
Security for a

Faster World

In this issue:

Understanding
the Risk in Your IT
Infrastructure

Tips for
Implementing
Enterprise Security

The Technologies to
Protect a Modern
Infrastructure

Issue 1, 2012
Contents
Security for a Faster World

Contributors: Drew Robb and Paul Rubens.

2 [SEE] Understanding the Risk in Your IT Infrastructure

6 [UNDERSTAND] Tips for Implementing Enterprise Security

9 [ACT] The Technologies to Protect a Modern Infrastructure
SEE
Understanding the Risk in Your IT Infrastructure
By Paul Rubens

When hackers broke into the network of the Atlanta-based payments-processing firm Global Payments in early 2012, they stole information relating to an estimated 1.4 million people's payment cards. The total cost of investigations, fines, remediation and other activities incurred by the company as a direct result of the security breach was about $85 million.

A few months earlier, a small UK-based cosmetics firm called Lush found that hackers had discovered and exploited a vulnerability in its ecommerce site. The company had no choice but to take its site down, effectively closing up shop, and spend months rebuilding it from the ground up.

It's no surprise that a large international corporation makes a tempting target for hackers, but you may wonder why anyone would bother hacking the website of a small cosmetics business. To answer that question satisfactorily you need to understand the nature of the hacker threat and how it has evolved. While 20 years ago hacking was the preserve of mischievous teenagers who broke into computer systems out of a sense of adventure, or who wrote viruses that deleted files from infected machines for no better reason than the thrill of vandalism, hacking is now a multibillion dollar, multinational industry.

Today, hacking activities are still carried out by individuals, but small hacker groups, politically motivated hacktivist collectives such as Anonymous and organized crime gangs built on the model of modern businesses have also joined the fray. It's very likely that some of these groups are sponsored and aided by foreign governments seeking to gain advantage for their countries. Vulnerabilities, malware and the information that is stolen as a result of successful hacking attacks are actively traded on underground online markets, and automated hacking kits known as exploit packs are available as a service and can be rented by the hour. Depending on the nature of your business and the industry it operates in, you may face a range of differently motivated attacks.

Opportunist Attacks

Automated tools enable hackers of all types to scan huge IP address ranges and compromise any systems they encounter that are running software with known vulnerabilities in a matter of seconds. No matter what kind of industry your business operates in, you are vulnerable to this kind of attack. That means if one of
2 Back to Contents Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
your computers is running vulnerable software then it's more than likely that a hacker will come across it and compromise it.

If that happens then they may install an email relay and use it to earn money by sending out spam email messages from your network to thousands or even millions of addresses. This consumes your system resources and network bandwidth, slowing down your IT infrastructure and making employees less productive. And if your IP addresses get placed on a blacklist of known sources of spam by anti-spam organizations then you may find you are unable to send emails to many of your customers, with serious consequences for your business.

But hackers also use compromised machines for far more malicious purposes than relaying spam. For example, they can turn them into zombie systems: nodes in a botnet that receive orders from a command and control server. This may task them with searching out and infecting more systems, or sending traffic to a selected victim as part of a coordinated distributed denial of service attack.

If your Web server is compromised then your customers could fall victim to a drive-by attack. Your site's visitors could get infected with malware simply by visiting your website with a vulnerable machine. That can be extremely harmful to your reputation, resulting in a loss in customer confidence and therefore lost business, and could also result in your website being blocked by anti-virus software and search engines such as Google until you discover the breach and repair your server.

Hacktivist Attacks

If you are involved in an industry or business activity that is targeted by activists then your website could be specifically targeted and attacked by hacktivists. If a vulnerability is found then the website could be taken offline or defaced with slogans promoting the activists' cause, harming both your business activities and your reputation.

Hacktivists may also attempt to make your website unavailable to your customers by overwhelming it with traffic generated automatically from many different IP sources by software designed for exactly this purpose - a so-called distributed denial of service (DDoS) attack. Some DDoS attacks can be blocked by your firewall, but it is wise to discuss measures that can be put in place to defend against DDoS attacks with your hosting or network provider.

Criminal Attacks

But arguably, a far more dangerous type of hacker is the one that breaks into your network and compromises your systems in order to plunder what he can find. This could be customer information, including credit card details or account information that allows him to steal services or make fraudulent purchases. If customer information is lost, in most U.S. states you are obliged to inform your customers, which inevitably involves a financial cost as well as harm to your business reputation.

Targeted and Advanced Persistent Threat (APT) Attacks

Potentially more devastating, your company could be targeted by rival businesses or foreign governments intent on stealing confidential corporate information such as financial records, business plans, tender documents and intellectual property like source code to computer programs or designs for future products.
This type of information is often stolen as a result of a targeted attack known as an advanced persistent threat (APT) attack, in which a team of hackers uses a variety of methods to compromise your IT infrastructure and keep the security breach hidden for as long as possible so that they can continue to exfiltrate information without detection for a period of months or even years.

To perform these attacks, hackers may carry out detailed research on individual employees. Once this reconnaissance has been done they may be sent tailored emails - apparently from other people in your organization - designed to fool them into revealing useful information such as login details and passwords, or they may resort to stealing a laptop from a key employee's car or home.

Such thefts can have devastating consequences for the business concerned in terms of loss of competitive advantage, and therefore lost potential sales. There is also the chance that hackers modify data left on your system, causing serious disruption to your operations long after their attack has been detected.

Mitigating These Security Risks Using a Multi-Layered Approach

Given this level of business risk inherent in your IT infrastructure, what can you do to mitigate it? Since there is no single solution to security, a multi-layered approach is advisable.

Security Intelligence

To protect against all the kinds of attack mentioned above - opportunist, hacktivist, criminal, targeted and APT - it's vital to know what threats you are up against. Research organizations such as HP's TippingPoint DVLabs can help in this regard by finding vulnerabilities in software before hackers do, as well as analyzing malware samples found in the wild to understand the underlying software vulnerabilities they exploit.

While the vendors of the vulnerable software are informed so that a security patch can be produced, DVLabs creates vulnerability filters that are delivered automatically to your intrusion prevention system (IPS) to protect your applications, network devices, Web applications, virtualization systems and operating systems until the vulnerability is patched by the vendor concerned.

TippingPoint's ThreatLinQ security intelligence portal can also help businesses of all sizes reduce unnecessary business risks by providing information and detailed real-time analysis of the current threat landscape and any new, emerging threats. You can use this information to ensure that any security gaps are spotted and covered by adding new IPS filters or determining necessary policy changes.

Intrusion Prevention Systems

HP TippingPoint's intrusion prevention system (IPS) range includes next-generation IPS systems, IPS switch modules and IPS appliances, including an SSL appliance, that inspect your network traffic to detect threat patterns or signatures (including those supplied by DVLabs). They also detect suspicious activity on your network by comparing traffic at a given time to baseline or normal traffic. While an IPS is recommended for companies of all types, running one is particularly important for companies that may face targeted attacks or APTs. That's because an IPS is likely to detect unusual movements of information or requests for information from suspicious sources. If malicious activity is detected
then the IPS can take action, including blocking or stopping suspect traffic and instantly alerting your security staff.

Software Vulnerability Elimination

Moving up a layer, software like HP Fortify Software Security Center can help you eliminate software security risk by preventing or fixing security vulnerabilities in your applications before they can be exploited by hackers. It can secure both your in-house, custom-developed applications and software bought from third-party vendors, including desktop, mobile and cloud-based applications. This provides vital protection against more determined criminals or hackers who may target your organization by probing for vulnerabilities in your custom-developed applications, or in specialist applications from vendors that you have bought in.

Fortify works in two fundamental ways:

Carrying out static and dynamic security testing to find vulnerabilities and critical problems in your conventional, mobile and web applications. (HP Fortify on Demand enables you to test the security of any application as a service, without any software or hardware to install.)

Providing you with a secure software development framework, enabling you to track, fix and report on vulnerabilities through a centralized management server as the software is developed.

Security Information and Event Management

At a higher layer still, security information and event management (SIEM) systems such as HP ArcSight Enterprise Security Manager are an important defense for medium and large companies that face attacks from many different sources - particularly criminal or targeted attacks, but also more opportunistic ones. That's because they can provide you with an overview of security incidents and alerts generated by your devices and applications caused by malware and hacker activity. They can also give you visibility into internal threats such as database breaches and fraud, risks from application flaws and configuration changes. By sifting through millions of log records to find critical events and presenting them to you in real time via dashboards, notifications and reports, a SIEM helps you prioritize and manage security risks in your infrastructure quickly and easily.

Security Risk Management Dashboards

For a complete overview of enterprise risk it can be helpful to use a security intelligence and risk management platform like HP EnterpriseView. This can analyze vulnerability and risk assessments and combine them with a model of your business by correlating devices with business services. By doing this it lets you quantify the risk to your business, view the security posture of individual parts of your business (like website sales) and show you how these vary over time.

Entirely eliminating security risks in your IT infrastructure simply isn't feasible, and that means you have no alternative but to mitigate them. Ultimately the best way to do this is by understanding the nature of these risks, and employing appropriate software tools like the ones discussed here to manage them as effectively as possible.
UNDERSTAND
Tips for Implementing Enterprise Security
By Paul Rubens

A security breach can be a major catastrophe for any organization, but large enterprises are especially at risk. While small businesses are not immune to security risks and attacks, large enterprises are bigger targets. Enterprise data breaches get press attention, affect thousands of customers or former customers and often have a trickle-down effect on other businesses or partners.

When it comes to security, the bigger they are the harder they fall. That's because the consequences of a security breach or a targeted attack can include:

Major business disruption and loss of revenue

Theft of confidential data such as proprietary information, future product plans or financial data that can lead to permanent loss of competitiveness or business advantage

Destruction or alteration of valuable data

Virus and other malware infections, which can have unknown consequences. Once infections are discovered there is a loss in productivity as resources have to be devoted to removing the infections and bringing the disinfected or rebuilt systems back into service.

Loss of customer data, with significant consequent costs and harm to your corporate reputation

In sheer financial terms the cost of a single security breach is usually very significant: in 2011 the average per-incident cost for U.S. companies was $5.5 million, without taking into account lost future sales due to a negative change in competitiveness or reputation, according to research carried out by Ponemon Institute. The average per-incident cost in 2012 may well turn out to be higher still.

So what are the best practices for protecting your corporate data, keeping intruders and malware out of your network, and protecting against disgruntled employees who may attempt to use their access privileges to compromise your systems? You may find these tips helpful to consider:

Know what you are managing. It's only possible to start implementing a complete enterprise security strategy when you know exactly what it is that you are trying to secure. That means conducting an inventory of corporate IT assets including servers, desktop
and laptop computers; mobile devices including smartphones and tablets; internal, third-party and cloud-based applications and databases; storage resources; and networking devices. There are plenty of tools and management systems available that include asset auto-discovery, which can help you carry out this inventory exercise.

Categorize your data as either public, internal or confidential. This involves deciding which data your company stores is available outside the organization (public), which data is meant only for use inside the organization (internal) and which data is highly confidential, such as intellectual property or customer information, or otherwise critical to the business (confidential). It's also important to establish where and on which platforms all this data is stored.

Leverage risk assessment and threat modeling to ensure efforts are spent in the right places. Given the complexity of most organizations, and the sheer number of overall vulnerabilities, it's important to be able to prioritize risks in order to determine what gets remediated and when. Key to any successful security organization is the knowledge that you can't fix everything overnight and the ability to focus attention on the things that present the most danger to the organization.

Mitigate the risks by applying appropriate security controls to each data category. Security costs money, and that means that ultimately security is about risk management: ensuring sufficient controls are applied to each data category to reduce the risk of a breach to an acceptable level. Security can almost always be improved, but the question is always whether it can be done in a cost-effective manner: you don't need to apply platinum-level security to public data. Although all four of these steps are important, the last of these is the one that is the hardest to carry out. That's because it involves implementing the entire security infrastructure -- software and hardware -- that will actually keep your business secure. This may include:

A firewall and other perimeter security systems to separate your corporate network from the Internet

Malware scanners to prevent malicious software from getting on to the network hidden in email, instant messaging or Web traffic

An intrusion prevention system (IPS) to detect malicious, suspicious or simply unusual activity on your network and to take steps to prevent such activity leading to a security breach

The use of authentication and encryption systems to prevent unauthorized access to networks, computers or data stored on them

For smaller businesses, a lot of this functionality can probably be achieved with a unified threat management (UTM) appliance, which provides basic firewall, antimalware and IPS services. An alternative is to engage a managed security service provider (MSSP) to configure and manage your security devices and provide log management as well.
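One way to turn the four steps above (inventory, classify, assess, apply controls per category) into a repeatable check, as an added example that is not part of the article and not an HP product: the control baseline, the scoring weights and the asset inventory are all constructed assumptions, not a published standard.

```python
"""Control-gap analysis across a classified asset inventory (added example).

Walks the article's four steps: inventory assets, classify the data they
hold, rank risk, and check that the controls required for each data
category are actually in place. The baseline, weights and inventory below
are constructed for illustration; a real programme takes them from policy.
"""
from dataclasses import dataclass, field

# Steps 2 and 4: minimum controls per data category (assumed baseline).
# Confidential data inherits every internal and public control.
BASELINE = {
    "public":       {"perimeter_firewall", "malware_scanning"},
    "internal":     {"perimeter_firewall", "malware_scanning", "ips",
                     "authentication"},
    "confidential": {"perimeter_firewall", "malware_scanning", "ips",
                     "authentication", "encryption_at_rest",
                     "encryption_in_transit"},
}

# Breach impact by data category on a 1-5 scale (assumed weights).
IMPACT = {"public": 1, "internal": 3, "confidential": 5}


@dataclass
class Asset:
    name: str
    kind: str                # server, laptop, mobile, database, ...
    classification: str      # public | internal | confidential
    internet_facing: bool
    known_vulns: int         # unpatched flaws with publicly known exploits
    controls: set = field(default_factory=set)


def missing_controls(asset):
    """Step 4: baseline controls the asset lacks, sorted for stable output."""
    if asset.classification not in BASELINE:
        raise ValueError(f"{asset.name}: unknown classification "
                         f"{asset.classification!r}")
    return sorted(BASELINE[asset.classification] - asset.controls)


def likelihood(asset):
    """Step 3: crude likelihood (1-5) from exposure and control gaps.

    Internet-facing systems with known vulnerabilities are exactly what
    the article's opportunist scanners find first, so exposure and
    unpatched flaws weigh most; each missing baseline control adds a little.
    """
    score = 1
    if asset.internet_facing:
        score += 2
    score += min(asset.known_vulns, 2)
    score += min(len(missing_controls(asset)), 2) * 0.5
    return min(score, 5)


def risk_score(asset):
    """Risk = impact x likelihood, so 1-25."""
    return IMPACT[asset.classification] * likelihood(asset)


def prioritise(inventory):
    """(name, risk, missing controls) for every asset, highest risk first."""
    rows = [(a.name, risk_score(a), missing_controls(a)) for a in inventory]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Step 1: a constructed inventory; none of these are real systems.
INVENTORY = [
    Asset("web-shop-01", "server", "confidential", True, 1,
          {"perimeter_firewall", "malware_scanning", "authentication",
           "encryption_in_transit"}),
    Asset("brochure-site", "server", "public", True, 0,
          {"perimeter_firewall", "malware_scanning"}),
    Asset("hr-db", "database", "confidential", False, 0,
          {"perimeter_firewall", "malware_scanning", "ips", "authentication",
           "encryption_at_rest", "encryption_in_transit"}),
    Asset("sales-laptop-7", "laptop", "internal", False, 2,
          {"malware_scanning", "authentication"}),
]

if __name__ == "__main__":
    for name, risk, gaps in prioritise(INVENTORY):
        print(f"{name:16} risk={risk:4.1f} missing={', '.join(gaps) or 'none'}")
```

The public brochure site ends up last even though it is internet-facing, which is the article's point that platinum-level controls on public data are not where the budget should go.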

Larger enterprises, as you might expect, have more decisions to make. Enterprises should look for a security partner that can supply the basic infrastructure discussed above, expert deployment advice and professional services, as well as additional monitoring features and services such as:

A security information and event management (SIEM) platform to monitor and report on relevant security events and logs. A SIEM platform like HP ArcSight Security Intelligence can analyze and correlate millions of log records of events such as logins, logoffs, file accesses and database queries occurring across your infrastructure to highlight possible critical incidents. These incidents are then presented through real-time dashboards, notifications or reports.

HP ArcSight's Enterprise Security Manager (ESM) is able to understand who is on your network, what data they are accessing, which actions they are taking with that data and how that affects business risk. It can then apply techniques such as pattern recognition and behavioral analysis to detect and manage incidents, preventing damage using a built-in workflow engine.

A business-centric risk management platform to identify risks to the business that originate in your IT infrastructure. A risk management platform such as HP's EnterpriseView provides you with real-time graphical and report-based identification of these business risks by aggregating data from risk assessments, vulnerability assessments, security configuration management monitoring, and security event correlation.

Protection for your cloud-based resources. If you have a significant amount of virtualized resources or operate a private cloud in your data center then you will need a security solution that is designed to work with virtualization. ArcSight, as well as HP Fortify Software Security Center and TippingPoint network security hardware and software, are all designed to work with VMware virtualization and cloud software.

Security services. Some security partners can assist with fast implementations, upgrades and tuning and system health checks. If you prefer not to become involved in the day-to-day operation and monitoring of your security infrastructure, a security partner can also carry this out as a managed service. Such services may include some or all of: perimeter and network security monitoring; insider threat monitoring; log management; and data loss monitoring.

There are no easy fixes to implementing enterprise security and it's a job that's never finished. Start by understanding what you have and the extent to which it needs to be protected, implement your protection and continue to gather data to aid your security efforts.

When you're looking for a partner to help with your enterprise security efforts, look for a vendor that provides all of the tools you need, as well as services. Most find that developing an ongoing relationship with one vendor provides a better experience on every level than integrating a number of point solutions that aren't designed to work together.
ACT
The Technologies to Protect a Modern Infrastructure
By Drew Robb

The New York City Police Department has 35,000 sworn officers to protect its population. The Prefecture of Police in Paris has 34,000. The Tokyo Metropolitan Police Department has 43,000. Those numbers, however, pale in comparison to the number of professionals working to keep information secure.

More than 80,000 people hold the Certified Information Systems Security Professional (CISSP) certification from ISC2 (The International Information System Security Certification Consortium, Inc.) of Palm Harbor, Fla., and that is just the tip of the iceberg. ISC2 Executive Director Hord Tipton says there are about 2.2 million IT security professionals worldwide, the size of the Chinese army, with a need to double that number in the next three years.

But as any successful general could tell you, winning a war requires more than just getting weapons in people's hands; it is a matter of strategy.

"You need to take an overall holistic view of cybersecurity, not simply what to put in place but how to put it in place," says Richard Zaluski, President and CEO of the Center for Strategic Cyberspace and Security Science (CSCSS) in London.

Changing Threat Structure

At one time it was good enough to protect the perimeter with a firewall and then use antivirus software to track down whatever managed to make it inside. That is no longer adequate. To begin with, there is no longer an easily defensible perimeter. Employees use their own laptops, home computers, tablets and smartphones for company business. There are wired and wireless networks. Customers and vendors interact with backend systems to conduct business. Printers, industrial equipment, phone systems and security cameras are built with Internet access.

The nature of the threats has also changed. What were once major attacks such as the Melissa virus seem mild compared to what is out there now. People are no longer attacking for fun, but for profit or to do lasting harm. Stuxnet, speculated to come from teams in the U.S. and Israel, destroyed as many as 1,000 centrifuges at Iran's Natanz nuclear facility in 2009 and 2010. In March, a Cambridge University researcher, Sergei Skorobogatov, found that the military-grade ProASIC3 A3P250 chips, designed in the United States and manufactured in China, had a backdoor deliberately built into them. In
September 2012, Japanese government websites were attacked, apparently from China, in retaliation for a dispute over ownership of the Diaoyu Islands. In October 2012, the U.S. Secretary of Defense, Leon Panetta, said that the Shamoon virus, which wiped files on computers at Persian Gulf oil and gas facilities owned by Saudi Arabian state oil company Aramco and Qatari natural gas producer RasGas, originated in Iran. It is estimated 30,000 computers in Saudi Arabia alone were destroyed in the attacks.

"The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country," Panetta said at the time. "The collective result of these kinds of attacks could be a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life."

Not all such attacks are politically motivated. In 2008 a disgruntled network administrator set up a password giving him exclusive access to the City of San Francisco's computer systems, locking out the rest of the city's employees.

Then there are all the attacks that are done for financial gain. Thieves no longer need to break into vaults to access the cash. Visa and Mastercard; Citibank and Bank of America; Britain's HSBC; Switzerland's Credit Suisse and Julius Bär; and Belgium's Belfius have all had customer data stolen.

On top of those are the attacks done to secure and release, or threaten to release, confidential data. The U.S. Department of Health and Human Services lists about 500 data breaches involving the medical records of more than 20,000,000 patients just since September 2009, six of those involving more than one million patients each. WikiLeaks has released millions of documents from governments, businesses and individuals.

And don't forget the field of corporate espionage, where confidential data is stolen to copy designs, poach personnel or otherwise gain competitive advantage.

"If you have a cutting edge product you may be on the radar of a number of organizations, both domestic and foreign, as well as national players who see competitive intelligence as a valid form of business development," says Zaluski. "That can occur at a number of levels and can impact your intellectual property, which can damage your very existence as an organization."

From Tactical to Strategic Security

The broadening range and complexity of cyber attacks means that organizations need to rethink security measures. It is not enough to deploy the same old solutions; you need a comprehensive approach.

"Organizations want security products that work well together, can be managed easily across IT devices and cut cost," says Naveen Hegde, Senior Market Analyst, IDC Asia/Pacific in Bangalore, India. "The threats are evolving rapidly, and the security solutions that an organization implements play a major role in the success or failure of the organization's overall security strategy."

Given the ever-changing nature of threats, it is impossible to build a security infrastructure that will be absolutely secure, within budget and doesn't cripple business operations. The key is to identify what are the critical business processes and then adapt the security systems to the business needs.
"There is no point in just lumping everything together in a group and hoping for the best," says Zaluski. "You have to segment and you should do that by application, business group, etc., keeping networks, servers and applications that should be separate separate."

HP's Enterprise Security Services provides a comprehensive set of tools and services to give security personnel the 360 degree view they need of critical systems and make it easy to manage and reduce risk. Since you don't know what threats will be coming next, HP's TippingPoint Next Generation Intrusion Protection System (NGIPS) uses context awareness and content awareness, geolocation, reputation awareness and other technologies to identify and block malware. The HP ArcSight Logger collects information from any system or device that generates log data and places it in a centralized high-performance repository for processing, searching, analysis and reporting. The ArcSight ESM platform correlates the log data to users, applications and business processes, so any threats or risks can be related to the individuals, business units, regions and processes that would be affected. Finally, the HP EnterpriseView Security Intelligence and Risk Management (SIRM) Platform provides a business-centric view of all security and business service assets, mapping the IT devices to the business services they support.

These HP Enterprise Security tools provide security personnel with the tools and data they need to move from a tactical to a strategic approach, allowing them to concentrate on those risks and threats that will produce the most harm to the organization.

"Organizations need to be able to demonstrate to their customers and regulators that it has an effective security posture and the ability to meet stringent compliance requirements," says Hegde. "As organizations continue to increase their remote employee access, as well as distributed partner access back to their networks, a proactive security approach that enables organizations to leverage cloud, mobility, big data and more is a requirement."