Intercepted files and compromised data are among the many risks facing a business with unsecured systems and technology.

So there you are, in your office, connected to the world by an Ethernet cable or a wireless connection. Your local network and all the Internet has to offer is right there, just for you. Somewhere on that network there is something called a firewall and a VPN, anti-virus and anti-spyware programs, and perhaps even an intrusion detection/prevention system (IDS/IPS). Security? "Hey, I'm fine. Who's going to get through all this stuff?" you regularly tell yourself. "I mean, really, who's even going to know I'm here? Hackers usually go after the 'big guys,' all those name-brand companies, right?"
But for a financial advisor holding the purse strings to many sensitive pieces of client information, including addresses and Social Security numbers, banking and trust accounts, securities and other investments, the confidentiality and integrity of that information is crucial. The size of the firm doesn't matter. These days, any business can be compromised by hacking programs scouring the Internet for weak systems, and that system could be yours or your clients'.
Cyber-reality
The 2006 Internet Crime Report (www.ic3.gov/media/annualreport/2006_IC3Report.pdf), prepared by the FBI and the National White Collar Crime Center, states that the total dollar loss from "referred cases of fraud" was $198.44 million, up from $183.12 million in 2005. Keep in mind, though, that their research shows only one in seven incidents of fraud is ever brought to the attention of law enforcement or regulatory agencies. In other words, actual losses are much larger.
Cyber crime, one of the components researched for the report, shows that while complaints were down slightly between 2005 and 2006, the dollar amount stolen went up. So, even with all the security systems such as firewalls, VPNs, encryption and anti-virus software, cyber crime continues to become a more lucrative industry. 2007 began with a record-setting number of data breaches. TJX, the parent company of store chains TJ Maxx, Marshalls, Bob's Stores and others, revealed that it had lost 45.7 million data records in just one attack, and the perpetrators may have had unauthorized access to the company's systems for as long as a year and a half before the penetration was noticed. TJX had firewalls, encryption and other security systems in place during the attack.
During the summer of 2007 alone, my firm, Razorpoint Security Technologies, witnessed a number of large organizations (with hundreds of millions to billions of dollars in annual revenue) with very little or no security, despite ubiquitous firewalls and VPNs. In one case, we discovered two major holes in less than 60 seconds. Seemingly every day there are reports in the news of cyber crime and compromised security. I offer this as a timely reminder of how far security still is from where it needs to be. It is truly mind-boggling how in 2007, with all that has happened in the security arena to date, people still have no idea what security is or should be. Consider that every year sales of security products increase, and every year cyber crime losses increase. We must stop relying solely on security buzzwords to protect our businesses!
What Security Isn't
Security is not IT. The reality is that security is separate from IT (information technology). Because cyber security touches technology, companies mistakenly lump these duties into what are usually overworked and undertrained IT departments. The people installing your Windows updates, fixing printer jams and getting your e-mail to work are not necessarily skilled and experienced in effective security countermeasures. It requires a different mindset and different training. Some firms divide their IT and security departments only after learning this the hard way. What's dangerous in having them merged is that the IT staff often sees security as just another line item along with resetting forgotten passwords, finding out why your e-mail isn't getting to your BlackBerry and ordering backup tapes. Particularly at companies where technology isn't a core competency (such as law firms, health-care companies, family offices and manufacturing concerns), the IT staff is often a single individual. An outside consultant may be tapped from time to time for specific, more complex tasks, but rarely are there dedicated security resources.
With physical security, business executives and celebrities hire bodyguards with a certain level of training and experience for personal protection. Rarely, if ever, do you hear such a security professional tout the fact that he or she just purchased a new type of firearm or pepper spray. This is because it doesn't matter; it's the experience you're seeking and not the gadgets. Don't get caught fumbling around in the security products game. It is trained, experienced personnel that make the difference.
