This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
When consumers open an account, communicate with us, register to receive information or purchase a product from our business, it is very likely that they hand over their personal information to us as part of the process. If their information is compromised, the consequences can be far-reaching: consumers can be at risk of identity theft, or they can become less willing, or even unwilling, to continue doing business with us. These days, it is just common sense that any business that collects personal information from consumers should also have a security plan to protect the confidentiality and integrity of that information.
The threats to the security of our information are varied - from computer hackers to disgruntled employees to simple carelessness. While protecting computer systems is an important aspect of information security, it is only part of the process.
Here are some comments to consider, and resources to help, as you design and implement your information security plan.
1. Data Integrity & Security at rest
"Data integrity is ensuring data are "whole" or complete. Data that have integrity are identically maintained during any operation (such as transfer, storage or retrieval). Put simply, data integrity is the assurance that data are consistent and correct." [DB2 universal database]
Integrity relates to the validity of data. It can be affected by malicious change (for example an attacker altering an account detail in a transaction, or stealing an identity), by accident, or by programming errors.
We store data in a number of different ways: on tape (as a backup), in PST files on an Exchange server, online, on a RAID hard drive array, or at an offline site.
There is a simple explanation for this problem, but not a simple solution to completely stop it.
- Pulling the wrong drive. While trying to replace a failed disk in a RAID array, a healthy disk is accidentally removed.
- Reformatting a disk. During a server migration, the wrong SAN LUN is accidentally reformatted
- Restoring corrupt/old backup data. A server containing a business-critical database is deleted by mistake and is restored with a corrupt or incomplete backup prior to realising the backup is not sound
- Rebuilding a bad array. Following a multiple drive failure in a RAID array, an attempt is made to force the failed drives back online and rebuild the configuration, thereby damaging or corrupting the data on the array.
- Deleting data. Files, volumes, virtual machines or a SAN LUN are deleted by accident and there is no backup, or the backup is old or corrupt.
- A support engineer forgot to turn off his replication software before formatting the volumes on the primary site. Unfortunately, this mistake resulted in overwriting the backup.
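Several of the incidents above end the same way: a backup is restored before anyone checks that it is whole. The following added example (not code from the essay or any of the sources it quotes) builds a SHA-256 manifest of a backup set and verifies it before restore, so a truncated or missing file is reported instead of silently replacing good data. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example: integrity manifest for a backup set, checked before restore.
Everything here (paths, file contents) is constructed for the demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record size and digest of every file under backup_dir, keyed by relative path."""
    entries = {}
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            rel = path.relative_to(backup_dir).as_posix()
            entries[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return entries


def write_manifest(backup_dir: Path) -> Path:
    """Write the manifest at backup time; store a copy off-site with the backup."""
    manifest_path = backup_dir / MANIFEST_NAME
    manifest_path.write_text(json.dumps(build_manifest(backup_dir), indent=2, sort_keys=True))
    return manifest_path


def verify_backup(backup_dir: Path) -> list[str]:
    """Return a list of problems found; an empty list means the set is intact."""
    manifest_path = backup_dir / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing: backup cannot be verified"]
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(backup_dir)
    problems = []
    for rel, meta in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel]["sha256"] != meta["sha256"]:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected extra file: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a clean backup set, then the same set after one file
    is silently truncated (interrupted dump) and another is lost."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "nightly"
        (backup / "db").mkdir(parents=True)
        row = b"INSERT INTO orders VALUES (1, 'widget');\n"
        (backup / "db" / "orders.sql").write_bytes(row * 100)
        (backup / "config.ini").write_text("[server]\nname=app01\n")
        write_manifest(backup)
        clean = verify_backup(backup)
        (backup / "db" / "orders.sql").write_bytes(row * 10)  # truncated dump
        (backup / "config.ini").unlink()                      # file lost
        damaged = verify_backup(backup)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup problems:", clean)
    print("damaged backup problems:", damaged)
```

A restore job should call `verify_backup` and stop on a non-empty result; the manifest itself should be written to a different location than the data it describes, so that the mistake that damages the backup (a wrong LUN, a replication overwrite) does not also take the manifest with it.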
Hacking & cyber crime
Verizon's Intrusion Response Team investigated 500 intrusions in 4 years and could attribute 18% of the breaches to corrupt insiders. Of that 18%, about half arose from the IT staff itself.1
Web server compromise
The most common botnet attack today is against web sites; and the fatal flaw in most web sites is poorly-written custom application code. Attackers have compromised hundreds of thousands of servers in a single stroke with automated SQL injection attacks. Legitimate sites are then caused to serve malware, thus unwittingly spreading the bot master's empire.
As the use of computers and the Internet increases daily, damage or loss to data that can occur by mishandling, hacking, or viruses is also increasing exponentially.
The risk of doing business online has intensified with the rise of:
- Hacker and virus attacks.
- Users accessing confidential company information via the Internet or private networks.
- "Always on" connections that enable easier network access for intruders.
Viruses & Trojan Horses
Viruses are software programs, and they can do the same things as any other programs running on a computer. The actual effect of any particular virus depends on how it was programmed by the person who wrote the virus.
Some viruses are deliberately designed to damage files or otherwise interfere with your computer's operation, while others don't do anything but try to spread themselves around. But even the ones that just spread themselves are harmful, since they damage files and may cause other problems in the process of spreading.
A type of program that is often confused with viruses is a 'Trojan horse' program. This is not a virus, but simply a program (often harmful) that pretends to be something else.
For example, you might download what you think is a new game; but when you run it, it deletes files on your hard drive. Or the third time you start the game, the program E-mails your saved passwords to another person.
Note: simply downloading a file to your computer won't activate a virus or Trojan horse; you have to execute the code in the file to trigger it. This could mean running a program file, or opening a Word/Excel document in a program (such as Word or Excel) that can execute any macros in the document.
6. What's the story on viruses and E-mail?
In order to activate a virus or Trojan horse program, your computer has to execute some type of code. This could be a program attached to an E-mail, a Word document you downloaded from the Internet, or something received on a floppy disk. There's no special hazard in files attached to Usenet posts or E-mail messages: they're no more dangerous than any other file.
Verizon's 2008 Data Breach Investigations Report compiles factual evidence from more than 500 data breaches, occurring over 4 years. Verizon's RISK Team found that 73% of the breaches occurred from external sources.
Negligent SMEs get victimized if they don't install Windows patches during the same month the patch is published. But your network contains much more than Microsoft products. Your patching routine needs to extend systematically to all the applications and OS components on your network.
Power or Hardware failure
Businesses that pride themselves on being "nimble" and "responsive" oftentimes achieve that speed by abandoning standardization, mature processes, and contingency planning. Many SMEs have found that a merely bad data failure or compromise turns disastrous when there is no Business Continuity Plan, Disaster Recovery Plan, Intrusion Response Policy, up-to-date backup system from which you can actually restore, or off-site storage.
Data lost on a portable device failure
Much sensitive data is compromised every year when workers accidentally leave their smart phone in a taxi, their USB stick in a hotel room, or their laptop on a commuter train. When data is stored on small devices, it's wiser for administrators to stop thinking about what they'll do "if that device ever gets lost..." and instead, think, "when it gets lost..."
Threat # 6: Reckless use of Wi-Fi hot spots
Public wireless hot spots carry all the same risks as hotel networks -- and then some. Attackers commonly put up an unsecured wireless access point which broadcasts itself as "Free Public WiFi." Then they wait for a connection-starved road warrior to connect. With a packet sniffer enabled, the attacker can see everything the employee types, including logins. This attack is particularly nefarious because the attacker pulls the data out of the air, leaving absolutely no trace of compromise on the victim computer.
Mitigating reckless use of Wi-Fi
Teach users to always choose encrypted connections. Have them connect via a Virtual Private Network (VPN). This encrypts the data stream, so that even if eavesdroppers listen in wirelessly, what they receive is gibberish.
Threat # 3: Reckless web surfing by employees
A 2006 study by the University of Washington found that the sites that spread the most spyware were (in order)
- Celebrity fan sites (such as the type that give updates on the follies of Paris Hilton and Britney Spears);
- Casual gaming sites (where you can play checkers against a stranger)
- Porn sites (coming in at a surprising third place)
Social networking sites such as MySpace and Facebook have taken the lead as virtual cesspools of spam, trojans, and spyware. Employees who surf to non-business-related sites end up inviting into the corporate network bot clients, Trojans, spyware, keyloggers, spambots... the entire gamut of malware. (www.watchguard.com, page 3)
An example of how difficult it is for organizations to control information flow is demonstrated by how many people have accidentally sent a confidential e-mail to a distribution list when they meant to send it to an individual recipient. Another example involves some simple questions, such as how many people have unlabeled floppy disks, CDs or DVDs lying around their home or office? What's on them? What would happen if they were lost or stolen?
While many mechanisms used by employees to remove proprietary information are not sophisticated, most decision makers don't understand the threats their own employees pose. It is important for information security professionals to understand these threats and explain them to management in easily understood terms.
USB flash drives are one of the biggest threats to proprietary information. These are common and extremely useful. Many individuals reading this article probably have one in their pocket. The problem with these devices is that their small size belies the threat. These devices are about the size of a tube of lipstick and can store a large amount of data. A one-gigabyte USB flash drive costs less than $10.
Since most technology professionals are talking in terabytes, a one-gigabyte device seems like a "small storage capacity" device. But if we put this in perspective, a one-gigabyte device stores the equivalent amount of information as 694 floppy disks. It is possible to store a large amount of word processing, spreadsheet and PDF files on 694 floppy disks. If you take this one step further, a 16-gigabyte device stores the equivalent of more than 10,000 floppy disks -- all on an easily concealed and transported device. Combine this large storage capacity with the fact that it is not possible to buy a new computer without USB ports installed; it is easy to understand how data can be removed from an organization.
Explaining how much data can be removed by employees may cause management to support the control of who has the ability to copy data to a USB flash drive.
That threat includes, for several reasons, online data storage sites. They are accessed using a Web browser and generally require no special software. Because the sites use HTTP for communication, they are difficult to block. And once data is stored on one of these sites it is accessible from any computer with an Internet connection.
An example of an online storage system is Google's Gmail. Most people aren't aware that it is possible to use the storage capacity associated with a Gmail e-mail account for any type of file. As of this writing, the amount of storage space available is nearly 5 gigabytes, which is enough space to store a large amount of data. All that is required to make use of this space is to use the Firefox browser and the Gspace add-on, which can be downloaded at either http://addons.mozilla.org or http://www.getgspace.com.
Once the add-on is installed, you get a "Gspace" option in the tools drop-down menu. All you have to do is click on this menu item, which takes you to an interface that looks similar to an FTP client. A user logs into Gmail, highlights the file they wish to transfer, then clicks on an upload or download arrow to accomplish the desired task. Granted, the average employee does not generally have a Gmail account and does not use Firefox as their principal browser, so it should not take much to block access to Gmail.
Even if you block Gmail access, there are numerous other sites that an employee can access to transfer data out of a business.
Unfortunately, with the desire to have access to data "everywhere, all the time" the number of these types of sites keeps growing and is difficult to track. Many organizations try to "blacklist" these sites. But the problem is that it is difficult, if not impossible, to block them all. The author was at a location that attempted to block these sites and -- while several were blocked -- it was still possible to find and access a site that offered free online storage.
For those that wish to attempt to block these sites, here is a short list of some that are currently active:
- Files Anywhere: http://www.filesanywhere.com
- BestSharing: http://www.bestsharing.com
- BigUpload: http://www.bigupload.com
- bigVault: http://www.bigvault.com
- biscu.com: http://www.biscu.com
- DropSend: http://www.dropsend.com
- ecPocket.com: http://www.ecpocket.com
- Elephant Drive: http://www.elephantdrive.com
- MyFileHut: http://www.myfilehut.com
- Savefile: http://www.savefile.com
- Xdrive: http://www.xdrive.com
- Global Data Vault: http://www.globaldatavault.com
- Online Storage Solutions: http://www.onlinestoragesolution.com
- Box.net: http://www.box.net
It is important to recognize that while many of these are commercial sites that charge for their services, most offer fully functional trials. A seven-day trial may be all that is needed to transfer hundreds or thousands of documents.
Another threat to data are "lifestyle computing devices" -- things such as cell phones, PDAs, digital cameras and MP3 players. Because these devices do not have data storage and transfer as their primary functionality, decision makers will not see them as a threat to proprietary information and trade secrets.
They should. As an example, PDAs (Portable Digital Assistants) are not just contact resource managers any more. They are fully functional computers that can send and receive e-mail; send and receive text messages; surf the Internet; and create, store and transmit Microsoft Word, Microsoft Excel files and PDF files.
And what do many organizations allow their employees to do with personally owned PDAs? They allow them to connect to corporate computers so they sync their Outlook address books. In addition, they can copy over any files they want.
And when an employee leaves, what steps are taken to remove this proprietary information from personally owned PDAs? Very often, nothing is done and all the employee has to do is take her PDA to her new employer, hook it up to her new computer and copy over all the data from her previous employer.
Some organizations think they have eliminated this problem by providing employees with company-owned PDAs they have to return upon resignation or termination. But all an employee has to do is copy the data to a personal computer before returning it. Once again, the data is lost and out of the employer's control.
Another mechanism used to transmit proprietary information outside of an organization is instant messaging. Many organizations allow -- and even encourage -- the use of consumer-grade instant messaging applications by employees. This poses several problems, perhaps the most significant of which is that these types of communications are not being monitored or logged. This is one reason employees will use instant messaging to bypass monitoring of their activities.
This type of activity was brought to light during the Enron investigations. "The regulatory environment tightened after government investigators examining Enron found that Wall Street energy traders used cell phones and instant messages to bypass employer surveillance of their desk phones and e-mail."1
Add to this the ability for some instant message programs to send attachments, and the threat increases significantly. Because of this threat, organizations should seriously evaluate the need to use instant messaging. Most individuals have cell phones, office phones and home phones with voice-mail capabilities, in addition to an e-mail account. Now that most hand-held devices have the ability to send and receive e-mail, is it really necessary to use instant messaging? If an organization must have instant messaging, it should use an enterprise-grade product with the ability to log or archive communications.
While most information security professionals focus on the protection of digital information, it is important to remember that it only requires clicking on a printer icon in many applications to convert an electronic file into an easily transportable paper printout.
Many organizations have restrictions on using portable data storage devices, but are silent on removing paper documents. Paper documents can easily be concealed and removed. And once paper documents are removed, they can be easily converted back into electronic documents. Reasonably priced scanners exist that come bundled with optical character recognition (OCR) software.
The significance of using low-tech methods to steal information can be underscored by the Coca-Cola employee caught with paper documents. "A company surveillance camera caught Coca-Cola employee Joya Williams at her desk looking through files and "stuffing documents into bags," officials said. Then in June, an undercover FBI agent met at the Atlanta airport with another of the defendants, handing him $30,000 in a yellow Girl Scout cookie box in exchange for an Armani bag containing confidential Coca-Cola documents and a sample of a product the company was developing, officials said."2
This problem becomes especially frightening when one realizes that many organizations allow executives to access their facilities 24 hours a day, seven days a week.
While the previous examples involve direct theft or dissemination of proprietary information, there are other indirect methods that are just as likely to cause information loss.
Passwords, firewalls, encryption, two-factor authentication and access-control lists are among the tools available to information security professionals. Other options include system audits, patch management, network traffic monitoring and penetration testing. And a range of information security training programs and certifications are available to best use these tools.
But despite this arsenal and well-trained professionals securing networks and systems, businesses cannot completely stop the flow of proprietary data, trade secrets and confidential information leaving their organizations and ending up in the hands of competitors, journalists and whistleblowers.
There are mechanisms that can be implemented to reduce data loss via these devices. On newer systems, it is possible to disable USB ports in the BIOS. While this limits data loss, it also prevents the use of other, helpful, devices. It is possible to modify the Registry (XP SP2) to make USB storage devices read-only. Create a new key, HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Then create a REG_DWORD value named WriteProtect and set it to 1; USB flash drives will now be read-only.
Another option that might work for some organizations is to set a Group Policy Object modifying permissions to the file usbstor.sys (located at C:\Windows\system32\drivers on a Windows XP system), allowing access to "System" and perhaps "Administrator."
Most organizations will want a more granular solution, and commercial products are available that not only control how USB flash drives are used, but also how other "portable data storage devices" are used, such as CDs, DVDs and floppy disks. Enterprise tools, such as DeviceWall from Centennial Software, can restrict access on a time-limited basis, as well as provide logging capabilities.
Portable data storage devices are perhaps the most noticeable way employees can steal data, although there are other, overlooked methods that pose nearly as much risk to proprietary information as USB devices do.
Perhaps the most important mechanism is to apply the "principle of least privilege." This means that employees should have access to only the materials needed to perform their job responsibilities.
Many organizations allow employees access to all files. This type of environment is easy to support, but it provides the ability for employees to find and perhaps disseminate proprietary information that goes beyond their business need. Some organizations erroneously feel that this is not a problem because some of the materials are too complicated for everyone to understand. While not everyone will understand them, competitors certainly will.
Implement the principle of dual control. Implementing dual control means that for every key resource, you have a fallback. For example, you might choose to have one technician primarily responsible for configuring your Web and SMTP servers. But at the very least, login credentials for those servers must be known or available to another person.
Audit your web app code. If (for instance) a Web form has a field for a visitor to supply a phone number, the web application should discard excess characters. If the web application doesn't know what to do with data or a command, it should reject it, not process it. Seek the best code auditing solution you can afford (whether a team of experts or an automated tool), with emphasis on finding out whether your code does proper input validation.
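To make the input-validation advice concrete, here is an added example (not code from the essay or from any product it mentions) of a small form handler in the permissive style the essay warns about, beside a strict version that rejects fields it does not expect and values that do not match an allow-list. The field names, the phone-number pattern and the sample submissions are constructed for the demonstration.

```python
"""Added example: permissive versus strict handling of a web form with a
phone-number field. Field names, pattern and samples are constructed."""
import re

# Allow-list: optional leading '+', then digits with spaces, dashes or
# parentheses as separators; 7 to 20 characters in total.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()\-]{5,18}[0-9]$")
ALLOWED_FIELDS = {"name", "phone"}
MAX_NAME_LEN = 64


class ValidationError(ValueError):
    """Raised when a submission is rejected rather than processed."""


def handle_form_permissive(form: dict) -> dict:
    """The pattern to avoid: every submitted field is trusted and stored as-is,
    including fields the application never asked for."""
    return dict(form)


def normalise_phone(raw: str) -> str:
    """Discard the separator characters once the value has passed the allow-list."""
    return re.sub(r"[ ()\-]", "", raw)


def handle_form_strict(form: dict) -> dict:
    """Reject unknown fields and malformed values instead of guessing what to do."""
    unknown = set(form) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")
    name = form.get("name", "")
    phone = form.get("phone", "")
    if not (1 <= len(name) <= MAX_NAME_LEN) or any(c in name for c in "<>\"'\\"):
        raise ValidationError("name missing, too long or contains disallowed characters")
    if not PHONE_RE.fullmatch(phone):
        raise ValidationError("phone must be digits with optional +, spaces, dashes or parentheses")
    return {"name": name, "phone": normalise_phone(phone)}


def submit(form: dict) -> tuple[str, object]:
    """Wrapper a request handler would call: ('accepted', data) or ('rejected', reason)."""
    try:
        return ("accepted", handle_form_strict(form))
    except ValidationError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed submissions: a normal one, one carrying an injection payload
    # in the phone field, and one smuggling an extra "role" field.
    for sample in (
        {"name": "Ann", "phone": "+1 (555) 123-4567"},
        {"name": "Ann", "phone": "555' OR 1=1--"},
        {"name": "Ann", "phone": "5551234567", "role": "admin"},
    ):
        print(sample, "->", submit(sample))
```

The strict handler normalises the phone number only after it has matched the allow-list, which is the order the essay's advice implies: decide whether the value is acceptable first, then discard the separators. A code audit of an existing application would look for handlers that follow the permissive shape, where an unexpected field or an over-long value passes straight through to a query or a file.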
- Install anti-virus software from a well-known, reputable company, UPDATE it regularly, and USE it regularly.
New viruses come out every single day; an anti-virus program that hasn't been updated for several months will not provide much protection against current viruses.
- In addition to scanning for viruses on a regular basis, install an 'on access' scanner (included in most good anti-virus software packages) and configure it to start automatically each time you boot your system. This will protect your system by checking for viruses each time your computer accesses an executable file.
- Virus scan any new programs or other files that may contain executable code before you run or open them, no matter where they come from. There have been cases of commercially distributed floppy disks and CD-ROMs spreading virus infections.
- Anti-virus programs aren't very good at detecting Trojan horse programs, so be extremely careful about opening binary files and Word/Excel documents from unknown or 'dubious' sources. This includes posts in binary newsgroups, downloads from web/ftp sites that aren't well-known or don't have a good reputation, and executable files unexpectedly received as attachments to E-mail or during an on-line chat session.
- Be extremely careful about accepting programs or other files during on-line chat sessions: this seems to be one of the more common means that people wind up with virus or Trojan horse problems. And if any other family members (especially younger ones) use the computer, make sure they know not to accept any files while using chat.
- Do regular backups. Some viruses and Trojan horse programs will erase or corrupt files on your hard drive, and a recent backup may be the only way to recover your data.
Ideally, you should back up your entire system on a regular basis. If this isn't practical, at least backup files that you can't afford to lose or that would be difficult to replace: documents, bookmark files, address books, important E-mail, etc.
Mitigation for lack of planning
Certainly if you have budget for it, hire an expert to help you develop sound information assurance methodologies. If you don't have much money to work with, leverage the good work others have done and modify it to fit your organization. The SANS Security Policy Project offers free templates and other resources that can help you write your own policies. For more, visit http://www.sans.org/resources/policies/.
Mitigating malicious HTML email
Implement an outbound web proxy. You can set up your LAN so that all HTTP requests and responses redirect to a web proxy server, which provides a single choke-point where all Web traffic can be monitored for appropriateness. The web proxy won't catch an inbound malicious email, but if a user on your network clicks a link in that HTML email, that will generate an HTTP request that the web proxy can catch. If the user's HTTP request never gets to the attacker's booby-trapped web site, your user does not become the victim.
Mitigating data lost on portable devices
Manage mobile devices centrally. Consider investing in servers and software that centrally manage mobile devices. RIM's Blackberry Enterprise Server can help you ensure transmissions are encrypted; and if an employee notifies you of a lost phone, you can remotely wipe data from the lost Blackberry. Such steps go a long way toward minimizing the negative impact of lost devices.
Mitigating reckless web surfing
Implement web content filtering. Use web filtering software such as WatchGuard's WebBlocker. Web filtering solutions maintain databases (updated daily) of blocked URLs in scores of categories. More categories means more nuance. Such tools help you enforce your Acceptable Use Policy with technology.
Invest in patch management. Patch management software will help you scan your network, identify missing patches and software updates, and distribute patches from a central console, greatly increasing your chance of having your entire network up-to-date.
Build an inexpensive test network. Even reputable companies can slip up. Therefore, we recommend installing a patch on a test system and seeing how it behaves before deploying it throughout your network. If you don't have a test network now, the next time you replace outmoded desktop computers and servers, hang onto them and dedicate them to being your test network.
Network data in transit: threat and security (email). The often misunderstood issue of encrypting data in transit versus data at rest. Kevin Beaver provides insight on why data in transit is not the top security risk and offers advice on how to focus your time, money and effort.
- Data in transit -- especially data traversing the Internet -- is not the big security risk it's made out to be. However, it seems that most organizations and security product vendors are still focused on securing data as it travels across the wire. I often hear things like, "we're using transport layer security (TLS) on our e-mail gateway so everything's encrypted and safe as it goes across the Internet" and "our Web site is highly secure because it uses 128-bit encryption when clients connect to it." It won't hurt to secure these types of communications if you desire, but it's not the best way to lock down your organization's crowned jewels.
- From a hacker's point of view, data at rest -- the data in your databases and file systems stored on your NAS, SAN and file servers -- is what's much more attractive. It's where the "money" is -- that is, credit cards, social security numbers, intellectual property, financial information and so on. The things we can't afford to lose are what the malicious hackers and rogue employees are trying to take from us.
- The belief that you must secure data in transit in order to be secure likely predates Ethernet switches, when it was much easier for someone with prying eyes to capture all network traffic with a network analyzer (a.k.a. sniffer). Nowadays, it's really not that easy to sniff traffic off the wire. It takes the right expertise and physical access to the network -- usually the computer room or wiring closet where the backbone Ethernet switches are installed.
- Don't get me wrong, data in transit is certainly not without its vulnerabilities, and network managers who want to encrypt internal network traffic are not crazy, especially if they want to get a percentage point or two closer to "guaranteed" security. Attackers can convert Ethernet switches into hubs via address resolution protocol (ARP) spoofing/poisoning attacks by running a program such as dsniff or ettercap. This allows them to plug in a sniffer anywhere on the network (not just directly into a switch) and see all traffic with ease. I suppose there's also the highly unlikely chance an attacker will break in and install a sniffer and glean network traffic remotely.
- But even with these risks, those types of hacks are simply not happening enough for this to be at the top of your security priority list. The bad guys are going to go down the path of least resistance to get to their destination and that certainly isn't sniffing network traffic.
- For whatever reasons (most likely resistance to change, added system complexity, fear of a drain in server processing power and costs involved), we're not seeing much of a shift in our way of thinking. There is still a hugely disproportionate amount of effort being placed on preventing that once-in-a-blue-moon occurrence compared to common sense security protecting data at rest.
- Given the insecure configurations of Web applications, operating systems and networks in general, it's a lot easier for the bad guys to gain access to data at rest than try to obtain access to the network long enough to install and run a sniffer. On top of that, an attacker would have to capture enough packets, sift through the contents and hope that he's captured the right packets at the right time to find that proverbial needle in the haystack. He or she would certainly see a ton of non-confidential packets that wouldn't really matter.
- But wait! Let's step back and look at the bigger picture here. If you've got a person inside your building -- either electronically via a remote hack or physically due to poor physical security -- you've got a much bigger security problem on your hands!
- Focus your efforts and spend your money on security controls that will have the greatest impact. Some safeguards to consider protecting your data at rest are database encryption (think third-party encryption appliances, add-on software, SQL Server 2005, etc.), host-based IPS, whole-drive encryption for laptops or other physically insecure systems, as well as common sense file access controls on shared data.
- Try to look at what matters from a real-world perspective (this is happening all the time) rather than from a theoretical perspective (well, this could possibly happen if the stars are properly aligned). Perform a mini-risk analysis in your mind -- ask yourself what the chances are of someone accessing and gleaning your organization's sensitive data in transit versus hacking a Web application, gaining direct database access or simply performing a text-based search for the good stuff directly off your hard drives. The chances of the latter happening are much greater.
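The quoted article mentions ARP spoofing/poisoning as the way an attacker on a switched network gets to see other hosts' traffic. The defensive counterpart is to watch for the symptom it leaves behind: an IP address (above all the gateway's) that suddenly answers from a different MAC, or one MAC answering for several IPs. The following added example (not from the essay or the quoted article) implements that check over a constructed log of ARP observations such as a monitoring host or switch would record; the addresses, timestamps and the gateway IP are all made up for the demonstration.

```python
"""Added example: flag ARP table changes consistent with ARP poisoning.
The observation log, addresses and gateway IP are constructed."""
from collections import defaultdict

# Constructed ARP observations as (seconds, ip, mac). 10.0.0.1 is the gateway.
OBSERVATIONS = [
    (0,  "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (1,  "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (2,  "10.0.0.21", "aa:aa:aa:aa:aa:21"),
    (60, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (61, "10.0.0.1",  "de:ad:be:ef:00:99"),  # gateway IP now claimed by another NIC
    (62, "10.0.0.20", "de:ad:be:ef:00:99"),  # the same NIC also claims a host IP
    (63, "10.0.0.21", "aa:aa:aa:aa:aa:21"),
]


def detect_arp_anomalies(observations, gateway_ip, max_ips_per_mac=1):
    """Return (timestamp, severity, message) alerts for two symptoms:
    (a) an IP whose MAC changes between observations, critical if it is the
        gateway, because that is what diverts a whole segment's traffic;
    (b) a MAC that answers for more IPs than max_ips_per_mac allows."""
    last_mac = {}                      # ip -> most recently seen mac
    ips_by_mac = defaultdict(set)      # mac -> every ip it has answered for
    alerts = []
    for ts, ip, mac in sorted(observations):
        previous = last_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "critical" if ip == gateway_ip else "warning"
            alerts.append((ts, severity, f"{ip} changed from {previous} to {mac}"))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append((ts, "warning", f"{mac} claims {sorted(ips_by_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in detect_arp_anomalies(OBSERVATIONS, "10.0.0.1"):
        print(f"t={ts:>3}s {severity:<8} {message}")
```

A router or a host with several IP aliases legitimately answers for more than one address, so `max_ips_per_mac` (or a per-MAC allow-list) has to be tuned to the segment; what should never be tuned away is the gateway's MAC changing without a planned hardware swap. The same logic can be fed from a periodic `arp -a` or switch ARP-table export instead of the constructed list.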
The use of e-mail in our organizations for business purposes has become a critical function. The information carried by such e-mails is therefore very important, and defending it against the various kinds of intrusion is a challenging task for every organization. This is a high-risk security area that, without proper safeguards, can leave the door open for intruders to access an organization's information.
In addition to security concerns, proper use of e-mail and the Internet is the responsibility of every employee. Careless use can subject you and other users to malicious software attacks.
You may already know that email is not a perfectly secure communication medium; however, it might surprise you to learn just how inherently insecure email can be. Messages thought deleted can still exist in backup folders on remote servers years after being sent. Hackers can read and modify messages in transit, use your usernames and passwords to login to your online services, and steal your identity and critical information!
As the amount of crucial business conducted via email increases, so does the amount of Spam, viruses, hacking, fraud, and other malicious activity. Unless precautions are taken, email can leave you and your business open to escalating security and privacy risks. What are these risks?
II. Email Threats:
Eavesdropping: In the usual way that people send, read or download Internet email, all message content (including usernames and passwords) is transmitted between their personal computer and email servers in easily accessible "plain text". This means that anyone who can intercept this flow of information can read your email and obtain your usernames and passwords; this is referred to as eavesdropping.
It is surprisingly easy to eavesdrop. Often the culprits are others in your organization, individuals at your Internet Service Provider (ISP), or even other clients of your ISP. Simple eavesdropping attacks, like tapped phone lines, lay all of your critical communications wide open to attackers. Worse, these attackers can access your accounts, send email messages appearing to come from you, and steal your identity, all by simply obtaining your usernames and passwords and other confidential information in this way.
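To make the plain-text point concrete, here is an added example (not part of the original essay) that scans a constructed capture of an SMTP submission session and recovers the credentials sent with AUTH PLAIN and AUTH LOGIN. The host names, the user "joe" and the password are made up. The companion check flags any session that authenticated before STARTTLS, which is the condition a mail administrator should refuse on the server side.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Credential is a username/password pair recovered from a cleartext SMTP AUTH exchange.
type Credential struct {
	Mechanism string
	User      string
	Pass      string
}

// SampleSession is a constructed capture (hypothetical host and credentials) of a
// submission session as a sniffer on the path sees it when the client does not use STARTTLS.
const SampleSession = `220 mail.example.test ESMTP
EHLO laptop.example.test
250-mail.example.test
250 AUTH PLAIN LOGIN
AUTH PLAIN AGpvZQBodW50ZXIy
235 2.7.0 Authentication successful
AUTH LOGIN
334 VXNlcm5hbWU6
am9l
334 UGFzc3dvcmQ6
aHVudGVyMg==
235 2.7.0 Authentication successful
`

// isServerReply reports whether a line is an SMTP server response (3-digit code).
func isServerReply(line string) bool {
	if len(line) < 3 {
		return false
	}
	for _, c := range line[:3] {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// decode strips the base64 layer. Base64 is an encoding, not encryption.
func decode(s string) (string, bool) {
	b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(s))
	return string(b), err == nil
}

// ExtractSMTPCredentials walks a captured session line by line and recovers
// any credentials sent with AUTH PLAIN or AUTH LOGIN.
func ExtractSMTPCredentials(session string) []Credential {
	var found []Credential
	lines := strings.Split(session, "\n")
	for i := 0; i < len(lines); i++ {
		line := strings.TrimSpace(lines[i])
		upper := strings.ToUpper(line)
		switch {
		case strings.HasPrefix(upper, "AUTH PLAIN "):
			// AUTH PLAIN <base64( authzid NUL authcid NUL password )>
			raw, ok := decode(line[len("AUTH PLAIN "):])
			if parts := strings.Split(raw, "\x00"); ok && len(parts) == 3 {
				found = append(found, Credential{"PLAIN", parts[1], parts[2]})
			}
		case upper == "AUTH LOGIN":
			// AUTH LOGIN: the server prompts "334 VXNlcm5hbWU6" (Username:) and
			// "334 UGFzc3dvcmQ6" (Password:); the client answers each in base64.
			var answers []string
			for j := i + 1; j < len(lines) && len(answers) < 2; j++ {
				l := strings.TrimSpace(lines[j])
				if l == "" || isServerReply(l) {
					continue
				}
				answers = append(answers, l)
			}
			if len(answers) == 2 {
				u, okU := decode(answers[0])
				p, okP := decode(answers[1])
				if okU && okP {
					found = append(found, Credential{"LOGIN", u, p})
				}
			}
		}
	}
	return found
}

// AuthSentInClear reports whether the client authenticated before (or without)
// STARTTLS, i.e. whether the secret crossed the wire readable.
func AuthSentInClear(session string) bool {
	tls := false
	for _, line := range strings.Split(session, "\n") {
		u := strings.ToUpper(strings.TrimSpace(line))
		if u == "STARTTLS" {
			tls = true
		}
		if strings.HasPrefix(u, "AUTH ") && !tls {
			return true
		}
	}
	return false
}

func main() {
	for _, c := range ExtractSMTPCredentials(SampleSession) {
		fmt.Printf("%-5s user=%q pass=%q\n", c.Mechanism, c.User, c.Pass)
	}
	fmt.Println("authenticated in the clear:", AuthSentInClear(SampleSession))
}
```

The same recovery works for POP3 (USER/PASS) and IMAP (LOGIN), which send the password with no encoding at all. The server-side fix is to advertise AUTH only after STARTTLS (or only on the TLS-wrapped port) and to reject AUTH on a plain connection.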
Privacy: Did you know that your physical location can often be determined fairly accurately just by examining the email messages you send? Recent legislation allows your ISP to read your email without your permission, and data backups made by email providers and ISPs may be kept indefinitely without your knowledge. With such potential for malicious activity, taking measures to maintain your privacy is more important than ever.
Privacy afforded to your communications, to the data you entrust to your service providers, and even to your physical location is as critical as protecting your communications from eavesdropping, as a lack of privacy is equivalent to allowing people to "eavesdrop" on you and/or discover your actual address.
Spam and Unwanted Email: While Spam is technically not a privacy or security issue, the sheer quantity of Spam today (reports currently indicate that around 70% of all email is Spam) decreases productivity and dramatically increases the cost of email use. Spam filtering also poses the potential loss of legitimate email while attempts are made to weed out unwanted messages.
Viruses and Worms: These are almost as prevalent as spam and far more damaging. Viruses and worms can take over your computer, send your private information to attackers, destroy the data on your hard drive, bring your computer to a standstill, or disrupt productivity in general. They are a threat to your privacy and make you suspicious of legitimate e-mail.
Email Bombs and Other Attacks: "Email bombs" occur when you receive an immense number of email messages in a very short time. Dictionary attacks are generated by spammers trying to discover valid email addresses at your organization by sending email to thousands of different addresses. Floods like these can bring your email service to its knees, fill up all your email storage space, and result in the loss of legitimate messages and business.
All of these threats are significant individually; together they pose a serious, on-going, and escalating problem. How can you take advantage of email technology while mitigating your risk from these and other negative factors? And, how can you keep the costs to your organization reasonable?
Threat #3: Directory Harvest Attacks (DHA)
A directory harvest attack (DHA) can net a spammer thousands of corporate e-mail addresses in just a few minutes: the attacker's software connects to the mail server, tries thousands of guessed recipient names, and records every address the server does not reject as valid. These addresses are compiled and sold to other spammers worldwide, so companies whose addresses have been harvested receive an ever-growing amount of junk mail. Unwittingly, a company's own mail servers can compound the network traffic problem by generating thousands of bounce messages in response to the invalid addresses. The resulting traffic spikes amount to self-inflicted denial-of-service attacks that can completely shut down mail servers. By the time log analysis identifies a suspect IP address barraging the server with invalid delivery attempts, the valid addresses have long been harvested. The sobering reality is that on average, 10 percent or less of the SMTP connections handled by corporate mail servers carry legitimate e-mail. Postini estimates that 30 to 40 percent of inbound SMTP connections through the corporate mail gateway can be traced to DoS and DHA attacks. These threats can overwhelm mail transfer agents (e-mail servers) to the point of shutdown. As shown in Figure 2, that traffic is over and above the amount of spam and virus e-mail.
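The detection the paragraph describes (a single source barraging the server with invalid recipients) can be automated from the gateway log rather than found by hand afterwards. The following is an added example, not the essay's or Postini's code; it assumes a simplified, constructed log line format (`<RFC3339 time> <client ip> RCPT TO:<address> <reply code>`) rather than any real MTA's format, and the IP addresses and mailbox names are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// rcptEvent is one parsed RCPT TO attempt from the gateway log.
type rcptEvent struct {
	at       time.Time
	src      string
	rcpt     string
	rejected bool // 5xx reply: the recipient does not exist
}

// DHAPolicy flags a source that accumulates at least MinRejects unknown-recipient
// rejections inside any Window, provided rejections make up at least MinRejectRatio
// of all its RCPT attempts (so a legitimate sender with one typo is not flagged).
type DHAPolicy struct {
	Window         time.Duration
	MinRejects     int
	MinRejectRatio float64
}

// Verdict summarises one source IP.
type Verdict struct {
	Attempts int
	Rejects  int
	Burst    int // most rejections seen inside one Window
	Flagged  bool
}

// parseLine parses one constructed log line (hypothetical format, see lead-in).
func parseLine(line string) (rcptEvent, bool) {
	f := strings.Fields(line)
	if len(f) != 5 || f[2] != "RCPT" || !strings.HasPrefix(f[3], "TO:<") {
		return rcptEvent{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return rcptEvent{}, false
	}
	addr := strings.TrimSuffix(strings.TrimPrefix(f[3], "TO:<"), ">")
	return rcptEvent{at: ts, src: f[1], rcpt: addr, rejected: strings.HasPrefix(f[4], "5")}, true
}

// DetectDHA groups RCPT attempts by source IP and applies the policy.
func DetectDHA(logText string, p DHAPolicy) map[string]Verdict {
	byIP := map[string][]rcptEvent{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		if ev, ok := parseLine(sc.Text()); ok {
			byIP[ev.src] = append(byIP[ev.src], ev)
		}
	}
	out := map[string]Verdict{}
	for src, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		v := Verdict{Attempts: len(evs)}
		var rejTimes []time.Time
		for _, e := range evs {
			if e.rejected {
				v.Rejects++
				rejTimes = append(rejTimes, e.at)
			}
		}
		// Sliding window over the sorted rejection timestamps.
		lo := 0
		for hi := range rejTimes {
			for rejTimes[hi].Sub(rejTimes[lo]) > p.Window {
				lo++
			}
			if n := hi - lo + 1; n > v.Burst {
				v.Burst = n
			}
		}
		ratio := float64(v.Rejects) / float64(v.Attempts)
		v.Flagged = v.Burst >= p.MinRejects && ratio >= p.MinRejectRatio
		out[src] = v
	}
	return out
}

// SampleLog builds a constructed log: a harvester (203.0.113.5) probes 30 guessed
// names in 30 seconds and hits one real mailbox, while a legitimate sender
// (198.51.100.7) makes a single typo over several minutes.
func SampleLog() string {
	var b strings.Builder
	base := time.Date(2024, 3, 1, 10, 0, 0, 0, time.UTC)
	stamp := func(d time.Duration) string { return base.Add(d).Format(time.RFC3339) }
	for i := 0; i < 30; i++ {
		fmt.Fprintf(&b, "%s 203.0.113.5 RCPT TO:<user%02d@example.test> 550\n", stamp(time.Duration(i)*time.Second), i)
	}
	fmt.Fprintf(&b, "%s 203.0.113.5 RCPT TO:<sales@example.test> 250\n", stamp(31*time.Second))
	for i := 0; i < 4; i++ {
		fmt.Fprintf(&b, "%s 198.51.100.7 RCPT TO:<sales@example.test> 250\n", stamp(time.Duration(i)*40*time.Second))
	}
	fmt.Fprintf(&b, "%s 198.51.100.7 RCPT TO:<slaes@example.test> 550\n", stamp(200*time.Second))
	return b.String()
}

func main() {
	policy := DHAPolicy{Window: 60 * time.Second, MinRejects: 20, MinRejectRatio: 0.8}
	for src, v := range DetectDHA(SampleLog(), policy) {
		fmt.Printf("%-14s attempts=%d rejects=%d burst=%d flagged=%v\n", src, v.Attempts, v.Rejects, v.Burst, v.Flagged)
	}
}
```

The ratio test keeps a legitimate sender with one mistyped address from being flagged, and the window keeps a slow trickle of typos from accumulating into an alert. Two operational points follow from the passage: reject unknown recipients during the SMTP dialogue (recipient verification at the gateway) instead of accepting the mail and bouncing it later, which removes the self-inflicted bounce storm; and feed flagged sources into a rate limit or tarpit at the gateway, so the response happens while the harvest is running rather than after log review.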
Threat #5: Internal Policy
An often overlooked class of email security threats concerns email that may violate corporate HR, legal or IT policies or industry regulations. For example, companies establish internal policies to enforce HR rules against the inappropriate use of language and content, such as profanity or sexually explicit terms, in internal or external company communications. These policies protect employees from a hostile work environment and protect the company from the risk of employee lawsuits.
The universality and ease of use of e-mail make it a threat to intellectual property, so e-mail policies are established to enforce rules against the disclosure of confidential company information or to enforce compliance with industry security, privacy, and ethical practice regulations. Since e-mail can also carry fun but time-wasting content like MP3 and JPG files, companies may also establish policies to monitor e-mail attachments for appropriateness to business activities.
Phishing remains a big problem for banks and other financial institutions. It also poses a problem to large online companies, such as eBay and PayPal. Sophos measured the number of phishing emails targeting these two organizations in 2007, and found that during the first quarter of 2007, 59 percent of phishing campaigns targeted at least one of them [14].
In the first quarter of 2008, however, Sophos has recorded a massive decrease in the number of campaigns targeting eBay and PayPal. PayPal has been the target in slightly over 15 percent of phishing campaigns, while eBay has accounted for just less than 4 percent of all campaigns. Heightened user awareness may be responsible for phishers looking elsewhere to lure in unsuspecting victims to bogus websites. Computer users need to remember to be vigilant when entering confidential data online, and only to do so from a fully protected computer.
Methods for Securing E-mail
There are various methods used to secure e-mail today. Although the field is still evolving, the major current building blocks are encryption, digital signatures, S/MIME and various plug-in systems. Digital signatures perform a function in the electronic world similar to that of handwritten signatures on paper. Since the private key of any person or entity is known only to the key's owner, use of that key is viewed as proof of identity: if a message's signature verifies under a user's public key, it can be deduced that the message was signed by the holder of the matching private key. In practice the sender's software does not encrypt the whole message with the private key; it first generates a mathematical summary of the message, called a hash, and signs that. The recipient recomputes the hash and checks it against the signature, so any tampering or forgery is detected. Critical to this is the ability to match a specific public key to its owner. To that end, public-key certificates are used: a certificate authority binds a public key to a specific entity and allows a third party to validate this binding. Well-known certificate authorities include Thawte (http://www.thawte.com) and VeriSign (http://www.cibcverisign.com).
The S/MIME standard adds interoperability to e-mail encryption and signing: correspondents do not have to run the same software, since a message encrypted or signed by one S/MIME-compliant program can be decrypted or verified by any other S/MIME program. Federal law currently regulates strong encryption algorithms and restricts their export. S/MIME has seen the greatest vendor support of late, with companies such as Netscape Communications, Network Computing Devices, Qualcomm, and FTP Software pledging to include S/MIME in forthcoming versions of their e-mail packages.
For now, S/MIME remains the de facto industry standard. In the meantime you can use a third-party product such as PGP's PGPmail to encrypt your e-mail, as long as your correspondent uses a compatible product. Layering is another way of securing communications; the question is at which layer to provide the security. By far the most popular session-layer protocol is the Secure Sockets Layer (SSL), a protocol for transmitting private documents over the Internet, first introduced by Netscape in late 1994. SSL sits beneath application protocols such as HTTP, Telnet, FTP, Gopher and NNTP and above the transport protocol TCP, which lets it operate independently of the application protocols. With SSL implemented on both client and server, a combination of public-key and symmetric cryptosystems provides confidentiality, data integrity, and authentication of the server and, optionally, the client. Note the limit of this approach for e-mail: SSL protects a message only on the hop between a mail client and its server (or between two servers); it does not protect the message while it is stored at either end, which is why end-to-end protection such as S/MIME or PGP is still needed. There are also several plug-in products for Microsoft Windows messaging and Internet e-mail programs that support S/MIME and LDAP. When these become widespread, Internet e-mail security will be the norm rather than the exception. Plug-in enterprise security solutions give users secure access to information wherever it resides in the enterprise, and let information technology executives implement security today while planning migration paths that incorporate future standards and technologies, protecting their investment in security technology.
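The hash-then-sign-then-verify sequence described above, as an added example in Go (not code from the essay or from any of the products named). It uses RSA with SHA-256 in PKCS#1 v1.5 form, one of the signature schemes S/MIME supports; the payment text and the parties Alice and Mallory are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage hashes the message with SHA-256 and signs the digest with the
// sender's private key. Only the holder of the private key can produce this value.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage recomputes the digest on the recipient's side and checks the
// signature with the sender's public key. Any change to the message bytes, the
// signature, or the key used makes the check fail.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records the three checks the demo performs.
type Outcome struct {
	Genuine  bool // original message, correct public key
	Tampered bool // message altered in transit, same signature
	WrongKey bool // signature checked against another party's public key
}

// Demo signs a hypothetical payment instruction and shows what the recipient
// sees in each case. Generating the two 2048-bit RSA keys is the slow part.
func Demo() (Outcome, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Pay 100 EUR to account 1234 by Friday")
	sig, err := SignMessage(alice, msg)
	if err != nil {
		return Outcome{}, err
	}
	altered := []byte("Pay 900 EUR to account 1234 by Friday")
	return Outcome{
		Genuine:  VerifyMessage(&alice.PublicKey, msg, sig),
		Tampered: VerifyMessage(&alice.PublicKey, altered, sig),
		WrongKey: VerifyMessage(&mallory.PublicKey, msg, sig),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrong key=%v\n", o.Genuine, o.Tampered, o.WrongKey)
}
```

The WrongKey case is exactly the gap that certificates fill: verification only tells the recipient that the signature matches a particular public key. A certificate from a CA (or, for PGP, the web of trust) is what ties that public key to a named person, so the recipient must check the certificate chain as well as the signature before treating the message as Alice's.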
VII. Proposed Standards
Although many commercial standards are competing to become the industry e-mail encryption standard, there is currently no industry-wide accepted standard. The major standards proposed are MIME Object Security Services (MOSS), PGP/MIME, and Privacy Enhanced Mail (PEM). PGP and PEM are the original standards for securing e-mail. PEM was an early Internet Engineering Task Force (IETF) standard. PGP is not an IETF standard, but is probably the most popular security scheme in use for text messages. It was designed to sidestep RSA's monopoly on public-key encryption; the newest version uses non-RSA encryption and authentication algorithms and allows users to designate a trusted third party to certify digital certificates, while still maintaining the web-of-trust scheme as well.
H1. Excessive User Rights and Unauthorized Devices
Some attacks cannot be effectively prevented by technical controls alone. Unwary users can be enticed to do unsafe things. Clever users can find unsafe ways to get things done, unintentionally exposing their employers to multiple threats. To prevent such threats from exploiting these weaknesses, administrative controls are needed to supplement technical and physical controls.
In time, technical controls may be able to enforce policies that proscribe user behavior; but until this is achieved, periodic reviews are essential in order to ensure that administrative controls are effective. It is also essential to establish a process that will detect these violations and ensure that any non-compliant system is brought back to a state of compliance in an efficient manner.
H.1a Unauthorized and/or infected devices on network
The best efforts to secure an information system are futile if users connect unauthorized devices to the network or to a computer system. A rogue wireless access point can be an open door for any malicious individual wanting to gain access to the network. A personal laptop connected to a corporate network can introduce whatever malware is infecting it onto the network. Unsecured corporate laptops that have been connected to unsafe public networks will eventually bring back all the malware they have collected to be shared with the entire organization. Thousands of computers have been compromised by attacks in which a laptop's owner is specifically targeted in order to infect the laptop with a Trojan horse that "calls home" once it has been connected to the corporate network, giving an outsider full access to a previously secure network. The same goes for an outsider able to connect an unknown device to the corporate network; this could be simply a laptop or a higher-risk item like a wireless access point.
Policies must address such issues as rogue devices and infected systems in order to ensure adequate protection of the corporate computing infrastructure, but without verification policies are usually ineffective. Network access control has become an important tool to address such issues. Continuous monitoring of data flows and network connections can immediately identify unauthorized devices. In addition, network access control systems can detect malware as well as ensure that patches and malware signatures are up to date. They can then segregate systems which do not meet the policy and place them in quarantine until they have met corporate standards defined in the policy.
H.1b Excessive User Rights and Unauthorized software
Unmanaged software introduces multiple risks for the corporation. That software may contain security vulnerabilities, and users may not be sufficiently informed or motivated to apply patches regularly. Furthermore users (or people using their computer without corporate approval like children or spouses) can install software which, without the users' knowledge, contains malware which could lead to a network or data compromise. Users may also install software providing functionality (e.g. peer-to-peer file sharing) that invites new vulnerabilities into the network environment. Those responsible for information security should consider implementing policies, and associated detective and corrective controls, to mitigate such vulnerabilities.
Organizations are vulnerable if users are granted rights that allow them to install software themselves in an uncontrolled fashion. It can also lead to pirated software being installed on corporate systems, which opens another range of issues from a legal perspective. In order to address this, it is essential to enforce a policy of limiting user rights to the least privilege required to perform job-related duties. Removing local administrator rights greatly reduces, though does not eliminate, the problems of malware, potentially unwanted programs and pirated software being installed by the user: software that runs entirely in the user's own profile, and malware that exploits an unpatched application, still need patching and detective controls.
- http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/
H2. Phishing/Spear Phishing
Online Identity Theft
Identity Theft is the phrase used to describe an action where a person uses the identity of another to fraudulently obtain credit, goods, services, or to commit crimes. Examples of these crimes are bank and credit card fraud, wire fraud, mail fraud, money laundering, bankruptcy fraud and computer crimes. With the advance of the Internet, the traditional fraud schemes became magnified, in particular with Online identity theft crimes.
The word "phishing" was first used around 1996 when hackers began stealing America On-Line accounts by sending email to AOL users, that appeared to come from AOL. Phishing attacks now target users of online banking, payment services such as PayPal, online e-commerce sites, and web-based e-mail sites. Phishing attacks are growing quickly in number and sophistication. In fact, most major banks in the USA, the UK and Australia have been hit with phishing attacks.
Spear phishing is a highly targeted phishing attack. Spear phishers send e-mails that include information about staff or current organizational issues that makes them appear genuine to employees or members of a certain company, government agency, organization, or group. The message may look like it comes from your employer or from a colleague who might plausibly e-mail everyone in the company, such as the head of human resources or the person who manages the computer systems, and may request user names or passwords or tell recipients to download malicious attachments from an infected web site. Spear phishing has become one of the most damaging forms of attack on military organizations in the US and other developed countries: attackers gain user name and password information and then break in to exfiltrate sensitive military information.
A newer form of phishing, voice phishing or "vishing", replaces the web site with a telephone number. An e-mail tells you to call a specific number where an audio response unit, at the end of a compromised voice phone line, waits to take your account number, personal identification number, password, or other valuable personal data. The person or audio unit on the other end might claim that your account will be closed or that other problems will occur if you do not respond.
H2.2 Affected Operating Systems
Phishing is a social engineering technique that targets users. While various application add-ons can provide some defense against phishing techniques, all operating systems can be considered equally affected because the attack target is the end user. There is a natural human instinct to trust; phishing attacks attempt to exploit this. While they leverage flaws in browsers, email systems, and DNS, they do so only to enhance the appearance of legitimacy: ultimately it is the end user that is tricked into providing information to the phishers.
H2.3 How to Determine if You Are at Risk
Phishing relies mostly on social engineering techniques. Awareness of such techniques reduces the chance of falling victim to these attacks.
Identity thieves may also use computer intrusions into organisations such as online businesses to gather large amounts of credit card or other identification information. They may also attempt to harvest information that is available on public Internet sites; do not expose too much information about yourself or your family members (e.g. addresses and phone numbers) on community web sites such as MySpace, Orkut and Facebook.
H2.4 How to Protect against Phishing Attacks
Since phishing attacks are aimed at users, user awareness is a key defense. The most promising method of stopping spear phishing is continuous periodic awareness training for all users; this may even involve mock phishing attempts to test awareness.
Less effective, but still valuable methods include:
- Do not mass e-mail your customer base with web links directed to your site or any other website. Doing so teaches your customer base to accept such emails as normal.
- Do not use your authentication credentials, or other non-public personal information, to authenticate your customer base.
- Log identifying information for any system changing user information online.
- Be sure to report all incidents of fraud to a law enforcement agency.
- Anti-Phishing Software: Applications that attempt to identify phishing content in both e-mail and web sites usually integrate with web browsers and e-mail clients. Several options exist:
- NetCraft Toolbar: available for both Internet Explorer and Firefox
- Google Safe browsing: available for Firefox
- Ebay Toolbar: available for Internet Explorer
- Earthlink Scamblocker: available for both Internet Explorer and Firefox
- Geotrust Trustwatch - available for Internet Explorer, Firefox, and Flock
- McAfee SiteAdvisor - available for Internet Explorer and Firefox
- User Education: One of the best strategies to combat phishing is to educate your users of current and all new phishing attack methods, and to make them knowledgeable on what to do in the event of a phishing attack.
- Two Factor Authentication: Include other non-password authentication mechanisms when possible.
- Anti-Phishing Working Group http://www.antiphishing.org/
- 3sharp study Gone Phishing: Evaluating Anti-Phishing Tools for Windows http://www.3sharp.com/projects/antiphishing/gone-phishing.pdf
- VoIP Phishing Scams http://blogs.pcworld.com/staffblog/archives/001921.html
- The Ghost In The Browser; Analysis of Web-based Malware http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
- Phone phishing: The role of VoIP in phishing attacks http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1193304,00.html
- Phishing and Spamming via IM (SPIM) http://isc.sans.org/diary.html?storyid=1905
- Suspicious e-Mails and Identity Theft http://www.irs.gov/newsroom/article/0,,id=155682,00.html
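Anti-phishing toolbars like the ones listed above combine blacklists with heuristics on the links themselves. The following is an added example (not the essay's code and not any vendor's product) of the heuristic part: given a link's visible text and its real target, it reports the classic tricks (visible text naming one host while the link goes to another, userinfo before "@" hiding the real host, a raw IP as host, punycode homographs, and a protected brand name used outside its registered domain). The protected-brand list and the sample URLs are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ProtectedBrands are registered domains whose names phishers imitate
// (hypothetical list; a deployment would load its own).
var ProtectedBrands = []string{"paypal.com", "ebay.com"}

// hostFromText extracts a hostname if the visible link text itself looks like a
// URL (for example "www.paypal.com/login"); phishers rely on readers trusting
// the text rather than the real target.
func hostFromText(text string) (string, bool) {
	t := strings.TrimSpace(text)
	if t == "" || strings.ContainsAny(t, " \t\n") || !strings.Contains(t, ".") {
		return "", false
	}
	if !strings.Contains(t, "://") {
		t = "http://" + t
	}
	u, err := url.Parse(t)
	if err != nil || u.Hostname() == "" {
		return "", false
	}
	return strings.ToLower(u.Hostname()), true
}

// underDomain reports whether host is the domain itself or a subdomain of it.
func underDomain(host, domain string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// brandLabel returns "paypal" for "paypal.com".
func brandLabel(domain string) string {
	return strings.SplitN(domain, ".", 2)[0]
}

// AnalyseLink returns the reasons a link in an e-mail looks deceptive; an empty
// slice means none of the heuristics fired.
func AnalyseLink(text, href string) []string {
	var reasons []string
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil || u.Hostname() == "" {
		return []string{"href is not a parseable absolute URL"}
	}
	host := strings.ToLower(u.Hostname())
	if u.User != nil {
		reasons = append(reasons, "userinfo before '@' hides the real host "+host)
	}
	if net.ParseIP(host) != nil {
		reasons = append(reasons, "raw IP address used as host")
	}
	if strings.Contains(host, "xn--") {
		reasons = append(reasons, "punycode (IDN homograph) host")
	}
	if th, ok := hostFromText(text); ok && th != host && !underDomain(host, th) && !underDomain(th, host) {
		reasons = append(reasons, "visible text names "+th+" but link goes to "+host)
	}
	for _, d := range ProtectedBrands {
		if strings.Contains(host, brandLabel(d)) && !underDomain(host, d) {
			reasons = append(reasons, "brand "+brandLabel(d)+" used outside its registered domain "+d)
		}
	}
	return reasons
}

// IsSuspicious is the yes/no form a mail filter would act on.
func IsSuspicious(text, href string) bool {
	return len(AnalyseLink(text, href)) > 0
}

func main() {
	// Constructed examples with hypothetical hosts.
	samples := [][2]string{
		{"https://www.paypal.com/cgi-bin/webscr", "http://www.paypal.com.secure-update.example/login"},
		{"www.ebay.com", "http://www.ebay.com@203.0.113.9/signin"},
		{"Confirm your account", "http://xn--pypal-4ve.com/confirm"},
		{"PayPal", "https://www.paypal.com/signin"},
	}
	for _, s := range samples {
		fmt.Printf("%-50s -> %v\n", s[1], AnalyseLink(s[0], s[1]))
	}
}
```

Heuristics of this kind are a second line after a reputation list, not a replacement: a phisher who registers a neutral-looking domain and avoids brand names in the host passes every check here, which is why the passage puts user awareness and non-password authentication ahead of tooling.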
H3. Unencrypted Laptops and Removable Media
Loss of laptops and removable media has become a major liability for corporations and government agencies as well as for general consumers. All too frequently, a major loss of personal or identifying information is traced back to the loss of a single laptop or piece of removable media.
In the past, personal data was stored in paper records or on centralized systems. With growth in computer storage, it is possible to store large amounts of personal information on laptops, desktops, or portable media. This portability places data at a greater risk of loss or compromise, both from malice and simple human forgetfulness. Since removable storage devices are designed specifically for portability, they also tend to be easy to lose or misplace.
Since portable storage devices are often shared between machines, they provide a potent vector for malware propagation. Users often share media between enterprise and personal systems, providing an obvious opportunity for viruses and other malware to spread between networks and physical locations.
H3.2 How to Determine If You Are At Risk
Every company has some data that must be protected: trade secrets, personally identifying information about employees, human resources and payroll data, sales data, price sheets, contacts, customer databases, and so on. In the absence of active controls that ensure all portable devices and removable media are encrypted and accounted for, some risk of loss is present. Here are questions that can help determine the level of risk:
- What policy is in place regarding moving sensitive data onto removable media or portable computers?
- What encryption is installed and used on laptops, portable computers, and removable storage?
- What controls are in place to track access to sensitive data, in order to determine whether inappropriate data transfer has taken place?
- What controls are in place to make sure all storage devices are shredded (or wiped) so the data is no longer accessible or recoverable when disposed of?
H3.3 Mitigation Strategies
- At the most basic level, a written security policy regarding portable computers and removable media is necessary. This policy should be reviewed and approved by senior management. If at all possible, the policy should mandate the encryption of all data on portable computers and removable media.
- Should a full encryption policy prove impossible, file- or folder-level encryption should at least be provided for sensitive files. If such a strategy is employed, careful analysis must be undertaken: operating systems and applications often store working and temporary data (swap and hibernation files, editor temporary copies, browser caches) in locations that lie outside the encrypted areas of the system. Care must be taken to avoid a false sense of security when only partial encryption is employed.
- There should be a clear policy as to which systems will have encryption: all systems or some subset of systems. The security policy should mandate that sensitive data is only placed on systems with effective encryption. Of course, some validation method should be employed to ensure that systems actually conform to the written security policy.
- Decryption methods and tools, including encryption keys, should be known to a limited set of individuals. However, under no circumstances should data decryption capability be limited to a single individual, as loss of that individual will be just as catastrophic as loss of the encrypted data. Encryption key sharing and escrow strategies should be employed.
- For removable media, the written security policy should dictate who may use such devices, the nature (type and sensitivity) of data that may be stored on them, if they may be taken outside of the enterprise environment, and possibly the specific types and models of removable media that may be used.
- Once a policy is in place, the organization should choose the level and manner of compliance control to be implemented. This could range from no technical control (reliance on policy alone) up to the deployment of specific software packages and policies that restrict the ability to mount removable media.
- Safeguards should be in place to notify technical staff when sensitive data is transferred to removable systems or media. This is a non-trivial task and one that often helps drive the choice between full disk and partial disk encryption solutions.
- Often the loss of a device containing sensitive data is the fault of third parties such as contracting firms, rather than the enterprise that owns the data. To mitigate this risk add specific requirements for encryption of data and data storage to contracts with external firms that have access to sensitive data.
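The key-sharing point in the list above (no single person should hold the only decryption capability, yet the key must survive the loss of any one of them) can be met with a threshold split of the disk-encryption key. The following is an added example in Go, not the essay's code nor any product's: Shamir secret sharing over a prime field, splitting a constructed 32-byte key so that any 3 of 5 custodians can rebuild it while any 2 learn nothing.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is the Mersenne prime 2^521 - 1; every key of up to 64 bytes is below
// it, so the key can be used directly as a field element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's piece: the x coordinate and the polynomial value there.
type Share struct {
	X int
	Y *big.Int
}

// SplitKey splits key into n shares of which any k reconstruct it: the key is
// the constant term of a random polynomial of degree k-1, and each share is a
// point on that polynomial.
func SplitKey(key []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k || len(key) == 0 || len(key) > 64 {
		return nil, errors.New("need 2 <= k <= n and a key of 1..64 bytes")
	}
	coef := make([]*big.Int, k)
	coef[0] = new(big.Int).SetBytes(key)
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef[i] = c
	}
	shares := make([]Share, n)
	for x := 1; x <= n; x++ {
		// Horner evaluation of the polynomial at x, mod prime.
		y := new(big.Int)
		bx := big.NewInt(int64(x))
		for i := k - 1; i >= 0; i-- {
			y.Mul(y, bx)
			y.Add(y, coef[i])
			y.Mod(y, prime)
		}
		shares[x-1] = Share{X: x, Y: y}
	}
	return shares, nil
}

// RecoverKey interpolates the polynomial at x = 0 (Lagrange) from the shares
// given. With fewer than k shares the result is a random-looking value, not a
// partial key: below the threshold the scheme leaks nothing.
func RecoverKey(shares []Share, keyLen int) ([]byte, error) {
	seen := map[int]bool{}
	for _, s := range shares {
		if s.X <= 0 || seen[s.X] {
			return nil, errors.New("shares must have distinct positive x")
		}
		seen[s.X] = true
	}
	sum := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		xi := big.NewInt(int64(si.X))
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(int64(sj.X))
			num.Mul(num, new(big.Int).Neg(xj)).Mod(num, prime)     // product of (0 - xj)
			den.Mul(den, new(big.Int).Sub(xi, xj)).Mod(den, prime) // product of (xi - xj)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime)).Mod(term, prime)
		sum.Add(sum, term).Mod(sum, prime)
	}
	if sum.BitLen() > keyLen*8 {
		return nil, errors.New("recovered value does not fit the key length (too few or wrong shares)")
	}
	return sum.FillBytes(make([]byte, keyLen)), nil
}

// SampleKey is a constructed 32-byte disk-encryption key (not a real one).
func SampleKey() []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i*7 + 3)
	}
	return key
}

func main() {
	key := SampleKey()
	shares, err := SplitKey(key, 3, 5) // any 3 of 5 custodians
	if err != nil {
		panic(err)
	}
	got, err := RecoverKey([]Share{shares[0], shares[2], shares[4]}, len(key))
	fmt.Println("3 shares recover the key:", err == nil && bytes.Equal(got, key))
	got, err = RecoverKey(shares[:2], len(key))
	fmt.Println("2 shares recover the key:", err == nil && bytes.Equal(got, key))
}
```

Each share goes into separate custody (one per named officer, one in escrow), which is the same split of responsibility the policy calls for. A production deployment would add an integrity check on every share (for example a MAC over x and y) so that a corrupted or substituted share is detected instead of silently yielding a wrong key, and would generate and use the key inside the encryption product rather than handling it in application code.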
H3.4 References:
- Use Group Policy to disable USB, CD-ROM and Floppy Disk http://support.microsoft.com/kb/555324
- Listing of breaches of personal information http://www.privacyrights.org/ar/ChronDataBreaches.htm
- Listing of State Laws about disclosure after the loss of personally identifiable information (PII) http://www.vigilantminds.com/files/vigilantminds_state_security_breach_legislation_summary.pdf
- In February, Bank of America lost unencrypted backup tapes being shipped on a commercial airplane; data included details for more than a million customers. http://tinyurl.com/4jvbz
- In April, Iron Mountain lost its fourth shipment of backup tapes in 2005 - this time containing data about 600,000 current and former employees of Time Warner. http://www.networkworld.com/news/2005/050605-timewarner.html?rl
- In June, Citigroup announced that back-up tapes being sent via UPS were lost in transit; data including Social Security numbers on 3.9 million consumer lending customers were lost. http://www.networkworld.com/news/2005/060605-citibank.html?rl
- In November, Marriott International realized that some back-up tapes for its Vacation Club were missing; at the end of the year, it announced that the lost or stolen tapes contained credit-card and Social Security number data on 206,000 clients and also on some employees. http://www.washingtonpost.com/wp-dyn/content/article/2005/12/27/AR2005122700959.html
Loss of Laptops
Loss of USB drives
Loss of backup tapes