So there you are, in your office, connected to the world by an Ethernet cable or a wireless connection. Your local network and all the Internet has to offer is right there, just for you. Somewhere on that network there is something called a firewall and a VPN, anti-virus and spyware programs, and perhaps even an intrusion detection/prevention system (IDS/IPS). Security? "Hey, I'm fine. Who's going to get through all this stuff?" you regularly tell yourself. "I mean, really, who's even going to know I'm here? Hackers usually go after the 'big guys,' all those name-brand companies, right?"

But for a financial advisor holding the purse strings to many sensitive pieces of client information, including addresses and Social Security numbers, banking and trust accounts, securities and other types of investments, the integrity of that information is crucial. The size of the firm doesn't matter. These days, any business can be compromised by hacking programs scouring the Internet for weak systems, and that system could be yours or your clients'.


Cyber-reality
The 2006 Internet Crime Report (www.ic3.gov/media/annualreport/2006_IC3Report.pdf), prepared by the FBI and the National White Collar Crime Center, states that the total dollar loss from "referred cases of fraud" was $198.44 million, up from $183.12 million in 2005. Keep in mind, though, that their research shows only one in seven incidents of fraud is ever brought to the attention of law enforcement or regulatory agencies. In other words, actual losses are much larger.

Cyber crime, one of the components researched for the report, shows that while complaints were down slightly between 2005 and 2006, the dollar amount stolen went up. So, even with all the security systems such as firewalls, VPNs, encryption, and anti-virus software, cyber crime continues to be a more and more lucrative industry. 2007 began with a record-setting number of data breaches. TJX, the parent company of store chains TJ Maxx, Marshall's, Bob's Stores and others, revealed that it had lost 45.7 million data records in just one attack. And the perpetrators may have had unauthorized access to the company's systems for as long as a year and a half before the penetration was noticed. TJX had firewalls, encryption and other security systems in place during the attack. Intercepted files and compromised data are among the many risks facing a business with unsecured systems and technology.

During the summer of 2007 alone, my firm Razorpoint Security Technologies witnessed a number of large organizations (with hundreds of millions to billions of dollars in annual revenue) with very little or no security, despite ubiquitous firewalls and VPNs. In one case, we discovered two major holes in less than 60 seconds. Seemingly every day there are reports in the news of cyber crime and compromised security. I offer this as a timely reminder of how security is still far from where it needs to be. It is truly mind-boggling how in 2007, with all that has happened in the security arena to date, people still have no idea what security is or should be. Consider that every year sales of security products increase, and every year cyber crime losses increase. We must stop relying solely on security buzzwords to protect our businesses!


What Security Isn't

Security is not IT. The reality is that security is separate from IT (information technology). Because cyber security touches technology, companies mistakenly lump these duties into what are usually overworked and undertrained IT departments. The people installing your Windows updates, fixing printer jams, and getting your e-mail to work are not the ones who are skilled and experienced in effective security countermeasures. It requires a different mindset and different training. Some firms divide their IT and security departments only after learning this the hard way. What's dangerous in having them merged is that the IT staff often sees security as just another line item along with resetting forgotten passwords, finding out why your e-mail isn't getting to your BlackBerry and ordering backup tapes. Particularly at companies where technology isn't a core competency (such as law firms, health-care companies, family offices and manufacturing concerns), the IT staff usually consists of a single individual. An outside consultant may be tapped from time to time for specific, more complex tasks, but rarely are there dedicated security resources.

With physical security, business executives and celebrities hire bodyguards with a certain level of training and experience for personal protection. Rarely, if ever, do you hear such a security professional tout the fact that he or she just purchased a new type of firearm or pepper spray. This is because it doesn't matter; it's the experience you're seeking and not the gadgets. Don't get caught fumbling around in the security products game. It is trained, experienced personnel that make the difference.

Compliance is not security. Another thing facing businesses is compliance. Several industries have sprouted up just to help companies remain in compliance with legislation and rules such as the Sarbanes-Oxley Act, SAS 70 (the Statement on Auditing Standards No. 70), HIPAA (the Health Insurance Portability and Accountability Act), and PCI DSS (Payment Card Industry Data Security Standard). However, businesses have mistaken the security jargon laced within each of these compliance standards for actual security. My firm regularly performs security assessments for companies requiring one or more of these compliance certifications. Though the companies have met their compliance criteria, we frequently find that their data can still be attacked. You could be compliant, and yet still completely insecure.

We recently performed a security assessment on a retail/e-commerce firm with damning results. The company is a known brand and grosses more than $2 million per day through its e-commerce site alone. Because of the types of transactions it performs, it is required to remain "PCI compliant." Over the past 12 months the company has aligned its business practices to remain within the PCI compliance guidelines, and thus it feels reasonably confident about its security. However, one of the directors believed a targeted security assessment was still required to put his mind at ease. Because it is a known retailer, buyers generate tens of thousands of transactions on its systems every day as they seek the hottest products. Just two days into our two-week security assessment, we uncovered what could have been devastating holes in these systems. While we believed from our review that no one had compromised their systems, with a little time and effort, most if not all of its customer data (names, addresses, credit card numbers, debit card accounts, etc.) could have been in the hands of cyber thieves. Shocked, the clients now fully understood how being "compliant" did not mean that they were secure.


We're Not a Target

Along with the security myths about firewalls, VPNs, etc. comes a myth that small businesses are immune from attack. All too often we'll hear, "Well, we're not a target. We're not a big bank or anything. Who's heard of us?" The reality is that 80% of all attacks are now automated. Carefully crafted robot programs (aka "bots") continuously roam the Internet looking for vulnerable systems. These bots do not follow Dun & Bradstreet reports as they hunt, and they don't care what your market cap is. All they need is to find a vulnerable system, and then they dive in. Bots are agents that serve to make cyber criminals' networks stronger. It is from these infiltrated systems that criminals can launch lucrative attacks while cloaking their identities. Large numbers of bot-infested systems working together in concert are referred to as "bot networks" or "botnets." Anyone who has ever received a spam e-mail can thank a botnet.

In addition to building botnets, attackers break into medium-sized and small businesses, and even individual home computers, for other reasons. Some of these are:

  • Ransomware: The criminals steal your files and then sell them back to you, or they encrypt the files on your systems and then sell you the key to decrypt them.
  • DoS (Denial of Service): The attackers send traffic to your systems (file servers, mail servers, Web servers, etc.), making them so busy they can no longer perform their intended functions. A payoff makes them stop. And yes, people do pay.
  • Identity Mining: This is when attackers steal identities from your systems, maybe yours or maybe your employees'. It takes just one successful theft for an attacker to commit a crime and cloak his or her identity.
  • Money Theft and Laundering: Patient criminals can use compromised systems to transfer funds using your business credentials, or even use your accounts to launder money.
  • Botnets and Stealth Attacks: As mentioned previously, your systems could be woven into a network of other compromised systems for the purpose of launching attacks against other businesses and individuals. When connections are traced by law enforcement, the trail leads to you, not the cyber criminal.
  • Domain Hijacking and Man-In-The-Middle Attacks: Without ever touching your network, attackers can exploit DNS (domain name system) servers or domain registrars to reroute traffic meant for your business. The attackers can proxy all of your business's Internet traffic through their servers. Your business appears to be functioning normally, but in reality the attackers are monitoring all transmissions. This can include traffic your customers believe is protected by SSL/HTTPS, because an attacker who controls where your domain name points can obtain a certificate for that name, or simply count on users clicking past a certificate warning. Lock your domains at the registrar and check periodically that your DNS records still say what you set them to.


Thinking Security

It should be noted that any recommendations regarding security should be implemented as part of a cohesive, well established policy and process. Merely making a technology purchase or clicking a check box does not by itself make for anything resembling effective security.

Some recommendations for configuring and maintaining effective security:

  • Control: End users should not be allowed to run or install unauthorized programs. An "authorized list" of software should be created and maintained for everything from laptops to servers. It is a seemingly difficult task, but I can assure you, from five-person companies to Fortune 100 corporations, those who successfully implement this policy shut the door on most of the malware behind today's breaches, and are far more likely to read about somebody else's misfortune in the paper than to suffer their own.
  • Encryption: Encrypt data by default. Whether at the hard-disk level, on the server or in a shared folder, data should be encrypted with little or no user intervention. One of the biggest reasons for data leaks is stolen laptops with unencrypted hard drives.

  • Firewalls: Ensure you have a strict rule base in your firewall that blocks unnecessary traffic coming in as well as going out. Remember, hackers know people have firewalls, yet cyber crime continues to increase, in part because many kinds of attacks pass straight through them: an attack on your Web application arrives on the same port 80 you must leave open, and a bot on an infected PC calls home over ports you allow out. Monitor your firewall logs regularly as well. This can help uncover malicious activity, and unexpected outbound connections are often the first sign of a compromised machine.
  • Passwords: Bad passwords are still the bane of the security industry. Countless systems have been breached simply because a password was guessed. Choosing a strong password (long, and not a dictionary word dressed up with a capital letter and a digit) can prevent someone from guessing it, and it makes it far more expensive for a hacker to "crack" it using specialized software. A complimentary white paper on password best practices is available at www.razorpoint.com.
  • Software Updates: A large number of security holes can be patched simply by installing vendor software updates. Updates are released regularly for operating systems, servers, routers, switches, cell phones, PDAs, etc. Remaining current on patches helps keep systems secure. Some systems even allow this process to be automated.
  • Wireless: Most of what you've probably heard about wireless security (or insecurity) is true. While technologies such as Bluetooth and Wi-Fi are very useful, they can also be wireless beacons of disaster. First, leave Bluetooth disabled when it's not in use. Similarly, an 802.11 wireless card only needs to be active when in use. When you are using your wireless network, make sure that encryption such as WPA (Wi-Fi Protected Access) is always enabled. WEP (Wired Equivalent Privacy) can be cracked in a matter of minutes no matter how good the key, and WPA protected by a short or dictionary passphrase falls to an offline guessing attack, so use WPA2 with a long, random passphrase and, for anything sensitive, an additional VPN or encryption tool to secure your wireless traffic.
  • Awareness: From the CEO to the receptionist, everyone is responsible for security. Awareness is probably the most cost-effective security measure there is. Ensure that everyone in the company is working with your security policy in mind. A simple addendum to an employment agreement and regular company reviews help considerably when you're trying to keep security on people's minds.
  • Regular Security Assessments: Regardless of the size of the organization, a regular security review is the most comprehensive way of determining whether systems are vulnerable or, even worse, whether they have already been compromised. Security assessments, or "penetration tests," review your systems from the point of view of someone looking to do you harm. This is truly the best way of knowing if your security initiatives are working.
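
Monitoring firewall logs, as the Firewalls item above recommends, is only useful if someone (or something) actually reads them. The following is an added example written for this page, not code from the article or from Razorpoint: a small Python script that parses Linux iptables-style LOG lines and flags two patterns worth a closer look: an outside host probing many inbound ports, and an internal host trying to reach ports your egress policy doesn't allow (IRC on port 6667 and SMTP on port 25 from a workstation are the classic signs of a bot). The log lines, addresses, interface names, internal subnet and thresholds are all constructed assumptions.

```python
"""Flag suspicious activity in iptables-style firewall logs.

Added example written for this page, not code from the article or from
Razorpoint. Everything below is an assumption for illustration: the log
format mimics Linux iptables LOG output, and the addresses, interfaces,
internal subnet, egress policy and thresholds are made up.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed office LAN
SCAN_PORT_THRESHOLD = 5                                 # distinct inbound ports from one source
ALLOWED_EGRESS_PORTS = {53, 80, 443}                    # assumed egress policy: DNS, HTTP, HTTPS only

# Constructed sample log lines (not real traffic). eth0 faces the Internet,
# eth1 faces the LAN, so IN=eth0 is inbound and OUT=eth0 is outbound.
SAMPLE_LOG = """\
Jul 12 03:14:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=22
Jul 12 03:14:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=23
Jul 12 03:14:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41236 DPT=135
Jul 12 03:14:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41237 DPT=139
Jul 12 03:14:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41238 DPT=445
Jul 12 03:14:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41239 DPT=1433
Jul 12 03:15:01 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=50122 DPT=443
Jul 12 03:16:30 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.9 PROTO=TCP SPT=1044 DPT=80
Jul 12 03:16:31 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.77 PROTO=TCP SPT=1045 DPT=6667
Jul 12 03:16:45 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.78 PROTO=TCP SPT=1046 DPT=25
Jul 12 03:17:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.79 PROTO=TCP SPT=1047 DPT=25
Jul 12 03:18:10 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.17 DST=198.51.100.20 PROTO=UDP SPT=1030 DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a firewall line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec = {
        "ts": m.group("ts"),
        "action": m.group("action"),
        "in_if": fields.get("IN", ""),
        "out_if": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
    }
    try:
        rec["dpt"] = int(fields["DPT"])
    except (KeyError, ValueError):
        rec["dpt"] = None          # ICMP and malformed lines carry no port
    return rec


def _is_internal(addr):
    try:
        return ipaddress.ip_address(addr) in INTERNAL_NET
    except ValueError:
        return False


def find_inbound_scans(records, threshold=SCAN_PORT_THRESHOLD):
    """External sources that touched at least `threshold` distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["src"] and r["dpt"] is not None and not _is_internal(r["src"]):
            ports_by_src[r["src"]].add(r["dpt"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= threshold}


def find_unexpected_egress(records, allowed=ALLOWED_EGRESS_PORTS):
    """Internal hosts trying to reach ports outside the egress policy.

    Dropped attempts matter as much as accepted ones: a workstation that keeps
    trying port 25 or 6667 is usually infected, whether or not it got through.
    """
    hits = defaultdict(list)
    for r in records:
        if r["src"] and r["dpt"] is not None and _is_internal(r["src"]) and r["dpt"] not in allowed:
            hits[r["src"]].append((r["dst"], r["dpt"], r["action"]))
    return dict(hits)


def analyse(log_text):
    """Run both detections over a block of log text."""
    records = [rec for rec in map(parse_line, log_text.splitlines()) if rec]
    return {"scans": find_inbound_scans(records), "egress": find_unexpected_egress(records)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, ports in report["scans"].items():
        print(f"inbound scan from {src}: ports {ports}")
    for src, attempts in report["egress"].items():
        for dst, port, action in attempts:
            print(f"unexpected egress {src} -> {dst}:{port} ({action})")
```

On the sample data the script reports one outside host walking six common service ports and one workstation repeatedly trying to reach an IRC server and two mail servers; the inbound probes were all dropped, which is exactly why nobody would notice them without reading the logs. Feed it your own firewall's log (the field names are those iptables writes; other firewalls need only a different `LINE_RE`) and tune the egress allowlist to what your policy actually permits.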

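The Passwords item above says a strong password is harder to guess or crack. The following added example (written for this page, not taken from the article or from the Razorpoint white paper) shows why a "complex" password built from a dictionary word still falls in seconds. It simulates the first thing password-cracking software does: take a word list, apply cheap mangling rules (capitalisation, leet substitutions, appended years and symbols) and test each guess against the stored salted hash. The word list, rules and target passwords are constructed; salted SHA-256 stands in for whatever hash a real system would store.

```python
"""A tiny offline dictionary attack, to show why a word dressed up with a
capital letter, a year and a symbol is not a strong password.

Added example written for this page, not code from the article or from the
Razorpoint white paper. The word list, mangling rules and target passwords
are constructed for illustration; salted SHA-256 stands in for whatever hash
a real system stores (a real password store should use a slow hash such as
bcrypt or scrypt so that every guess costs the attacker time).
"""
import hashlib
import os
import secrets

# Constructed mini word list; real cracking lists hold millions of entries.
WORDS = ["password", "summer", "welcome", "letmein", "monkey", "dragon"]
YEARS = [str(y) for y in range(2000, 2008)]
SUFFIXES = ["1", "123", "!", "1!"] + YEARS + [y + "!" for y in YEARS]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})


def candidates(words=WORDS):
    """Yield guesses in the order a cracker tries them: bare words first,
    then each word with cheap mangling rules applied."""
    for w in words:
        yield w
    for w in words:
        bases = (w, w.capitalize(), w.upper(), w.translate(LEET), w.capitalize().translate(LEET))
        for base in bases:
            yield base
            for suffix in SUFFIXES:
                yield base + suffix


def hash_password(password, salt):
    """Salted SHA-256; fast, which is exactly what makes guessing cheap."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target_hash, salt, words=WORDS):
    """Try every unique candidate. Return (password, guesses_made) on success,
    or (None, guesses_made) if the rule set is exhausted."""
    seen = set()
    for guess in candidates(words):
        if guess in seen:
            continue
        seen.add(guess)
        if hash_password(guess, salt) == target_hash:
            return guess, len(seen)
    return None, len(seen)


def attack(password):
    """Store `password` the way a system would (fresh random salt), then attack it."""
    salt = os.urandom(16)
    return crack(hash_password(password, salt), salt)


if __name__ == "__main__":
    for pw in ["Summer2007!", "P@ssw0rd", "Monkey123", secrets.token_urlsafe(12)]:
        found, guesses = attack(pw)
        verdict = f"cracked after {guesses} guesses" if found else f"survived all {guesses} guesses"
        print(f"{pw!r}: {verdict}")
```

Run it and a word-based password such as Summer2007! is recovered in about 150 guesses, while a random 16-character string survives the entire rule set. The lesson for a password policy is that length and unpredictability, not the mere presence of a capital letter and a digit, are what make the cracker's job expensive; on the defensive side, store passwords with a slow, salted hash (bcrypt or scrypt) so that every one of those guesses costs the attacker real time.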

Not A Product

"Security is a process, not a product" is a famous adage in the security industry. It is very true. While there are numerous products to buy out there, none are effective in preventing an attack if there is no thought process behind their use.

Security considerations that should be contemplated are: Where do we need security? Where could we be vulnerable? What type of security do we need? How will this security be maintained and monitored? What assets are we trying to protect? Who needs access to these assets, and for what reasons?

This is how to begin a security thought process, which should be reviewed and updated regularly. Buying a "Firewall/VPN combo" appliance online is not where you start.



Gary Morse, a 27-year veteran of the security and technology Industries, is the president and founder of Razorpoint Security Technologies Inc. in New York. More information is available at www.razorpoint.com.