Chapter 1: Why do I Need Security?

Page 1 of 16

Chapter 1: Why do I Need Security?

Introduction
The need for security has existed since the introduction of the first computer. The paradigm has shifted in recent years, though, from terminal server mainframe systems, to client/server systems, to the widely distributed Internet. Although security is important, it has not always been critical to a company's success. With a mainframe system, you were mainly protecting your systems from resource abuse either authorized users hogging resources or unauthorized users gaining access and using spare resources. Such abuse was damaging because system resources were costly in the early days of mainframes. As technology developed and the cost of system resources decreased, this issue became less important. Remote access to systems outside a company's network was almost nonexistent. Additionally, only the underground community had the knowledge and tools necessary to compromise a mainframe system. The development of client/server technology led to a myriad of new security problems. Processor utilization was not a priority, but access to networks, systems, and files grew in importance. Access control became a priority as sensitive information, such as human resources and payroll, was being stored on public file servers. Companies did not want this type of data to be public knowledge, even to their employees, so new technologies such as granular access control, single sign-on, and data encryption were developed. As always, methods of circumventing and exploiting these new applications and security products quickly arose. Windows NT and UNIX became the operating systems of choice during this period. During the client/server era, access into the corporate network was usually limited to a few dial-up accounts. This did open some security holes, but the risk to these accounts could be easily mitigated with procedures such as dial-back and access lists. Branch offices communicated with one another over dedicated leased lines. Then came the Internet the open access worldwide network and everything changed. Soon, the Internet was everywhere. The growth of e-mail and the World Wide Web soon led companies to provide Internet access to their employees. It wasn't long before developing an e-business initiative for your company was critical in order to stay competitive in the new marketplace. With the increased use of the Internet, information, including security information, became accessible to the masses. Because the Internet is a public network, anyone on the Net can "see" any other system on it. In the beginning, this was not a huge issue because sensitive information was not easily accessible, but, as use of the Internet grew, companies began allowing increased access to information and networks over the Internet. This approach is great for business, but also very inviting to attackers. According to alldas (http://www.alldas.org), an organization that tracks Web-site defacements, 1111 sites were defaced in May 2002 and 1126 sites in April 2002. On June 1, 2002, a total of 28 sites were listed, with another 32 showing up on June 2. As of June 25, 2002, some 58 percent of the defacements recorded by alldas.org have occurred on Microsoft Windows systems and 22 percent on Linux. The remaining 20 percent includes Sun Solaris, Novell NetWare, and open-source systems such as FreeBSD and OpenBSD. You can find the details at http://defaced.alldas.org/?archives=os. Although Web-site defacement is annoying, some people do not view it as a true security breach. Remember this, though: When an attacker has the means to modify your Web site, it is usually a trivial process to gain control of your entire network (unless, of course, you have taken these types of attacks into account when developing your security infrastructure). The Computer Security Institute (http://www.gocsi.com) in San Francisco releases an annual study called the Computer Crime and Security Survey (see Exhibit 1). Highlights of the 2002 survey include the following:

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security?

Page 2 of 16

Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months. Seventy percent reported a variety of serious computer security breaches other than the most common ones of computer viruses, laptop theft, or employee "Net abuse" for example, theft of proprietary information, financial fraud, system penetration from outsiders, denial-of-service attacks, and sabotage of data or networks. Eighty percent acknowledged financial losses due to computer breaches. Forty-four percent were willing and/or able to quantify their financial losses. The losses from these 223 respondents totaled $455,848,000. As in previous years, the most serious financial losses of 2002 occurred through theft of proprietary information (26 respondents reported $170,827,000) and financial fraud (25 respondents reported $115,753,000). For the fifth year in a row, more respondents (74 percent) cited their Internet connection as a frequent point of attack than those who cited their internal systems as a frequent point of attack (33 percent). Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16 percent acknowledged reporting intrusions to law enforcement.) Exhibit 1: Computer Security Institute Figures Showing Business Financial Loss Due to Computer Attacks Total Annual Losses ($ millions) 1997 1998 1999 2000 Theft of proprietary information 20,048,000 33,545,000 42,496,000 66,708,000 Sabotage of data or networks 4,285,850 2,142,000 4,421,000 27,148,000 Telecom eavesdropping 1,181,000 562,000 765,000 991,200 System penetration by outsider 2,911,700 1,637,000 2,885,000 7,104,000 Insider abuse of Net access 1,006,750 3,720,000 7,576,000 27,984,740 Financial fraud 24,892,000 11,239,000 39,706,000 55,996,000 Denial of service n/a 2,787,000 3,255,000 8,247,500 Spoofing 512,000 n/a n/a n/a Virus 12,498,150 7,874,000 5,274,000 29,171,700 Unauthorized insider access 3,991,605 5,056,500 3,567,000 22,554,500 Telecom fraud 22,660,300 17,256,000 773,000 4,028,000 Active wiretapping n/a 245,000 20,000 5,000,000 Laptop theft 6,132,200 5,250,000 13,038,000 10,404,300 Note: n/a = not available. Attack

The survey information can be found at http://www.gocsi.com. You can also request a copy of the full report at this direct link: http://www.gocsi.com/forms/fbi/pdf.jhtml. The growth of e-business has made security a must-have for many companies. IDC, a leader in technology research, predicts that the market for security products will grow to $14 billion by 2005, more than doubling its current size, estimated at $5.1 billion. Even though businesses are spending billions of dollars on security products, they are not all implementing them well. A misconfigured security solution is almost as bad as not having one at all. Additionally, many companies completely ignore the most important aspects of security people and processes.

