IT Manager's Handbook: Getting Your New Job Done (54 page)

Malware
Prevention

Antivirus software has long been a cornerstone of protecting the IT environment. Antivirus solutions are available for workstations, servers, e-mail gateways, and even handhelds. By downloading the latest pattern and signature files regularly (see the section
“Ongoing Maintenance”
on
page 221,
later in this chapter), an organization can protect itself against the latest release and developments of viruses. Many organizations will employ virus solutions from multiple vendors as a way of strengthening their defenses further.

Antispyware solutions operate very similarly to antivirus solutions, with signature and pattern files that have to be updated regularly. However, many antivirus solutions now include antispyware functionality as well.

Antispam solutions for your e-mail gateway can do more than just reduce the amount of nuisance e-mail. These solutions can provide protection by preventing e-mails that include security risks, such as phishing attempts,
worm
s, and viruses. Malware prevention solutions can prevent third-party tracking of user activity, as well as stopping unnecessary slowdowns in individual systems and servers.

Ongoing Maintenance

In addition to access reviews, as mentioned earlier, there are activities that should be performed regularly by security administrators to identify and minimize risks.

Log, Account, and Access Review

As stated earlier, IDs that haven't been used for a predefined period of time should be disabled or deleted. Many systems can report when unsuccessful login attempts have been made; these logs should be reviewed and investigated. System logs should be reviewed for those events and incidents that could identify security threats.

Accounts that have special privileges should be reviewed a few times a year to confirm that the need for the special privilege is still valid and justified.

After discussion with other departments (e.g., Legal, Audit), shared areas of the network (places where multiple users have read and write access) may be regularly purged of files that haven't been accessed in a while. (Not only does this free up space, but it might also remove files with confidential information that users placed there by mistake or are no longer needed.)

Software Patches and Updates

Security administrators should check with their software vendors regularly to obtain and apply any updates or patches that close security holes. Processes should exist for checking the environment regularly to make sure that systems are current and for ensuring that unpatched and unprotected systems can't connect to the corporate network.

Following Microsoft's lead, many vendors now have a set schedule for releasing patches. This allows IT departments to set schedules for testing the patches and implementations to the production environment.

Pattern files updates (for antivirus, antispam, intrusion prevention/detection) are usually released on a much more frequent basis than software security patches. It's common for these files to be updated several times a day, or more. Because of the frequency of these updates, these systems have to be set to regularly download and install the updates as they are released.

IT Managers can use various tools and configuration options to manage the distribution of updates to servers and workstations. These allow the IT department to determine if updates should be automatically installed (an increasingly popular and recommended method) or only after they've been tested and validated by the IT department. Similarly, the tools can help you see which devices have the most current updates and which are behind.

Encryption, Keys, and Certificates

Encrypting data is one of the most effective methods for keeping data secure (especially if combined with other security practices). Among the most popular solutions for using encryption are:

•
Public Key Infrastructure (PKI)

•
Digital certificates

•
VPN tunneling

•
Secure Sockets Layer (SSL)

•
Pretty Good Privacy (
PGP
)

•
Encryption standards like
AES

•
E-mail encryption

•
Disk and tape storage encryption

Reports of security breaches due to lost backup and to missing or stolen laptops have become almost commonplace. (The website
www.privacyrights.org/data-breach
maintains an ongoing list.) As such, many organizations are now implementing encryption as a way to limit their exposure when data are lost. Encryption of any sort of mobile media is growing dramatically—this includes tapes, laptops,
USB
drives, and handheld devices. Careful testing must be done before implementing encryption solutions to see how/if it impacts users, operations, and applications.

Network Access Control

In a typical IT environment, when users are prompted for IDs and passwords by an application, they are already on your network. So even if they can't get into the application, they already have access to your very sensitive network. Network Access Control (NAC) is a technology solution that controls who gets access to your network. In short, the user/device can't access any part of your environment until the NAC confirms that it should. Some NAC tools, as well as some remote access solutions like VPN products, allow you to set policies such as requiring that devices must have current OS patches, and must be running current anti-virus software before being allowed to connect to the network.

Staffing

Because many of the IT staff have elevated access privileges, it's important to make sure that the staff members themselves aren't security risks. Many companies and organizations do background checks on IT staff members and include specific requirements, accountabilities, and responsibilities related to security in their job descriptions. Consider familiarizing your staff with various security standards and certifications:

•
CISSP Certified Information Systems Security Professional (CISSP) is a certification for professionals in the computer security field responsible for developing information security policies, standards, and procedures and managing their implementation across an organization. Other security certifications include SSCP (Systems Security Certified Practitioner), CAP (Certified Authorization Professional), and CSSLP (Certified Secure Software Lifecycle Professional).

