Security Assessment: The First Step in Managing Network Risk
A White Paper by NEC Unified Solutions, Inc.
Security Assessment White Paper, NEC Unified Solutions, Inc. © 2004

Introduction

When it comes to fighting cybercrime, organizations have a veritable arsenal of information at their disposal. Information about basic security weaknesses in software and networks is in the public domain and can be accessed freely from technology watch Web sites. The SANS Institute publishes its "Top 20" list of security vulnerabilities for IT administrators to watch out for. Microsoft® regularly issues announcements about security patches for its IIS server. Yet even the most informed system administrator can still miss security holes in the network, and addressing the Top 20 vulnerabilities just means that the hundreds of others not on the list have been missed. Additionally, the rapidly evolving nature of networks and network devices causes many of these vulnerabilities to surface – and makes keeping up even more difficult for a typical IT administrator. Many organizations lack the resources and expertise to do a thorough job of assessing their network vulnerabilities. This paper explains how a security assessment provides the baseline for developing an enterprise-wide risk remediation plan.

Security as a Process

A good security practice should be dynamic. Rather than implementing policies and security applications as a one-time effort, companies should continually update and evaluate their security practices to keep pace with changes in technology and regulations. As many in the industry are well aware, security should be regarded as a process, not just as a product. The result is a consistent cycle that helps safeguard against future and evolving attacks:

[Fig. 1.1. Process cycle for a good security practice.]

What is a security assessment?

A security assessment is performed with two goals in mind: to identify a company's existing security vulnerabilities and to make recommendations for improving security practices or infrastructure. Various areas of a company's network can fall under the scope of a security assessment, but most assessments examine at least one of the following areas:

• External environment – Using hacking techniques and sophisticated tools, security specialists try to "penetrate" a company's network from the outside, usually from the Internet or remote sites. They try to determine how well the company's perimeter (routers, firewalls, hosts and other devices that connect the internal network to non-corporate networks) is protected from external attacks.

• Internal environment – A company's security policies and procedures are compared with industry best practices and government regulations, and various audits are conducted of the overall internal network, including all devices and network applications. Internal hosts are also assessed for security vulnerabilities. Some assessments also include audits of the physical environment (e.g., are IT facilities kept secure?) and of security training and awareness programs.

More often than not, the minimum security assessment requested by companies consists of an external assessment. Many companies focus on the threats posed by outside hackers but fail to recognize the potential threats within their confines: disgruntled employees who may sabotage the network or perpetrate fraud, enabled by lax security awareness among IT personnel and general staff and by bad security practices. The FBI estimates that 71% of security breaches are incurred by authorized users. Targeting only external hackers does not offer an adequate picture of a company's security status, so both external and internal assessments must be performed.

Since a company's security status could have a significant impact on its business, management should view the security assessment as a tool to benchmark progress and evaluate the effectiveness of new security policies and practices. As networks and regulations change, a company should revisit its security status with regular assessments to update security practices and ensure compliance with new regulations.

Why outsource a security assessment?

Unless a company retains qualified IT security specialists on staff, it cannot expect to conduct an adequate assessment of its network. Testing and evaluating a network's security requires specialized knowledge and tools, both of which come at a high cost if acquired for in-house use. A company would have to invest up to $200,000 (according to NEC Unified Solutions estimates) in specialized tools, plus training and salaries averaging over $100,000 for experienced security professionals, before it could conduct its own security assessment. Besides this, CISSP, GIAC and other security-certified professionals are scarce commodities whose numbers are outpaced by the growth of security needs in the Internet and network arenas. Contracting outside security specialists such as NEC Unified Solutions™ to perform an assessment would not only save a company long-term expenses but also provide the objectivity needed for evaluating its network security.

NEC Unified Solutions' security assessment

NEC Unified Solutions expands beyond simple external assessments to offer a comprehensive assessment that may include implementation of recommended security solutions at the customer's request.

NEC Unified Solutions' Network Security Vulnerability Assessment addresses a wide scope of security issues in the customer environment, including policy, premises, network, business and government regulation issues (HIPAA, VISA's CISP, etc.). Based on the customer's needs, the assessment applies multiple discovery tools to detect internal and external threats. The assessment delivers an analysis of the audit with recommendations and budgetary cost estimates for remediating the vulnerabilities discovered. An NEC Unified Solutions security assessment may include several or all of the following components:

• Internal Assessment – Security specialists identify and exploit internal network vulnerabilities to gauge the security state of the internal network (technical assessment), and assess security policies against industry best practices and government regulations (non-technical assessment). The technical assessment consists of two parts:
  Host Security – Application servers, file and print servers, and workstations are audited, and the results are analyzed for known security vulnerabilities and for compliance with policy and applicable regulations.
  Network Security – Typically includes routers, switches, gateways, remote access systems and firewalls. Vulnerability data is measured and recorded for each system tested, with great care not to cause disruption or interference to the systems being probed.
  The non-technical assessment examines the policy and procedural security controls in an organization. Business risks are expounded and compared to industry best practices (BS 7799; ISO 17799).

• External Assessment – Security specialists use hacker techniques and tools to penetrate a network from the outside. Vulnerability data is measured and recorded for each system tested. The external assessment determines the state of security of the company's corporate electronic perimeter, consisting of the routers, hosts, firewalls and other devices (and software) that connect its networks to non-corporate networks. These network components generally provide the maximum exposure to outside intruders.