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security? FOR MORE INFORMATION If you'd like to know more, here are two sources:

Page 3 of 16

Secrets & Lies: Digital Security in a Networked World, by Bruce Schneier, renowned cryptographer and security expert. Published by John Wiley & Sons, this book discusses, in a very readable, nontechnical way, the security issues we face in today's business environment. http://www.securitystats.com/ A Web site devoted to computer security statistics.

The Importance of an Effective Security Infrastructure

Security is critical in today's business environment. In addition to protecting hard assets such as servers, workstations, network components, and data, you need to protect the intangible assets of your company. Security breaches can have a profound effect on a company's reputation, branding, and general corporate image. With e-business, securing these intangible assets is critical and may be more important than protecting physical assets. You can replace and rebuild physical assets, but it is difficult, if not impossible, to rebuild a brand and corporate image. For example, the compromise of Egghead.com's systems and customer database in December 1999 might have jeopardized 3.7 million credit cards. Egghead did not respond well, neither confirming nor denying the compromise of customer credit card numbers. Customers were vocal, though, expressing concerns about the company's storage of credit card numbers on unsecured servers and claiming that they would never shop at Egghead again. If these customers had all followed through with their claims, Egghead might have suffered financially from an issue that easily could have been avoided with security vigilance. Protecting your physical assets can also provide some protection for your intangible assets, but risks still exist. What happens if a disgruntled employee sends off a rogue press release claiming that your network was attacked and that customer information was compromised? The highest levels of security on your physical assets would not protect you from this type of assault, which Bruce Schneier calls a semantic attack. Even though security is important and many technologies are being developed to help with the process of securing systems, security and its underlying technology should never overshadow the business reason for implementing security. You never want to spend more money on a security solution than the cost of what you are protecting. For example, if you calculate that the cost to replace compromised data is $200,000, you do not want to spend $1 million on a system to protect that data.

People, Process, and Technology

Security is not a single solution. Security is a pervasive, ongoing process of reviewing and revising based on changes to the business and corporate environment. It is the culmination of interaction between people, process, and technology. Schneier suggests this mantra: "Security is a process, not a product." This statement reflects how every company should approach security. Security products are only one piece of the puzzle, and implementing those products is not a one-step process. As the corporate environment changes, these products should be analyzed and reconfigured. file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm 04-Dec-07

Chapter 1: Why do I Need Security?

Page 4 of 16

Overall, security is not something you can "get." There are no out-of-the-box, plug-and-play solutions that provide you with an adequate security infrastructure. Building an effective security infrastructure requires analysis and planning along with the development of policies and procedures and a little help from security products. Policies form the foundation of your security infrastructure. (Chapter 3, "Security Policies and Procedures," discusses this topic in detail.) Policies define how a company approaches security, how employees should handle security, and how certain situations will be addressed. Without strong policies implemented in the company and reviewed on a regular basis, you do not have a security infrastructure. You might have a few security products installed, but you do not have an infrastructure because you do not have the foundation to build on. People are the next most important security component. Often, people are the weakest link in any security infrastructure. Most corporate security relies on the password a user chooses. If the user chooses his or her first name as the password, the time, energy, and money spent evaluating, purchasing, and implementing security solutions go out the window. Educating users on security awareness, and rewarding them when they follow your procedures, is a great way to build a security-conscious environment. Surprisingly, technology is the least important component of a security infrastructure. All technology does is provide you with the means to implement your policies. I am not saying that technology is not important, but it is less important than strong policies and security-conscious employees. Security must be pervasive. Every aspect of a company should be security conscious. Employees need to understand the importance of security and the role they play in maintaining an effective security infrastructure. Programmers should know how to code securely and recognize that the quickest way is not always the best or most secure way. Management should realize that security is critical to the success of the company and set an example for all employees to follow regarding security consciousness.

What are You Protecting Against?

Before beginning the process of building a security infrastructure, you need to know what you are protecting against. By understanding the types of attacks you face as well as who is carrying them out, you can better protect yourself. Design your security infrastructure to protect your system from the attacks it is most prone to receive. For example, if your company runs a high-profile Web site, you will most likely face denial-of-service attacks or attempts to deface the site. If you have sensitive corporate data, you may face corporate espionage, with a competitor trying to discover your "secrets."

