Are trusted systems a thing of the past?

Get free weekly news by e-mailBy Dr. Jim Kennedy

The internal threat
Based on all of the hard work of IT and information security teams we are beginning to see real progress on protecting the enterprise against external threats. However, the bad news is that we need to be ready for a plethora of new challenges and risks every day. Insider threats are becoming ever increasing and will continue to do so as our economy shows a downward turn.

In fact, the US Secret Service – National Threat Center has indicated that: “The greatest information security threat facing your organization is in your office right now. It has the ability to bypass the physical and logical controls you have put into place to protect the perimeter of your network and has already obtained credentials to access a significant portion of your infrastructure.”

Always something new to be worried about
So, as we focus on trying to secure our critical data and sensitive information from the insider threat we have yet another threat to worry about.

The SANS Institute (the organization that operates the Internet's early warning system - Internet Storm Center) has recently indicated that placement of exploit code on trusted system sites is at the top of its 2008 list of cyber threats.

And apparently this has precedent as it has already been experienced to some extent. Cited in a article by Brian Krebs: “Hannaford disclosed in mid-March that unknown intruders had planted malicious software on the point-of-sale systems at some 294 stores. That malware let the attackers capture card numbers and expiration dates as the data was en route from the point-of-sale terminals to authorize transactions from shoppers.”

Hannaford is a large supermarket chain in the north-east of the US and it recently experienced a security breach where over a million credit and debit card numbers had been taken from store networks. This is despite the fact that its security organization was in compliance with the credit card industries’ PCI security standards. This breach will probably cost Hannaford millions of dollars before it is all over.

So now we (the consumer and the seller) find that the systems we need to trust in order to conduct business my also no longer deserve our trust. Are trusted systems a thing of the past?

What needs to be done?
In order to properly address this threat it means that IT and security personnel absolutely need to have a thorough understanding of all systems, programs, and data involved in its business operation.

Enterprises need a comprehensive data inventory in order to properly protect their critical information and data. It does not seem to matter whether that information is personal healthcare information of patients, credit card information of current or past customers, or personnel information. Cyber crooks want it to sell or to use directly for financial gain.

But in addition to the attention to critical and/or sensitive data the organization also needs to be properly reviewing and protecting the computing platforms and programs that are used to process that data. In order to do this an organization needs to understand all of the paths that the data takes whether at rest, in motion, or in process. And also through what third party it passes to or through.

Every program, every database, and every transaction needs to be identified and understood. Software that is developed internally needs to be scrutinized to ensure that adequate security has been designed in. All off-the-shelf software needs to be reviewed and ensured that all patches are properly maintained and up-to-date.

All programs, internally developed or purchased, need to be constantly reviewed to insure that they have not been compromised and that no malicious or exploitive code has been implanted which can compromise the system or data in any manner.

There are security programs available on the market today to accomplish the above tasks. There is software on the market which will scan and review source code under development to determine if security flaws or ‘holes’ that would allow such attacks as SQL injection or buffer overflow to take place, amongst many other types of vulnerabilities, exist in the code. These programs allow the organization to make sure that its code is safer and better designed to improve overall security.

There are also programs on the market which will allow an enterprise to take a snapshot of the program code just as it is placed into production at an enterprise. This snapshot can then reviewed every day to insure that the program code has not changed (been compromised). In this way the enterprise can feel safer about the trustworthiness of the programs that it is using to perform transactions on sensitive or financial data.

In addition, the systems themselves need to be reviewed periodically to insure that their logical or physical configurations have not been compromised or changed. These undocumented or unauthorized changes (e.g., additional IP ports opened or services started) are often the reason for breaches to what were considered ‘hardened’ systems. Vulnerability scanning on a regular but unscheduled basis are often used for this purpose. Any irregularities, unauthorized changes or security vulnerabilities can be identified and addressed as appropriate.

Due diligence and trust
Recently in the news there have been many articles about inadequacies in security that could have lead to disastrous impacts on the enterprises where they were found. At a nuclear power plant guards charged with the protection of the plant from terrorists were found to be sleeping, while on duty, on the midnight shift. At a healthcare firm, trusted employees were found to be using their system access privileges to gain entry into systems to obtain personal and financial information they would later use for financial gain. At a manufacturing firm a valued employee was found selling intellectual property to a competing firm for money and a job. And, at a bank in the south-west video cameras were placed at ATM machines by a thief to take pictures of credit cards and the keystrokes used to enter a personal pin so that later he could compromise the personal accounts of a series of unsuspecting bank customers.

In the security business we learn that trust is very important. We also learn the mantra: ‘trust but verify.’ Trust but verify is the foundation of due diligence.

Due diligence needs to become the essence and the watchword of both physical and information security programs at all enterprises in all market segments, financial, pharmaceutical, manufacturing, government, and etcetera. Especially those that want to remain out of the press as one that has experienced a data breach.

Due diligence implies that oversight is always in place. That means that a continuous review of security controls is used to insure that they are applied correctly, functioning as desired, and continue to be utilized appropriately day-in and day-out.
Security does not work in a ‘set it and forget it’ type of environment. We need to be ever vigilant and prepared to adjust, adapt, and make changes and to employ new technology where possible to aid in the protection of mission critical data.

In summary
We as corporate or governmental IT security or business continuity experts need to make sure that we are ever vigilant and that we continue to communicate with our organizational leaders so that they have the necessary information to make informed choices for the protection of critical and sensitive information. Only then will we have given them the tools they need to make an informed decision on whether they want to act now to implement adequate controls and safeguards to protect against risks or to possibly pay later in reparations and lost confidence to those whose data they have been entrusted to protect and use which has been subsequently breached.

About the Author

Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV is the Business Continuity/Security Services Practice lead and a Principal Consultant for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields. He is the co-author of two books, Blackbook of Corporate Security and Disaster Recovery Planning: An Introduction and author of an e-book, Business Continuity & Disaster Recovery – Conquering the Catastrophic.

Date: 16th May 2008• Region: US/World •Type: Article •Topic: ISM
Rate this article or make a comment - click here

Copyright 2010 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help