By Tammy J. McInturff
The threat from hackers is growing, with damage
possible from within and from outside of your company. Having the right security
program can keep you from falling victim to hackers and cyber-terrorists.
However, this program must be able to keep up with the constantly changing
threats. Knowing the current trends can help ensure that you have the right
security program to keep your company safe.
At the LOMA Systems Forum, Tina M. LaCroix, chief
information security officer, Aon Corporation, and Jason A. Witty, CISSP,
director, Global Security Architecture, Aon Corporation, discussed the trends
and protection strategies for business problems related to information security
risk management.
LaCroix believes that in today’s down market,
the right information security program can help give your company a competitive
advantage. Having the appropriate information security program can also support
your reputation, demonstrate compliance with local and federal regulatory
statutes, improve system uptime and employee productivity, and ensure viable
long-term e-Commerce. "Our clients, contract renewals and any other engagements
we are looking at from our business-to-business side are asking very detailed
questions about how we handle our security program," LaCroix said. LaCroix
spends a lot of time with her peer group outside of the insurance and financial
services industry, and all of the Chief Information Security Officers (CISOs)
and other security leaders she has talked to are facing the same problems. So
it is important that you have a program that you can communicate clearly and
that you can support operationally.
The people in your organization’s security team
have to protect everything at your company. "A hacker, whether it is
somebody from inside or outside of your company, only needs to find one hole or
one vulnerability to exploit and you become the victim of a security
breach," LaCroix said.
Trends and Statistics
Witty, who researches information security
statistics in his spare time, offered a number of alarming statistics.
"There is a 64 percent annual rate of growth in security attacks,"
Witty said. "This is an interesting statistic because few, if any companies
have an IT budget for security that is increasing 64 percent per year or an IT
staff level increasing 64 percent per year. This statistic came from Symantec,
who has a 24/7 security monitoring service that they sell to about 400 plants
around the world. They glean that data out of the monitoring that they have in
place. Symantec also reported that the average security conscious company
experienced 32 attacks per week over the past six months."
Those looking for statistics on the cost of
information security breaches may find them hard to obtain. "One of
the hardest things to try and put a thumb on is how much security breaches
really cost, because you’ve got soft costs, possible brand issues, shareholder
issues, trust issues and liability issues. So, there is no real good measurement
for how much a particular security breach costs. However, there are definitely
some hard costs that can be measured. These can be calculated by analyzing how
long it takes to implement a patch, and how long it takes to recover the system
that was compromised," Witty said. "According to the UK Department of
Trade and Industry, the average measurable cost of a serious security incident
in Q1/Q2 2002 was approximately $50,000."
"My favorite statistic," Witty said,
"came from the December 2002 issue of LOMA’s Resource magazine and was
actually very timely. The statistic stated that, ‘identity theft related
information is selling for $50 to $100 per record.’ The same time that
statistic was published, I was meeting with the U.S. Secret Service in Chicago.
They have an electronic crime task force that they encourage the private sector
to get involved with. Basically, they hold meetings to talk about what the
Secret Service is doing and how to protect yourself, and how they can help you
protect yourself. One of the things they talked about at this meeting was the
increased threat of identity theft. There are two reasons why identity theft is
rising. One is that public information is selling for $50 to $100 per record on
the black market. So if you’ve got an employee base of 10,000 people that data
is worth $500,000 to $1,000,000 to somebody that would steal it. The additional
advantage for thieves is that you are not going to know that the information was
stolen until somebody or some percentage of your employees start having unusual
charges on their credit cards."
Security Laws
Witty discussed ten security laws laid out by
Microsoft. "The number one security law is that there are no silver
bullets. Technology is not going to save you in everything. There is a much
bigger piece to security than just the technology piece. The second security
law, according to Microsoft, is that security isn’t about risk avoidance, it
is about managing that risk. So you have to really treat security issues as any
other risk management business issue," Witty said. "The third law is
that the most secure network is a well-administered one. The next law is that
there really is someone out there trying to get your password. The fifth law
states that eternal vigilance is the price of security. So if you want
security, you are going to have to always be vigilant about whatever you are
doing—whether that is having a good password, always knowing who you are
talking to on the phone, or applying patches in a timely manner. It all requires
vigilance in order to get 100 percent security. The sixth law states that it
does not do much good to install security fixes on a computer that was never
secure to begin with. In other words, if somebody got into your system, it is
not your system anymore. You need to rebuild it. If you don’t keep up with
security fixes, your network won’t be yours for long, states the seventh law.
Security only works if the secure way also happens to be the easy way. The ninth
law is that nobody believes anything bad can happen to them until it does. The
final law is that the difficulty of defending a network is directly proportional
to its complexity. That means driving consolidation, which has a really nice
fringe benefit of driving down costs. The main point is, if you were to properly
secure one infrastructure, that might cost you $100,000, and if you had 50
across the world obviously that would be much more expensive than if you pick
five strategic places, spend that money well at five locations, and ensure
service."
Increasing Vulnerability
The number of security breaches continues to rise
at an alarming rate. "In 1988 there were only six computer security
incidents reported to CERT/CC and just a few years later in 2002 there were
52,658. That is reported incidents alone; these aren’t incidents monitored by
somebody, or an accurate number of incidents that actually happened," Witty said.
"These are 52,658 separate things that people actually reported to
CERT." CERT is the incident response group for the Internet. Part of the
reason these numbers continue to grow is because it is getting a lot easier to
hack into systems. "To get a virus on your PC you used to have to get it on
a boot floppy, put it in your PC and boot off of it. You had to get it in some
kind of executable that had replicated itself using the machine. Now that
viruses can be spread through the Internet and e-mail, where it used to take
days, weeks, or even months for a virus to propagate to hundreds or thousands of
systems, now it can take seconds."
It has become so easy to hack into systems that
virtually anyone can do it. "In 1988 you really needed to be a clever
person to break into a system and the amount of damage you were doing was
typically only to a single system. Over time people started releasing all this
information so that other people could see it. More people started quality
checking other people’s code that they were releasing and tools started
getting a lot better," Witty said.
Types of Hackers
There are many different types of hackers and
different motivations for attacking systems. "One of the biggest problems
is bored IT folks," Witty said. "You’ve got people trying to outdo
each other, in addition to hacktivists, terrorists, and disgruntled
employees."
Another type of hacker is the identity thief.
This is a growing trend because of the cost of the information and the payout
value that a thief can get for stealing that data. "You also have to worry
about Mob-sponsored hacking, which is increasing. It is one of the things that
the Secret Service and the FBI are talking about a lot now," Witty said.
"There are actually foreign Mafia and Mob individuals paying for some
14-year-old to try and break into Web sites."
Hacking Tools
There are Web-based hacking tools available that
allow people to try and break into your e-commerce sites. "These tools are
very easy to use; the hacker simply inputs information into the form fields,
such as a username file, password file and a URL. Then he tells it where to
start and hits go," Witty said.
Some hacking tools also work at the session
level. "When you log in to a Web site you don’t have to log in to every
single page because there is an associated session variable with the fact that
you’ve logged in; your browser just presents that session variable back to the
server every time," Witty said. "What hackers try to figure out is if
those things aren’t random, then all you have to do is just start randomly
throwing session variables at the Web server. Eventually, you will find one that
is currently active and take over that session." The session hacking tool
is also very easy to get and easy to use. This tool collects a number of
session variables at once and presents them to the hacker, who can examine
them, figure out exactly which piece of the value is random, and load that into
the rest of the tool.
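The weakness Witty describes is a session identifier that is not random enough to resist guessing. The following is an added example (not code from the original article or from Aon): a constructed counter-based session ID scheme beside a CSPRNG-based one, and an audit routine a defender can run over a sample of their own application's session IDs. The 64-bit entropy floor and the sample size are assumptions chosen for illustration.

```python
"""Audit a sample of session identifiers for the predictability the talk
warns about. Added example with a constructed weak generator beside a
CSPRNG-based one; the audit thresholds are assumptions, not from the page."""
import math
import secrets
from collections import Counter


def weak_session_id(counter):
    # Constructed weak scheme: a zero-padded counter. Consecutive IDs differ
    # by a fixed step, so anyone holding one can infer its neighbours.
    return f"{1000 + counter:010d}"


def strong_session_id(nbytes=32):
    # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded.
    return secrets.token_urlsafe(nbytes)


def entropy_bits_per_char(tokens):
    """Shannon entropy of the character distribution across all tokens."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def is_arithmetic_progression(tokens):
    """True when every token is a decimal integer and the step is constant."""
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 2 and len(steps) == 1


def audit_session_ids(tokens, min_entropy_bits=64.0):
    """Run the checks a reviewer would apply to a captured sample of IDs.

    min_entropy_bits is an assumed floor; a small sample can only estimate
    entropy, so treat the result as a screen, not a proof."""
    per_char = entropy_bits_per_char(tokens)
    avg_len = sum(len(t) for t in tokens) / len(tokens)
    estimated_bits = per_char * avg_len
    findings = {
        "duplicates": len(tokens) != len(set(tokens)),
        "sequential": is_arithmetic_progression(tokens),
        "estimated_bits": round(estimated_bits, 1),
        "too_short": estimated_bits < min_entropy_bits,
    }
    findings["predictable"] = (findings["duplicates"] or findings["sequential"]
                               or findings["too_short"])
    return findings


if __name__ == "__main__":
    weak = [weak_session_id(i) for i in range(50)]
    strong = [strong_session_id() for _ in range(50)]
    print("weak:  ", audit_session_ids(weak))    # predictable: True
    print("strong:", audit_session_ids(strong))  # predictable: False
```

The counter scheme scores about 15 estimated bits and is flagged as sequential; the CSPRNG scheme scores well over 200 bits and passes every check.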
There are many of these tools; they are well
written and well documented. "The Web site www.packetstormsecurity.org has
tens of thousands of these tools that you can download," Witty said.
"So if you are a bored 14-year-old that wants to show off for somebody or a
terrorist all you have to do is go through and select what operating system and
package you are trying to get into, and you’ve got a tool for it."
Hacking tools are easy for anyone to find. Some
simple Google searches can give you an idea of how many tools are out there.
Searching for the word "hack" on Google.com brings up 11,400,000 hits.
Of course not all of these will be hacking tools; some may be reports of
companies that have been hacked. Searching "hack" plus
"crack" comes up with over a million sites on Google and looking up
"hacking tools" gets 694,000 sites.
Is it legal for people to post these tools? It
seems odd that people can write up these tools and tell you exactly how to break
into systems. "In 1988 a philosophical question started about full
disclosure," Witty explained. "The question was if a person knows
about a security vulnerability should he tell you about it and allow you to fix
it, or should he not tell you because somebody else might find out and use that
vulnerability against you."
Witty explained that, after a long discussion and
several years of rational reasoning the argument came to the conclusion that it
is better to tell the public that there is a vulnerability out there. The idea
was to first tell the vendor, then allow a reasonable amount of time before
telling the public. This way the vendor can release a patch for it and then make
a public announcement. This process is still in place today. The vendor is given
anywhere from 15 to 90 days to release a patch and the person that found the
hole doesn’t release a tool until after there is a patch.
Alarming Trends
There are several alarming trends right now,
according to Witty. One is that some hackers have stopped telling people about
the vulnerabilities they find. Instead, they exploit them quietly, so there
are no patches for them. There is also a trend to exploit services that you have
to use, such as e-mail and the Web. Hackers use those services against you by
riding tunnels back in. Another trend is to initiate an attack from the inside.
"There are actually tools now where somebody can gain access to one of your
facilities. They can actually drop something on your network that will make an
outbound Web request," Witty said. "It looks just like a Web browser
to your firewall, intrusion detection, and your proxy. But it is actually going
out there and saying, ‘does anyone want to connect to me?’ and this allows
an attacker to connect."
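A device that phones out through the proxy on a fixed schedule looks like a browser to each individual request, but not over time: a person does not fetch the same host on a clock. The following is an added example (not code from the original article or from Aon) of the detection logic a defender can run over proxy logs; the log format, hosts, addresses and the 10 percent jitter threshold are constructed assumptions.

```python
"""Flag periodic outbound HTTP requests in proxy logs, the timing pattern the
inside-out tool described above produces. Added example over a constructed
sample log; format "<timestamp> <client_ip> <method> <url>" is assumed."""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: 10.1.2.3 polls one host every ~60 s; 10.1.2.7 browses
# a news site at irregular, human-looking intervals.
SAMPLE_LOG = """\
2003-03-04T09:00:00 10.1.2.3 GET http://callback.example.test/poll
2003-03-04T09:01:00 10.1.2.3 GET http://callback.example.test/poll
2003-03-04T09:02:01 10.1.2.3 GET http://callback.example.test/poll
2003-03-04T09:03:00 10.1.2.3 GET http://callback.example.test/poll
2003-03-04T09:04:00 10.1.2.3 GET http://callback.example.test/poll
2003-03-04T09:04:59 10.1.2.3 GET http://callback.example.test/poll
2003-03-04T09:06:00 10.1.2.3 GET http://callback.example.test/poll
2003-03-04T09:00:12 10.1.2.7 GET http://news.example.test/
2003-03-04T09:00:14 10.1.2.7 GET http://news.example.test/story1
2003-03-04T09:03:40 10.1.2.7 GET http://news.example.test/story2
2003-03-04T09:11:05 10.1.2.7 GET http://news.example.test/story3
2003-03-04T09:11:07 10.1.2.7 GET http://news.example.test/story4
2003-03-04T09:25:30 10.1.2.7 GET http://news.example.test/story5
2003-03-04T09:40:02 10.1.2.7 GET http://news.example.test/story6
"""


def parse_log(text):
    """Yield (timestamp, client, destination host) for each log line."""
    for line in text.splitlines():
        ts, client, _method, url = line.split()
        yield datetime.fromisoformat(ts), client, urlsplit(url).hostname


def find_beacons(text, min_requests=6, max_jitter=0.10):
    """Return (client, host, mean_gap_seconds) for every client/host pair
    whose inter-request gaps vary by no more than max_jitter (as a fraction
    of the mean). Thresholds are assumptions to tune per environment."""
    series = defaultdict(list)
    for ts, client, host in parse_log(text):
        series[(client, host)].append(ts)
    hits = []
    for (client, host), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: near zero means machine-regular timing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((client, host, round(mean, 1)))
    return hits


if __name__ == "__main__":
    for client, host, gap in find_beacons(SAMPLE_LOG):
        print(f"periodic outbound requests: {client} -> {host} every {gap}s")
```

Only the polling client is reported; the browsing client's gaps range from seconds to minutes and fall well outside the jitter bound.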
These are further reasons why you want to have a
very comprehensive information security program to be able to prevent things
like this from happening. "There really are quite a few different ways of
getting into a system and of course there is a lot of increased hacking for hire
at the moment," Witty said.
However, you don’t have to be a victim.
"There is hope on the horizon and you can mitigate enough risk, often
enough so that you don’t fall prey to these types of vulnerabilities and
exploits," LaCroix said. "You would be hard pressed to find an
information security program that is perfect. Remember information security isn’t
just an IT issue. It is not just technology that is going to remedy and reduce
the risks companies face in protecting their information. You know next to our
people, our biggest asset is our information. It takes a multi-prong approach
between IT functions and business functions. You have to come up with a program
that will impress how you handle the data, which is where we typically make our
money and earn our reputations."
Required Security Controls
LaCroix explained that there are required
security controls in multiple levels, some technical and others nontechnical.
The nontechnical includes the policy, processes, how and when you do things,
your standards, and guidelines—all of which are critical components of a
well-structured security program. Of course there are also levels of technology
that are critical to your security program, such as the application,
presentation, session, transport, network, and data link. "Look across your
technology enterprise and make sure that you build the right mitigating controls
at each of these levels. You need to have applications with access control
limitation, so that when you are presenting data you are only presenting the
minimal amount of data for the transaction, your session level and your
transport data principle," LaCroix said. "Security needs to be
addressed within each one of these levels because this helps to take the people
factor out." The more of these layers that you can cover securing your
data, the less your exposure is going to be.
If you haven’t upgraded your system recently,
then it is probably at risk. "Back in 1995 you could have firewalls and
desktop antivirus and have relatively guaranteed protection. Hopefully you have
been gradually building your security posture, by adding some proxy servers,
additional layers of antivirus, and URL screening," LaCroix said. "If
you haven’t then your job is going to be a lot more difficult and you are
going to have more exposure."
"We have chosen the ISO 17799 standard set
in which to frame our security program," LaCroix said. "In each
company one of the most important things you can do is assess where you are
today. So as you begin to think about framing a security program, define what
you need to do and prioritize that list. We have ten categories which fit
together to make up our security program. They are security policy, security
organization, computer & network management, personnel security, compliance,
classification & control of assets, environmental & physical security,
system development & maintenance, business continuity planning, and system
access controls." Using the framework of these ten categories you can
easily communicate with your business partners and clients.
According to LaCroix, your security risk
management program should also include governance and sponsorship by senior
management, staff and leadership education, implementation of appropriate
technical controls, written enterprise security policies & standards, formal
risk assessment processes, incident response capabilities, reporting and
measuring processes, compliance processes and ties to legal, HR, audit, and
privacy teams.
Following these will help make the transition
easier, but LaCroix says don’t expect to be popular if you are the person
responsible for putting a new security plan in place. The new program will cost
people money and change the way they do their jobs. You will be treading on
territory that is brand new for most people and difficult to understand for
some, so make sure you have support from your senior management.
Staff and leadership education is important
because your staff needs to know what is expected of them under your new or
existing security program. So it is critical that you have some means of
communicating that and teaching people. Also, your enterprise security policies
and standards need to be documented, but more importantly they need to be
communicated, understood and agreed upon by everyone, all the way down to the
general user community.
Your risk assessment processes and your incident
response capabilities are critical as well. You will have incidents; it is just
a matter of how many, how often and what types. It is very important that you
have a process by which you will be responding to these incidents. LaCroix has
found that it is very beneficial to work cross-functionally through her
organization to sell the security idea, because much of the
organization has a very vested interest in seeing the security program put in
place.
Recommendations
If you do business with a software vendor ask
them what their program is for quality assurance within their organization. You
want to be sure they can develop secure products and that what they are shipping
to your desktop comes to you secure. You can think about outsourcing, but
remember it can be pretty expensive and onerous to put a whole security program
in place at one time. LaCroix recommends that you come up with a three- to
five-year strategy for putting your security program in place. Make sure you do
a baseline assessment as to where your company is and what you need to do,
because you are going to have to prioritize what you do, when you do it, and how
you do it. Think about selectively outsourcing some of the services that require
24/7 attention.
Talk to your vendors about building software
products and then shipping them to you. Your security program is not a one-time
thing. It is a whole process, a way of life. It dictates ultimate change within
your organization. Each company has different needs; you have to figure out what
is best for your organization. Have the proper security at the concept stage;
that way you can make good suggestions and build tools that are innately secure.