Strategies for disaster avoidance


1 April 2005

It seems that every couple of months the media is awash with reports of a new virus, or the technical journals are warning of new vulnerabilities in applications and operating systems. With so much happening in the area of information systems security (ISS), one might be forgiven for thinking that security is a losing battle punctuated by endless patches and updates. This is not necessarily the case, but security is a relative term, and measures that are appropriate for one business may not suit another. Security requires an examination of each situation before appropriate actions can be determined, and even then measures like firewalls and anti-virus software are only part of the answer.

Business benefits of a secure information system:

  • A good overall security strategy will reduce downtime and keep your business infrastructure functioning and making money.
  • Reduced and managed threats from information fraud or theft.
  • Short recovery time in the case of attack or disaster.
  • Cost effectiveness: With steps taken tailored to protecting your core services from the most frequent attacks, money is spent only where necessary.

The right approach

Mike Small, divisional vice president of security with Computer Associates, advocates a holistic approach. While each company must look at their own situation to identify what is critical for them, everyone who approaches information systems security must consider wider issues than connectivity, firewalls and virus attacks.

“Technology is only part of the answer,” says Small, highlighting an important issue. If your business is well secured against external attack by hackers and viruses, what happens if an employee on the inside simply walks out with your sensitive information? Firewalls and intrusion detection systems should be a part of a wider strategy that takes into account both internal and external threats and plans for a response that allows you to carry on with your critical services. “What has to be secured is the process,” says Small, emphasising that security is an attitude as much as a technology.

Proper standards

A good place to start for an overall view of what is required in information systems security is British Standard 7799. Under a range of headings, BS7799 describes the physical, technological and procedural aspects of a coherent security strategy. The standard begins by emphasising the need for a company security policy that applies to all information. It goes on to detail the correct approach to physical access, personnel security, access controls, network management, business continuity and auditing. Not every aspect will apply to every situation, but it is a good outline from which to construct a strategy for your business.

Irrespective of which source of security information you go to, the first step is always the same: examine your own business to see which critical services you must be able to fulfil to keep it going. This may require examination of issues such as invoicing, order receipt and despatch, and communications. The simple fact is that if your security strategy does not allow you to perform the basic services of your business while under attack from, say, a virus, then it has failed in its primary function. Once you have identified your business's critical services, plan your procedures around those services, tailoring the technologies you employ to your needs and your budget.

Risk assessment

An essential part of this strategy is assessing risk and reducing it to manageable levels. Mike Small indicates that there are three common reasons behind security compromise:

  1. Mistake
  2. Misuse
  3. Malice

Mike Small quotes a Computer Associates study indicating that undocumented changes and badly performed updates of servers are among the most common reasons for failure. Once again, a strong procedural guideline would prevent almost all of these problems. With a documented procedure for logging all changes or updates to servers, and with only personnel trained to do so carrying them out, these problems can be kept to a minimum, but the best protection against mistakes lies in a good backup regime. Digital Audio Tapes (DATs), or the higher capacity Digital Linear Tapes (DLTs), offer huge storage capability, with tens of gigabytes stored on one tape. Regular backups of critical data, with offsite storage of the media, mean that your servers, desktops or databases can be restored to a good configuration in minutes or hours. That only holds if the backups are known to be restorable, so restores should be rehearsed as a matter of routine rather than attempted for the first time during a disaster.

Misuse most often manifests itself in the form of employees browsing the Internet inappropriately during work hours or using e-mail for personal communication. It is important to point out that these may not always be classed as misuse: certain companies allow their employees unfettered Internet and e-mail access. If you wish to curb these activities, policies backed up by technology are the answer. Make employees aware of the Internet and e-mail usage policies for their respective roles within your company.

Usage can then be monitored using various software packages to either block Web content of a certain type or monitor e-mail for inappropriate content. Bruce Hopkin, information security services manager with KPMG, recommends that companies maintain policies appropriate to their own needs. If your company's reputation would suffer from reports of potentially offensive material being seen in the office environment, then steps need to be taken.

Malicious attacks

Where malice is the reason behind a compromise, it falls into two categories: the casual and the determined. The casual attacker is simply looking for a vulnerability to exploit. This is most often the case with external attackers who scan the Internet for networks or machines that are vulnerable, just to see if they can get through. The determined attacker has singled out your business for some reason, but the response should be the same.

If your security strategy is up to the task, the casual attacker should be deterred by good defences that expose no common vulnerabilities. The determined attacker should be frustrated to the point where they realise that this will not be an easy target and move on or give up. Unfortunately, malice can also be the reason behind internal attacks. With procedures in place to limit access to sensitive and valuable data, combined with technological safeguards, malicious attack from the inside can be kept to a minimum.

Frequency

The word attack, though, most often raises the spectre of a hacker in some far-off room with malicious intent, and while this is a risk, it may not be the greatest danger. Fran McGowran of the information security team with Enterprise Risk Services in Deloitte & Touche lists the common dangers in order of frequency as:

  1. Virus Attack
  2. Accidental Damage
  3. Malicious Internal Attack
  4. Malicious External Attack

Viruses

For small businesses in particular, a virus attack can be costly and time consuming, and while the virus itself may often only eat up bandwidth or tie up processor time, the cumulative effect can be very damaging. Bruce Hopkin highlights that an inappropriate response can often be as damaging as the virus. In the case of the Code Red worm, for example, Hopkin says that even though files were not overwritten, the constant bombardment from infected servers could crash uninfected servers through denial of service. Transactions could be lost and time wasted as reboots took place, so a cumulative effect can build up to make a badly managed system or network more susceptible, beyond the direct effects of a virus payload.

Innovation within the world of viruses does occur, but most are variations on a theme and common tools are very effective at keeping them at bay. Anti-virus software generally comes in two forms: the centrally deployed type that runs from a server, and the desktop type that runs on a single machine. Where a business consists of three or four machines, the desktop type is sufficient, each machine looking after itself. Where there are many desktop and notebook PCs and file or Web servers, it may be necessary to look at a centrally deployed package that can be configured to scan other machines remotely. This type can also be configured to download updates automatically from the Web.

The best anti-virus software in the world becomes useless if it is not updated. As new threats emerge, your software must be able to meet them. Most packages, from the budget end right up to enterprise level, offer either a free update system or a year's free subscription to an update service. Regular scans of machines, combined with regular updates to virus definition files, provide a high level of resistance to viral attack.

Anti-virus software is available to suit all budgets. Packages such as Norton AntiVirus, McAfee and PC-cillin all provide excellent protection for the small business or home office and are suitable for desktop or workstation protection. For network protection, packages such as Trend Micro's OfficeScan or Sophos offer both gateway and PC protection with auto-update facilities.

Accidents

Protection against accidental damage centres on a good backup regime; however, procedural protection is also important. An example concerns sensitive and valuable information. Questions should be asked, for example, about who needs access to what in order to do their job. Not all employees are going to need access to your customer list or financial details. In this case, steps should be taken to allow only those who require this information to access it, which immediately reduces its availability to those who might abuse it. This is known as a "default deny" policy: nothing is permitted unless it has been explicitly granted. It also provides a level of protection against the internal attacker. Even if an employee attempts malicious activities, limiting access to vital data and files limits the extent of such attacks.

External threats

External attacks are best combated with a firewall. A firewall provides a first line of defence between a potentially hostile network, like the Internet at large, and your business network. It allows traffic from the outside world to be filtered, often in conjunction with an intrusion detection system, to prevent unwanted or hostile communication. It can be an application deployed on a computer or a purpose-built machine.

A firewall generally allows zones to be created within a network, each with different rules applied. A typical example would be a company with an always-on Internet connection such as a leased line or a DSL connection such as Eircom i-stream. The firewall is the first device hit by external traffic. Governed by programmed rules, it decides whether each packet matches a rule that permits it, and forwards or bars it accordingly. Rules are normally evaluated in order, so the rule set should end with a rule that denies anything not explicitly permitted; otherwise unanticipated traffic is let through by default.

The firewall also uses a set of rules to determine what traffic can pass between the zones behind it. A zone that sits between the Internet and the internal network, reachable from outside only on the ports its servers actually need, is known as a demilitarised zone (DMZ). By creating zones, areas with varying levels of security can exist behind a single firewall. A typical application is placing a Web server in the more open DMZ while the internal workstations and desktops stay in a zone the outside world cannot reach at all, with the DMZ itself prevented from initiating connections inward so that a compromised Web server cannot be used as a stepping stone into the business network.
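The zone model above, and the "default deny" principle from the Accidents section, are easy to describe and easy to get subtly wrong in a real rule set. The following is an added example, not code from the article or from any firewall vendor: a small Python model of first-match, default-deny evaluation across three zones, plus a check for rules that can never match because an earlier rule already covers them. The zone layout, the addresses (RFC 5737 documentation ranges) and the rule list are constructed for the example.

```python
"""Zone-based, first-match, default-deny firewall policy (added illustration).

Not the article's or any product's code.  Three hypothetical zones: "outside"
(the Internet), "dmz" (public servers) and "inside" (staff LAN).  Addresses are
from the RFC 5737 documentation ranges and were made up for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Anything not inside a listed network is treated as "outside".
ZONES = {
    "dmz": ip_network("203.0.113.0/24"),
    "inside": ip_network("192.168.1.0/24"),
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "any" matches every zone
    dst_zone: str
    dst_port: Optional[int]  # None matches every port
    action: str              # "accept" or "drop"
    note: str = ""

    def covers(self, src_zone: str, dst_zone: str, dst_port: Optional[int]) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.dst_port in (None, dst_port))


# Order matters: the first matching rule wins.  The final any/any drop is the
# default-deny rule that catches everything not explicitly permitted above it.
POLICY: List[Rule] = [
    Rule("outside", "dmz", 80, "accept", "public web server"),
    Rule("outside", "dmz", 443, "accept", "public web server (TLS)"),
    Rule("inside", "dmz", None, "accept", "staff administer the DMZ"),
    Rule("inside", "outside", None, "accept", "staff reach the Internet"),
    Rule("dmz", "inside", None, "drop", "a compromised DMZ host must not reach the LAN"),
    Rule("any", "any", None, "drop", "default deny"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int,
             policy: List[Rule] = POLICY) -> Tuple[str, int]:
    """Return (action, index of the rule that decided it)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for i, rule in enumerate(policy):
        if rule.covers(src_zone, dst_zone, dst_port):
            return rule.action, i
    # Only reachable if a policy lacks a final catch-all: fail closed, not open.
    return "drop", -1


def shadowed_rules(policy: List[Rule] = POLICY) -> List[int]:
    """Indices of rules that can never fire because an earlier rule is at least
    as broad.  A shadowed rule usually means an edit did not do what was meant."""
    shadowed = []
    for i, later in enumerate(policy):
        if any(earlier.covers(later.src_zone, later.dst_zone, later.dst_port)
               for earlier in policy[:i]):
            shadowed.append(i)
    return shadowed


if __name__ == "__main__":
    for pkt in [("198.51.100.7", "203.0.113.10", 80),     # Internet -> web server
                ("198.51.100.7", "192.168.1.20", 3389),   # Internet -> staff PC
                ("203.0.113.10", "192.168.1.5", 445),     # DMZ -> LAN
                ("192.168.1.5", "203.0.113.10", 22)]:     # staff -> DMZ admin
        action, idx = evaluate(*pkt)
        print(pkt, "->", action, "(rule %d: %s)" % (idx, POLICY[idx].note))
    print("shadowed rules:", shadowed_rules())
```

Note the explicit `dmz -> inside` drop sits before the catch-all: it is redundant under default deny, but keeping it visible means a later "allow inside <-> dmz" edit cannot silently open the DMZ into the LAN without the shadowing check flagging the conflict.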

For the small to medium-sized business, a software firewall is often sufficient. Free versions are bundled with most major distributions of the Linux operating system, such as Red Hat or SUSE Linux. Commercial packages are also available at a reasonable price, from personal firewalls such as BlackICE or ZoneAlarm to Norton's small or home office package, Internet Security. All of these packages offer a range of services to monitor and protect against external threats. For larger applications, firewall appliances, sometimes called bricks, are available. Such devices provide similar but expanded capabilities, but in the past were expensive.

Colman Morrissey of security products distributor Espion advocates a new-to-market product from Fortinet. From under EUR1,000, a Fortinet appliance firewall can provide the kind of protection previously seen only in much more expensive solutions. Offering anti-virus, firewall, Web filtering, intrusion detection and traffic management in one unit, the Fortinet range has various models offering up to 3Gbit/s of throughput. Another offering, from SonicWall, is aimed at the remote tele-worker. Offering VPN and firewall services, the Tele3 TZ allows easy access for remote users into secure corporate networks. The Tele3 SP is then an instant firewall for those on the move. Aimed at people who need to log into their network remotely from hotel rooms or conference centres, it can connect through broadband or dial-up with all of the security of a traditional firewall.

Recovery

Even with the most stringent security possible, your critical services may be compromised. This may not always be through an attack; it may be through natural forces such as flood or fire. This is the time to bring your Business Continuity Plan into action. A continuity plan should be drawn up to take into account situations where, for whatever reason, there are varying levels of failure in the tools normally employed to fulfil critical services.

For example, if connectivity to the Internet were lost, could customers still be contacted? If servers or PCs were down, are paper copies of invoices or order forms available for use by fax or post? If your premises became unusable for whatever reason, could your business relocate for the period? Were disaster to strike, are backups of critical data kept offsite, ready to be deployed on replacement machines to restore your critical services in temporary premises? All of these contingencies are part of a continuity plan that allows you to react swiftly and efficiently in the face of an inconvenience or outright disaster.

Audit

The final word on security strategies must be "Audit". Security measures must grow with your business, and constant auditing to ensure that the measures not only meet the threats but also meet your business requirements is the only way to ensure that your strategy remains effective. Too many companies, both large and small, spend money on a solution or strategy only to leave it unchecked and unchanged. Auditing must be initiated and continued for as long as you do business.

The world of information security need not be a minefield fraught with unknowns. Planning, examination of your needs and the right tools for the job can ensure that even in the face of attack or disaster, your business can keep going. The key, though, is to look at all aspects of the problem. The holistic approach should mean that you are as protected from within as from without, ensuring continuity of your critical services.

 

Security in action — Case in point:

Michael Associates

Michael Associates is a successful communications company specialising in PR and training. Managing director Michelle Thomas said that anti-virus protection was a vital concern. With so much information being sent via e-mail and the Web to television, magazines and news agencies, the threat of a viral infection was great. An early brush with a virus, though dealt with efficiently, led Michelle to look at the overall situation.

With offices in Dublin and Donegal, three networked PCs in each and two laptops that regularly move between them, Michael Associates employs DSL "always on" Internet connectivity from Eircom in the form of i-stream. As various tools were required to secure both offices, Michael Associates opted for Norton's Internet Security package. Comprising anti-virus, firewall, intrusion detection and content filtering tools, the package provides a high level of protection for small businesses. Personal firewalls and desktop anti-virus are combined to allow full Internet and e-mail access for employees.

In conjunction with these tools, procedures were adopted such as password management, which requires passwords to be changed every week with a recommended combination of six mixed alphanumeric characters. Six characters is short by current standards; length does more to resist guessing than frequent forced changes, which tend to push users towards predictable variations. Backups are taken on a DAT drive, with tapes rotated and kept offsite.

In the case of complete disaster, Michael Associates has an agreement with its supplier, Mainline Solutions, to provide replacement machines on which to deploy its backups, ensuring that downtime can be reduced to a minimum and critical services kept running.

Mercury Worldwide Express

Mercury Worldwide Express is a Dublin based courier company. Though technically a small company, the nature of its work requires enterprise level security. Guru Brasad, chief technical officer, said that from the company’s inception, security was of paramount importance, with no room for a reactive approach for the thirteen desktops and two servers.

“We use all channels of communication, from radio to the web, and require a very high level of security”, said Guru. Though currently employing ISDN for Internet and data connectivity at its main office, it is ready for DSL when it is rolled out to its location. Mercury uses a Windows-based network with a redundant server system. The main servers are hardened by disabling all non-essential services and are protected by a software firewall.

Internally, strict controls are employed to protect against attacks and inadvertent damage. All floppy disk drives are disabled and an anti-virus package is run centrally from a server that updates itself automatically. Internal users must change their password every fifteen days under strict requirements. No password can be reused that has been used in the last six changes, and the password must be made up of at least eight characters, including two digits and two special characters.
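The password rules above are concrete enough to implement, and the reuse check is the part that is usually done badly (by keeping old passwords in clear, or by comparing hashes that share a salt). The following is an added example, not Mercury's or any product's code: a Python policy checker that enforces the stated rules and keeps only salted, stretched hashes of the last six passwords. The iteration count and the choice of PBKDF2 are assumptions for the example; the history depth, length and character-class minimums are the figures from the text.

```python
"""Password policy with a six-password reuse history (added illustration).

Not Mercury's code.  Enforces the rules described in the text: at least eight
characters, at least two digits, at least two special characters, and no
reuse of any of the last six passwords.  Old passwords are held only as
per-entry salted PBKDF2 hashes, so the history is not a plaintext store.
"""
import hashlib
import hmac
import os
import string
from typing import List, Tuple

MIN_LENGTH = 8
MIN_DIGITS = 2
MIN_SPECIALS = 2
HISTORY_DEPTH = 6          # "the last six changes"
PBKDF2_ROUNDS = 20_000     # assumption for the example; use far more in production
SPECIALS = set(string.punctuation)


def complexity_violations(password: str) -> List[str]:
    """Return the rules the candidate breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append("fewer than %d digits" % MIN_DIGITS)
    if sum(c in SPECIALS for c in password) < MIN_SPECIALS:
        problems.append("fewer than %d special characters" % MIN_SPECIALS)
    return problems


def _stretch(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user record of the last HISTORY_DEPTH passwords as (salt, hash) pairs."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []   # newest first

    def was_used_recently(self, candidate: str) -> bool:
        # Every entry has its own salt, so each comparison is a fresh stretch;
        # compare_digest keeps the byte comparison itself constant-time.
        return any(hmac.compare_digest(_stretch(candidate, salt), digest)
                   for salt, digest in self._entries)

    def violations(self, candidate: str) -> List[str]:
        problems = complexity_violations(candidate)
        if self.was_used_recently(candidate):
            problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
        return problems

    def change(self, new_password: str) -> None:
        problems = self.violations(new_password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self._entries.insert(0, (salt, _stretch(new_password, salt)))
        del self._entries[HISTORY_DEPTH:]   # forget anything older than six changes


if __name__ == "__main__":
    history = PasswordHistory()
    history.change("Courier#42!van")
    print(history.violations("Courier#42!van"))   # reuse is rejected
    print(history.violations("secret99"))          # no special characters
```

The checker reports every broken rule at once rather than stopping at the first, which is what a help desk wants when a user rings to ask why a change was refused; and because the rules are data at the top of the file, the policy can be tightened (longer minimum, deeper history) without touching the comparison logic.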

Intrusion detection software is used too, with regular reviews of the logs to determine the effectiveness of the firewall programming. Regular audits review and refine the company's procedures. A redundant server mirrors the primary server and runs the backups of the main server. A UNIX-based Web server is waiting for a DSL connection to become available so that it can host the company's own Website.
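Reviewing firewall and intrusion detection logs "to determine the effectiveness of the firewall programming" means asking two questions of the log: who is probing, and did anything get through that the policy says should not? The following is an added example, not the article's or any product's code: a Python script that parses a handful of constructed log lines (written in the style of the Linux iptables LOG target, with hypothetical FW-DROP/FW-ACCEPT prefixes), flags sources whose dropped traffic touched many distinct ports, the signature of the casual scanner described earlier, and lists accepted inbound connections that the assumed allowed-service table does not account for.

```python
"""Firewall log review: who is probing, and what got through? (added illustration)

Not the article's or any product's code.  SAMPLE_LOG is constructed for the
example in the style of the Linux iptables LOG target with a hypothetical
"FW-DROP"/"FW-ACCEPT" prefix.  ALLOWED_INBOUND is an assumption standing in
for the firewall's intended policy.  Addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_LOG = """\
Mar  6 02:14:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4021 DPT=445
Mar  6 02:14:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4022 DPT=139
Mar  6 02:14:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4023 DPT=1433
Mar  6 02:14:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4024 DPT=3389
Mar  6 02:14:07 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4025 DPT=22
Mar  6 02:15:11 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51200 DPT=80
Mar  6 02:16:40 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=192.0.2.91 DST=203.0.113.10 PROTO=TCP SPT=51311 DPT=3389
Mar  6 02:17:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.91 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=161
"""

# What the policy is supposed to let in from outside, per destination host.
ALLOWED_INBOUND: Dict[str, Set[int]] = {"203.0.113.10": {80, 443}}

SCAN_THRESHOLD = 4   # distinct dropped ports from one source before it is called a scan

LINE_RE = re.compile(
    r"kernel: (?P<verdict>FW-DROP|FW-ACCEPT): .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"(?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)


def parse(log: str) -> List[dict]:
    """One dict per firewall log line; unrelated kernel messages are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"verdict": m["verdict"], "src": m["src"], "dst": m["dst"],
                           "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def probable_scanners(events: List[dict]) -> Dict[str, Set[int]]:
    """Sources whose dropped traffic touched SCAN_THRESHOLD or more distinct ports."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        if e["verdict"] == "FW-DROP":
            ports[e["src"]].add(e["dpt"])
    return {src: ps for src, ps in ports.items() if len(ps) >= SCAN_THRESHOLD}


def unexpected_accepts(events: List[dict]) -> List[dict]:
    """Accepted inbound connections the policy table does not account for.

    Anything listed here means either the rule set has drifted from the
    intended policy or the policy table is out of date; both need a person."""
    return [e for e in events
            if e["verdict"] == "FW-ACCEPT"
            and e["dpt"] not in ALLOWED_INBOUND.get(e["dst"], set())]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, ports in probable_scanners(ev).items():
        print("scanner:", src, "probed ports", sorted(ports))
    for e in unexpected_accepts(ev):
        print("REVIEW: accepted", e["src"], "->", e["dst"], "port", e["dpt"])
```

The scanner report is the noise the firewall is already handling; the second list is the one that matters for the review, because an accepted connection to a port the policy never meant to open is exactly the case where the firewall programming has stopped matching the intention behind it.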

With a comprehensive approach, Guru says that the Web server should be easily integrated into the current security regime with minimal risk, allowing Mercury to take more of its IT needs in house.

 

Security strategy essentials

1. Updates

Most operating systems, applications and anti-virus packages require updating. This is often free, and companies invest a lot of money to make it user friendly. Keep everything up to date, make sure these updates are done regularly, and record every update.

2. Planning

Develop a coherent plan that meets the needs of your business. Create a business continuity plan for various disaster scenarios from virus attack to flood and fire. If necessary, prepare temporary, alternate premises and ensure that you have something that you can deploy your back ups on.

3. Audits

Regularly review and audit your security strategy. What works now, may not work so well in one, two or five years. Regular audits will see if your measures are working and where improvement is required.

4. Back up

Back up your data. Regular backups mean that in the event of disaster you have a valid copy of all data from which to either restore or start again.

5. Simple rules

Ensure that passwords are managed and maintained. Do not allow floppy disks from outside to enter the network. Do not allow machines to be removed from the premises for repair except when being carried out by a reputable supplier.

 

Security toolkit for your small business

1. Anti-virus protection

Update frequently on all desktops or in conjunction with a centrally deployed package.

2. Firewall

Protect against external attacks and regulate internal traffic.

3. Intrusion detection

Regularly check logs of intrusion detection software to assess if attacks that reach your firewall are getting through.

4. Back up

Back up regularly to allow you to restore to a good configuration. Ideally, backups should be stored offsite.

5. Printed procedures

In the case of disaster, have a printed copy of all procedures to allow you to properly execute them in the case of disabled computers.

06/03/2003


TechCentral.ie