From: InfoSec News (isn_at_c4i.org)
Date: Tue Dec 31 2002 - 03:02:37 CST

    http://www.computerworld.com/securitytopics/security/story/0,10801,77132,00.html

    [The Art of War by: Sun Tzu
    http://www.amazon.com/exec/obidos/ASIN/0195015401/c4iorg - WK]

    By Yona Hollander
    DECEMBER 30, 2002

    Sun Tzu, a legendary Chinese strategist born more than 2,000 years
    ago, taught the importance of knowing both your enemy and yourself:

    If you know the enemy and know yourself, you need not fear the result
    of a hundred battles. If you know yourself but not the enemy, for
    every victory gained you will also suffer a defeat. If you know
    neither the enemy nor yourself, you will succumb in every battle.

    -- Sun Tzu, in The Art of War, Chapter 3, Verse 18

    Truer words were never spoken when it comes to information security.
    To succeed, you must know your enemy as well as your own strengths and
    weaknesses. The following are six issues of which executives should be
    aware to protect their systems.

    1. Know Your Enemy

    The faceless external attacker often plays the villain role in the
    traditional information-security drama. While such external attackers
    exist and are a real threat, internal misuse presents a much greater
    risk and must not be ignored. To truly know your enemy, you must
    consider and understand both external and internal threats.

    2. Understand External Enemies

    By definition, external enemies attempt to attack you from outside
    your corporate boundaries. These attackers may be teenagers in their
    parents' basements, miscreants in other countries or credit card
    thieves, among others. External enemies attack your enterprise for
    various reasons; some are more malicious than others.

    Many external attackers resemble joy riders who steal cars for the fun
    of it. These attackers target your network to show off their skills
    and expertise to their peers. While they often have little malicious
    intent, they can cause vast amounts of damage to your systems.

    Politics motivate other external attackers. They may want to deface
    your public Web site and use it as a venue for their political
    messages. Such political defacements occur relatively frequently,
    numbering in the hundreds per year.

    Other motivations include theft, fraud, corporate espionage and even
    cyberterrorism. External attackers must be clever to infiltrate your
    perimeter defenses, but experience has shown that such infiltration is
    possible and, in some cases, even easy.

    The external threat includes individual attackers manually probing and
    penetrating your networks, as well as highly automated attacks such as
    worm programs. For example, the Code Red worm attacked and compromised
    hundreds of thousands of hosts around the world in a matter of hours.
    Skilled attackers can create such worm programs with little effort.
    The threat from worms continues to grow, and protecting your systems
    against them is crucial.

    3. Defend Against Internal Enemies

    Many traditional security approaches concentrate on building and
    protecting a hardened perimeter to protect against the external
    threat. This approach would be sufficient if all enemies were
    external. In reality, concentrating on the perimeter only builds a
    false sense of security while leaving your organization vulnerable to
    attack and misuse by those who can hurt you most: insiders.

    Insiders know what your most valuable information assets are, where
    they're stored and how to access them. An insider at a credit bureau
    drove the success of the recently apprehended identity theft ring that
    stole millions of dollars from individuals around the country.

    Not all inside enemies are full-time employees of your company.
    Contractors, temporary workers and former employees may have
    privileged access to your systems with little control over or
    oversight of their activities.

    4. Know Yourself

    In the context of information security, knowing yourself implies
    understanding your systems and staff as well as the security risks
    associated with both. If you don't know your own points of
    vulnerability and risk, it's difficult to protect yourself. Again, too
    frequently information security initiatives focus on external forces
    and neglect internal systems, vulnerabilities and threats. Judicious
    use of risk analysis tools and background checks can significantly
    improve your knowledge of your company.

    5. Be Aware of Regulations and Consequences

    Serious consequences exist for ignoring security. The regulatory
    climate for information security and privacy is tightening. The
    Gramm-Leach-Bliley Act, the Health Insurance Portability and
    Accountability Act and various other federal and state regulations are
    raising the security bar for corporations by requiring minimum
    security standards to be in place. Companies that don't comply will
    face significant penalties in the future.

    For example, a new law in California (effective July 1, 2003) requires
    businesses that own databases to disclose security breaches if certain
    personal information was or may have been compromised. Californians
    can bring civil actions for actual damages and injunctive relief
    against entities that fail to comply with the law.

    Businesses also face the possible loss of customer confidence and
    revenue in the face of a successful attack against their systems.
    Egghead Software's widely publicized security breach led to a
    precipitous drop in its stock price and revenue; the business never
    recovered, and Egghead closed its doors not long thereafter. Customers
    will not buy from companies that they do not trust.

    6. Protect Yourself

    Rather than solely relying on perimeter defenses, such as firewalls,
    to safeguard your enterprise, protect each critical server and data
    store against misuse. By protecting valuable information assets
    directly, you achieve protection against both internal and external
    threats. Proper protection includes using technology products (such as
    intrusion prevention, antivirus and access control software) as well
    as sound security processes (such as security policies and risk
    analyses). Using products and processes together to secure each
    critical asset yields the best protection.

    Referring to warfare, Sun Tzu taught long ago the importance of
    knowing your enemy as well as knowing yourself. Information security
    is no different. Failure to understand the threats to your business
    and your ability to counter those threats could be catastrophic to
    your organization.

    Yona Hollander is vice president of security management at Entercept
    Security Technologies, an intrusion-prevention software company in San
    Jose. He is part of Entercept's Ricochet Team, a specialized group of
    security researchers dedicated to identifying, assessing and
    evaluating intelligence related to server threats.

    -
    ISN is currently hosted by Attrition.org

    To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
    in the BODY of the mail.