Vulnerability Assessment Systems - Essay Example

Interoffice Memo 17/2008 Alberto Ginastera, CEO Eze, CISO RE: Duplication of efforts - VAS and IDS ______________________________________________________________________________ Question 1: Duplicated Efforts Up at the St Gregory Country Club, my friend Walter "Wally" Gropius was telling me about how they use intrusion detection systems at MalaFide Corporation where he's the CEO to identify all attacks on their computer networks. So before I approve this request for vulnerability assessment systems, I'd like to understand why we are duplicating efforts here. As I understand it, the VAS just does the same as the IDS only a bit earlier, so why do we need both Seems to me that if either the VAS or the IDS is doing its job right, we only need one of them. Can you give me your analysis on this by tomorrow morning Thanks. Mr. Ginastera, I've prepared an analysis about the use of vulnerability assessment systems and intrusion detection systems in your company, just like you asked me. You specifically asked whether the use of both systems will be a waste of resources and a duplication of efforts. My analysis suggests that VAS and IDS have separate internal functions for the security of the computer systems and both must be a part of a computer system for complete security control. Vulnerability Assessment Systems Vulnerability assessment systems are those security scanning tools that assess level of threat that can penetrate a system. The main job of such tools is to scan networks, servers, firewalls, routers, and applications and report system vulnerabilities. "Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies". (Becker, 1999) New threats are discovered each day thus the vulnerability assessment tools must be updated regularly. Any new weaknesses such as security flaws and bugs would need to be patched in the system so that no holes left for malwares, viruses, spywares etc. to infect the system. Another feature of a vulnerability assessment system is that it generates reports which can tell a user what and where weaknesses exist and how to fix them. (Becker, 1999) Intrusion Detection Systems Vulnerability assessment is the first step in securing the system from threats by taking appropriate security precautions and patch-ups. However, new threats are raised everyday and some might pass through the vulnerability precautions. Therefore the next logical step is to "monitor the system for intrusions and unusual activities". Intrusion detection systems automatically raise the alarm in case of a security breach and inform the Computer Incident Respond Team for their help. "By analyzing the information generated by the systems being guarded, IDSs help determine if necessary safeguards are in place and are protecting the system as intended". Important to note here is that IDS don't protect the system, they just pinpoint the location of the attack and collect the information related to the attack and the attacker. (Becker, 1999) IDS tools are used by the CIRT to generate both technical and management reports since it provide background information on the type of attack and the attacker. IDS can also give recommendations to the management about the courses of action to take to seal the breach. (Becker, 1999) Example The difference can easily be understood by the following example. Vulnerability assessment just checks how susceptible a person is to catching a cold in winters. The vulnerabilities that the system can find is that not enough warm clothes are worn and heater is not being used. The intrusion detection system checks that cold air in hitting the person directly which may be harmful, and the point of intrusion was the chest of the person. So a person gets the information from the vulnerability system that he needs to have a heater and wear warm clothes and from the intrusion detection system the person finds out that since the chest wasn't covered enough with warm clothes, the infection needs to be cured at this point. I hope you understand the difference in functionality and usefulness of both systems and why both of them should be implemented in the organization for a more secure system. For more information regarding this topic, I'm available for help at my desk. Feel free to drop in at any time. Interoffice Memo Date: 1/17/2008 To: Benjamin Britten, CIO From: Eze as CISO Re: Fundamental problems in risk management ______________________________________________________________________________ Question 2 I've been concerned about fundamental problems that your presentations over the last several months have been skating around. First of all, you keep emphasizing vulnerabilities, threats and risks, yet in fact there's very little known about the reality of these risks. We don't have reliable statistics about rates of occurrence of different security problems; we don't even have similar environments in which such statistics could be applied if we had them. Secondly, all of security suffers from the problem of extinction: in the absence of reinforcement, defensive or protective behavior eventually decreases and disappears. Disaster recovery planning, for example, deals with rare events, so actual incidents are relatively rare. How can one cope with these depressing realities of information security How do we respond to skeptics among our own staff who claim that security is a shell game in which we use fear, uncertainty and doubt to con people out of resources better spent on more immediate investments I really need your help on this because I'm being hammered in the Board meeting by the other C-level executives. Mr. Britten, I understand your concern regarding the skeptics in your staff who don't realize the security threat that information technology poses to an organization and even an individual. Invading the privacy of a person by taking pictures from a cell phone camera is as real as a person's job. Manipulating the images can have serious repercussions that known people in the industry especially celebrities have to face today. So what stops a person from illegally copying all the data from your company through a virus and selling it your competitors The answer is 'The level of security employed in