Types of Attacks
What dangers are lurking on the Internet that you need to worry about? I have broken the attacks into three categories: denial of service (DoS), intrusion, and information theft.

Denial of Service (DoS)

A denial of service (DoS) is one aimed at depriving an organization of a resource it expects to be able to use.

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security?

Page 5 of 16

In today's world, DoS attacks are those that prevent you from using your computing resources, whether it be your mail server, Web server, or database server. DoS attacks are usually intentional, malicious attacks against a specific system or network. The attacker might have a personal grudge against the company or might just want to target a high-profile organization. The distributed DoS attacks against Amazon.com and CNN.com in February 2000 are the best example of this type of attack. Distributed denial-of-service attacks use a group of computers in different locations, often unknown to those systems' owners, to launch an attack against a specific target (see Exhibit 2). Exhibit 2: The Attack on CNN.com. At 4:00 P.M. PST on February 8, 2000, CNN.com users began experiencing connection problems with the site. The situation deteriorated rapidly over the next hour and a half. What was causing this problem? A coordinated attack was being launched against the site, sending millions of junk packets to the network and overloading it. The perpetrators had infiltrated hundreds, if not thousands, of systems on the Internet. Unknown to the systems' owners, these systems were zombies, waiting for a signal from the central server to attack. With the click of a button, one person managed to bring down one of the biggest sites on the Internet. CNN was not prepared for such an attack. As a result, it along with many other companies on the Internet implemented filters and other technological solutions to help detect and defend against future attacks.

Most often, DoS attacks are caused by flooding sending more data or Transmission Control Protocol/Internet Protocol (TCP/IP) packets to a resource than it can handle. One of the earliest DoS attacks was the 1988 Morris worm that brought down the Internet. An error in a piece of code developed by Robert Morris caused the code to replicate itself so fast that it consumed almost all system resources and spread to other computers on the Internet. Flooding attacks are easy to carry out, especially because programs such as Trinoo and Tribe Flood Network are freely available on the Internet. These programs allow you to create a DoS attack against a specific target. They are also key in carrying out distributed denial-of-service attacks. Other types of DoS include locking an account after a set number of failed login attempts or causing a system to reboot. An attacker might attempt, incorrectly, to log in to a user account. When the attacker has reached the failed login attempts limit (usually three), the system is unavailable for the real user until either the administrator resets the account or the set amount of time passes and the account resets itself. Because the legitimate account owner cannot log in to the system, the attacker has created a DoS. Other methods exist that allow an attacker to shut down or reboot a server, making it unavailable for use. DoS attacks also can be caused accidentally. Misconfigurations or inappropriate network use can result in unavailable resources. The use of streaming media and peer-to-peer technology such as KaZaA and Morpheus can cause a DoS, overloading network traffic to the point that legitimate business transactions cannot be processed. The Blaster and Welchia worms also created DoS attacks by consuming network bandwidth. Many methods exist to launch DoS attacks, and more are discovered every day as applications are analyzed for security weaknesses. The main types of exploits include buffer overflows, SYN attacks, and teardrop attacks. DoS attacks will be covered in more detail in Chapter 8, "Network Management and Device Security." Buffer Overflows Buffer overflows are the most common type of DoS attacks. Here, an attacker sends more data than the application's buffer can hold. When the amount of data exceeds the buffer size, the extra data overflows onto

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security?

Page 6 of 16

the stack, often causing the application or entire system to crash. In some cases, the data can be carefully crafted to include machine code that will execute when it overflows onto the stack. One of the best examples of a buffer overflow DoS is the "Ping of Death" attack. An attacker sends an oversized Internet Control Message Protocol (ICMP) packet to a system. The target system receives the oversized packet, cannot handle it, and crashes. SYN Attack A SYN attack, also known as a SYN flood, takes advantage of the TCP implementation. When a connection request is sent to a system, the packet contains a SYN field that represents an initial communication request. The receiving system responds with a SYN/ACK, holding the SYN packet in memory until it receives final confirmation, or ACK (Acknowledgment), from the initiating system. Communication between the two systems can then begin. Sending a large number of SYN packets with no corresponding ACK causes the receiving system to hold these packets in memory, making it difficult for legitimate requests to go through. Exhibit 3 shows the TCP SYN/ACK communication pattern. Exhibit 3: Attackers can manipulate the TCP connection process and create a denial of service by sending large amounts of SYN packets without the corresponding ACK packet. 1. A ----------------SYN-----------------> B 2. A <---------------SYN/ACK-------------- B 3. A ----------------ACK-----------------> B

Teardrop Attack The teardrop attack exploits the IP implementation. When a packet is too large for a router to handle, it is broken into smaller packets called fragments. In order for the fragments to be reassembled when they arrive at the packet's destination, the fragment packets contain an offset value to the first packet. An attacker can put a confusing offset value in the second or later fragment packet. This incorrect value causes the receiving system to crash when it tries to reassemble the packet. The best DoS attack, of course, is to simply cut a wire. This is known as a physical denial-of-service or infrastructure denial-of-service attack.

