

.
. The following list comes partly from K. Melymuka's Feb 2003 article on  www.computerworld.com and partly from Witiger's own security experience. Witiger has experience with Security Audits.

WTGR

.
  • Join a security research organization or trade association 
    • that provides emails and updates on risk situations and how to handle the risks
    • it also helps if they have courses and training sessions
  • Talk to your staff and ask their opinions about which business functions, property and resources they feel are the most vulnerable to security threats.
  • Risk - proportionate to your industry.
    • in reality, few companies have extremely tight data security requirements. If you're in the nuclear power business, you're right at the top, but if you're in baked goods, nobody's looking to knock off the Keebler elf.
  • Manage executive expectations.
    • Prepare management for the work that will be required of them to assist you ... because they'll need to help correct any faulty policies and practices that are uncovered. 
  • Map it out. Sometimes drawing a diagram with the links and labelling the resources at risk will allow you to make connections, literally, which can be part of a plan to reduce the vulnerability.
  • Consider security tools. There is software that can scan your network and produce a list of areas of exposure. 
  • Prioritize. All vulnerabilities are not created equal.
    • Some fixes are worth the time spent, and some are not. Identify critical information assets by figuring out which could put the company out of business if they were compromised or damaged.
  • Focus on internal controls. 
    • The five basic internal security controls are 
      • authorization, 
      • identification of users and systems, 
      • authentication,
      • integrity (including backups, checks and balances on data) 
      • and monitoring
  • Policies and procedures
    • Check that you have reasonable security policies and procedures in place... then make sure that your company's reality matches what you have on paper. 
  • Put it down on paper. 
    • Document clearly what the vulnerabilities are, and list these against the costs of prevention and detection to determine if the cost of security is greater or less than the cost of the risk.
    • Make sure the document is short and focused, to ensure it is read and understood by the employees and managers involved in implementation.
  • Use a professional
    • Companies with complex security needs may have a legal obligation to protect customer or patient privacy; for them it probably makes sense to contract an IT security firm. An outside firm can perform the audit, establish compliance guidelines and help to create security documentation, or simply validate that you did your risk assessment correctly and haven't missed anything. 
.

Organizational Liability

 

"Organizational Liability and the Need for Counsel."
Chpt 3, page 110
in Principles of Information Security by Michael Whitman and Herbert Mattord
 
. In the following section, we are not "giving legal opinion" - that is something that only qualified lawyers can do. Our purpose is to define some relevant terms and introduce the reader to a vulnerability that must be considered. If that vulnerability turns into a "situation", the company could be in serious trouble if no contingency was considered.

WTGR

.
These are the terms we will deal with:
  • Liability
  • Restitution
  • Due Care
  • Due Diligence
  • Jurisdiction
"Liability is the legal obligation of an entity. Liability extends beyond a legal obligation or contract; it includes liability for a wrongful act and the legal obligation to make restitution or compensation for the wrong".

"The bottom line is that if an employee, acting without authorization of the organization, performs an illegal or unethical act, causing some degree of harm, the organization can be held financially liable for action. An organization increases its liability if it refuses to take strong measures [to prevent harm caused] known as due care. Due care is honoured when an organization makes sure that every employee knows what is acceptable or not acceptable behaviour, and knows the consequences of illegal or unethical actions. Due diligence requires that the organization make a valid effort to protect others and continually maintain this level of effort."

"With the global impact of the Internet, those who could be potentially injured or wronged by an organization's members could be anywhere. Under the U.S. legal system [and in Canada too] any court can impose its authority over an individual or organization if it can establish jurisdiction - jurisdiction being the court's right to hear a case in its court if the wrong was committed in its territory or involving its citizenry."

...

After the Attack
"Cracking cybercrime 
Don't touch electronic evidence until you call in the cops or a cyberforensics expert."

is the title of an October 1998 article in Network World written by Deborah Radcliff 
 http://www.infowar.com/LAW/law_110298a_j.shtml

"Thou shalt not bungle computer evidence intended for a court of law"
 

. This is a rather old article, by internet timeline standards, but the message is just as relevant and you are encouraged to read the original online version. We have made some summary points below.
.
"Crimes committed via computer leave distinct evidence trails. If you so much as access, download or open suspect files, you could taint the evidence and render it inadmissible. That type of activity alters backup files and system logs and overwrites date and time stamps... Draft a contingency plan for when cybercrime strikes and take the proactive measures ... regularly print and save log files from critical servers. Establish a tamper-proof backup system to capture activity and audit trails."
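The advice above to save log files from critical servers and keep a tamper-proof record of audit trails can be put into practice with a small evidence-preservation routine. The following is an added example written for this page, not code from the article or the course; it assumes the logs are copied to a separate evidence directory and that a manifest of SHA-256 hashes, sizes and original timestamps is kept so that any later change to a copy can be detected while the originals are left untouched.

```python
import hashlib
import json
import os
import shutil
import tempfile

def sha256_file(path):
    """Hash in chunks so large server logs never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(log_paths, evidence_dir):
    """Copy each log into evidence_dir keeping its original mtime, make the copy
    read-only and record name, size, mtime and SHA-256 in MANIFEST.json."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in log_paths:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)   # copy2 preserves the source's timestamps
        os.chmod(dst, 0o444)     # read-only copy; the original is never edited
        entries.append({"name": os.path.basename(src), "size": os.path.getsize(dst),
                        "mtime": os.path.getmtime(src), "sha256": sha256_file(dst)})
    manifest = os.path.join(evidence_dir, "MANIFEST.json")
    with open(manifest, "w") as f:
        json.dump(entries, f, indent=2)
    return manifest

def verify_evidence(manifest):
    """Re-hash every preserved copy; return the names whose hash changed."""
    with open(manifest) as f:
        entries = json.load(f)
    d = os.path.dirname(manifest)
    return [e["name"] for e in entries
            if sha256_file(os.path.join(d, e["name"])) != e["sha256"]]

def demo():
    """Constructed sample: preserve one log, then tamper with the copy."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "auth.log")
    with open(log, "w") as f:   # constructed log line, not a real event
        f.write("Feb 19 02:14:07 srv sshd[812]: Failed password for admin from 192.0.2.7\n")
    manifest = preserve_logs([log], os.path.join(work, "evidence"))
    before = verify_evidence(manifest)           # [] : copy matches manifest
    copy = os.path.join(work, "evidence", "auth.log")
    os.chmod(copy, 0o644)
    with open(copy, "a") as f:
        f.write("edited\n")
    return before, verify_evidence(manifest)     # ([], ['auth.log'])
```

In practice the manifest itself should be stored (or printed, as the article suggests) somewhere the suspect system cannot reach, since a hash list kept beside the copies proves nothing if both can be rewritten together.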

FYI, the SANS Institute offers training and courses on "Incident Handling and Hacker Exploits"

Some of the courses are given at conferences, others are online.

..
.
QUIZ online for the preceding material

1. If asked to describe "from where threats come", could you answer with a list categorizing adversaries in five ways?
2. If you were challenged to give a specific example of how a hacker penetrated a system, could you provide one? Sometimes people know threats are a problem, but they have an easier time believing it if you can provide a real example.
3. Could you explain to a non-IT person what a tiger team is and why you might need to use one?
4. Would you be able to speak about at least 5 of the Principles of the Security Process which are presented by Schneier?