Current Trends

We hope that you have found this blog to be useful. New postings and updates can now be found on Altius IT's Information Security and Network Security Blog.

Thank you for visiting,
Jim

Are you Managing your E-mail Risks?

E-mail is critical to the success and operation of most organizations. Without e-mail, organizations are less efficient and can’t compete against larger, and more established firms.

Computer users are critical to the success of an organization’s security platform. E-mail threats such as spam, viruses, and phishing specifically target users and their end point devices. Hand held devices put data "on the move" and the same users that are critical to the success of an organization’s security framework now present security related risks.

E-mail systems require on-going IT management and monitoring. Not only must e-mail hardware and software be periodically upgraded, these same systems must be patched on a regular basis.

Security response
IT departments are responding to known security threats by implementing traditional security measures:

• Employee awareness - security education and training.
• Anti-malware - anti-virus, anti-spam, anti-spyware, and anti-pop up software.
• Patch management – keeping software and firmware patched and up-to-date.

However, organization management must be aware of other types of risks including risks related to transmitting information:

• Confidentiality - e-mail attachments can include confidential information such as customer lists and pricing that should not be sent to recipients outside of the organization.
• Clear text – sensitive information can inadvertently be sent in clear text.
• Traffic – e-mailing large documents creates bottlenecks and uses up valuable network bandwidth.
• Compliance – meeting regulatory requirements related to information as it is collected, stored, archived, and secured.

Risk Assessments
IT risk assessments can help organizations evaluate additional risks such as service level performance, support (technical and user), redundancy and availability, as well as fail over and contingency plans.

IT Risk Management

IT risk management includes all of the activities that an organization carries out to manage information technology related risks. IT risk management is a formalized process and includes:

1. Risk Assessment
2. Risk Analysis
3. Risk Treatment
4. Risk Mitigation
5. Risk Review and Evaluation

1. Risk Assessment (Identify Risks)
Risk Assessments identify possible sources of risk. They identify threats or events that could have a meaningful impact on the organization.

2. Risk Analysis (Impact)
Risk Analysis considers the probability and magnitude of each event. Risk evaluation compares the estimated risk with a set of risk criteria to determine the significance of the risk.

3. Risk Treatment (Risk Response Action Plan)
Risk Treatment identifies how each risk is to be addressed. Residual risk is the risk left over after implementing risk treatment steps that avoid the risk, transfer the risk, reduce the risk, or accept the risk.

4. Risk Mitigation (Risk Control)
Risk mitigation plans propose applicable and effective security controls that manage the risks. The plan should contain a schedule outling the tasks to be performed, individuals responsible for the actions, estimated dates, etc.

5. Risk Review and Evaluation (Risk Effectiveness)
Risk management plans change over time as the business evolves, as new threats emerge, as losses are incurred, and as management changes. Review the effectiveness of your approach and revise as necessary.

Risk assessments help organizations identify, manage, and reduce risks to acceptable levels.

Start with Policies

Executive management knows that they need security controls to protect the organization's sensitive information and intellectual property. Unfortunately, many businesses use an ad-hoc approach to securing information, installing firewalls, anti-virus software, and other controls without a top down planned approach to managing risks.

An Information Security Management Systems (ISMS) is a systematic approach to managing sensitive information so that it remains secure. An ISMS includes policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks.

ISMS security controls include administrative, management, technical, and legal approaches to managing risks. Policies, procedures, programs, techniques, technologies, guidelines, and organizational structures help organizations comply with industry standards and requirements by addressing information confidentiality, integrity, and availability.

Security policies are essential to an effective security system and express management’s direction and guidance to implementing, maintaining, and improving an ISMS. Security policies include access controls, managing passwords, patch management, monitoring systems, business continuity, compliance, and many other areas.

Security policy templates provide a top down planned approach to information security, helping organizations implement and improve their controls.

IT Strategy and Security

Information Technology (IT) strategy and security alignment ensures cohesive goals and results throughout the enterprise. IT strategy helps align IT to the organization, improve efficiencies, reduce costs, enhance customer service, and help the organization achieve a competitive edge in its market place.

To ensure IT and enterprise alignment, analyze the organization’s markets, target audiences, products, services, and locations where the business competes. Review the critical success factors that determine the organization’s success and core competencies that provide the organization with a niche and competitive edge. Don't forget to review government regulations and analyze your organization's relationships and alliances with strategic partners.

