Introduction
The growing
availability of low cost, high speed cable, DSL and satellite Internet
access has revolutionized the Internet experience for many users.
Perhaps the greatest beneficiaries of the new affordability and
availability of high-bandwidth Internet connections have been small
business owners. Increasing numbers of small business owners are now
making use of the kind of ability to communicate and to conduct
business that was formerly the province of Fortune 1000 firms.
Broadband's double-edged sword
Two of broadband's
biggest advantages - the higher speed of the connection and the
‘always-on’ nature of most broadband implementations - pose two of its
greatest liabilities. Properly understood, this is not a surprise.
Accessibility (read: convenience) and security are always at opposite
ends of the spectrum; anything that provides more of one inevitably
results in a compromise of the other. There is another way to think of
this: the greater the convenience associated with your system’s
connection, the more vulnerable you are to intruders and exploits. How
does high speed make you more vulnerable? An always-on connection
simply provides a greater window of opportunity to those who regard
your unprotected/under-protected system with ill intent.
A high speed
connection allows hackers to transfer malicious programs to your
system more quickly and for a variety of purposes. It's the very speed
of your connection that allows such programs to be larger and more
capable. Your high speed connection is less likely to suffer download
interruption and will offer less time for you to recognize what's
going on and intervene before an intruder's presence in your system is
a fait accompli. Examples vary widely in sophistication and
intent. There are cases where a home or office computer is essentially
hijacked or 'zombied' in order to participate with many other such
hijacked machines in denial of service attacks on commercial sites –
and all without the user’s knowledge. Other serious and
well-documented cases range from identity theft involving the use of
passwords, credit card and bank account numbers ‘harvested’ from
unsuspecting individuals’ computers to co-opting a target machine in
order to make it serve offensive ‘spam’ ads to thousands of others.
Always-on - Always vulnerable?
But more than the
high speed, it's the ‘always-on’ aspect of cable, DSL and StarBand
that poses the biggest threat to your system’s security. In the case
of a dialup connection, your modem dials your ISP, you do your surfing
or emailing or chatting, then disconnect when you're finished. With
broadband, you stay connected, giving criminals and pranksters
ample opportunity to sneak in even when you aren't actively using the
'Net. Some people turn their computers off when they aren't using
them, but many don't. If your computer is sitting there, unprotected
and connected to the Internet day and night, it's the equivalent of an
open hen house surrounded by foxes.
Other high speed,
always-on connections such as dedicated leased lines (T-carrier) have
the same vulnerabilities, in theory. But in practice, those with T-1
lines are much more likely to have sophisticated firewalls and other
protection to shield them. The comparatively high cost of a T-1 line
means that most T-1 users are good-sized businesses, and those who do
have T-1s to their homes are usually IT professionals. These people
typically have a great deal to lose if their systems are compromised.
In either case, both types of user are more likely to implement high
grade firewalls and follow best practice security procedures. By
contrast, many residential and SOHO broadband users are plugged
"straight in" without even so much as a software firewall between
their computers and the outside world. This makes it easy for
intruders to do their dirty deeds. Some broadband service providers
offer DSL modem / router combinations that purport to offer firewall
protection. However, firewall implementation in these devices is
typically minimal, offering not much more than the digital equivalent
of a speed bump to enterprising hackers.
The good news is...
The point of all of this is not that broadband is "bad" – it isn’t. The simple fact
of the matter is that if
you do use a broadband connection then you need to be aware of the
risk posed by its high speed and always-on nature, and then take steps to
protect yourself.
For most SOHO (that is, small office/home office) users,
implementing a good firewall and installing industrial-strength
anti-virus / anti-spyware programs is the better part of the battle. Small to moderate
sized business owners, however, face other considerations and more
serious requirements - see the
products and services area of this website for
further information.
Finally, never
assume that just because you’re running a small business or home
network that you’re not a target. The size of your installation
doesn’t mean much to ill-intentioned opportunists. Remember:
They want what you've got.
Credit card numbers, bank account numbers, Social Security numbers, passwords, you name it.
It doesn't matter.
They want what you've got.
Business Data Security Audit
As we have seen, any business
has much to gain from the use of a broadband Internet
connection. Aside from the benefits of convenient and rapid access to
information, most commercial transactions can be conducted over the
Internet and at far greater speeds. For example, credit card validation
can be faster and less costly than conventional dial-up methods.