• Security Recommendations – Based on audit results, security specialists develop specific recommendations to address vulnerabilities in network security, policies and architecture.

• Proposal Plan – Security specialists take the recommendations one step further and create a security plan for implementing hardware, services and maintenance. It includes a pricing model and timeline for the recommended implementation.

• Implementation of Solution – According to the proposal plan, NEC Unified Solutions security personnel will install and configure security vendor solutions if the customer chooses this option. NEC Unified Solutions has partnered with F-Secure®, Cisco® and Counterpane® to offer anti-virus, firewall, encryption, monitoring and many other security services.

Applied in tandem, these assessment components work to address government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, as well as industry requirements such as the VISA Cardholder Information Security Program. Below is a portion of a chart that shows how various parts of NEC Unified Solutions' Security Assessment address VISA card regulations:

[Chart: Security Assessment components mapped to VISA card regulations (not reproduced in this copy).]

Case study

NEC Unified Solutions conducted a week-long security assessment at an e-commerce company that wanted to meet a customer's business requirement for a secure environment.

In auditing the company's security policies, NEC Unified Solutions security specialists examined the role of management in promoting security practices; existing company-wide security policies and their implementation; the security of the company's voice and data networks, critical business applications/systems and physical environment; and whether security reviews were conducted on a regular basis.

The company's corporate network was audited against 90 security control measures (based on industry best practices), and 28 of the 55 "high-risk" measures were found not to be implemented. These included having no firewall separating the internal network from the Internet and no additional authentication for remote user access. Without these safeguards, anyone on the Internet could easily hack into the network.

During the external security assessment, NEC Unified Solutions security specialists used "hackerware," both freeware and proprietary tools, to "penetrate" the company's network from the outside. They detected a number of major security weaknesses. Besides the lack of firewalls, they were able to easily access Microsoft domains and retrieve 50% of the passwords, including a crucial administrative password, within a brief period of password cracking.

Because many security threats originate from within an organization, NEC Unified Solutions also performed an internal security assessment of the company's network devices (routers, switches, gateways, remote access systems, firewalls) and application devices (application servers, file and print servers, and workstations). Audit results were then analyzed for known security vulnerabilities and compliance with industry/government regulations. Many systems were not configured properly to suppress intrusions; the most obvious and easily corrected were those deployed with default administrative or blank passwords.

No intrusion monitoring system was in place to alert IT personnel to intrusion attempts; during this assessment, NEC Unified Solutions security specialists spotted at least 13 network devices that had been infiltrated by known Trojans. It was concluded that the company was at "extreme risk of malicious attacks from the Internet," as well as being susceptible to attacks by disgruntled employees, on or off campus.

In response to the company's security vulnerabilities, NEC Unified Solutions recommended that it adopt the following measures immediately:

o Implement a company-wide security program that includes a minimum set of industry best-practice security policies and a security awareness program to ensure employees participate fully in the effort.
o Incorporate standard security and authentication architecture and access control into the existing network infrastructure.
o Implement an intrusion detection monitoring system.
o Implement adequate security policies with respect to applications and users.
o Keep all systems up to date on security patches.
o Conduct periodic security audits to ensure adherence to policies and to keep up with changes in technology.

The company is now taking steps to pursue a number of the security implementations recommended by NEC Unified Solutions.

Conclusion

Simply protecting against attacks by external hackers overlooks the potentially dangerous vulnerabilities that lurk within a company's internal network infrastructure and policies. That is why a complete security assessment of a company's internal and external networks should be its first step in managing network risk.

Using hacker techniques as well as sophisticated proprietary tools, NEC Unified Solutions' security specialists accurately and objectively measure vulnerabilities from every standpoint (from perimeter devices to physical security and policies), so that a baseline can be established for reviewing the progress and updates of security implementations. A formal third-party assessment not only helps to ensure that major security issues are addressed, but also fosters confidence among customers that efforts are being made to protect their valued investment.

About NEC Unified Solutions

NEC Unified Solutions, Inc., a leader in integrated communications solutions for the enterprise, delivers the industry's most innovative suite of products, applications and services that help customers achieve their business goals. With more than a century of communications and networking expertise, NEC Unified Solutions, Inc., a subsidiary of NEC America and affiliate of NEC Corporation (NASDAQ: NIPNY), offers the broadest range of communications services and solution choices, flexible product platforms and applications, and an open migration path to protect investments. NEC Unified Solutions, Inc. serves the Fortune 1000 and customers across the globe in vertical markets such as hospitality, education, government and healthcare. For more information, visit www.necunifiedsolutions.com.

Document Information

This document is intended to provide outline information only and can change without prior notice.

Other Resources

"U.S. Government Computers Widely Hacked in 2000." Newsfactor Network, April 6, 2001.
"Security breach: Hacker gets medical records." AMNews, Jan. 29, 2001.
Computer/Information Systems Industry Compensation Survey 2001.
FBI Congressional Statement on Cybercrime, March 28, 2000.
"Risk Management and Security." Raytheon Company – SilentRunner.
"Managed Security Services: The Future of Vulnerability Assessments." Foundstone, Inc.
Security Assessment customer report, NEC Unified Solutions.
Federal Trade Commission, www.ftc.gov
Health Care Financing Administration, www.hcfa.gov
VISA U.S.A., www.visabrc.com