IT strategy should consider important information applications and technologies. Analyze important competencies to create and achieve the organization’s vision and strategy. Review your resources, risks, conflict resolution, responsibility, business partners, IT management, service providers, and project selection processes.

IT strategy should include quality control and network security audits that help provide IT and executive management with appropriate feedback mechanisms.

Top 10 Windows Vulnerabilities

By understanding Windows based vulnerabilities, organizations can stay a step ahead and ensure information availability, integrity, and confidentiality. Listed below are the Top 10 Windows Vulnerabilities:

1. Web Servers - misconfigurations, product bugs, default installations, and third-party products such as php can introduce vulnerabilities.
2. Microsoft SQL Server - vulnerabilities allow remote attackers to obtain sensitive information, alter database content, and compromise SQL servers and server hosts.
3. Passwords - user accounts may have weak, nonexistent, or unprotected passwords. The operating system or third-party applications may create accounts with weak or nonexistent passwords.
4. Workstations - requests to access resources such as files and printers without any bounds checking can lead to vulnerabilities. Overflows can be exploited by an unauthenticated remote attacker executing code on the vulnerable device.
5. Remote Access - users can unknowingly open their systems to hackers when they allow remote access to their systems.
6. Browsers – accessing cloud computing services puts an organization at risk when users have unpatched browsers. Browser features such as Active X and Active Scripting can bypass security controls.
7. File Sharing - peer to peer vulnerabilities include technical vulnerabilities, social media, and altering or masquerading content.
8. E-mail – by opening a message a recipient can activate security threats such as viruses, spyware, Trojan horse programs, and worms.
9. Instant Messaging - vulnerabilities typically arise from outdated ActiveX controls in MSN Messenger, Yahoo! Voice Chat, buffer overflows, and others.
10. USB Devices - plug and play devices can create risks when they are automatically recognized and immediately accessible by Windows operating systems.

Security assessments help organizations identify, manage, and reduce their risks.

Top 10 Hacker Tools

By understanding how hackers gain access to systems, organizations can stay a step ahead and ensure information availability, integrity, and confidentiality. Listed below is Altius IT's list of the Top 10 Hacker Tools and Techniques:

1. Reconnaissance. Hackers use tools to get basic information on your systems. Tools like Netcraft and PCHels to report on your domain, IP number, and operating system.
2. Network Exploration. The more information the hacker knows about your system the more wanys he can find vulnerabilities. Tools such as NMap identify your host systems and services.
3. Probe Tools. Some tools were initially designed to be used by system administrators to enhance their security. Now, these same tools are used by hackers to know where to start an attack. Tools like LANguard Network Scanner identify system vulnerabilities.
4. Scanners. Internally, sniffer tools analyze network performance and applications. Hacker reconnaissance tools such as AET Network Scanner 10, FPort 1.33, and Super Scan 3 scan your devices to determine ports that are open and can be exploited.
5. Password Cracker. Password tools are used by security administrators to find weak passwords. These tools may also be used by hackers. Password crackers include LC5, John The Ripper, iOpus Password Recovery XP, and LastBit.
6. Remote Administration Tools. Tools such as AntiLamer and NetSlayer are used by hackers to take partial or complete control of the victim's computer.
7. Backdoor. Backdoor tools and Trojan Horses exploit vulnerabilities and open your systems to a hacker. KrAIMer and Troj/Zinx-A can be used by hackers to gain access to your systems .
8. Denial of Service (DoS). Denial of service attacks overload a system or device so it can't respond or provide normal service. Hackers use tools such as Coldlife and Flooder overload a system.
9. Recover deleted files. Once hackers are inside your perimeter, they can use tools like Deleted File Analysis Utility to scan your hard drive partitions for deleted files that may still be recoverable.
10. Web Site Tools. Hackers use tools such as Access Diver and IntelliTamper to index your web site pages and directories. These tools can download your site to the hacker's local hard drive. Once on his system, the hacker analyzes the web site to identify and exploit security vulnerabilities.

Security Assessments help organizations identify, manage, and reduce their risks from hackers and their emerging tools.