•
ISO 17799
is an internationally recognized information security standard that establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.

•
ISO 270001
is the international information security standard against which organizations can seek independent certification of their Information Security Management Systems.

Additional information about security standards appears in the section
“Methodologies and Frameworks”
on
page 238
of this chapter.

Security
Incident Response

You should establish procedures for dealing and responding to security breaches. Of course, the type of breach may dictate different types of responses. For example, a rampant virus is going to require a different level of response and urgency than discovering that some phishing e-mails made it past your anti-spam solution.

Many organizations create a formal
Security Incidence Response Team
(
SIRT
) to respond to security breaches. A SIRT can be composed of individuals from all areas of the organization and are often on 24-hour call. They are responsible for protecting an organization's critical IT assets.

Depending on the circumstances, the situation may call for:

•
Examining log files and alerts.

•
Contacting your vendors for assistance in identifying the problem and then determining how to address it.

•
Shutting down certain resources, services, and network components until the problem has been identified and resolved.

•
Notifying senior management and the user community. In a heavily regulated industry (such as banking) you may need to involve Legal and HR as well.

•
Changing all passwords.

•
Notifying law enforcement.

•
Performing a security audit.

In all cases, every incident should be documented in a postmortem report. Such a postmortem will usually contain:

•
A chronology of events, including actions taken, from first sign of the problem to resolution

•
Identification of what procedures, tools, resources, and so on worked well

•
Identification of what items did and didn't work as expected

•
An analysis of the root cause of the problem

•
A plan to address and correct the problems and issues identified as a result of this incident

A summary of the postmortem, without too much IT jargon, is often provided to management. This summary is usually welcomed by upper management, as it documents the how and why of what happened and an action plan to ensure that a similar event doesn't occur again. A postmortem document can be an effective summary for senior management, which demonstrates that IT security is taken very seriously by your team.

8.4 Types of Threats

The range of possible threats to your business and your information is very, very large. And it changes daily. The most important point about understanding different types of threats is to know that you must constantly stay on top of them. You must have the latest patches, and you must upgrade the operating systems to the latest versions. You don't need to become a guru, but you must either stay up to date or task others with doing this.

Malware

Malware is a category name to define software that causes problems. This can include viruses, adware, and spyware. Malware can degrade system performance, expose confidential information, distribute spam, etc. Specific types of malware include:

•
Macro viruses.
Viruses that use commands (macros) in application files (e.g., Excel and Word) to replicate themselves and do damage.

•
Worms.
Self-contained programs that replicate themselves usually via the network or e-mail attachments.

•
Adware.
Software that installs itself on a workstation for the purpose of displaying ads to the user. Users often unknowingly install adware when they download applications from the Web.

•
Spyware.
Software that monitors a user's activity, often to collect account numbers, passwords, etc. Spyware often works in tandem with adware as the ads shown may be related to the activity detected by the spyware. Like adware, spyware is also frequently installed by the user unknowingly when downloading applications from the Web.

•
Trojan horses.
Programs that appear to be legitimate, but in fact are malicious.

•
Backdoor Trojans
:
Trojan horse programs that allow a hacker to control your computer remotely.

•
Page Hijackers
:
Akin to the purposes of adware, they covertly redirect browsers to specific web pages.

•
Rootkits
:
A set of modifications to the operating system that is designed primarily to hide malicious activity. Because the rootkit software essentially resides in a modification of the operating system, it's extremely difficult to detect, and it also continually checks on itself to see that the compromised files are still compromised and reinfects as needed. In addition to being very difficult to detect, they're equally hard to remove.

•
Key loggers
:
Small applications that reside on a computer to record key strokes. These are used to capture passwords and confidential information (e.g., credit card numbers).

Of particular concern with malware is what is known as a
Zero-Day
attack, which is malicious code that takes advantage of a security vulnerability before there's a fix for it. In some cases, the malicious code is released even before there is public knowledge of the vulnerability.

Phishing and Social Engineering

Phishing is the process of trying to obtain confidential information (credit card numbers, passwords, social security numbers, bank account numbers, etc.) by fraudulent means. The perpetrator sends out e-mail messages that appear to come from well-known companies and websites. The e-mails will mimic the legitimate company's logos, text style, etc. Typically, the e-mail tells users that there's some problem with their account and that they need to log in to confirm or verify some information. The e-mail contains links to sites that can appear virtually identical to the site it claims to be. If successful, the user will click the link and be fooled into entering the information.

Websites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and nationwide banks (although the practice has now filtered down to local companies too). When phishing is successful, not only will it result in financial loss for the victim, but it could also result in identity theft. The U.S. government has developed a site,
www.onguardonline.com
, to help educate individuals about protecting themselves from Internet fraud.