Monday, June 22, 2009

Managing Security Threats & Vulnerabilities for SMEs

Managing security threats and vulnerabilities in assets are two fundamental challenges for SMEs. Vulnerabilities in assets are weaknesses in the assets themselves, or the absence of security procedures, technical controls or physical controls, that could be exploited to harm assets or predispose them to harm [1]. Harm to assets takes various forms, such as interruption, destruction, disclosure or modification of data, and denial of service. For example, in 2001 the Code Red incident exploited a buffer overflow in a library module of Microsoft Windows' Internet Information Server, which allowed it to infect hundreds of thousands of computers [2] and cause millions of dollars of damage. The Slammer [3], MSBlast [4] and Sasser [5] worms all exploited known vulnerabilities in computer systems.

There are also accounts of security threats (for instance, computer worms) being used as attack agents in denial of service (DoS) [6] and distributed denial of service (DDoS) [7] attacks. These types of threats affect the confidentiality, integrity, reliability and availability of computer network services.

In this respect, in what ways can security be properly managed in an enterprise, and what may provide valid and appropriate options? Answers to these questions are provided in the article. Please download a copy from this link. Your comments are useful and highly appreciated; please leave a comment. Thanks.

This discussion is also shown in a presentation; please download the presentation in PDF.

References:
[1] Computer Security Handbook: The NIST Handbook, Special Publication 800-12, p. 62
[2] D. Moore, C. Shannon, and J. Brown (2002), “Code-Red: a case study on the spread and victims of an Internet Worm”, Proceedings of the ACM/USENIX Internet Measurement Workshop, France, November 2002
[3] C. C. Zou, L. Gao, W. Gong, D. Towsley (2003), “Monitoring and Early Warning for Internet Worms”, Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, October 27-31, 2003
[4] Microsoft Security Bulletin MS03-026 (2003), “Buffer Overrun In RPC Interface Could Allow Code Execution (823980)”, July 2003: [Online]: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
[5] W32.Sasser.worm (2004), April 2004: [Online]: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
[6] CERT/CC (2001), “Microsoft Internet Information Server 4.0 (IIS) vulnerable to DoS when URL Redirecting is enabled”; [Online]: http://www.kb.cert.org/vuls/id/544555

Security Awareness (SA002-09): Intrusion Detection Systems

Intrusion detection systems (IDSes) are used to monitor systems and networks for security policy abuse, compromise and abnormal behaviour. Different types of IDSes exist, such as host-based, network-based and hybrid.

Host-based IDSes are installed on systems such as PDAs, laptops, workstations, PCs and servers to monitor the behaviour of that system.

Network-based IDSes are appliances that monitor the entire network for policy violations, abnormal network behaviour, traffic that exceeds expected thresholds and ongoing malicious activity.

Given the nature of recent attacks on end-user systems such as PCs and laptops, and the growing proliferation of viruses and computer worms, it is recommended best security practice for end users to install a personal intrusion detection system on their laptops, workstations or PCs. Having a personal IDS installed on an end-user system is good security practice, but it is a waste of time if the IDS log is not checked and analysed regularly.

To enhance the security posture of systems and networks, the following is recommended:

1) Spend time checking IDS logs and alerts; this will help you identify ongoing activity and attacks that may have happened undetected.
2) Identify resources that appear frequently in the logs and understand what each of these events is about.
3) Set your IDS to be always on.
4) Configure your IDS to always inform you about a software download or a request that is about to change registry settings.
5) Configure your IDS to always inform you when a request is about to change registry settings.
6) Configure your IDS to always alert you when a certain threshold is reached or exceeded.
7) Configure your IDS to automatically download the latest signatures or patches; this will keep your IDS up to date.
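As an added example that is not part of the original post, the following Python script applies recommendations 1, 2 and 4 to 6 to a small constructed alert log: it parses the lines, lists the source hosts that reach an alert threshold, and pulls out download and registry-change events regardless of how often they occur. The pipe-separated log format and the sample lines are constructed for illustration and do not correspond to any particular IDS product.

```python
from collections import Counter
from dataclasses import dataclass
import re
# Constructed sample alert log (an illustrative format, not any real IDS's output):
# timestamp|priority|source|destination|message
SAMPLE_LOG = """\
2009-06-22T10:01:05|2|10.0.0.5:4444|192.168.1.20:445|SMB exploit attempt
2009-06-22T10:01:07|2|10.0.0.5:4445|192.168.1.20:445|SMB exploit attempt
2009-06-22T10:01:09|2|10.0.0.5:4446|192.168.1.20:445|SMB exploit attempt
2009-06-22T10:01:12|2|10.0.0.5:4447|192.168.1.20:139|NetBIOS probe
2009-06-22T10:02:30|1|192.168.1.20|localhost|Registry change request HKLM Run key
2009-06-22T10:03:00|3|192.168.1.20|downloads.example.net:80|Software download started
2009-06-22T10:04:15|3|10.0.0.9:53021|192.168.1.20:22|SSH login attempt
"""
# Events that items 4 and 5 above say should always be brought to the user's attention.
SENSITIVE = re.compile(r"registry change|software download", re.IGNORECASE)
@dataclass(frozen=True)
class Alert:
    timestamp: str
    priority: int
    source: str        # "host:port" or a bare "host"
    destination: str
    message: str

    @property
    def source_host(self) -> str:
        return self.source.rsplit(":", 1)[0]  # drop the port: count probes per host

def parse_alerts(text: str) -> list[Alert]:
    alerts = []
    for line in filter(str.strip, text.splitlines()):
        ts, prio, src, dst, msg = line.split("|", 4)
        alerts.append(Alert(ts, int(prio), src, dst, msg))
    return alerts

def frequent_sources(alerts: list[Alert], threshold: int) -> list[tuple[str, int]]:
    """Items 2 and 6: hosts whose alert count reaches or exceeds the threshold."""
    counts = Counter(a.source_host for a in alerts)
    return [(h, n) for h, n in counts.most_common() if n >= threshold]

def sensitive_events(alerts: list[Alert]) -> list[Alert]:
    """Items 4 and 5: downloads and registry-change requests, whatever their count."""
    return [a for a in alerts if SENSITIVE.search(a.message)]

def triage(text: str, threshold: int = 3) -> dict:
    # Item 1: one pass over the log, producing what to look at first.
    alerts = parse_alerts(text)
    return {"total": len(alerts),
            "frequent_sources": frequent_sources(alerts, threshold),
            "sensitive": [a.message for a in sensitive_events(alerts)]}
```

Running `triage(SAMPLE_LOG)` on the constructed log reports the four-alert burst from 10.0.0.5 as a threshold breach and lists the registry-change and download events separately, even though each occurred only once.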

Tuesday, June 16, 2009

Enterprise-wide Security Attack Detection


With the growing number of security incidents, there is a requirement to provide adequate security protection to computer networks. To protect computer networks from security attacks, a current approach is to deploy countermeasures such as firewalls at the network perimeter, intrusion detection systems (IDSes) within the network and virus scanners on end-user systems. Whilst these countermeasures provide a degree of protection, they struggle to detect emerging security threats. Emerging security attacks appear to be distributed and coordinated, while the defences offered by these countermeasures operate in isolation from one another. Each countermeasure possesses only fragments of evidence about the overall state of the network, and consequently its response may be both delayed and limited in scope.

To accurately detect enterprise-wide security attacks of the kind observed on various networks today, or across multiple complex security domains, an integrated security framework is proposed, discussed and tested. This innovative security framework is well presented in the book Security Framework for Attack Detection in Computer Networks. This well-written book is highly recommended for all security practitioners, analysts, consultants, engineers and decision makers at various levels.

Understanding Risks to Cloud Computing

A major concern with the cloud is that the cloud provider offers the software, platform and infrastructure to the user, and on top of that the user's actual data and information also reside with the provider. The risk with this model of service is that users may have their information abused, stolen, unlawfully distributed, compromised or harmed. What guarantee is there that the user's information is not sold to her competitor? What ethical constraints exist to prohibit, prevent or protect the user in this new model of service? Another important risk to consider when using the cloud is the ownership of the information or data residing on the provider's system. When a user puts her information in the hands of the provider, what control does the user retain over the data, its confidentiality or its integrity?

When we consider small to medium-sized organisations or end users, one can discuss the risks associated with cloud services fairly easily. What happens with the government and the enterprise in relation to the cloud? Can the cloud be used for government-marked information, for example a ‘strictest in confidence’ document for the CIA, MI5 or the MoD? I certainly do not think so, especially at the current stage of the cloud. In this respect, maybe cloud computing is not ideal for all facets of society. Certainly, I can’t imagine any organisation with security in mind that would hand ‘strictest in confidence’ or ‘in confidence’ information to the cloud without a second thought.

Again, whose security policies are used for operating the cloud? Those of the enterprise, the government or the MCSP? If the policy is the end user’s, then how would the MCSP reconcile diverse security policies from myriad heterogeneous users of very diverse backgrounds, from diverse countries and with very diverse legal and socio-cultural value systems?

What of data location? Where does the data an end user has created on an MCSP’s system reside? The location of end-user data is of great importance. For example, EU border legislation (Safe Harbour) stipulates the countries in which EU private and personal data can and cannot reside, and which borders it can and cannot traverse. With infrastructure as a service, the cloud provider can use dynamically localised infrastructure that exists outside EU or US territories. This may contravene fundamental privacy and legislative requirements, especially if the end user was not aware of where her information is stored. This applies specifically to EU and US customers, SMEs, government and enterprises who may wish to use the cloud for delivering services, and I believe other countries have other legislation that should be considered when using the cloud. Some kinds of information can be easily abused with cloud computing; for instance, personal medical data (health record data) are subject to strict compliance acts such as HIPAA. A significant concern is that the protections around personal medical data can be easily circumvented with the SaaS or IaaS models of the cloud. These highlight some of the inherent risks that exist with cloud computing.