
White Papers: Internet Security and Business - Part Three

System vulnerability detection, prevention and responses

Following the events of 11 September 2001, the growth of Internet access in businesses and virus attacks such as Nimda and Code Red, businesses have reviewed their security policies, and data security has not been left out. In a context where attacks and vulnerabilities are on the increase, implementing a policy for detecting, preventing and responding to system vulnerabilities is more than ever an essential part of the overall corporate information system security policy.

The vast majority of security tools available on the market are sold as a set of measures intended to prevent disease from appearing or spreading:

  • Encryption prevents espionage,
  • Firewalls prevent unauthorised network access,
  • PKIs prevent identities from being usurped,
  • Online backup allows fast data recovery and minimises downtime.

In the real world, a house with armoured doors and an alarm system has protection rated for a defined period of time: armoured doors are conventionally sold to withstand attempted entry for a set number of minutes or hours. The same applies to safes, and the principle is roughly the same for data security.

The life cycle of a vulnerability ranges from its detection to the time when a patch is available and installed. It generally takes several days to several weeks for the patch to come out and sometimes several months for it to be installed on the hardware and application installed base.

The average time required between the detection of the vulnerability, its notification and distribution is approximately three days. Therefore, continuous vulnerability evaluation is essential to maintain the security level of a business on a constant basis.

Network security monitoring

An increasing number of businesses are turning to monitoring services, which are essential for an effective data risk management strategy. Information system managers must now budget for monitoring services as part of the overall management of the risks associated with the information system.

In the real world, building surveillance involves several elements: door sensors, cameras monitoring the outside of the building or the car park entrance, a central alarm system which is activated when the sensors detect activity, and so on. Building security also requires the definition of a response procedure for when alarms are activated. In concrete terms, this means transmitting the alarms to a security firm or the nearest police station. Without this, the security is ineffective, since no one can counter the attack in the event of an intrusion.

A parallel can be drawn with network security, which requires a number of similar elements. Network security involves a series of detectors within and around the network. All network devices (routers, servers, firewalls, etc.) supply a continuous flow of data when in operation, and Intrusion Detection Systems (IDS) send messages when they identify a specific event.

The first essential point is to give the alarms some form of intelligence. Network attacks can be very subtle and depend largely on context. To meet these requirements, solutions must be open to all types of hardware and applications.

The set-up of an intelligent alarm requires human intervention to analyse what the software finds to be suspicious and detect the causes initiating the alarm in detail. Only experts with an understanding of the context are capable of distinguishing between harmless alerts and genuine attacks.

However, an alert alone is not sufficient. A previously defined security policy makes it possible to set the level of criticality of an attack or vulnerability, and is backed by an incident handling and escalation procedure. The most important thing is knowing how to respond; this is the second essential point of network monitoring. There is a response to every attack. It may be as simple as blocking an IP address, but it may also require disconnecting the network entirely. Once again, in this context, human intervention remains essential.

Conclusion

The risks associated with network security will continue to exist and develop. The number of tools used to generate malicious attacks on information systems is growing. In addition, these tools are available on the Internet and, as such, accessible to everyone. In parallel, hackers are increasingly young and do not have much time (around 15 minutes) to enter a system before being detected.

According to recent reports published by CERT, the number of vulnerabilities detected in 2001 doubled compared with previous years. Conversely, the significant decrease in the number of updates distributed by suppliers or publishers in 2001 is related to two facts:

  • Updates undergo an increasing number of tests (hence fewer incorrectly developed updates or updates which do not completely resolve a problem),
  • Security updates that correct several vulnerabilities at the same time are more frequent.

Given the increase in the speed at which vulnerabilities are disclosed, spot security audits are insufficient even if they are conducted on a quarterly or half-yearly basis. Without continuous information on their level of security, businesses are not protected.

While security equipment is essential, it will not solve overall Internet security problems any more than it solves security problems in the real world. Some attacks bypass the procedures implemented and new threats sometimes cause equipment failure. In spite of this, the openness of corporate information systems with the outside (customer and supplier partners) continues to rise. Information system managers need to identify attacks and must be able to respond to new types of threats.

Therefore, data security is synonymous with vigilance that involves continuous monitoring of the security level. However quickly data security technologies develop, security alarms and services will remain at the core of the problem resolution.

Automation of some tools is inevitable and facilitates the execution of some tasks, but it seems unlikely that all security-related processes will become fully automated. Therefore, the key to security lies in human intervention and analysis that is performed when alarms are transmitted.

The ideal solution consists of managing risks in an acceptable way, using technologies and procedures that do not disrupt the business's activities. One of the basic damage limitation measures a business can put in place is online data backup. This ensures that, as a minimum, key business data is protected and can be recovered quickly in the event of loss, since the data is kept off-site in secure locations.

When an attack takes place, it is not enough to assign this management to an often overworked network administrator. The business will need considerable security-related skills to provide a rapid response to this attack. For this reason, businesses will increasingly call on specialised outside experts who will be responsible for security management and monitoring.

These different factors justify the importance of offering round-the-clock services, since attacks are independent of place and time.

Security management and monitoring services are a combination of experts, processes and equipment to set up a security information system environment within the business.

This commitment on the part of a service provider is an essential factor of the security service offering. This type of contractual commitment should develop on the security service market since it meets businesses' needs, guaranteeing that security management and monitoring services are carried out correctly.
