AIR-TIGHT, MULTI-LAYER IT SECURITY DEFENSE SYSTEMS™
In March, two security
companies, Preventsys and Qualys, published a joint survey
revealing that a startling 52 percent of chief information
officers (CIOs) still use a “Moat-And-Castle” approach to
their overall network security solutions. In other words,
the majority of CIOs admitted that once their perimeter
security systems are penetrated, their networks are at risk.
According to the survey, a smaller group of CIOs, 24 percent, said their security was more like Fort Knox: it would take a small army to get through. And 10 percent went further, comparing their networks’ security to Swiss cheese, with holes inside and out.
Even so, the survey reported, 48 percent of CIOs considered themselves “proactive” about network security and felt they had a good grasp of their enterprise’s security posture.
Today, we face a globally interconnected information highway outside our firewalls. We are also struggling with a far more complicated network on the inside, including Extranets: networks connecting us to customers, partners and vendors, Wireless Access Points (WAP), site-to-site Virtual Private Networks (VPN), mobile-to-site VPNs and dial-up users.
More and more people are using laptops and Personal Digital Assistants (PDAs) equipped with wireless adapters and Bluetooth, roaming between offices, homes and public places. Many also use the same wireless technologies and USB sticks to exchange files, connect to smart phones and plug in MP3 players, carrying data around outside whatever weak protection the network offers.
At the same time, security
threats are not only increasing but coming in all different
shapes and sizes. Sometimes, they will simultaneously come
in combinations, the so-called blended attack.
This means that without
being truly proactive, CIOs will be charged with spending
more and more of their days battling new security threats.
Preventsys and Qualys found that 46 percent of security
officers already spend more than a third of their day, in
some cases as long as 7 hours, analyzing reports generated
from their various security point solutions.
Furthermore, the threats no longer come only from hackers who want to steal your information or deface your website. Worms, Trojan Horses, Adware, Spyware, Malware and Phishing are just a few of the threats gaining ground. Some of these are so new that standard dictionaries do not yet have definitions for them.
Threats are also becoming
more flexible in their targets. They are no longer just
targeting computer devices. Now, any electronic device that
uses an Operating System or software application is
vulnerable. In the near future, everything from your
automobiles and entertainment centers to microwaves and home
security systems will be potential targets for security
threats.
The technology world is also
moving on to larger, more widespread threats that impact our
electricity power grids, nuclear power plants, financial
trading systems, banking systems, and varying government
networks.
All of these threats mean
more worries for IT security operations. And one thing is
for sure: The concept of traditional network perimeters,
typically secured by a firewall, is all but disappearing.
The days of using a single
perimeter network security defense are over. A new IT
Security Defense System will need to be developed to counter
the new threats. It must cover all layers of the modern
network and computing devices. And it must fight against
threats to prevent them from soaking up the productivity of
our enterprises.
A coordinated defense should be mounted across the following layers, using different methods and technologies in at least one, and preferably more, of them. Avoid relying on a single security-product supplier for your entire defense system, especially for major tools such as firewalls.
Air-Tight, Multi-Layer IT Security Defense Systems™ Solution Matrix
(✓ = the role is involved in defending that layer; ✗ = it is not)

Layer                 Inter-Organizations / Governments   Organization   People   Technology
Internet                              ✓                        ✓           ✓          ✓
Extranet                              ✓                        ✓           ✓          ✓
Perimeter                             ✓                        ✓           ✓          ✓
Intranet                              ✗                        ✓           ✓          ✓
Platform / Device                     ✗                        ✓           ✓          ✓
Application & Data                    ✗                        ✓           ✓          ✓
Process                               ✓                        ✓           ✓          ✓
Internet
The Internet is composed of
numerous telecommunication companies (Telco) and many
Internet Service Providers (ISPs) across many countries.
And the complications do not
stop there. Each country is governed by a different set, or
even lack, of laws regarding Internet usage.
Today’s security attacks usually cross national boundaries by the very nature of how the Internet works. Internet security is therefore a global issue now, no longer merely a regional or national one.
Unfortunately, today’s fight against security attacks usually takes place at the end-point of the attack. That is a losing position for the defender, because damage control is limited and ineffective once an attack has already landed. The best defense is to take the fight to the source of the attack and stop it there, or on its path, before too much damage is done.
Imagine that there is an
international treaty that requires every ISP to police and
stop security-related attacks whenever one is discovered.
Of course, the technology
has to be there to allow this to work.
Today, for the most part, there is no way of stopping security-related attacks at this layer on any of the levels that matter: technology, coordination, policy and legal.
A few next-generation ISPs have been experimenting with this, but for the most part their goal is to make the network run faster. Networks are no more secure, in terms of preventing attacks at the source or on their path, than before.
We are still years away from being able to stop attacks at this layer. The reasons lie less in technical issues than in political and legal ones: a lack of vision, at the Telco, ISP and government levels, for seeing this as a way of stopping security-related attacks.
Extranet
Businesses and government agencies increasingly use the Internet to communicate with each other, via Virtual Private Networks (VPNs) or simply over plain TCP/UDP/IP. Many more still use traditional Frame Relay or point-to-point private networks to connect to their business partners, customers and vendors. For all of these, the security issues arise not only from the threats of the Internet, but also from connections that the agencies do not have 100 percent control over.
Many businesses are using
these types of connections without really understanding the
risks. What most don’t understand is that standard practices
and certifications are less likely to govern these
connections. The security measures are usually decided by
the parties involved, but there is never enough attention
paid to the connections. A great many of today’s Extranets
are not being protected with firewalls, monitored or audited
routinely.
Perimeter
While the perimeter is usually taken to mean the router or firewall connecting to the Internet, there is no single definition of the word “perimeter.” When it comes to security, the perimeter of one organization may differ from that of another. Generally, in security terms, the perimeter is the border, or the first line of defense.
For most organizations, the
perimeter should be the edge routers and firewalls that
connect them to other organizations. For some departments
within an organization, such as legal, human resources or
finance, the perimeter could be routers or firewalls between
those departments and other departments.
For a laptop, the perimeter
is its connections – USB, Firewire, Modem, Wi-Fi, Ethernet.
To a certain extent, floppy disks, CDs, everything and
anything that connects or carries data from outside sources
can act as the perimeter.
Intranet
The Intranet is the general term organizations use for their internal networks, whether Local Area or Wide Area. The importance of the Intranet is greater than ever. Today’s Intranet carries not only computer data, but also voice and video. At this layer, for the most part, there is next to no security within the Intranet. The conventional wisdom is to assume that the firewall at the perimeter is protecting it.
Nothing could be further from the truth. In fact, more damage originates from behind the firewall than from outside it.
Many more security measures can be deployed at this layer than are commonly used. The focus here is mostly on transport security and on control over routers and switches, which can be monitored and programmed to react to unusual situations. Everything that can be done at the Internet layer can be done here, and more.
Unlike the Internet, a
single organization has 100 percent control over the
Intranet. But given that computers and other electronic
devices are becoming more mobile, it is no longer true that
the Intranet is always using trusted devices. It is not
very hard to turn on one’s laptop using a wireless
connection to get onto an organization’s Intranet without
being authenticated. It is even easier to plug one’s laptop
into a network connection in a conference room of any
organization and get onto the Intranet unchallenged.
Most organizations do not
implement well thought-out outgoing security defenses and
controls. This essentially gives hackers a free ride.
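The “free ride” above is what a permit-everything outbound rule looks like in practice. The following is an added example, not code from the original article: it evaluates a handful of outbound flow records against the usual permissive policy and against a default-deny egress allowlist (DNS only from the internal resolvers, web only from the proxy, SMTP only from the mail relays). All addresses, ports, host roles and flow records are constructed for illustration.

```python
"""Egress allowlist check: an added example, not code from the original article.

Every address, port and flow record below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str     # internal source address
    dst: str     # destination address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


# Constructed sample of one segment's outbound traffic.
SAMPLE_FLOWS = [
    Flow("10.20.5.17", "10.0.0.53", 53, "udp"),       # DNS to the internal resolver
    Flow("10.20.5.17", "10.0.0.80", 3128, "tcp"),     # web via the corporate proxy
    Flow("10.20.5.42", "8.8.8.8", 53, "udp"),         # DNS straight out, bypassing the resolver
    Flow("10.20.5.42", "203.0.113.9", 443, "tcp"),    # direct HTTPS, not through the proxy
    Flow("10.20.5.99", "198.51.100.7", 4444, "tcp"),  # unexplained high port to the Internet
    Flow("10.0.0.25", "192.0.2.10", 25, "tcp"),       # SMTP from the mail relay
    Flow("10.20.5.17", "192.0.2.10", 25, "tcp"),      # SMTP from a workstation
]

INTERNAL = ip_network("10.0.0.0/8")
RESOLVERS = {ip_address("10.0.0.53")}    # only these may query DNS on the Internet
WEB_PROXY = ip_address("10.0.0.80")      # only this host may talk HTTP/HTTPS outward
MAIL_RELAYS = {ip_address("10.0.0.25")}  # only these may deliver SMTP outward


def permissive_policy(flow: Flow) -> bool:
    """The common default: anything from inside may go anywhere. Never blocks."""
    return True


def egress_allowlist(flow: Flow) -> bool:
    """Default-deny outbound policy. True only for flows with an explicit business reason."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in INTERNAL:
        return True                        # east-west traffic is out of scope here
    if flow.dport == 53:
        return src in RESOLVERS            # workstations must use the internal resolver
    if flow.proto == "tcp" and flow.dport in (80, 443):
        return src == WEB_PROXY            # workstations must use the proxy
    if flow.proto == "tcp" and flow.dport == 25:
        return src in MAIL_RELAYS          # stops spam bots and SMTP exfiltration
    return False                           # everything else is denied by default


def blocked_by(policy, flows=SAMPLE_FLOWS):
    """Return the flows the given policy would refuse."""
    return [f for f in flows if not policy(f)]


if __name__ == "__main__":
    print("permissive policy blocks:", len(blocked_by(permissive_policy)))
    for f in blocked_by(egress_allowlist):
        print(f"DENY {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The permissive policy blocks nothing; the allowlist denies the four flows that have no business justification (direct external DNS, direct HTTPS, the unexplained port 4444 connection and SMTP from a workstation) while the resolver, proxy and mail-relay traffic passes. Running the same records through both policies is a cheap way to show what an intranet's outbound rules currently let through before tightening them.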
Platform / Device
The most basic requirement here is to “harden” the operating systems by disabling unused capabilities and ensuring that the latest patches are applied. Many OS hardening guidelines are available online. But when we talk about operating systems, many people think only of Windows, UNIX, Linux and the like. What most do not realize is that there is a similar Operating System in most people’s cell phones and PDAs.
OS hardening
is easier said than done. The difficulties come from the
numerous operating systems and versions of operating
systems. Furthermore, security patches are coming out on a
weekly basis or even more frequently. It is next to
impossible to protect this layer without some sort of
automation and the help of an operating systems supplier.
We are seeing
more and more defenses placed at this layer with
platform-device level firewalls and more closed default
operating system installation. Others are working on
“sand-box” technologies at this layer, trying to protect the
“gold,” since the platform-device level is the last layer
between your data and anyone trying to get to it.
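Hardening guidelines are only useful if something checks the running configuration against them, which is the automation the section above calls for. The following is an added example, not code from the original article: it audits an OpenSSH server configuration against a small baseline, taking into account that sshd honours the first occurrence of a directive and that an absent directive means the compiled-in default applies. The two configurations are constructed; the baseline values and defaults are the documented sshd_config ones, and the MaxAuthTries threshold of 4 is a choice made for the example.

```python
"""sshd_config hardening audit: an added example, not code from the original article.

The two configuration texts below are constructed for illustration.
"""

# Baseline: directive -> acceptable values (compared case-insensitively).
BASELINE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": None,   # numeric; checked against MAX_AUTH_TRIES below
}
MAX_AUTH_TRIES = 4          # example threshold, stricter than the default of 6

# What sshd uses when the directive is not set at all.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

WEAK_CONFIG = """
# constructed: out-of-the-box config with a few loosened settings
Port 22
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
# the next line is ignored by sshd: the first value of a keyword wins
PasswordAuthentication no
"""

HARDENED_CONFIG = """
# constructed: hardened global settings, with a conditional exception
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return the effective global directives, lower-cased keyword -> value.

    sshd uses the first value it reads for a keyword, so later duplicates are
    dropped. Parsing stops at the first Match block: those settings are
    conditional and outside the scope of a global audit.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text):
    """Return a list of findings, e.g. 'permitrootlogin=yes (set)'.

    Each finding says whether the offending value was set explicitly or is
    the sshd default, so the fix is clear either way.
    """
    effective = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE.items():
        value = effective.get(key, DEFAULTS[key])
        origin = "set" if key in effective else "default"
        if key == "maxauthtries":
            ok = value.isdigit() and int(value) <= MAX_AUTH_TRIES
        else:
            ok = value.lower() in allowed
        if not ok:
            findings.append(f"{key}={value} ({origin})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The weak configuration produces four findings, including MaxAuthTries, which fails on its default value even though the file never mentions it. The hardened configuration passes, and the `Match User backup` exception is correctly left out of the global result. The same structure (parse to effective settings, compare against a baseline with defaults) carries over to other services' configuration files.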
Application &
Data
Software applications are where most people do their work and “see” data that would otherwise be meaningless. Most of us would not be using computers if it weren’t for software applications. There are two major types: server applications, which run on servers, and client applications, which run on desktop computers.
Software applications are everywhere we go. But even today, the majority of software applications and data on computers still don’t have effective built-in security, especially on the client side. Almost all data files can be opened by the same application, or even by different applications, regardless of who actually owns or created them.
The same holds true for tape backups and for the data files stored on individual computer hard disks, which every organization uses. I venture to say that 95 percent or more lack proper security protection.
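The simplest form of the protection missing from data files and local backups is the file permission bits, and the simplest way to find out how much of a disk is exposed is to walk it. The following is an added example, not code from the original article: it builds a small constructed directory tree in a temporary location, reports every regular file that users other than the owner can read or write, and then restricts those files to the owner. It examines POSIX permission bits only; Windows ACLs are not covered, and the file names and modes are illustrative.

```python
"""Data-file exposure audit: an added example, not code from the original article.

The directory tree is constructed in a temporary directory; names and modes
are illustrative. POSIX permission bits only.
"""
import os
import stat
import tempfile

# Any of these bits set means someone other than the owner can read or write the file.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def exposed_files(root):
    """Return {relative_path: octal_mode} for regular files readable or writable
    by group or others. Symlinks are skipped (lstat), so a link into another
    directory cannot make a protected file look exposed or an exposed one hidden."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & EXPOSED_BITS:
                report[os.path.relpath(path, root)] = oct(mode)
    return report


def lock_down(root, report):
    """Restrict every reported file to owner read/write (0600)."""
    for rel in report:
        os.chmod(os.path.join(root, rel), 0o600)


def build_sample_tree():
    """Constructed sample: a user's home directory with a spreadsheet, a local
    backup archive, a private key and some notes, with typical sloppy modes."""
    root = tempfile.mkdtemp(prefix="dataaudit_")
    samples = {
        "finance/q3-forecast.xlsx": 0o644,  # world-readable spreadsheet
        "backup/payroll.tar.gz": 0o666,     # world-writable local backup
        ".ssh/id_rsa": 0o600,               # owner only, as it should be
        "notes/todo.txt": 0o640,            # group-readable
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = exposed_files(root)
    for rel, mode in sorted(found.items()):
        print(f"EXPOSED {mode} {rel}")
    lock_down(root, found)
    print("after lock_down:", exposed_files(root))
```

On the constructed tree the audit flags the spreadsheet, the backup archive and the notes file but not the private key; after `lock_down` a second pass reports nothing. Run against a real home directory or backup staging area, the report gives a concrete number to put beside the “95 percent” estimate above.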
Process
As anyone who plays defense will tell you, your defense is only as strong as its weakest link. For any of the above layers to work, the glue is Process. Processes, agreed with all parties involved, that integrate each layer of defense into a cohesive, Air-Tight, Multi-Layer IT Security Defense System are key. Look for processes that span global boundaries, based on common laws and rules of engagement that serve the common good. Look for ones that protect the global economy and the freedom of information sharing, while protecting the privacy of the people using these public networks.
By Benson Yeung, Senior Partner