Compliance is not security. Another thing facing businesses is compliance. Entire industries have sprouted up just to help companies remain in compliance with legislation and standards such as the Sarbanes-Oxley Act, SAS 70 (the Statement on Auditing Standards No. 70), HIPAA (the Health Insurance Portability and Accountability Act) and PCI DSS (the Payment Card Industry Data Security Standard). However, businesses have mistaken the security jargon laced through each of these compliance standards for actual security. My firm regularly performs security assessments for companies requiring one or more of these compliance certifications. Though the companies have met their compliance criteria, we frequently find that their data can still be attacked. You can be compliant and yet still be completely insecure.
We recently performed a security assessment on a retail/e-commerce firm with damning results. The company is a known brand and grosses more than $2 million per day through its e-commerce site alone. Because of the types of transactions it performs, it is required to remain "PCI compliant." Over the past 12 months the company has aligned its business practices to remain within the PCI compliance guidelines, and thus it feels reasonably confident about its security. However, one of the directors believed a targeted security assessment was still required to put his mind at ease. As a known retailer, it sees buyers generate tens of thousands of transactions on its systems every day as they seek the hottest products. Just two days into our two-week security assessment, we uncovered what could have been devastating holes in these systems. While we believed from our review that no one had compromised their systems, with a little time and effort most if not all of its customer data (names, addresses, credit card numbers, debit card accounts, etc.) could have been in the hands of cyber thieves. Shocked, the clients now fully understood that being "compliant" did not mean they were secure.
We're Not a Target
Along with the security myths about firewalls, VPNs, etc. comes a myth that small businesses are immune from attack. All too often we'll hear, "Well, we're not a target. We're not a big bank or anything. Who's heard of us?" The reality is that 80% of all attacks are now automated. Carefully crafted robot programs (aka "bots") continuously roam the Internet looking for vulnerable systems. These bots do not follow Dun & Bradstreet reports as they hunt, and they don't care what your market cap is. All they need is to find a vulnerable system, and then they dive in. Bots are agents that serve to make cyber criminals' networks stronger. It is from these infiltrated systems that criminals can launch lucrative attacks while cloaking their identities. Large numbers of bot-infested systems working together in concert are referred to as "bot networks" or "botnets." Anyone who has ever received a spam e-mail can thank a botnet.
In addition to building botnets, attackers break into medium-sized and small businesses, and even individual home computers, for other reasons. Some of these are:
- Ransomware: This means they steal your files and then sell them back to you, or the criminals encrypt the files on your systems and then sell you the key to decrypt them.
- DoS (Denial of Service): The attackers send traffic to your systems (file servers, mail servers, Web servers, etc.), making them so busy they can no longer perform their intended functions. A payoff makes them stop. And yes, people do pay.
- Identity Mining: This is when attackers steal identities from your systems, maybe yours or maybe those of your employees. It takes just one successful theft for an attacker to commit a crime while cloaking his or her own identity.
- Money Theft and Laundering: Patient criminals can use compromised systems to transfer funds using your business credentials, or even use your accounts to launder money.
- Botnets and Stealth Attacks: As mentioned previously, your systems could be woven into a network of other compromised systems for the purpose of launching attacks against other businesses and individuals. When connections are traced by law enforcement, the trail leads to you, not the cyber criminal.
- Domain Hijacking and Man-In-The-Middle Attacks: Without ever touching your network, attackers can exploit DNS (domain name system) servers or domain registrars to reroute traffic meant for your business. The attackers can proxy all of your business's Internet traffic through their servers. Your business appears to be functioning normally, but in reality the attackers are monitoring all transmissions. This can include information that is encrypted with SSL/HTTPS: an attacker who controls your domain's DNS or registrar account can obtain a valid certificate for that domain name, so the proxied connections need not trigger any browser warning.
Thinking Security
It should be noted that any recommendations regarding security should be implemented as part of a cohesive, well-established policy and process. Merely making a technology purchase or clicking a check box does not by itself make for anything resembling effective security.