Intrusion Attacks
Intrusion attacks, the most common type you will face, allow attackers to gain access to your systems and use your resources. Some attackers want to gain access for fun and bragging rights, whereas others want to use your systems to launch more attacks against unsuspecting targets. Numerous methods exist to gain access to a system. Social engineering preying on the weakest factor in any security infrastructure, the human is one of the most successful methods. From pretending to be a help-desk worker and asking users to change their passwords, to dressing up as the copy machine repair technician to gain physical access to a building, social engineering is effective in gaining access to an organization's systems. Other methods include trying to guess username and password combinations and using exploits in operating systems and applications to gain access to systems. Some common exploits include buffer overflows, discussed earlier in the DoS section, Windows exploits, and Web server application exploits.

Information Theft Attacks

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm 04-Dec-07

Chapter 1: Why do I Need Security?

Page 7 of 16

Information theft attacks allow an attacker to steal data from a target. These attacks do not always require that the attacker gain access to the target's systems. Most information theft attacks rely on misconfigured systems that give out more information than they should. Using Telnet to connect to port 80 on a target system will most likely tell you what Web server is running on that system. With this knowledge, an attacker can research known exploits and vulnerabilities for that specific server and then target attacks. Information theft attacks are often the first step in an intrusion attack. The most popular tool for information theft attacks is the network sniffer. With a sniffer, an attacker monitors traffic on a network, usually looking for username-password combinations. The use of sniffers is known as a passive attack because the sniffer's snooping does not require any action on the part of the attacker. Active attacks, on the other hand, do require action. Examples of active attacks are "dumpster diving" or calling up an individual at a target company and asking for information. Dumpster diving refers to the process of digging through someone's trash to find information about that person or his or her habits. Hackers and corporate spies use this technique, with much success, to find information on usernames, passwords, network design, and so on. FOR MORE INFORMATION The Hacker's Handbook: The Strategy behind Breaking into and Defending Networks by Susan Young and Dave Aitel is the book to buy for detailed information on the types of attacks you will face.

Types of Attackers
Now that you know a little about the types of attacks that you are trying to protect your organization from, you need to understand the motivation of your attackers. Some attack systems for fun, whereas others have malicious intent. Some attackers are extremely knowledgeable, whereas some just run scripts written by others.

Hackers
The term hacker is currently synonymous with malicious intent when breaking into a system. This is not the true definition of a hacker, nor does it reflect their intent. Propagated by the news media, the term hacker has come to describe someone who illegally gains access to a system to steal information or money. The original definition of hacker is someone who is knowledgeable and curious about computers. In fact, Dictionary.com defines a hacker as "One who is proficient at using or programming a computer; a computer buff." Hackers like to know how things work. They break into systems to see whether they can; they believe there is no system on Earth they cannot break into. Their intent is not malicious; they do not want to steal proprietary information or cause the company to lose money. They merely want to see whether holes exist. Hackers are hard to catch because they cover their tracks so well. Hackers often will work with a company to fix the security holes they find.

Crackers
Crackers are hackers with malicious intent. When the news media refers to hackers, they are actually referring to crackers. Crackers often make their attacks personal, defacing Web sites, creating DoS attacks, and corrupting data belonging to companies they do not like for whatever reason. Cracking is often referred to as "hacktivism" because defaced Web sites often include the political rants of the attacker.

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security?

Page 8 of 16

Crackers are dangerous and often hard to catch because, like hackers, they hide their tracks very well.

Script Kiddies
Script kiddies are a recent phenomenon. With the increased use and availability of the Internet, the information and exploits once relegated to the hacker underground are now available to everyone. Script kiddies are generally young males with not much knowledge but with a lot of time on their hands. Their lack of knowledge makes them the most dangerous because they blindly run scripts against targets without understanding their full impact. Script kiddies are usually noisy bragging about their attacks in newsgroups and easy to catch. This is the most common attacker you come across from the outside world.

Malicious Insiders
The biggest threat to your company's security comes not from the outside but from the inside. Disgruntled employees are a major threat because they have so much knowledge and access to company information and resources. Most companies overlook this category of attackers until they are affected by some incident. I consulted for one company that had to fire a contract programmer. The programmer saw the dismissal coming and, before he left, deleted all the production code that he had written for the company. The time, money, and effort to replace the deleted code cost much more than it would have to implement proper security policies and procedures. The best advice I can give you is to not overlook this category of threat. A fine line exists between the trust you must give your employees to allow them to perform the duties required by their jobs and the distrust inherent in a security-conscious environment. Finding that line is difficult but beneficial. Keeping employees informed, educated, and involved is the best way to prevent these attacks. Strong policies don't hurt, either.

