The Internet has interconnected the world and allows us to share ideas and resources instantaneously. Unfortunately, this same technology allows hackers and viruses to attack corporate networks. Assessing the security of an information system and network is a critical component of securing a system.
by Agnidipta Sarkar
It was J.K. Rowling and Harry Potter who made 'Defense Against the Dark Arts' a famous subject at the Hogwarts School of Witchcraft and Wizardry. In today's world, so replete with technical wizards who call themselves hackers, the real challenge lies in the 'Defense of the Dark Acts.' The dastardly and sinister actions of such wizards have put corporations and even nations to shame, and have cost millions of dollars in damage repair.
'Dark Acts' and 'Dark Realms' are this article's names for hacking and for the hacker communities that exist today. Computer Economics estimates the global cost of downtime and clean-up for the Code Red worm at $2.6 billion, and at $590 million so far for the Nimda worm. It also reports that the total annual economic impact of malicious-code attacks has been rising significantly each year: $6 billion in 1998, $12 billion in 1999 and $17 billion in 2000. The speed at which these viruses and worms propagate means they infect more systems faster, resulting in greater economic impact. Systems and facilities are thus increasingly under threat and need advanced security protection techniques. This article discusses a few techniques in Defense of the Dark Acts.
Insurgency on the Internet
The Internet has interconnected the world and produced many benefits. It is now possible to share ideas and resources instantaneously worldwide. Communication, business, government and commerce no longer require face-to-face contact to operate, and the same technology has increased the efficiency of government and business alike. Unfortunately, it also allows attackers to exploit targeted systems and organizations to a degree not possible in the physical world. Although the threats in cyberspace are largely the same as in the physical world (fraud, theft and terrorism, for example), they differ because of three important developments: automation, which makes even low-yield attacks profitable; action at a distance; and rapid propagation of techniques.
First, automation makes attacks, even those with minimal return, far more practical. In the physical world an attack that succeeds once in 10,000 attempts is insignificant, because the time and effort spent on the 9,999 failures outweighs the single success. On the Internet, automation turns the same attack into a stunning success: computing power and bandwidth keep getting cheaper and the number of hosts that can be targeted is growing exponentially, so almost any attack, no matter how low its success rate, is worth an attacker's while.
Second, the Internet allows action at a distance. It has no borders, and every point on it is adjacent to every other point, so an attacker in Timbuktu can attack the United States without ever leaving home.
Third, the Internet allows easier and more rapid propagation of techniques. Before the Internet, attack techniques took years to spread, which left time to develop effective countermeasures. Today a new technique can spread in a matter of hours or days, and it is far harder to develop countermeasures fast enough.
These circumstances create the need to secure information systems and networks, and assessing their security is a critical component of doing so. A security risk assessment of an information system is one of the most conclusive methods of validating that existing security measures and procedures work as intended. Such an assessment can also identify previously unknown weaknesses or vulnerabilities.
In this part of the world, premier security organizations (Paladion Networks, KPMG, E&Y, Wipro) have formed security assessment teams to help organizations mitigate risk. While assessment has been the traditional way of ensuring the success and security of an organization's Internet endeavors, a more useful mechanism is to test the security of a site by simulating a hacker attack.
White hat hacking, otherwise known as ethical hacking or penetration testing, is a security assessment of an organization's Internet infrastructure that uses intrusive mechanisms: the tester probes and exploits the systems the way an attacker would, but under written authorization and within an agreed scope.
9/11 and After
What 9/11 told the world is that the advanced computer systems that ease life's little worries are under threat not only from the Dark Realms on the Internet but also from forces that are not computational in nature.
For organizations that had planned a disaster recovery setup in New Jersey or elsewhere, it was business as usual; the rest closed shop until recovery. Planning disaster recovery facilities requires care and technique, since such a facility is more than a 'hot standby.' Today's data centers are geared up with elaborate disaster recovery plans. Disaster recovery focuses specifically on data recovery mechanisms: replicas of critical business systems are created across locations and kept ready for use should such an eventuality happen.
But what most organizations need to delve into more deeply is Business Continuity Planning. BCP goes beyond IT infrastructure and server/network redundancy and covers people and process recovery too. Disasters, whether accidental or intentional, badly hamper business, and in such situations people and process recovery become vital. Notification procedures and escalation procedures need to be defined for a smooth transition. BCP will help organizations consider the significant impact of environmental factors on today's business, given the volatility of the socio-political climate. There is a distinct need to gear up to safeguard against risks posed by unforeseen incidents of this nature.
What 9/11 has also taught us is that security should be viewed as a continuous, ongoing process. Organizations that provide preventive security consulting lead customers into creating more systems and procedures to manage, monitor and review security systems and facilities on a continuous basis. Preventive security measures include security procedure management, vulnerability management, security appliance management, policy compliance, audit log analysis, event analysis, incident handling and incident forensics, all rolled into one. Preventive security is the most evolved and complex security service today. Clearly, none of these activities can be carried out in isolation, all the more so because threats are no longer restricted to the Internet. Websites such as www.securityfocus.com, www.cert.org, www.iss.com/xforce and similar sites regularly publish advisories on the latest vulnerabilities; these need to be scrutinized against the organization's own inventory of products and versions to determine which vulnerabilities are actually relevant.
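Scrutinizing an advisory for relevance comes down to a version-range check against an inventory of what is actually deployed. The Python below is an added example, not code from the original article or from any of the vendors or advisory sites it names; the products, versions and advisory IDs in it are constructed for illustration and correspond to no real advisory. It compares dotted-numeric versions field by field so that 9.2 sorts before 9.2.1, treats the fix release itself as not affected, and reports which hosts need action.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One advisory entry: product, first affected version (inclusive) and the
    release that fixes it (exclusive). IDs and versions used below are
    constructed for illustration, not real advisories."""
    ident: str
    product: str
    affected_from: str
    fixed_in: str


def parse_version(version: str) -> tuple:
    """'2.0.39' -> (2, 0, 39). Only dotted-numeric versions are handled; anything
    else is rejected rather than silently compared the wrong way."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        raise ValueError(f"unsupported version string: {version!r}") from None


def is_affected(version: str, affected_from: str, fixed_in: str) -> bool:
    """True when affected_from <= version < fixed_in, comparing numerically
    field by field and padding short versions with zeros (9.2 == 9.2.0)."""
    parts = [parse_version(v) for v in (version, affected_from, fixed_in)]
    width = max(len(p) for p in parts)
    current, low, high = [p + (0,) * (width - len(p)) for p in parts]
    return low <= current < high


def triage(advisories, inventory):
    """Match each (host, product, version) in the inventory against the
    advisory list and return sorted (host, advisory id) pairs needing action."""
    hits = set()
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and is_affected(version, adv.affected_from, adv.fixed_in):
                hits.add((host, adv.ident))
    return sorted(hits)


# Constructed inventory and advisories: fictitious products, versions and IDs.
INVENTORY = [
    ("web1", "acme-httpd", "1.3.22"),
    ("web2", "acme-httpd", "2.0.40"),
    ("mail1", "acme-smtpd", "8.12.6"),
    ("ns1", "acme-dns", "9.2.1"),
]
ADVISORIES = [
    Advisory("ADV-A", "acme-httpd", "1.3.0", "1.3.26"),
    Advisory("ADV-B", "acme-httpd", "2.0.0", "2.0.40"),  # web2 already runs the fixed release
    Advisory("ADV-C", "acme-dns", "9.0", "9.2.2"),       # two-part lower bound still compares correctly
    Advisory("ADV-D", "acme-smtpd", "8.0", "8.12.6"),    # mail1 sits exactly at the fix version
]

if __name__ == "__main__":
    for host, adv_id in triage(ADVISORIES, INVENTORY):
        print(f"{host}: patch needed for {adv_id}")
```

Run as-is it reports web1 (ADV-A) and ns1 (ADV-C) and nothing else; the two boundary cases (a host exactly at the fix version) are the ones a naive string comparison gets wrong, which is why the version parser refuses anything it cannot compare numerically.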
Organizations that offer preventive consulting services keep abreast of these developments to protect their customers. According to the latest industry reports, as much as 80 percent of Dark Acts happen within organizations. While this is easy to say, countering such threats is a difficult and serious issue. The key disabling factor is the employee trust mechanism: too much caution breeds discontent and too little is dangerous, and finding the right balance was very difficult until now. Today, leading computer vendors are forming alliances to help customers achieve this.
The Art of Managing Identities on the Web
Identity management covers both Public Key Infrastructure (to create and issue digital certificates) and single sign-on technologies, to uniquely identify the end user over the wire while providing enhanced access to legitimate users. A successful industry venture that plans to include more leading IT vendors is the Liberty Alliance (www.projectliberty.org). Though the Liberty Alliance began as a counter-measure to Microsoft's .NET Passport strategy, today it is one of the largest movements generating awareness about creating identities over the Internet.
Businesses that accept transactions via the Web can gain a competitive edge by reaching a worldwide audience at very low cost. But the Web poses a unique set of security issues, which businesses must address at the outset to minimize risk. Customers will submit information via the Web only if they are confident that their personal information, such as credit card numbers, financial data or medical history, is secure. In person-to-person transactions, security is based on physical cues: consumers have come to accept the risks of using credit cards in places like department stores because they can see and touch the merchandise and make judgments about the store. On the Internet it is more difficult to assess the authenticity of a business, and serious security threats have emerged.
By becoming aware of the risks of Internet-based transactions, businesses can acquire technology solutions that overcome those risks. As more countries develop rules, regulations and laws to enable e-business, Web transactions will increasingly depend on digital identities. Under the IT Act 2000 in India, the digital certificate of an individual may contain up to 27 fields, including specific data to uniquely identify that person. However, the single biggest factor hindering the true benefit of the Internet, its omnipresence, is that these rules and regulations are limited to certain countries. There is a movement, though, and almost every country is trying to evolve its own IT rules. The need of the hour is one common body to govern identity management.
Customer focused Security
As more and more security technologies become commercialized, security requirements will become more acute and more specialized. Until recently, organizations assumed a firewall to be the beginning and end of security. That awareness has since grown: the security requirements of organizations have begun to expand, and as more organizations extend their business to the Web, these requirements will continue to increase.
Perimeter security technologies are focusing more on the end customer. VPN technologies are moving into the clientless VPN domain while keeping the encryption intact. More security vendors offer SSL acceleration to speed up secure e-business transactions. Portal software vendors offer VPN on demand. More organizations are developing cheaper firewall appliances that are tremendously fast. Check Point Software Technologies provides SecureXL, a software solution that it claims will make a Linux system outperform the appliances available today. Digital certificates can now be carried on USB tokens, and better implementations issue the digital certificate on demand once the end user has been identified by a two-factor authentication device such as a token.
All this is good news. The bleak part is that while protection technology has evolved, attacks have become more sophisticated. It is no longer fashionable in the Dark Realms to use a Ping of Death (an ICMP echo request fragmented so that it reassembles to more than the 65,535-byte IPv4 maximum) to bring down a site, largely because most organizations have begun to block ICMP (Internet Control Message Protocol) at the perimeter. A blanket ICMP block has its own cost, since it also discards the 'fragmentation needed' messages that Path MTU discovery depends on; filtering selectively and patching the affected IP stacks is the better answer. So what do our wizards do? Today blended threats, which combine several attack methods in one piece of malicious code, are taking the world by storm. You eliminate one and another emerges.
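The Ping of Death named above is an IP-layer reassembly problem, so the check for it belongs at the IP layer rather than in an ICMP block. The Python below is an added example, not code from the original article: it builds a handful of constructed IPv4 fragments (header checksums left at zero, a fictitious 10.0.0.0/8 source and destination) and flags any fragment train whose last byte would land beyond the 65,535-byte limit, which is the property the original attack relied on. Because it keys fragments on source, destination, IP ID and protocol the way a receiving stack does, the same check catches the trick when it is carried in UDP or TCP and not only in ICMP echo.

```python
import struct
from collections import defaultdict

# An IPv4 total-length field is 16 bits, so no reassembled datagram may
# legitimately exceed this many bytes; a Ping of Death fragment train does.
IPV4_MAX_DATAGRAM = 65535
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags+offset, ttl, proto, cksum, src, dst
MF_FLAG = 0x2000            # "more fragments" bit in the flags/fragment-offset field


def build_fragment(ident, offset_units, more, payload_len,
                   proto=1, src="10.0.0.1", dst="10.0.0.2"):
    """Construct a raw IPv4 fragment (header + zero-filled payload) for the
    sample below. The checksum is left at zero; the detector never checks it."""
    flags_frag = (MF_FLAG if more else 0) | (offset_units & 0x1FFF)
    to_bytes = lambda addr: bytes(int(octet) for octet in addr.split("."))
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + b"\x00" * payload_len


def parse_fragment(pkt):
    """Pull the reassembly-relevant fields out of an IPv4 header."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl,
     proto, _cksum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),       # what a receiver groups fragments by
        "more": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & 0x1FFF) * 8,  # offset is carried in 8-byte units
        "payload_len": total_len - ihl,
    }


def find_oversized_datagrams(packets):
    """Return {reassembly key: reassembled length} for every fragment train whose
    last byte would land beyond the 65535-byte IPv4 limit. The check is on the IP
    layer, so it catches the same trick carried in UDP or TCP, not only ICMP."""
    reach = defaultdict(int)
    for pkt in packets:
        frag = parse_fragment(pkt)
        end = frag["offset"] + frag["payload_len"]
        reach[frag["key"]] = max(reach[frag["key"]], end)
    return {key: end for key, end in reach.items() if end > IPV4_MAX_DATAGRAM}


# Constructed sample: datagram 1 is an ordinary 3000-byte ping split at a
# 1500-byte MTU; datagram 2 is a Ping of Death whose final fragment sits at the
# largest possible offset (8191 * 8 = 65528) and still carries 100 bytes.
SAMPLE_PACKETS = [
    build_fragment(1, 0, True, 1480),
    build_fragment(1, 185, True, 1480),
    build_fragment(1, 370, False, 40),
    build_fragment(2, 0, True, 1480),
    build_fragment(2, 185, True, 1480),
    build_fragment(2, 8191, False, 100),
]

if __name__ == "__main__":
    for (src, dst, ident, proto), length in find_oversized_datagrams(SAMPLE_PACKETS).items():
        print(f"id={ident} proto={proto} would reassemble to {length} bytes: oversized")
```

On the sample only datagram 2 is reported, at 65,628 bytes. Note that the offending final fragment is itself tiny and well formed; only its position makes it dangerous, which is why a per-packet size filter never catches this and the check has to track the reassembly reach per datagram.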
Perimeter security is more challenging in light of this, and integrated solutions are the order of the day. Symantec, a leader in perimeter security solutions, recently released an integrated security appliance (Symantec Gateway Security) that comprises a firewall, intrusion detection, an antivirus engine, content filtering and VPN, all in one sleek appliance.
All this leaves one quite confused about which security architecture to adopt. Architecture design is usually offered as a niche service by most security companies, tailored to the business plans of the organization. Security architecture design is a specialized activity and is best left to experts. Over and above individual product certifications, SANS (GIAC certification), ISACA (CISA certification) and (ISC)² (CISSP) have created the benchmarks for security knowledge worldwide, and most leading security vendors treasure employees with such certifications.
Agnidipta Sarkar is a Practice Manager
in the Business Continuity/Risk Management Practice
for the Wipro Consulting Division of Wipro Infotech.