the computer networks'. Statistics Trend Micro, a leading anti-virus and system security product developer estimates that in 2003 PC Viruses cost businesses approximately $55 Billion loses. MSN estimated that ID theft costs banks $1 billion a year by people taking home loans and credit cards with fake IDs. CERT/CC announced that in 2002 that the vulnerabilities in computer systems doubled with such reported incidents increasing from 21,756 in 2000 to 52,658 in 2002. If these simple statistics don't move your staff members, then I've got an even alarming one. US Defense, considered as one of the best in the world, had 25,000 attempted intrusions into defense systems in 2000.Of those, 245 were successful causing major problems inside the defense to protect military assets. (SS, 2008) The problem with today's systems is that the employees take the system security for granted. Like in the case with US Defense, it was found that 96% of the successful attacks could have been prevented had the users followed protocols. If such a breach can happen inside the fortified US military system, then just imagine where a small organization fares when it comes to system security. (SS, 2008) Cost vs. Benefits Most people realize that risks exist at some level, however they fail they realize that these risks are greater and closer to them then they know. An argument relating computer security is the justification of costs involved. Since most of the work done in an organization in electronic, all the data, files and information, public or private, is stored on the computers. Thus all the business knowledge is on computers and without these computers, the organization will be nothing. Even if a confidential file/letter/document is intercepted by the wrong people, an organization can be heading towards disaster. Solutions To recover the data lost is another headache. Therefore a strategic guide in the form of a Computer Incident Response Team is advised to be inducted in every organization where crucial information is stored on computer systems. Having vulnerability assessment and penetration assessment tools combined with intrusion detection tools must also be a part of a computer system. Obviously operating such a system is expensive and this cost in hard to justify if intrusions are rare, however a simple answer exists for justification. The answer is 'without expenditure we wont be running our security system and without a security system we wont have confidential competitive information on our computers and without information on our computers, we wont be doing business as we do today'. (Becker, 1999) I hope to have convinced you and hopefully your staff members about how real a security threat is and how even a single intrusion into the system can destroy the organization. If you further need any help or information, please feel free to contact me during my working hours. Interoffice Memo Date: 1/17/2008 To: Charles Ives, CFO From: Eze, CISO RE: Backups ______________________________________________________________________________ Question 3: I've been trying to get my fifteen-year-old son to make backups at home on the computer that he uses for all his homework, but he just laughs at me and says, "Oh Daaaaad" while rolling his eyes the way kids do at that age. He claims I can't know anything about backups because I'm "only an accountant." He says that computers don't break down any more and that I'm worrying for nothing. I wondered if you have anything handy that I could give him that explains the reasons why he should be careful to do backups and what would make sense for him. He does a lot of writing (he's the editor of his high-school yearbook and contributes to the poetry and literature journal every month) and also does a tremendous amount of research for his class papers (he's gotten As on all five of them this term!). I hope this isn't too much of a bother for you, but I'd really appreciate your help. He would really listen to anything you say. Thanks again. Mr. Ives, Thank you for trusting me to impart this knowledge to you and your son. Honestly speaking your son has a point when he say says that computers don't break down nowadays. However the systems are as reliable as you make them. Since humans are unreliable, anything made by them is unreliable thus experts advise that all hardware and software should be backed up at least five times. For users of such hardware and software, it is imperative that all work should be backed up in separate locations since for the home users, the product is often more useful then the software and hardware. (BA, 2000) Statistics Ontrack provides a list of major causes of losing data (KO, 2000) 56% because of hardware or system malfunction 26% because of human error 9% because of software corruption or program malfunction 4% because of computer viruses 2% because of natural disasters rest is because of other factors Example Just take an example of a power failure. In our times of technological advancement, power shut downs, blackouts or load-shedding is almost unheard of. However recent blackout in the US, caused major uproars and problems for the citizens. If something like that happened in your city and everything running on electricity would be shut off. Let's assume your son was working on the final version of the school yearbook and suddenly power goes off and all the effort your son had put into the work got erased since his computer got shut unexpectedly. To say the least, this would have only erased the work that was being done when the power was shut. If for some reason the power comes back on and it hikes above the maximum level that your computer can sustain, then it would cause damage to the hardware making the computer useless. All the data and research would evaporate in a blink causing massive loss to your son's reputation. The problem with computer hardware is that there are very few signs when the system will crash. It will go down without any warning and refuse to function. If you are in the middle of something really important, and you don't have any backups, a system breakdown can cost you dearly. (Melnick, 2007) Solutions People ask 'what is the solution to safeguard the computers against these rare