Industrial Espionage
Industrial espionage is a rapidly growing Internet business. Companies will hire attackers to break into competitors' systems to gain information on new product releases, financial standing, contracts, and so on. Some attackers will break into a system, steal critical data such as a proposal for a new real estate development, and sell it to the highest bidder. These attackers are highly skilled and well paid, so they are difficult to catch. The best defense against all these attackers is to implement a well-planned, effective security infrastructure. By the end of this book, you will be able to achieve that goal.

Security as a Competitive Advantage

Believe it or not, security is not the necessary evil most people make it seem. In fact, security has gotten a pretty bad rap in the past. A properly implemented security infrastructure can become a competitive advantage, providing protection to corporate assets that set the company apart from its competitors. Think of it this way if you and your main competitor are looking to launch e-business initiatives, the company with the stronger security infrastructure will be more successful. Why? First, the company with the weaker security infrastructure might be more reluctant to launch e-business projects because it is concerned with security and does not know how to adequately protect itself. Second, and more commonly, the weaker company will completely ignore the security aspect of online business and then wonder why it suffered a successful attack against its systems. This inattention could lead file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm 04-Dec-07

Chapter 1: Why do I Need Security?

Page 9 of 16

to the compromise of critical sensitive data maybe customer credit cards or business bank account numbers and the subsequent loss of customers. The company with the stronger security environment can more safely launch an online business initiative, knowing that its corporate security infrastructure is strong enough to protect it. If its systems do happen to be compromised, the business has a response plan in place to minimize the damage. Ideally, you want to develop your online business initiative with security in mind from the beginning. It is easier and cheaper to implement a security infrastructure in the early stages of a project than after the fact. This book will show you how to build a strong infrastructure and give you that competitive advantage.

Choosing a Solution
When developing a security infrastructure, you must make several key choices at the beginning to define the approach you will take. These are almost religious arguments to some, with zealots on both sides of the fence. I cannot recommend a specific decision because each environment is unique, but I can give you the best information to help in your decision-making process. Whatever you decide, just make sure it is the right decision for your company.

Buy vs. Build

The oldest of all information technology (IT) decisions, buy versus build, has caused some heated arguments in many companies. The decision is no different in the security world. Generally, this decision is made on a solution-by-solution basis. Do you want to buy or build a firewall? What about an intrusiondetection system (IDS)? With today's shortage of security professionals, buying will be the most likely choice. Some companies, though, have special needs that can be met only by a custom-built system. Others have the knowledge and resources in-house that allow them to build the solutions they need. I recommend performing a thorough analysis of all current market products to see whether any of them fit the needs of your company. If none of them contains the needed features and functionality, building is the way to go, provided you have the required knowledge and resources, or at least the means to pay for them. If you can find a product that fits your needs, compare the cost of buying the product to the cost of building your own. Some people are not comfortable using commercial software for security solutions because they do not like relying on an unknown third party for such a critical component of their company's infrastructure. They cannot view the source code to see whether vulnerabilities exist, how the application was programmed, and so on. Buying commercial software, though, does provide you with some protection. If the product does not function as advertised or has major security flaws, you might have grounds for legal recourse against the vendor. If you build a solution with a programming flaw that allows an attacker to gain complete access to your network, the only person you can blame is yourself. Another option in today's environment is open-source software. Look at this as a compromise between the hard-and-fast buy-or-build decision. With open-source software, you have access to the source code, and you have a body of developers continuously upgrading and improving the application. Best of all, opensource applications are often free or much less expensive than their commercial alternatives. One drawback to open-source software, though, is the lack of support. Some companies are beginning to support open-source products for a fee, but there are still those that have nothing more than a README file

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security?

Page 10 of 16

or manual page. The open-source community is often helpful in this respect. Numerous mailing lists exist that can put you in touch with experts who can help you.

Open Source vs. Closed Source

Open-source software has become a viable, cost-effective solution for many organizations. With enterprise applications available for free or at very low cost, most companies cannot ignore this option, but is it right for you? Open-source software has its advantages, but it also may have its disadvantages, depending on your needs. First, open-source software generally does not have a single entity supporting the product. Many opensource projects are hobbies or side projects for developers. Some companies, such as Red Hat, Covalent Technologies, and Silicon Defense, have taken open-source products and commercialized them, and are selling professional services and support. To many organizations, this approach provides the one feature open source lacks for their environment consistent, available support. Second, many users feel open-source software is difficult to use. This stems from the fact that most opensource software has been developed for the Linux/UNIX platform, which most people in today's Windows world, with the exception of tech-savvy administrators, are not familiar with and do not feel comfortable learning. Things are changing in this area, though. Linux developers, especially Red Hat, are focusing on making their products more user-friendly and integrating more easily in Windows environments. Is Linux on the desktop not far behind? We take a closer look at this issue in Chapter 14, "Client Security." The debate rages on as to whether open-source software is more secure than closed source. Closed-source software takes the "security by obscurity" approach. End users cannot view the source code of closed-source products, so vulnerabilities are harder to find. When security holes are identified, some vendors react better than others. Most organizations work with individuals to create fixes or patches for the identified problem. A few companies, though, tend to ignore the issue and deal with it only when absolutely necessary, such as when the vulnerability is made public. With open-source software, the code can be inspected and tested by anyone. Developers usually make patches available quickly after vulnerabilities are identified. I am a big fan of open-source software, but I don't feel it works well in all environments. Carefully evaluate your needs before making a decision. FOR MORE INFORMATION For more information, go to http://www.cio.com and read the CIO magazine article discussing the "Build/Buy Battle" from a business perspective.

