As CTO you are responsible for the safety of your company's crown
jewels: the information that is used for business transactions.
That information is more valuable than any infrastructure or other asset
in your organization. Information is sensitive precisely because it
must be made accessible in a controlled manner, and only to selected
people: key executives in the company, or customers (via the Web).
Security consultants tell us the first step to security is
"identifying the assets" and then working towards
protecting them. But you would also want to determine the
security strength of your systems: how vulnerable are they
to external and internal threats? It is a lot like checking
the locks and bolts on the doors and windows of your home. That is
where Vulnerability Scanning/Risk Assessment comes in. So
how do security consultants go about doing this?
Avinash Kadam, who heads the Assurances & Global Services
division at MIEL e-Security, says the evaluation should be
based on security standards such as ISO17799 and BS7799. "There
are a number of steps to assure a company's security: firstly,
check all its controls (procedural controls, administrative
controls, technical controls etc.). The second step is to move
into attack mode and check if every control, procedure, or
product is configured or implemented properly. The third step
is to do an audit."
The Mumbai-based MIEL e-Security audits against certain benchmarks: for
instance it checks if the company has the right policies in
place, or if they have a proper information management system.
"We first do an internal audit for the company. Then an external
agency certified by ISO does the audit and certification,"
says Kadam. "We follow the ISO17799 information security
management standard, which gives 10 distinct domains and has

The Infrastructure and Security Consulting Practice (ISeC) at
Infosys Technologies has done audits for more than 20 customers,
both in India and abroad. ISeC also follows security standards. "Our
security consulting practice follows standards laid out in
BS7799 and the COBiT recommendations. Many of these have also
been independently audited by a few of the Big 5 consulting
firms for their integrity," says S.
Soundararajan, Head-ISeC, Infosys Technologies.
Apart from following such standards, security consultants
may take a different approach and devise their own methods
for security audit.
Says K.K. Mookhey, CTO, Network Intelligence India, "The
client may either be unsure of his need for security, or he
is convinced that he needs a solution. We conduct a Penetration
Test (ethical hacking) for those who are not convinced. The
penetration test may not reveal all the vulnerabilities, but
it might indicate some major holes. We do vulnerability assessment
only for those who are convinced that they need security.
For this, we test every element of the network: the servers,
workstations, hubs, switches, routers, topology, etc. We see
what rules are already in place and what business functionality
needs to be followed. The assessment generally leads to a
security policy that provides a managerial perspective. A
policy states what is allowed or disallowed.
The implementation of the policy leads to deployment of security

There are various tools available for Vulnerability Scanning/Risk
Assessment, and some are available as freeware on the Internet
(see Table on page 28). The CyberCop Scanner from Network
Associates (NAI), for instance, checks the system against a
database of 750 vulnerabilities and generates reports. The
software identifies holes in the network and gives reports
in a graphical format indicating high, medium and low-risk
cases. Vendors like NAI also offer security auditing services.
"We do security audits for companies worldwide. In India we do
this through our various partners who have been certified
and trained on our products, and who have our consulting license,"
says Vishwajeet Deshmukh, Country Manager, Network Associates.
"There are two types of security audits that are done:
one is for Vulnerability Assessment and the other is for Network
Security, by which we gauge the efficiency and performance
of a network."
Brian Pereira can be reached at email@example.com
[...] of the distributed enterprise
- Physical security risks
- Logical access risks
  - Flimsy passwords
  - Irresponsible users
  - Poorly defined access control policies
- Technology risks
  - Weakness of communication protocols
  - Weakness of operating systems
  - Weakness of programming practices
  - Weakness of cryptography
- Social engineering risks
- Risks of automated and remote attacks
Source: MIEL e-Security Pvt. Ltd.
Step 1: Study and scope the IT architecture and
components for assessment
Step 2: Determine the boundary of analysis
Step 3: Identify asset owners and schedule tasks
Step 4: Impact analysis for active scans, which includes assessment
of service or server scans in online production
Step 5: Plan for downtime and contingency, if applicable
Step 6: Estimate the scan process, based on the complexity
of the target network(s) and host(s)
Step 7: Define the scan policy for each target. The scan policy
defines the level of scan: information gathering, policy
checking, port scanning, password analysis, attack simulation
Step 8: Scan the targeted network(s) and host(s), based on
the defined scan policy
Step 9: Collect the scan results and analyze them for security
loopholes, configuration errors, default installation settings,
overlooked setups, password quality, firmware/software revisions,
missing patches, security policy violations etc.
Step 10: Submit assessment reports with suggestions
and recommendations to fix the vulnerabilities
[...] OF ENTERPRISE SECURITY
A few years back, a conversation on security solutions was generally
limited to antivirus products or security features within
the operating system. Today security solutions are available
for every part of the network. These can be broadly categorized
as vulnerability/risk assessment tools, firewalls/VPNs, intrusion
detection systems, authentication/access control, antivirus,
and encryption. Further, these solutions are separately available
for servers, desktops and wireless devices.
10 Security lapses or vulnerabilities:
1. Security threats and risks are not analyzed prior to selection
of security technology and design
2. Corporates fail to deal with the awareness and operational
aspects of security
3. Lack of robust security policy definition, or non-adherence
to security policies
4. Absence of periodic security audits of IT infrastructure
5. Lackadaisical implementation of physical security - easy physical
access to data centers and critical IT assets
6. Misconfiguration of servers - default options in installation
procedures of operating systems and applications, which can
be hacked easily
7. User accounts with no passwords or weak passwords
- leads to password cracks with easy guesses
8. Failure to block unauthorized access to application ports
- unwanted TCP ports are open on application servers
9. Lack of availability of data footprints due to non-existent
or incomplete logging and backup of data
10. Improper virus prevention procedures - lack of timely update
of periodic virus signatures
Mistakes made by Users
- Opening unsolicited e-mail attachments without verifying
their source and checking their content first
- Failing to install security patches, especially for
Microsoft Office, Microsoft Internet Explorer, and Netscape
- Installing screen savers or games from unknown sources
- Not making and, especially, not testing backups
- Using a modem while connected through a local area network
Mistakes made by Senior Executives
- Assigning untrained people to maintain security and providing
neither the training nor the time to make it possible to
learn and do the job
- Failing to understand the relationship of information security
to the business problem
- Failing to deal with the operational aspects of security:
making a few fixes and then not performing the necessary
action to ensure the problems stay fixed
- Depending primarily on a firewall alone
- Failing to realize how much money their information and
organizational reputation are worth
- Authorizing reactive, short-term fixes leading to problems
Mistakes made by IS Department
- Connecting systems to the Internet before hardening them
- Connecting test systems to the Internet with default accounts/passwords
- Failing to update systems when security holes are found
- Using telnet and other unencrypted protocols for managing
systems, routers, firewalls, and PKI
- Giving users passwords over the phone or providing configuration
information without authenticating the requester
- Failing to maintain and test backups
- Running unnecessary services, especially ftp, telnet, finger
- Implementing firewalls with rules that don't stop malicious
or dangerous traffic, incoming or outgoing
- Failing to implement or update virus detection software
- Failing to educate users on what to look for and what to
do when they see a potential security problem
- Providing users with too many usernames and passwords,
making things difficult for the user to manage
Source: Bangalore Labs