Defending the Enterprise
An attack on the Border Gateway Protocol (BGP) could create a black hole on the Internet. The Department of Homeland Security stated that a few subverted servers recently enabled an attack on some of the Internet Domain Name System (DNS) root servers and threatened to disrupt service for many users. The risk of cyber-attack is rising: today's hackers are highly determined, patient, adaptive and well-funded.
The threat to businesses has never been greater, and gaps in the infrastructure provide opportunities for malicious, relentless, 24x7x365 attacks from professional hackers worldwide. This applies to all industries and sectors.
Businesses worldwide lose $3 billion yearly in productivity due to the need to test, clean and deploy patches to computer systems.
Much of that cost is driven by blended attacks, which combine the techniques of viruses and worms. A virus attaches itself to an executable file and relies on that host being run to spread, while a worm is self-contained and propagates across the network on its own, consuming memory, disk space and bandwidth as it goes. Information Week reports that a successful virus strike costs individual businesses from $100,000 to $1 million a year in cleanup and related costs.
Threats today do have a real and immediate impact on business revenue and costs. Each year, the Computer Security Institute and the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad conduct and publish the “Computer Crime and Security Survey.” The trends established in the 1990s continue:
- 90 percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the past 12 months.
- 80 percent acknowledged financial losses due to computer breaches.
- 44 percent (223 respondents) were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.
- As in previous years, the most serious financial losses occurred through theft of proprietary information (26 respondents reported $170,827,000) and financial fraud (25 respondents reported $115,753,000).
- For the fifth year in a row, more respondents (74 percent) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33 percent).
- 34 percent reported the intrusions to law enforcement. (In 1996, only 16 percent acknowledged reporting intrusions to law enforcement.)
Respondents detected a wide range of attacks and abuses. The following is a small sample of attacks and abuses:
- 40 percent detected system penetration from the outside.
- 40 percent detected denial-of-service (DoS) attacks.
- 78 percent detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software or inappropriate use of e-mail systems).
- 85 percent of respondents detected computer viruses.
For the fourth year, CSI asked some questions about electronic commerce over the Internet. Here are some of the results:
- 98 percent of respondents have Web sites.
- 52 percent conduct electronic commerce on their sites.
- 38 percent suffered unauthorized access or misuse on their Web sites within the past 12 months. 21 percent said they didn’t know if there had been unauthorized access or misuse.
- 25 percent of those acknowledging attacks reported from two to five incidents. 39 percent reported 10 or more incidents.
- 70 percent of those attacked reported vandalism (only 64 percent in 2000).
- 55 percent reported denial of service (60 percent in 2000).
- 12 percent reported theft of transaction information.
Understanding Types of Attacks
Systems that exist on a network are subject to specific types of attack. The types of attack that businesses are most commonly vulnerable to include:
- Masquerade (spoofing), replay and modification of messages.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS).
- Insider attacks.
- Malicious software, such as viruses, worms, Trojan horses and backdoor programs.
In a masquerade (also referred to as “spoofing”), one entity pretends to be a different entity. An entity can be a user, a process or a node on the network. A masquerade is typically used with other forms of active attack such as replay and modification of messages. (A message is a packet or multiple packets on the network.)
A replay occurs when a message, or part of a message, is repeated to produce an unauthorized effect.
Modification of a message occurs when the content of a data transmission is altered without detection and results in an unauthorized effect.
Denial of service occurs when an entity fails to perform its proper function or acts in a way that prevents other entities from performing their proper functions. This type of attack may involve suppressing traffic or generating extra traffic. The attack might also disrupt the operation of a network, especially if the network has relay entities that make routing decisions based on status reports received from other relay entities.
Insider attacks occur when legitimate users of a system behave in unintended or unauthorized ways. Most known computer crimes involve insider attacks that compromise the security of a system. Outsider attacks, by contrast, rely on techniques such as wiretapping, intercepting emissions, masquerading as authorized users of the system and bypassing authentication or access-control mechanisms.
Malicious software refers to viruses, worms, Trojan horses and backdoor programs. It either performs harmful actions directly or is used by attackers as a foothold for further attacks on enterprise networks and systems.
Hacking and attacking are rising significantly, with the profile of the attacker changing as a consequence of better funding and easier access to tools and resources.
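The masquerade, replay and modification attacks described above are all caught by the same receiver-side check: a message authentication code over the sender, a sequence number and the body, verified before the sequence number is allowed to advance. The following is an added example, not code from the original article; the shared key, the sender names and the message bodies are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the demonstration; a real deployment would
# provision a per-peer key out of band rather than hard-code one.
SHARED_KEY = b"demo-shared-key-not-for-production"


def canonical(sender: str, seq: int, body: str) -> bytes:
    """Serialise the fields the tag must cover, in a fixed order."""
    return json.dumps({"sender": sender, "seq": seq, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, sender: str, seq: int, body: str) -> dict:
    """Sender side: attach an HMAC-SHA256 tag binding sender, sequence number and body."""
    tag = hmac.new(key, canonical(sender, seq, body), hashlib.sha256).hexdigest()
    return {"sender": sender, "seq": seq, "body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag, then require a strictly increasing sequence number per sender."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq: dict[str, int] = {}   # sender -> highest sequence number accepted

    def accept(self, msg: dict) -> tuple[bool, str]:
        expected = hmac.new(self.key,
                            canonical(msg["sender"], msg["seq"], msg["body"]),
                            hashlib.sha256).hexdigest()
        # Tag check first: a modified body and a message forged without the key
        # both fail here. compare_digest avoids a timing side channel on the tag.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "rejected: tag mismatch (modified or forged)"
        # Freshness check only after authentication, so unauthenticated traffic
        # can never advance the sequence window.
        if msg["seq"] <= self.last_seq.get(msg["sender"], 0):
            return False, "rejected: stale sequence number (replay)"
        self.last_seq[msg["sender"]] = msg["seq"]
        return True, "accepted"


def demo() -> list[str]:
    """Run a genuine message and the three attacks against one receiver; return its verdicts in order."""
    rx = Receiver(SHARED_KEY)
    verdicts = []
    genuine = make_message(SHARED_KEY, "alice", 1, "pay bob 100")
    verdicts.append(rx.accept(genuine)[1])                      # genuine message
    verdicts.append(rx.accept(genuine)[1])                      # replay of the same message
    tampered = dict(genuine, body="pay bob 1000")               # modification of the body in transit
    verdicts.append(rx.accept(tampered)[1])
    forged = make_message(b"attacker-guess", "alice", 2, "pay mallory 100")  # masquerade as alice
    verdicts.append(rx.accept(forged)[1])
    later = make_message(SHARED_KEY, "alice", 2, "pay carol 5")   # next genuine message
    verdicts.append(rx.accept(later)[1])
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the two checks matters: if the sequence number were inspected before the tag, an attacker who cannot forge a tag could still poison the receiver's window with bogus high sequence numbers and block genuine traffic. A per-sender counter also only defends one receiver; replaying a tagged message to a different receiver, or after the receiver's counter is reset, still succeeds unless the receiver identity and a session or epoch value are included in the tagged fields.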
The threats are real. To confront these threats, businesses must protect their infrastructure and critical systems and networks by deploying appropriate safeguards. These will typically be a combination of administrative, physical and technical safeguards.
Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect enterprise information and to manage the conduct of the organization’s workforce in relation to the protection of all sensitive information.
Physical safeguards are physical measures, policies and procedures to protect the organization’s vital systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Technical safeguards refer to the technology and the policies and procedures for its use that protect and control access to information, systems and transactions.
The components of a secure infrastructure fall into two areas of security technology: defense and trust.
Examples of defense-based security technologies include:
- Firewall systems.
- Intrusion Detection Systems (IDS) and malicious software detection.
- Secure Virtual Private Networks (VPNs).
Examples of security technologies that enable trust include:
- Encryption, together with the Public Key Infrastructure (PKI) that issues and manages the certificates and keys it depends on.
- Strong authentication, such as biometrics, authentication tokens and smart cards.
Finally, security policies and procedures provide the blueprint required to define the security architecture that defends vital business assets and information. Documenting all critical assets and policies, and keeping that documentation current, is vital to maintaining the security of the enterprise.
Security is only as strong as the weakest link, and all gaps in the business infrastructure are opportunities for malicious attacks. Securit