Computer Security Today
When thinking about computer security today, I remember the story of the two guys in the woods who were being chased by a bear. The first guy said to the other "You know, we can't outrun this bear" and the second guy replied "I'm not trying to outrun the bear, I'm trying to outrun you".
Considering the current state of computer security in many organizations, this story applies very well. Usually the most vulnerable target is the one exploited by those who steal through the internet, whether a spammer, someone after bank account information, or someone after your social security number so they can impersonate you. There are plenty of vulnerable targets to be had. This is a sad state of security for the world to find itself in. If you don't believe it, think about the following questions:
- Applications - How secure are the applications that are public facing in many organizations?
  - How many projects have computer security controls and issues included from the start?
  - How many programmers are trained in how to spot computer security flaws in code?
  - How many applications are reviewed by someone other than the primary programmer for coding errors?
  - How many applications are tested against the most basic attacks, such as SQL injection and e-mail injection attacks?
- Trusted zone - How many organizations trust their trusted zone? Is their trusted zone trustworthy? Consider the following:
  - How many organizations do not block dangerous email attachments?
  - How many organizations allow computer users to have administrative access?
  - How many organizations train their computer users about basic computer security threats, such as the ways viruses may trick users into running them, the ways users can be directed to hostile web sites, and many other threats?
  - How many organizations check to be sure their users' browsers are configured securely? Both Microsoft's Internet Explorer and Mozilla's Firefox browser are configured to allow code to be installed on the user's computer without the knowledge of the user.
  - How many security incidents have occurred on client computers in the trusted zone in the last year?
  - How many organizations have a set policy and procedure for preventing malware from reaching the trusted zone through laptops, other portable network devices, or memory storage devices?
  - How well are client computers kept updated with the latest security patches? Even as I write this article, a new vulnerability, with hostile software that exploits it, is spreading through the internet. Microsoft has not yet released a patch and does not expect to do so for about a week. They are telling people to be sure their anti-virus programs are updated, but will all anti-virus programs catch new viruses? Therefore it is not even possible to keep computers updated well enough.
  - How well are anti-virus programs kept updated at many organizations?
- Server maintenance - How good is server maintenance in many organizations? I believe many organizations perform better here, but many have a long way to go. Ask:
  - How many servers are updated regularly?
  - How well trained are the administrators in secure administration of the servers? Are web server administrators properly trained in locking down Internet Information Server (IIS)?
  - Are there periodic security checks of all servers for security problems such as misconfigurations or missing patches?
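The two "most basic attacks" named in the application questions above, SQL injection and e-mail injection, are easy to test for once you know what the flaw looks like. The following is an added example, not code from the original article: a lookup routine that pastes user input into a SQL statement beside the parameterised form that does not, and a contact-form header check that refuses a line break in a header field. The user table, the service names and every input are constructed for this example.

```python
"""Added example, not code from the original article: the two "most basic
attacks" named above (SQL injection and e-mail injection) shown as a
vulnerable routine beside its fixed form. The user table and all inputs
are constructed for this example."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user store standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "staff"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The input is pasted into the statement, so it can rewrite the WHERE clause."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value travels separately from the SQL text and
    is never interpreted as SQL, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


# E-mail injection: a contact form that copies user input into mail headers.
# A CR or LF inside a header field lets the sender append headers of their own.
HEADER_BREAK = re.compile(r"[\r\n]")


def has_header_injection(value: str) -> bool:
    """True if the value would terminate the header line it is placed in."""
    return HEADER_BREAK.search(value) is not None


def build_contact_message(reply_to: str, subject: str, body: str) -> str:
    """Assemble a minimal message, refusing any header field that contains a
    line break. The body may contain line breaks; only header fields are checked."""
    for label, value in (("Reply-To", reply_to), ("Subject", subject)):
        if has_header_injection(value):
            raise ValueError(f"line break in {label} field rejected")
    return f"Reply-To: {reply_to}\r\nSubject: {subject}\r\n\r\n{body}"


def demo() -> dict:
    """Run both checks on constructed inputs and return the observations."""
    conn = make_db()
    probe = "x' OR '1'='1"  # the classic test string from any basic review list
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),  # 2: clause rewritten
        "safe_rows": len(lookup_safe(conn, probe)),              # 0: no such user
        "header_flagged": has_header_injection("a@example.com\r\nBcc: b@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the contrast: the same probe string returns every row from the concatenated query and nothing from the parameterised one, which is exactly the difference a reviewer is looking for when checking an application against these basic attacks.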
I believe the trusted zone should not be so trusted. Wouldn't it make some sense to protect the servers that store the bulk of the organization's data from all these security incidents and vulnerabilities that client computers are known to have? What will happen when attackers modify viruses and other malware to attack servers from client computers?
It also appears that computer security problems and cyber crime will only continue to get worse in the near future. The article "2005 worst year for breaches of computer security" mentions that cybercrime proceeds were $105 billion in the year 2004, but the "Department of Homeland Security's research budget for cybersecurity programs was cut 7%, to $16 million, for 2005."
Now add to the equation that more and more computer sharing is in demand, such as applications that send RPC calls across the internet using XML SOAP (much of this demand is from the same organization that cut its research budget for cybersecurity). Also, more and more wireless is in use, and it has never had a consistently reasonable level of security.
Solutions and Conclusions
The obvious solution is not to be the most vulnerable target so you are not the one caught by the bear. Obviously the bear will choose the easiest target. But I recommend the following minimums:
- Management must empower their Information Technology department with the authority to implement whatever changes are required to secure organizational resources. Without that level of commitment, many of the other security measures will not be taken and your organizational network will never be relatively secure. These decisions must be in the hands of the technical staff with the technical knowledge in order to have any reasonable level of security.
- Review and test all applications for security flaws if this has not already been done - I expect applications to be attacked heavily in the next several years.
- Continue to keep all systems updated regularly with security patches and anti-virus updates.
- Training (very important) - Train your users and application programmers. Many organizations skimp on training.
- Block all dangerous email attachments, and inform and train your users. Blocking the dangerous attachments will not only make your network more secure but lower your help desk costs, since fewer viruses will get through. Don't take no for an answer on this issue; the risk is too great.
- Review your network infrastructure and whether it protects your data well, considering the places where you have historically had security incidents in your organization. Make changes where it makes sense.
- Determine the sensitivity of your data, and consider how much damage can be done by its disclosure, unauthorized modification, or loss. Always back up data regularly and have a disaster recovery plan.
- Carefully evaluate new technologies that allow additional sharing of information or that may bypass traditional security controls, such as XML SOAP. Be sure you have a layered security plan so that one failure won't cause a compromise. Don't count traditional firewalls and traditional technologies as a layer of security unless you can show that they actually apply well to the new technology. For example, some would like to consider a traditional firewall a layer of security when implementing XML SOAP, but I disagree with this philosophy. The traditional firewall may limit where the traffic can go, but it will not filter traffic at the application layer. Since any attacks through SOAP will be at the application layer, traditional firewall filtering at the network and transport layers does not apply as a layer of security. When SOAP is implemented in a network, a minimum standard must include both a good application firewall (an XML SOAP gateway/filter) and application code that is well written, has had code reviews, and is thoroughly tested for security flaws.
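The recommendation above to block all dangerous email attachments is simple to state but has a few edge cases a gateway must get right: the extension that matters is the last one, Windows ignores trailing dots and spaces in a filename, and executable content can arrive under a harmless-looking name. The following is an added example, not code from the original article, of a minimal attachment check that handles those cases. The extension list, the magic-byte table and the sample attachments are constructed for this example; a production gateway would also look inside archives.

```python
"""Added example, not code from the original article: a minimal mail-gateway
check of the kind the "block all dangerous email attachments" recommendation
calls for. The extension list and the sample attachments are constructed for
this example; a production gateway would also handle archives."""

# Extensions Windows runs directly when a user double-clicks the file.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "cpl", "lnk", "msi",
}

# Leading bytes that identify executable content whatever the filename says.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
}


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return ("block", reason) or ("allow", reason) for one attachment."""
    # Windows drops trailing dots and spaces, so "tool.exe ." is run as tool.exe.
    name = filename.lower().rstrip(". ")
    exts = [p for p in name.split(".")[1:] if p]  # "invoice.pdf.exe" -> ["pdf", "exe"]
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reason = f"executable extension .{exts[-1]}"
        if len(exts) > 1:
            reason += f" behind a misleading .{exts[-2]}"
        return "block", reason
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            shown = f".{exts[-1]}" if exts else "no extension"
            return "block", f"{kind} content presented as {shown}"
    return "allow", "no executable indicator"


def filter_message(attachments: list) -> list:
    """Names and reasons of the attachments a gateway should strip."""
    blocked = []
    for filename, data in attachments:
        verdict, reason = classify_attachment(filename, data)
        if verdict == "block":
            blocked.append((filename, reason))
    return blocked


# Constructed sample message: one clean document, three disguised executables.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),  # double extension
    ("photo.jpg", b"MZ\x90\x00\x03\x00"),        # executable bytes, image name
    ("update.exe .", b"MZ\x90\x00\x03\x00"),     # trailing junk Windows ignores
]

if __name__ == "__main__":
    for name, why in filter_message(SAMPLE_ATTACHMENTS):
        print(f"stripped {name}: {why}")
```

Checking the content as well as the name is what makes the filter worth having: a rename-only disguise such as `photo.jpg` still carries the executable header, and the gateway catches it before it reaches a user who has been told that images are safe.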
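The last recommendation argues that a network-layer firewall cannot filter SOAP, because the decisions that matter are about the XML inside an HTTP request that the firewall has already let through. The following is an added example, not code from the original article, of the kind of check an XML SOAP gateway performs at the application layer: it bounds the message size, refuses DOCTYPE declarations before parsing, confirms the SOAP envelope structure, and forwards only operations on an allow-list with simple, bounded parameters. The service namespace `urn:example:orders`, the operation names and both messages are constructed for this example; the two envelope namespaces are the real SOAP 1.1 and 1.2 ones.

```python
"""Added example, not code from the original article: an application-layer
check of the kind an XML SOAP gateway performs and a network/transport-layer
firewall cannot. The service namespace, operation names and messages are
constructed for this example."""
import xml.etree.ElementTree as ET

SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
}
MAX_MESSAGE_BYTES = 64 * 1024
MAX_PARAM_CHARS = 256

# Hypothetical service: only these (namespace, operation) pairs may reach the app.
ALLOWED_OPERATIONS = {
    ("urn:example:orders", "GetOrderStatus"),
    ("urn:example:orders", "ListOrders"),
}


def split_tag(tag: str) -> tuple:
    """'{ns}local' -> (ns, local); an unqualified tag gets an empty namespace."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def gate_soap(raw: bytes, allowed: set = frozenset(ALLOWED_OPERATIONS)) -> tuple:
    """Return (True, note) if the message may be forwarded, else (False, reason)."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message exceeds size limit"
    # Refuse DTDs outright: the parser would otherwise expand entity declarations.
    if b"<!doctype" in raw.lower():
        return False, "DOCTYPE declarations are not accepted"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    ns, local = split_tag(root.tag)
    if local != "Envelope" or ns not in SOAP_ENVELOPE_NS:
        return False, "root element is not a SOAP Envelope"
    bodies = [c for c in root if split_tag(c.tag) == (ns, "Body")]
    if len(bodies) != 1:
        return False, "Envelope must contain exactly one Body"
    operations = list(bodies[0])
    if len(operations) != 1:
        return False, "Body must contain exactly one operation"
    op = split_tag(operations[0].tag)
    if op not in allowed:
        return False, f"operation {op[1]} is not on the allow-list"
    for param in operations[0]:
        if len(param):  # nested elements: not a simple parameter
            return False, f"parameter {split_tag(param.tag)[1]} must be a simple value"
        if len(param.text or "") > MAX_PARAM_CHARS:
            return False, f"parameter {split_tag(param.tag)[1]} is too long"
    return True, f"{op[1]} accepted"


# Constructed messages: one legitimate request, one calling an unexposed operation.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <o:GetOrderStatus xmlns:o="urn:example:orders">
      <o:orderId>1042</o:orderId>
    </o:GetOrderStatus>
  </soap:Body>
</soap:Envelope>"""

UNLISTED_REQUEST = GOOD_REQUEST.replace(b"GetOrderStatus", b"PurgeOrders")

if __name__ == "__main__":
    for msg in (GOOD_REQUEST, UNLISTED_REQUEST):
        print(gate_soap(msg))
```

Every one of these decisions needs the parsed envelope, which is why they belong in a gateway and not in a packet filter; the gateway is the layer, and the well-reviewed application code behind it is the second layer the recommendation asks for.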
Even if you take these and other recommended security precautions, there is no guarantee of security. Your organization may be specifically targeted by another organization or person. However, you should improve your odds of not being caught by the bear if you have at least implemented these basics.
Author: Mark Allen