Single Vendor vs. Best of Breed

Will you choose security products from one single vendor or select best-of-breed products from multiple vendors? Each choice has its pros and cons. With a single-vendor solution, such as Cisco Systems or Check Point Software Technologies, you have to deal with only one vendor and might receive deeper discounts based on the amount of product you purchase. Administrators have to learn only one vendor's product line, and many lines provide a common administrative platform, making administration much easier. On the other hand, a single-vendor solution might not provide you with the best security solutions. The vendor's firewall might fit your environment perfectly, but its IDS might not have the features or capability your company needs. Additionally, the common features of same-vendor products might increase your security risks. If an exploit is released for the vendor's products, you might be susceptible to attack and have no mitigating controls in place because all your products are affected. A good example is a firewall exploit that gives access to the administrative program. If this program also controls your intrusion-detection and access-control programs, you are powerless until the vendor releases a fix. Best-of-breed solutions give you the opportunity to select the security solutions that best fit your

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security?

Page 11 of 16

environment. This solution might cost more than the single-vendor option because you are buying a small amount of product from a number of vendors; economies of scale do not work in your favor. Additionally, administrators will have to learn about numerous products. Misconfigured servers are one of the biggest security problems in a company. Misconfigured security products are even worse, and they are likely to crop up in a best-of-breed environment. It is difficult for an administrator to fully understand all the nuances and quirks of security solutions from a variety of vendors, so the products might not be properly configured, leaving your network and systems susceptible to attack. FOR MORE INFORMATION Visit http://www.networkcomputing.com to read the Network Computing feature reviewing several integrated security suites.

In-Source vs. Outsource

A recent phenomenon in the security world is the ability to outsource your security needs. Services range from monitoring firewall and intrusion-detection log files to controlling your entire security infrastructure, plus everything in between. These companies are often referred to as Managed Security Service Providers (MSSPs). Although MSSPs are relatively new (the first company appeared in 1998), technology research firm the Yankee Group (www.yankeegroup.com) expects this market to grow to $1.7 billion by 2005. The decision to outsource is largely based on the security resources and knowledge available to you. If you have a strong, dedicated security staff, you might consider keeping everything in-house. If you do not have security resources but feel security is critical to your business, you might want to outsource the entire function. Most people fall in the middle, though, keeping the majority of the work in-house and outsourcing the functions in which they are weakest, such as 24/7 monitoring of IDS logs or their firewall configuration. Some people, including myself, have issues with outsourcing security functions. Security is a sensitive area allowing proprietary data to fall into the wrong hands can be detrimental to a company. Choosing to outsource security functions is a decision that should not be taken lightly; each prospective vendor should be carefully examined. Be sure to read the "Questions for an MSSP" section to see what you should ask a potential outsourcer.

Questions for an MSSP

The following questions should be answered to your satisfaction by a potential MSSP. If you have any doubts about the answers, choose another service provider. The last thing you want to do is worry about your company's security service provider. Select a vendor with a strong reputation and with which you feel comfortable. How are personnel screened? Are background checks performed? Who will have access to my network and systems? Do you provide 24/7 coverage? What days do you not operate? Do you hire "reformed" crackers? Is my data commingled with other clients' data? How will alarms/triggers be handled? What is your response in the event of an attack? Do you provide incident-response services? Is there an additional charge for such services? What is your guaranteed response time?

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security? How long do you retain data? Can I have the data retained longer? Does this cost extra? Where and how is the data stored? Is it encrypted? Who can access it?

Page 12 of 16

What recourse do I have if I find evidence that one of your employees did something inappropriate on my network or systems? What is your breadth of service? What services do you provide? Can I contact your reference accounts? What is your company's financial situation? Some MSSPs require you to buy their equipment or support only a specific vendor, usually Cisco or Check Point. If you currently do not use these products, you might incur a large capital outlay to get the infrastructure that is compatible with the MSSP in place. If this is not feasible for you, try to find an MSSP that supports your currently installed products. After the decision to outsource is made, determining exactly what you need to outsource is even harder. If your resource needs do not require full outsourcing of the security group, start slowly, having the vendor monitor IDS systems and perform periodic vulnerability scans. If that goes well, look into adding more services, such as Virtual Private Networks (VPNs), access control, policy development, and architectural design. Another option to consider is co-location facilities, such as AboveNet (http://www.abovenet.com) or Metromedia Fiber Network (http://www.mfn.com). These companies provide remote hosting facilities for your computing environment. In some cases, either as included with your contract or at an additional cost, they can provide security services. FOR MORE INFORMATION http://www.crystalpc.com provides a checklist for evaluating potential collocation facilities. http://www.isp-planet.com contains an in-depth look at some of the available managed security service providers.