Some recommendations for configuring and maintaining effective security:
- Control: End users should not be allowed to run or install unauthorized programs. An "authorized list" of software should be created and maintained for everything from laptops to servers. A seemingly difficult task, but I can assure you, from five-person companies to Fortune 100 corporations, those who can successfully implement this company policy will not have a security breach; they will only read about somebody else's misfortune in the paper.
- Encryption: Encrypt data by default. Whether at the hard-disk level, on the server or in a shared folder, data should be encrypted with little or no user intervention. One of the biggest reasons for data leaks is stolen laptops with unencrypted hard drives. Keep in mind that disk encryption protects a machine that is powered off or locked; it does not protect data on a running, logged-in system that an attacker or malware has already reached.
- Firewalls: Ensure you have a strict rule base in your firewall that blocks unnecessary traffic coming in as well as going out. Remember, hackers know people have firewalls, yet cyber crime continues to increase, in part because many attacks simply travel over the ports a firewall must leave open (Web and e-mail, for instance) or originate from an already infected machine inside the network. Monitor your firewall logs regularly as well; outbound connections to unexpected destinations are often the first visible sign of an infected host.
- Passwords: Bad passwords are still the bane of the security industry. Countless systems have been breached simply because a password was correctly guessed. Choosing a "strong password" (long, not built from a dictionary word or a predictable variation of one, and not reused across systems) can prevent someone from guessing it, and it makes it far more difficult for a hacker to "crack" it using specialized software. A complimentary white paper on password best practices is available at www.razorpoint.com.
- Software Updates: A large number of security holes can be patched simply by installing vendor software updates. Updates are released regularly for operating systems, servers, routers, switches, cell phones, PDAs, etc. Remaining current on patches helps keep systems secure, and many systems allow this process to be automated.
- Wireless: Most of what you've probably heard about wireless security (or insecurity) is true. While technologies such as Bluetooth and Wi-Fi are very useful, they can also be wireless beacons of disaster. First, leave Bluetooth disabled when it's not in use. Similarly, an 802.11 wireless card only needs to be active when in use. When you are using a wireless network, ensure that its security features are always enabled, and choose them carefully: WEP (wired equivalent privacy) can be cracked in a matter of minutes and should not be used at all, and WPA (Wi-Fi protected access) with a short or dictionary-word pre-shared key can be broken offline by guessing. The TJX breach described earlier reportedly began over a store wireless network protected only by WEP. Use WPA2 with a long, random passphrase, and for sensitive traffic add a third-party VPN or encryption tool on top so that the wireless link is not your only line of defense.
- Awareness: From the CEO to the receptionist, everyone is responsible for security. Awareness is probably the most cost-effective security measure there is. Ensure that everyone in the company is working with your security policy in mind. A simple addendum to an employment agreement and regular company reviews help considerably when you're trying to keep security on people's minds.
- Regular Security Assessments: Regardless of the size of the organization, a regular security review is the most comprehensive way of determining whether systems are vulnerable or, even worse, have already been compromised. Security assessments, or "penetration tests," review your systems from the point of view of someone looking to do you harm, rather than from a checklist. This is truly the best way of knowing whether your security initiatives are working.
Not A Product
"Security is a process, not a product" is a famous adage in the security industry. It is very true. While there are numerous products to buy out there, none are effective in preventing an attack if there is no thought process behind their use.
The security questions that should be asked are: What assets are we trying to protect? Who needs access to those assets, and for what reasons? Where do we need security? Where could we be vulnerable? What type of security do we need? How will this security be maintained and monitored?
This is how to begin a security thought process, which should be reviewed and updated regularly. Buying a "Firewall/VPN combo" appliance online is not where you start.

Gary Morse, a 27-year veteran of the security and technology industries, is the president and founder of Razorpoint Security Technologies Inc. in New York. More information is available at www.razorpoint.com.