Another case revolves around more efficient inventory management as a
function of the integration of a business’ point-of-sale system with
suppliers’ purchasing systems. Knowledge of customer purchase data can
be used to drive advertising and promotions tailored to known customer
preferences. Employee use of, and access to, business systems raises still
other security and safety concerns. All of this raises the
security stakes for the business owner.
Business
data security consists of far more than the implementation of a decent
firewall. Good security is a combination of the right software running
on the right hardware and a set of policies and procedures designed to
maintain that security. Good security also incorporates plans to
respond to incidents of all types.
One size does NOT fit all
No two
businesses are alike; two bakeries, for example, can vary widely in
terms of their business practices and customer base even though both
may be selling muffins, donuts and espresso. A thorough security audit
is the first step towards identifying and understanding the business’
risks, vulnerabilities and requirements. With this knowledge, it is then
possible to move forward with an action plan.
StarLAN Consulting Services
has the expertise and experience necessary to evaluate your business
and deliver a clear and concise plan for a more secure business. The
first step typically consists of a security audit.
Security Audit: An Overview
The word
"audit" can send shivers down the spine of the most battle-hardened
business owner. It means that an outside organization is going to
conduct a formal written examination of one or more crucial components
of the business. Financial audits are the most common examinations a
business owner / manager encounters. This is a familiar area for most
business owners: they know that financial auditors are going to
examine the financial records and how those records are used. They may
even be familiar with physical security audits. However, they are
unlikely to be acquainted with information security audits;
that is, an audit that assesses the confidentiality, availability
and integrity of an organization's information assets.
An
information security audit is one of the best ways to determine the
security of your business's information without incurring the cost and
other associated damages of a security incident. Given the potentially
high cost of an incident, the time to conduct such an audit and to act
on its findings is before the incident happens – not after.
What is a Security Audit?
You may
see the phrase "penetration test" used interchangeably with the phrase
"computer security audit". They are not the same thing. A penetration
test (also known as a pen-test) is a very narrowly focused attempt to
look for security holes in a critical resource, such as a firewall or
Web server. Penetration testers may only be looking at one service on
a network resource. They usually operate from outside the firewall
with minimal inside information in order to more realistically
simulate the means by which a hacker would attack the site.
On the
other hand, a computer security audit is a systematic, measurable
technical assessment of how the organization's security policy is
employed at a specific site. Computer security auditors work with the
full knowledge of the organization, at times with considerable inside
information, in order to understand the resources to be audited.
Security
audits do not take place in a vacuum. They are part of the on-going
process of defining and maintaining effective security policies.
This is not just a conference room activity. It involves everyone
who uses any computer resources throughout the organization.
Given the dynamic nature of computer configurations and information
storage, some business owners may wonder if there is truly any way to
check the security ledgers, so to speak. Security audits provide such
a tool - a fair and measurable way to examine how secure a site
really is.
Computer
security auditors perform their work through a variety of means -
personal interviews, vulnerability scans, examination of operating
system settings, analyses of network shares and historical data. They
are concerned primarily with how security policies - the foundation of
any effective organizational security strategy - are actually used.
Here are just a few of the key questions that a security audit should
attempt to answer:
- Are passwords difficult to crack?
Are they changed on a schedule?
- Are there access control lists (ACLs)
in place on network devices to control who has access to shared
data?
- Are there audit logs to record who
accesses what data?
- Are the audit logs reviewed?
- Are the security settings for
operating systems in accordance with accepted industry security
practices?
- Have all unnecessary applications
and computer services been eliminated for each system?
- Are these operating systems and
commercial applications patched to current levels? Are there
policies and procedures in place to manage that?
- How and where is backup media
stored? Who has access to it? Is it up-to-date?
- Is there a disaster recovery plan?
Have the appropriate responsibilities been defined and delegated?
Has anyone ever rehearsed the disaster recovery plan?
- If cryptographic tools are in place
to govern data encryption, have these tools been properly
configured? Who is responsible for their use? Who holds and
maintains the keys?
- Have custom-built applications been
written with security in mind?
- Have these custom applications been
tested for security flaws?
- How are configuration and code
changes documented? How are these records reviewed and who conducts
the review?
These
are examples of the kind of questions that can and should be assessed
in a security audit. In answering these questions honestly and
rigorously, a business can realistically assess the security of its
vital information. Remember that the goal of a security audit is
twofold - identify existing and potential weaknesses, and craft
policies and procedures necessary to deal with them.