Finding Security Employees

In today's tight marketplace, finding knowledgeable, qualified security employees is difficult. Plus, after you find someone and get the person up to speed on your systems and infrastructure, she or he may be able to get a new job on the open market for a higher salary. If you think this sounds ridiculous, think again. I changed jobs twice in one year, each time increasing my salary 50 to 60 percent. And colleagues with much less experience than I have were offered jobs I turned down and were paid the same salary the company was offering me. With the economic slowdown, these situations are not as prevalent, but they can still occur. Some companies will hire anyone with security knowledge, often just to claim that they have a dedicated security person on staff. I came across this attitude at one company that I worked for. The company had strong promise and seemed truly interested in building a solid security infrastructure. As I made recommendations and attempted to implement policies and procedures, I met with resistance. Management was fond of talking about security and how important it was. However, when push came to shove and it was time to open the wallet to file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm 04-Dec-07

Chapter 1: Why do I Need Security?

Page 13 of 16

implement some security technologies as well as to modify work habits to follow the new security policy (such as removing POP3 e-mail access to the corporate mail server over the Internet), things were different. If you need to hire a security expert, carefully analyze why you are hiring that person. Are you really concerned about security, or are you just trying to make the venture capitalists and other investors happy? If you are not truly concerned with security, you might spend more money recruiting and hiring an expert than it is really worth. So, let's assume you've decided to hire a dedicated security expert. Before retaining an executive search firm or posting job descriptions on Dice.com or Monster.com (two leading Internet job sites), take a little time to think about exactly what role the security expert will take in your organization. Are you looking for a general security specialist, reporting to the chief executive officer (CEO) or chief operating officer (COO), to help build a security infrastructure? Are you looking for someone knowledgeable in code reviews to analyze your product for weaknesses? Are you looking for a firewall or incident-response specialist to analyze log files and search for attempted break-ins? Or do you want to hire someone to try to hack into your networks and find vulnerabilities? When you understand what you are looking for and the role the security specialist will hold in the organization, you can better target your recruiting to find the best fit for your company. A good place to start looking is the Big 4 consulting firms: Deloitte & Touche, Ernst & Young, PriceWaterhouseCoopers, and KPMG. Each firm has a security group with a wide variety of experience. If you are looking for a less-experienced individual, start at local universities. Not many colleges offer degrees in security programming, but many offer at least a course or two to teach the basics. You will find at least a couple of computer science majors who have spent a great deal of time teaching themselves about security. With the wealth of information available in books and on the Internet, a driven and motivated individual can learn a lot. Additionally, the National Security Agency started the Centers of Excellence in Information Assurance Education Program to help fill the growing demand for information security professionals. Schools participating in the program include James Madison University, offering an Information Security Master of Business Administration (MBA); Florida State University; and Carnegie-Mellon University. A complete list of participating universities is available at http://www.nsa.gov. Through an anonymous $10 million donation, Johns Hopkins University is creating the Information Security Institute to provide a "holistic approach to the many issues encompassed by information security." Eventually, the university hopes to offer a master's degree program that mixes policy, technology, and law. Other universities might follow suit, making it easier to find nonsenior, knowledgeable security experts. FOR MORE INFORMATION Check out the Johns Hopkins Information Security Institute at http://www.jhuisi.jhu.edu/. The big question, though, is deciding whether to hire "reformed" crackers. Some crackers claim they have been reformed and want to work in the corporate world, using their immense knowledge for good. Others just want to capitalize on their knowledge and make a lot of money. This issue causes another great debate in organizations, similar to "buy versus build" discussions. Each organization needs to make its own decision regarding crackers. We will discuss some of the issues here to help you in your decision-making process. The first thing you want to do is analyze the individual's background. Was this person hacking networks as a teenager simply to see whether he could, or was he stealing information and selling it to competitors or blackmailing the company, threatening to make sensitive information public if demands were not met? Was the individual hacking five or ten years ago, or recently? A large government agency hired a hacker to secure its network. Besides working slowly, reporting only one or two vulnerabilities a week to keep the money rolling in, the "consultant" posted the vulnerabilities on hacker Web sites. The agency did not know this was occurring until one of its security administrators recognized one of the postings on the hacker Web site. This agency has since implemented a policy of not file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm 04-Dec-07

Chapter 1: Why do I Need Security? hiring reformed crackers.

