GID 49 - Jul 10
Hub & IT Security

Reducing risk in physical and virtual environments

by Nicole Andergard, Tripwire

Securing the IT infrastructure in today’s computing environment may well be the biggest challenge faced by organizations. Not only must organizations ensure the integrity of their systems and data, but often they must also prove that their security processes and policies measure up against standards and regulations.

The recent popularization of virtualized environments adds a new layer of complexity to the security picture. Businesses are just beginning to comprehend the security implications of these environments. To tackle these security issues, many organizations adopt a security approach that addresses vulnerabilities through security policy and systems designed to protect the integrity of the IT infrastructure. This approach recognizes that the integrity of the IT infrastructure may be easily compromised by malicious attacks from external sources, but often lacks a means of addressing compromises that originate from within the organization through both intentional and inadvertent employee actions. And ironically, the very systems responsible for providing security—the firewalls, intrusion detection systems, and others—often go unmonitored.



Configuration control solutions play a critical role in an organization’s security approach, starting with configuration assessment of all systems and devices, including those with the primary function of protecting the computing environment and data. Software assesses the infrastructure against established, consensus-based security standards, providing a scorecard that security, compliance and IT operations staff can use to get the infrastructure into compliance with security standards—even with virtualized machines as part of the environment.
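As an added example (not Tripwire's software), the scoring step can be sketched as a small assessment over an OpenSSH daemon configuration: a constructed four-rule benchmark, a parser that applies sshd's first-occurrence rule for duplicate keywords, and a scorecard that treats an unset keyword as a failure rather than assuming the default is safe. The rule ids and the sample sshd_config are constructed for illustration and are not taken from any CIS, NIST or DISA benchmark.

```python
# Constructed benchmark over an OpenSSH daemon configuration, as
# (rule id, keyword, required value); ids are illustrative, not CIS/NIST/DISA ids.
BENCHMARK = [
    ("SSH-01", "PermitRootLogin", "no"),         # no direct root logins
    ("SSH-02", "PasswordAuthentication", "no"),  # key-based logins only
    ("SSH-03", "X11Forwarding", "no"),           # reduce attack surface
    ("SSH-04", "MaxAuthTries", "4"),             # limit password guessing
]

def parse_sshd_config(text: str) -> dict:
    """Return {keyword: value} for the effective settings in an sshd_config.
    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored, and keywords are case-insensitive (normalised to lower case here).
    Simplification: only 'Keyword value' lines are handled, not Match blocks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def assess(settings: dict, benchmark=BENCHMARK) -> dict:
    """Score the settings against the benchmark: per-rule pass/fail and a
    percentage. An absent keyword fails its rule, because the daemon default
    may be unsafe and the auditor cannot prove the omission was deliberate."""
    results = []
    for rule_id, key, expected in benchmark:
        actual = settings.get(key.lower())
        passed = actual is not None and actual.lower() == expected.lower()
        results.append({"rule": rule_id, "key": key, "expected": expected,
                        "actual": actual, "passed": passed})
    passed_count = sum(r["passed"] for r in results)
    score = round(100 * passed_count / len(results)) if results else 100
    return {"score": score, "results": results}

# Constructed sample of a host that has drifted from the benchmark:
# root login enabled, a conflicting duplicate line, MaxAuthTries unset.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding no
"""
```

Running `assess(parse_sshd_config(SAMPLE_SSHD_CONFIG))` on the sample yields a score of 50: SSH-02 and SSH-03 pass, SSH-01 fails on the enabled root login, and SSH-04 fails because the keyword is absent.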

Environmental challenges

Those whose job it is to protect the security of the organization’s IT infrastructure work within an ever-changing landscape. Challenges arise from Internet connectivity, e-commerce, a global workplace, virtualized environments, and the ever-increasing complexity of today’s enterprise network. Top that with people who inadvertently introduce risk to the infrastructure and individuals out to cause mischief or trouble, and it’s obvious that security professionals have a big job on their hands. Some of the major challenges security professionals face are discussed below.

In the past, the line between what is inside versus outside the organization was fairly clear. By connecting to the Internet though, businesses connect to the public networks of the entire world, exposing business infrastructures to the possibility of exploitation by thousands of people in the outside, online, global community. VPNs, extranets, tunneling, and the many technical aspects of e-commerce and the Web make it virtually impossible to support a truly contained network, further blurring the line between what constitutes inside and outside the network. IT must continually contend with integrity drift—the movement of the IT infrastructure away from a known and trusted state. Factors leading to integrity drift include a departure from the homogenous environments common in the past to environments that include a wide diversity of platforms, applications and processes. Mergers and acquisitions also add layers of unanticipated complexity.

Virtualized environments

Virtualization of the computing environment is more than a passing fad. Virtualization allows organizations to do more with fewer physical machines and to realize tremendous cost savings if these virtual environments are well managed. However, virtualized machines introduce numerous possibilities for security compromise. They increase the number of entry points and connections per physical machine for attackers to zero in on, and virtual machines can easily be brought online and offline in a short timeframe with little or no oversight from IT. In addition, disk images of virtual machines are extremely portable, meaning that employees can easily copy a disk image, email it or save it to a file, and take it off site. Whether the risk introduced through these environments is intentional or accidental, keeping track of these machines and the vulnerabilities they introduce is an issue security professionals cannot afford to ignore. The organization now requires a whole host of security-related products to reduce the risk of system compromise. Security professionals need time and training to achieve optimal results with these security products, and they also need to know how to use security information management solutions—tools that help them manage the numerous security products. And of course, they now need to ensure that these management products themselves do not introduce risk.

With the numerous data security breaches in recent years, standards and regulation-developing bodies such as the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and the Defense Information Security Agency (DISA) have developed and issued security standards that amount to best practices for security. Whether voluntary or mandatory, organizations should achieve compliance with these standards to optimize their security posture. In fact, as the line between who is responsible for what increasingly blurs between IT governance, IT risk management, and IT compliance, many organizations are beginning to realize that by addressing regulatory and compliance requirements, they end up improving their organization’s overall information security posture.

Security compromise

More and more, organizations are beginning to see that risk to the IT infrastructure’s security stems from poor judgment by employees, failure to follow established processes, and sadly, intentional sabotage by dissatisfied employees. Inadvertent or ill-advised employee actions tend to manifest themselves in poorly configured applications, servers, routers, and access levels—a host of potential misconfigurations that typically compromise the integrity of the computing infrastructure. According to a recent analyst report, misconfigured systems introduce more than 65 percent of security vulnerabilities, so both the usual and the not-so-usual suspects command attention. Misconfigured systems present potential vulnerabilities and introduce unnecessary business risk, making configuration integrity fundamental to a sound security strategy.

Misconfigurations can occur from experimentation, accidental employee actions, allowing security fixes to get out of date, failure to periodically review risks and policies, and changes in services and service level offerings.

An effective security policy explicitly states the risks that a business foresees and discusses how to address those risks. Such a policy also sets implicit standards of practice that must be adhered to. If an organization does not have a security policy, has an outdated or inadequate security policy, or fails to enforce its policy, then unnecessary risk may be introduced through employee misconduct, experimentation, hacking, and other improper actions.

With more organizations leaning toward virtualizing a significant portion of their computing infrastructure, security experts are beginning to see the critical implications of these virtualized environments to their security posture. Meanwhile, viruses, worms, denial-of-service attacks, web-defacement, and hacker penetration are still common issues that lead to downtime and loss of reputation and business, especially when publicized by the media.

Security professionals face at least two fraud-related risks that impact e-commerce businesses: bogus payment and liability due to theft of customer payment data such as credit card details. Perhaps the broadest, yet mildest form of threat, is lack of security awareness amongst employees which can lead to leakage of proprietary data through personal emails and vulnerability to con artists and “social engineering” schemes. With data at the heart of today’s business, a company’s ability to compete and survive depends upon the integrity of its IT infrastructure—an infrastructure that is increasingly vulnerable to unintentional misuse and malicious attacks. A proactive security strategy is one approach many organizations employ to help plug the organization’s security holes.

Proactive security strategy

In a proactive security approach, a company may deploy many data security technologies to address the sources of security risk and fulfill specific security objectives and functions. However, many of these security approaches fall short when it comes to dealing with attacks or compromise that come from within the organization. Tripwire shores up many existing security technologies—firewalls, authentication solutions, and others—through its configuration assessment and configuration audit and control, so organizations can get IT infrastructures into a known and trusted state, and keep them there.

A firewall is a system or group of systems that enforces an access control policy between two networks. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Usually, a firewall’s purpose is to keep intruders out of your network while still letting you get your job done. The firewall’s configuration is the mechanism for enforcing policy and imposes that policy on everything behind the firewall. Unfortunately, a firewall is only effective if it is configured properly. What’s more, firewalls can’t protect against attacks that don’t go through them; they only detect intrusion attempts from outside the firewall. That means that internal attacks, where most security risk originates, are never a part of the firewall equation. In addition, firewalls can only detect and protect against known vulnerabilities.

Antivirus

Antivirus companies have made virus protection the best-known defense against network invasion. Certainly, no proactive security strategy is complete without it. However, virus protection software works primarily by looking for known virus signatures, coming from the outside in. That is why virus definitions must continually be updated—the software won’t find what it hasn’t been told to look for. Nor can it report file changes not associated with virus signatures. Tripwire software complements antivirus solutions by assisting in the recovery of systems or files damaged by viruses that the antivirus solution did not detect. For example, many worms change or delete Windows Registry values—changes that would be nearly impossible to detect if a user didn’t know where to look. With Tripwire, a user can quickly detect exactly which registry entries were changed or deleted and replace only those files that were affected.

Authentication

Authentication is the process of determining whether someone or something is who or what they claim they are. The most common form of authentication, logon passwords, can often be forgotten, stolen, or accidentally revealed. To provide stronger security, passwords are often combined with tokens to provide two-factor authentication. To gain access, users must correctly identify both elements (token and password). If an individual steals legitimate authentication information, that person can access the enterprise network without anyone knowing. Tripwire software complements all forms of authentication by identifying any changes to a machine—changes that may have been introduced by an individual or a program without access rights. For example, an attacker could steal the token and password to access a machine from a person with legitimate access rights. The attacker could then access the machine or server and plant a backdoor program that allows them to continue to access the machine undetected. If the attacker returns the token to the person he or she stole it from, no one even knows the server has been accessed. The attacker then later returns to compromise and/or steal critical company files.

Intrusion detection

Intrusion detection systems (IDS) send alerts or notifications when someone attempts to gain unauthorized access to the datacenter. Two primary kinds of intrusion detection systems exist:
• Host based – software that monitors a system or application log files and responds with an alarm or a countermeasure when a user attempts to gain access to unauthorized data, files, or services.
• Network based – software that monitors network traffic and responds with an alarm when it identifies a traffic pattern as a scanning attempt, a denial of service, or another attack.

Intrusion detection is a vital facet of proactive security; however, when an intrusion occurs, it will not tell you how data has been compromised, what’s changed on your system, or what your data baseline was before the attack. In addition, an IDS does not look for internal threats. Only integrity assurance software like Tripwire monitors data for change, whether initiated internally or externally, regardless of the cause or motive.
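The baseline-and-compare check described here, as an added example rather than Tripwire's code: snapshot a tree of files (SHA-256, permission bits, size), then compare a later snapshot with the baseline and report what was added, removed or modified, whether the change came from a worm editing a file, an insider removing one, or a stolen-credential login planting a new binary. The directory tree and the simulated changes are constructed in a temporary directory, and a permission-only change (a setuid bit flipped on an otherwise unchanged file) is reported as drift too.

```python
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Map each relative path under root to (sha256, permission bits, size)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(full)
            # Keep setuid/setgid/sticky bits: a permission-only change is still drift.
            state[os.path.relpath(full, root)] = (digest, st.st_mode & 0o7777, st.st_size)
    return state

def compare(baseline: dict, current: dict) -> dict:
    """Report drift from the baseline as added, removed and modified paths."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Baseline a constructed tree, then apply four changes and report them."""
    with tempfile.TemporaryDirectory() as root:
        tree = {  # constructed sample files, not real system content
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "bin/login": b"#!/bin/sh\necho login stub\n",
        }
        for rel, data in tree.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o644)
        baseline = snapshot(root)            # the known and trusted state
        # Simulated drift: appended account line, removed file, planted file, setuid flip.
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"svc:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        with open(os.path.join(root, "bin/unknown-tool"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(os.path.join(root, "bin/login"), 0o4755)
        return compare(baseline, snapshot(root))
```

Relative paths use the platform separator, so the report above assumes a POSIX host; the report for `demo()` lists `bin/unknown-tool` as added, `etc/hosts` as removed, and both `bin/login` and `etc/passwd` as modified.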

Security information management

Security Information Management (SIM) products centrally manage security data from other security products, analyzing the data, correlating attack patterns across a network, and providing users with actionable information. A security product is only useful if the user understands the information it provides and understands how data from one security product can be used in conjunction with another security product. A SIM gathers together and presents the information in an understandable way, providing an extremely valuable higher-level view of the company.

Digital video surveillance

One often neglected part of a layered security solution is digital video surveillance of servers, network devices and data centers. Integrating digital video surveillance security with data security measures provides a well-rounded approach for protecting a company’s critical IT infrastructure. Some video surveillance solutions can send images electronically over a wired or wireless network to centralize all computer security monitoring.

In today’s environment, organizations connected to the Internet must be more vigilant than ever. Networks are scanned for vulnerabilities many times a day. Viruses and worms abound. Virtualization opens up new vulnerabilities. And the threat of cyber terrorism looms. Addressing these challenges is, and will continue to be, part and parcel of protecting the security and integrity of the IT infrastructure. Knowing that, many security professionals take a proactive security approach that helps them prevent, detect and respond to security incidents. In this approach, they implement security products designed to address one or more of these specific challenges.

Copyright © 2010 On Publishing S.A.