threats'. The solution is not simple yet it is important to take measures to protect your system. For sudden power shutdowns, a device known as the UPS or Uninterrupted Power Supply should be attached to your computer. Stabilizers should be part of computers where power fluctuations are common. You should protect your system hardware and system files by using anti-virus software. Also install applications that are certified and come from a reliable source. And lastly to emphasize on this, backup your files and documents in a separate system every once in a while. In case you to purchase computer safety devices, I can recommend a few to you. If you require further assistance from me, I'm available 24/7 on my cell phone and you are always welcome to drop by. Interoffice Memo Date: 1/17/2008 To: Anton Webern, COO From: Eze as CISO Re: Delay in establishing CERT ______________________________________________________________________________ Question 4: Hi there! It was great having you over to supper last week and Betsy really enjoyed meeting your partner. We look forward to seeing you again soon, perhaps with Bob and Najeela too. Actually though, we have a problem with the Computer Emergency Response Team business we've been working on this month. Some of my people who were involved in the initial meetings are being called back for second and third interviews and they are complaining that nothing is actually happening. We thought we'd have the CERT up and running within a few weeks - after all, how hard can it be to respond to computer incidents I'd really appreciate your help in preparing an explanation of what's going on and what kind of reasonable timeline makes sense so we can reset expectations in the operations group and maybe throughout the organization. Thanks. Mr. Webern, I thank you for inviting me to the supper last week and I'm looking forward to them in the future, maybe at my place. Now as for the delay of implementing the CERT in your organization, I assure you that the implementation is on schedule according to my analysis. You must understand that CERT is not an easy job at all. From my experience in the industry, a proper and complete implementation of CERT requires commitment and resources to design the strategy for emergency times. First of all, the company policies regarding the security would need to be identified and communicated to the staff. Often, the policy documents are not available and sometimes policies are undocumented and are in the form on company norms. Thus they have to be first documented and understood. (RHE, 2004) Selecting Human Resources - Biggest Challenge Next when the time of selecting the human resources comes, most people are reluctant to accept the job and responsibility. Convincing these people and selecting the most able employees for this job is extremely difficult and time consuming. Since people who are trustworthy and reliable are needed for such a position, not all people who want to volunteer for a position in CERT are acceptable. In some cases some external human resources are also recruited. In such a case time is lost in negotiating the financial payments for hiring the person. Additional people need to be kept for backup in case someone in the team doesn't show up when a need arises. Next the selected people have to be trained and briefed about their responsibilities. This consumes even more time as a strict guideline needs to be followed for quick response hence more training. Another important point with a CERT is that in reality it is a team, thus it needs to function as one when a need arises. To make the team members oriented with the task, test-sessions are held which imitates the real security threats which the team has to respond to. (RHE, 2004) The emergency plan requires prior permission and access to the computer facility when an emergency occurs. The team should be given access codes and all knowledge about the system beforehand. However this is critical information and must be kept secure for others. It is therefore imperative that the members of the team are trustworthy and the company can rely on them for the security of the system. Company Position By the looks of it, your company is in the initial stages of developing a CERT by interviewing many employees and appraising them according to their skills and reputation for employing them in the team. From this point onwards, the real strategy and guide will be prepared which should take approximately 6 months for testing and application. Please remember that computer system protection is the objective here thus only the best ad only the most reliable people have to be selected. There cannot be any shortcuts here as the security of the system depends on this team. The delay in the implementation is therefore necessary and should be considered as a precautionary time against system intrusions in the system. It is important that you communicate this information about the importance of reliability to all employees. If you need my help further on this topic or system security related topic, I'm available on weekends on my personal landline. Works Cited 1. BA. (2000). HARDWARE Reliability. Retrieved January 17, 2008, from Ba-Education: http://www.ba-education.demon.co.uk/for/hardware/reliablity.html 2. Becker, B. T. (1999). RISK ASSESSMENT TOOLS AND PRACTICES . Retrieved January 17, 2008, from FDIC: www.fdic.gov/news/news/financial/1999/FIL9968b.doc 3. CERT/CC. (2007). Vulnerability Statistics. Retrieved January 17, 2008, from CERT: http://www.cert.org/stats/fullstats.html 4. KO. (2000). Understanding Data Loss. Retrieved January 17, 2008, from On Track Data Recovery: http://www.ontrackdatarecovery.co.uk/understanding-data-loss/ 5. Melnick, B. (2007 ). Warning Signs of a Computer Break down. Retrieved January 17, 2008, from Johnz PC Hut: http://www.johnzpchut.com/tech_articles/Warning%20Signs%20of%20a%20Computer%20Breakdown.htm 6. RHE. (2004). Creating an Incident Response Plan. Retrieved January 16, 2008, from Red Hat Enterprise Linux: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-response-plan.html 7. SS. (2008). Most Requested Security Statistics. Retrieved January 17, 2008, from Security Statistics: http://www.securitystats.com/ Read More