Page 14 of 16

Another area to consider is legal ramifications and insurance claims. If you hire a supposedly reformed cracker and something happens she spreads your corporate secrets to the world, for example what recourse do you have? If the hacker has a criminal record that you knew about, your company might be held liable. Additionally, your insurance company might not honor any loss claims associated with the reformed cracker. From a business perspective, hackers might not understand all the problems a vulnerability can cause. Yes, they understand that they can exploit the vulnerability and make the company lose money or customers, but they may not clearly communicate to management the business processes affected by the vulnerability, exactly how these processes can be affected, or what countermeasures are needed to protect the system from these vulnerabilities. Finding network and system vulnerabilities is much different than securing them. Another tactic hackers often take is to find a vulnerability in your network and then say that they can be hired to fix it. Personally, I would not trust these individuals to fix any problems on my network for fear that they would set up backdoors and either use my system to launch attacks on other networks or just wreak havoc on my own network. If this happens to you, immediately contact the local authorities or the Federal Bureau of Investigation (FBI) and hire a reputable security firm, such as Ernst & Young or ArcSec Technologies, to perform a detailed security assessment of your network. FOR MORE INFORMATION If you'd like to read more about hiring hackers, you'll find an Information Security Advisor article at http://www.advisor.com, a SecurityFocus article at http://www.securityfocus.com, and an InformationWeek article at http://www.informationweek.com.

The Layered Approach

Before diving into a discussion on building and maintaining a security infrastructure, I want to explain the approach I take in this book. In general, this book works from the outside in, meaning that first it describes how to secure the perimeter and then it keeps focusing inward until all your servers, hosts, and applications have also been secured. What this approach accomplishes is to enable you to develop a layered security posture, or defense in depth. Layers are important because they add levels of protection. If one layer is breached, you have multiple layers beneath it to continue protecting your valuable assets. For example, if an attacker manages to compromise your firewall, you still have your IDS and host security to protect you from a full network compromise. This gives you the opportunity to focus your efforts on the firewall issue instead of worrying about what other systems have been compromised. Exhibit 4 demonstrates this layered approach. Exhibit 4: The layered security approach provides additional security assurances that one system compromise will not bring down your entire network.

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security?

Page 15 of 16

Many people like to use the analogy of a castle when discussing security. Lance Spitzner, a well-known expert in security circles, has put a lot of thought into this analogy. (You can read his papers at http://www.spitzner.com.) Besides the obvious similarities, such as the comparisons between a firewall and a castle moat (letting only authorized traffic pass) and between IDSs and a sentry standing guard inside (alerting everyone to the presence of unauthorized or unwanted traffic), Spitzner takes this analogy one step further. Castles are static targets that do not move, much like company networks. Attackers know where you are and know you will not change your location, at least not very quickly. It is also difficult to preemptively strike an attacker because you do not know when, where, or how the attack will occur. Just as in the security world, you are always on the defensive. The better defenses you have, the better prepared you are. Always remember, though, that security is not foolproof. The possibility of compromise always exists. Often, it is just a matter of time before a successful attack occurs. I always start security measures from the outside (perimeter) of an operating system and work toward the center because I do not want to leave servers and hosts unprotected. If you start from the inside and work out to the perimeter, you leave servers and hosts unprotected for a period of time. With an initial perimeter layer implemented, you at least have one umbrella layer of security in place, which is much better than having nothing at all. The remainder of this book focuses on how to implement these layers and how they work together to create a security infrastructure. When properly implemented in your environment, this infrastructure should be strong enough to protect you from the majority of attacks made against your network. I start by discussing how to define your requirements. You need to understand what you are trying to protect and why you are trying to protect it. What traffic do you expect to have? What do you expect your traffic load to be? By defining your requirements, you can design an infrastructure catered specifically to your environment. Next, I discuss policies and procedures. As the foundation of any security infrastructure, security policies are critical to the success of any security initiative. After explaining the security policies, I move on to a discussion of the technology and security solutions needed to implement those policies. First, I focus on basic security technologies, such as encryption and authentication, that can exist at all layers. After that, I discuss architecture in general and then start moving from the outside layers inward. I begin with a discussion of perimeter devices, such as firewalls and screening routers, IDS, and remote access solutions. Next, I move inward and discuss host and server security as well as considerations for application development. Finally, I discuss the most important component of the security infrastructure: ongoing reviews and maintenance. Providing a security infrastructure for your business is not a static one-time project. It is a dynamic, ever-changing process that must be continually monitored and updated.

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07

Chapter 1: Why do I Need Security?

Page 16 of 16

At the end, I put everything together and show you a few variations you can use depending on the nature of your business. We also examine the technology choices you can make. By the time you finish reading this book, you will understand the components you need in your security infrastructure as well as how they work together to provide a strong, layered defense for your company's data and resources. You will also know the specific security technologies available and which ones fit best in your environment.

file://C:\Documents and Settings\Vaio\Local Settings\Temp\~hh4060.htm

04-Dec-07