Top 10 Wireless Network Risks

Many organizations are installing and implementing wireless networks. To help business managers make informed decisions, Altius IT provides this list of the Top 10 wireless network risks:

1. Bandwidth Stealing – Outside intruders can connect to wireless access points. By using the Internet connection to download music, games, and other software, they reduce employee productivity.
2. Criminal Activity - An unauthorized user can use the Internet connection for malicious purposes such as hacking or launching Denial of Service Attacks.
3. Masquerade – By using the Internet line, an intruder “hides” under protective cover and appears to be a part of your organization.
4. Litigation Risks – Organizations are at risk if the intruder is doing illegal activity such as distributing child pornography. If the criminal activity is discovered and investigated, the origin of the attack will be traced back to the organization.
5. Reputation - An organization’s image and reputation is at stake if the wireless network was used as the initial access point to hack into restricted government networks.
6. Financial risks - Most ISP's not only reveal customer information to the authorities to assist with legitimate criminal investigations, but also hold the organization responsible for any and all activities related to the Internet connection.
7. Confidentiality – Wireless networks tend to be connected to in-house private networks. This may allow an intruder to completely bypass any hardware firewall protective devices between the private network and the broadband connection.
8. Evil Twins - Most new laptops include the ability to connect to wireless networks. Laptop computers may accidentally connect to fake (“evil twin”) networks. Employees believe they are connected to the authentic network however they are actually connected to a fake network that steals ids, passwords, and other confidential information.
9. Clear text – Some network information is transmitted in clear text and is not encrypted. Once inside your network, an intruder can install a network sniffer and gain access to confidential information without the victim’s knowledge.
10. Information Sensitivity – Not all data has the same sensitivity. Due to the risks involved with wireless networks, confidential data such as client lists, trade secrets, etc. should not be stored on or accessible by wireless networks.

Security Assessments help organizations identify, manage, and reduce their wireless network risks. For more information please visit us at http://www.altiusit.com/.

Suite or Best of Breed?

When choosing an enterprise security solution for your organization is it better to choose an all encompassing security suite from one vendor or select the best software in each class even if it means using a number of different vendors?

Security software tends to come in modules with each module protecting against a specific type of threat. Different types of Internet threats include:

• Viruses, worms, Trojans
• Spyware
• Adware
• Spam

Organizations such as Symantec, Trend Micro, McAfee and others offer security suites that protect against a wide range of threats. By using a security suite from one vendor your organization:

• Reduces IT time - dealing with one vendor reduces IT time to install and maintain the software.
• Reduces administrative time - by purchasing from one vendor, your organization reduces your number of vendors, checks produced, approvals needed, etc.
• Reduces conflicts - in theory, by purchasing a security suite from one vendor, the vendor has tested its code and has fewer software conflicts.

There may be downsides, however, to limiting your security software to one vendor:

• Single point of failure - should the security suite not function as designed (software expires, not licensed, bug or error in the code, etc.), your organization may be vulnerable to a wider range of threats.
• Best of breed - by choosing a security suite, software modules from the chosen vendor may not be up to par with competing packages. For example, a security suite from a specific vendor may offer overall protection, however one component, say anti-spyware, may not offer the same level of protection as a best of breed anti-spyware software package.

Risk assessments help provide answers to questions such as "Should we purchase a security suite from one vendor or purchase security software modules from a number of different vendors?" Risk assessments identify an organization's assets, threats to the assets, vulnerabilities that exist as a result of the threats, and the resulting impact on the organization. The risk assessment helps priortize risk areas so that the organization can make an informed decision when deciding between one vendor's security suite or electing best of breed software packages from a variety of vendors.

Don't Forget Physical Security

Many business executives are concerned about protecting their sensitive data and intellectual property. They ask IT to address threats to these assets by implementing firewalls and anti-virus solutions to protect the organization's electronically stored information. What many executives don't know is that their major risks come from internal threats.

Employees already have a sign-on ID and password to the network. By having this basic information, your staff already has access to resources such as customer data and email. However, the greatest risk may be physical access to IT systems.

By having physical access to data centers, servers, backup tapes, laptop computers, flash drives, etc., employees can inadvertently, or on purpose, damage or destroy sensitive data. Contractors, service providers, and other personnel may also be granted physical access to sensitive data.

Altius IT recommends that a physical security review be performed on a regular basis:

• The first step in the physical security review is an inventory of your assets.
• Then determine who has physical access to the assets.
• Evaluate access and the risk to the organization.
• Make changes as appropriate.

In many cases, it may make sense to bring in an outside consultant who specializes in this area, both to protect your sensitive assets plus ensure that your organization is minimizing its legal liability risks. The International Association of Professional Security Consultants (www.iapsc.org) has many members that can assist you. Or, contact us and we'll refer you to someone who can help.