A Five-Step Plan to Help You Stay Ahead of Computer Security Attacks, Risks, and Threats, Part One

Nov 4, 2007

The University of Georgia network security system fights off 80,000 to 90,000 potential attacks daily. At the Bank of New York, sensors catch millions of security "events" in a month and "we don't even treat the scripts that run out there or worms flowing across the Internet at any point in time as an incident because they are not entering the network," notes Eric Guerrino, the bank's head of information security.

With all the threats floating around in the cyberjungle, how do you sniff out a serious Information Technology security breach? The best defense requires a mix of technology muscle and human interpretive skills. Detection systems are essential tools, but it's up to professionals to make some informed distinctions.

I have put together five steps to consider when evaluating your home or business computer systems. These steps will be presented as a two-part article outlining each of the five steps. Now, let's begin:

Step No. 1: Let the Bells and Whistles Alert You about the Initial Attack

The Bank of New York's incident-response team sizes up threats based on some critical calculations: the probability of imminent attack, the probability that an attack will succeed once attempted and the potential damage of the attack if it proves successful; the location of the potential targets, the host operating systems and their associated vulnerability to the attack; and the sensitivity of the data residing on affected devices.

What gives an organization the best chance to safeguard itself? The critical elements include multiple levels of traditional and emerging security monitoring tools; an analysis system capable of crunching copious amounts of event data; and the ability to process observations from employees and customers.

Firewalls and intrusion-detection systems are the old reliables of detection technology. Standing at the intersection of internal networks and the public Internet, firewalls are the established first barrier to external attacks. Intrusion-detection systems, which joined the security force in the late 1990s, monitor networks for suspicious activity. Intrusion-prevention systems go a step further, monitoring traffic and then initiating an automated response, such as dropping a particular packet of data.

Old-school intrusion-detection systems identify threats based on the signatures of known attacks. But some new threats are too nimble for that: so-called "zero-day" attacks occur at the same time a vulnerability is discovered, leaving no time for the creation and distribution of signatures.

To address this, security teams have supplemented signature-based systems with behavior-based detection technologies, which establish a baseline of normal network traffic and then search for anomalous patterns, such as traffic coming from a network at a time when no one should be using it. Because this approach does not depend on a signature, it helps flag previously unknown types of attacks.

In responding to zero-day exploits, their biggest concern, Bank of New York deploys hundreds of intrusion-detection and intrusion-prevention sensors that record events on a daily basis. Its intrusion-detection/prevention systems shield the bank from the vast majority of exploits, and only a fraction of the events warrant a security-breach investigation.

The University of Georgia also uses an intrusion-detection/prevention combination. The university operates a Security Operations Center that monitors its intrusion systems around the clock and also minds firewalls, virtual private networks and other security products.

Step No. 2: Follow the Threat to Its Source

"When an alert shows up on a security manager's console, it's as if someone set off an alarm," says Morrow, the Chief Security and Privacy Officer for Electronic Data Systems Corp. The security group's first question is obvious: Where is the problem? But finding the answer requires ingenuity. There's no single surefire method for finding a security breach and nailing down its scope.

The task is still more art than science. Event logs generated by firewalls and early warning intrusion-detection/prevention systems give security analysts one route of inquiry. And the demand for tools that help correlate the mass of security data held by the various systems is growing. Security experts advise looking at security information and event management software, which helps security managers detect incidents, for clues that may help identify the source of the attack as well.

Security personnel need information beyond the alert itself. A good security information and event management system will archive logs from different security devices, routers and operating systems. A security information and event management system's data gives the security team direction; after that, they must still physically find the affected system.
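The correlation step described above, as an added example that is not from the original article: logs archived from three different devices (an IDS, a firewall and a DHCP server, each in its own format, all constructed here) are joined on the alert's source address and time so the team learns which physical device held that address when the alert fired and what the firewall saw from it in the surrounding minutes. Log formats, addresses, hostnames and the signature id are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed log samples in three device formats (not from the article): one IDS alert,
# firewall syslog lines (which carry no year), and DHCP lease acknowledgements.
IDS_ALERTS = [
    "2007-11-06 14:05:12 [1:2001] outbound IRC to suspicious host 10.20.5.77:4312 -> 192.0.2.45:6667",
]
FIREWALL_LOGS = [
    "Nov  6 14:04:50 fw1 kernel: DENY IN=eth1 SRC=10.20.5.77 DST=192.0.2.45 DPT=6667",
    "Nov  6 14:05:10 fw1 kernel: ACCEPT IN=eth1 SRC=10.20.5.77 DST=192.0.2.45 DPT=6667",
    "Nov  6 14:05:30 fw1 kernel: ACCEPT IN=eth1 SRC=10.20.5.12 DST=198.51.100.9 DPT=443",
]
DHCP_LEASES = [
    "2007-11-06 08:55:01 DHCPACK on 10.20.5.77 to 00:1a:2b:3c:4d:5e (lab-pc-17) via eth0",
    "2007-11-06 13:30:00 DHCPACK on 10.20.5.77 to 00:1a:2b:99:88:77 (visitor-laptop) via eth0",
]
IDS_RE = re.compile(r"^(\S+ \S+) \[(\S+)\] (.*?) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
FW_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+) .*SRC=(\S+) DST=(\S+) DPT=(\d+)")
DHCP_RE = re.compile(r"^(\S+ \S+) DHCPACK on (\S+) to (\S+) \((\S+)\)")

def parse_alert(line):
    ts, sid, msg, src, dst, dport = IDS_RE.match(line).groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "sid": sid,
            "msg": msg, "src": src, "dst": dst, "dport": int(dport)}

def lease_holder(ip, at):
    """Latest DHCPACK for ip at or before 'at': the device that held the address then."""
    holder = None
    for line in DHCP_LEASES:
        ts, lease_ip, mac, host = DHCP_RE.match(line).groups()
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if lease_ip == ip and t <= at and (holder is None or t > holder[0]):
            holder = (t, mac, host)
    return holder

def firewall_context(ip, at, window=timedelta(minutes=5)):
    """Firewall lines from ip within +/- window of 'at'; the syslog year is taken from the alert."""
    hits = []
    for line in FIREWALL_LOGS:
        ts, action, src, dst, dport = FW_RE.match(line).groups()
        t = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=at.year)
        if src == ip and abs(t - at) <= window:
            hits.append((t, action, dst, int(dport)))
    return sorted(hits)

def triage(alert_line):
    """Turn one alert into a lead: the host and MAC behind the source IP, plus firewall context."""
    a = parse_alert(alert_line)
    lease = lease_holder(a["src"], a["time"])
    return {"src": a["src"], "sid": a["sid"], "host": lease[2] if lease else None,
            "mac": lease[1] if lease else None, "firewall": firewall_context(a["src"], a["time"])}
```

The lease lookup matters because the address was reassigned at 13:30: without it the team would go looking for lab-pc-17 when the device involved is the visitor laptop, and the MAC is what they will need at the switch to locate it physically.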

While corporate security groups chase down incursions when they happen, they've tried to become more proactive, looking for and fixing weak spots before attacks occur with the help of vulnerability management tools. Like intrusion-detection sensors and firewalls, these tools may feed into security information and event management systems and configuration engines.

Many organizations scan for vulnerabilities on a regular basis, allowing security personnel to determine which systems are vulnerable to attack and patch accordingly.

Step No. 3: Implement An Incident Response Plan at Home and at Work

When a security incident occurs, it's the information technology security group's job to respond. Among the group's first assignments: Determine whether an alert represents a serious incident or a false alarm. Security managers may call upon internal experts or external help from antivirus vendors and various intelligence services, which provide reports on computer security threats.

UPS subscribes to a number of such services and maintains a strategic relationship with an antivirus vendor. The relationships help UPS stay on top of the threat environment, which puts the company in a position to react ahead of time. But the knowledge flows in both directions. When UPS discovered a variant of the Zotob worm, the company notified its antivirus vendor. Zotob achieved notoriety in August 2005 when it hit CNN and The New York Times, among others.

An alert that reaches full-blown incident status triggers an organization's response plan, assuming it has one. Security experts say large enterprises typically do maintain some type of formal response plan, though incident response varies widely. Some response plans, governed by extensive steps and checklists, become so choreographed that they are almost restrictive. The other extreme is no choreography, which results in a "mad dance." The best fit? Follow a middle path. The University of Georgia follows established incident-handling protocols, based on documentation from the National Institute of Standards and Technology (NIST) and the SANS Institute.

NIST's Computer Security Resource Center publishes a range of security policy guidelines, some of which touch on incident response. The SANS Institute, in conjunction with the Center for Internet Security, offers the Security Consensus Operational Readiness Evaluation, which seeks to provide a minimum standard for information security procedures and checklists. ISO 17799, which provides guidelines for security management, also covers incident management.

At some organizations, a computer incident response team (CIRT) puts the response plan into action. The corporate security chief generally heads the CIRT, but some companies prefer to tap an experienced outsider to manage response activity, so that one person doesn't wear two hats in a crisis.

The CIRT consists of I.T. security specialists, either internal or external, and people with other areas of expertise. Miracle says a CIRT usually includes desktop gurus, server managers, and help-desk representatives. The CIRT members' responsibilities are determined in advance. "In real time, you can't have people arguing ... that you can't shut that server down," Miracle explains. He adds, "Some companies hire consultants to help establish roles and get different groups across the organization to buy into the plan."

While the CIRT team may have broad influence, its physical reach may be limited. To address this issue, the University of Georgia's security group has deputized security liaisons in each of the institution's 14 colleges. Each college has a different security parameter, but through the use of institutional policies, standards and processes, the university has been able to set a security baseline. A security liaison also represents the university's administrative users.

For malware cleanup, an organization may choose to reload a fresh software image rather than delete the offending code. More companies choose such "brute-force methods" because they find it less arduous than potentially spending hours cleaning infected files from a system.

Brute force or not, cleanup comes to a halt when an incident calls for a forensics examination. During an ongoing network attack, the organization must decide whether to let the incursion continue to aid its investigation or cut it off to minimize damage. Technology and business leaders must weigh whether the investigative process outweighs the risk to the network.

Sometimes it's strictly a business decision, but criminal cases may involve external authorities such as the FBI or state law enforcement. Because organizations may lack the specialized staff to investigate computer crime, forensics is frequently outsourced. Banks, for example, handle most response tasks internally, but may call in a forensics specialist if an incident looks like something that might lead to litigation. An event such as theft of service could spark a forensics investigation, but could also be treated as an employee matter if the theft occurs internally. Some banks have a retainer-like contract with a forensics services firm that gathers evidence and maintains the chain of custody.

While investigation and remediation activities continue, incident responders, ideally, keep lines of communication open with key constituencies. The CIRT team, for instance, notifies line-of-business managers of a problem so they can inform their customers.

Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, your family, and your business are all at risk.

These cybercriminals leave you with three choices:

1. Do nothing and hope their attacks, risks, and threats don’t occur on your computer.

2. Do research and get training to protect yourself, your family, and your business.

3. Get professional help to lock down your system against all their attacks, risks, and threats.

Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!

© MMVII, Etienne A. Gibbs, MSW, Internet Safety Advocate and Educator
