
Step three: Things that turn threats and potential loss into risk

by Stewart Twynham
3rd Sep 2005

In the third in this series of articles written for Business Management Zone by Stewart Twynham of Bawden Quinn, we look at 'Identifying your vulnerabilities: things that turn threats and potential loss into risk'.

We started our journey in Step One by discussing the state of information security awareness within businesses today, why security is so important, and identifying the starting point for all security professionals: your information assets. In Step Two we explored the nature of threats and vulnerabilities, identifying some of the better known ones.

STEP THREE: Identify your vulnerabilities, the things that turn threats and potential loss into risk.

Hackers, viruses, worms, etc. don't use passwords, in much the same way that most burglars or car thieves don't bother to pick locks. They use a crowbar on the window, or a coat hanger down the door. Similar techniques work on computer systems, and are called exploits and vulnerabilities; these make hacking into an unprotected computer as easy as breaking a window.

MYTH: We're not vulnerable; we set passwords on everything.

Operating System / Networking Vulnerabilities
Many of the protocols (the languages spoken by computers when they talk to one another across a network) were designed at a time when only the military or very large institutions were connected to the Internet. As a result, most systems are by default too trusting, letting other systems connect with little or no authentication, releasing information that is of no use to normal users, yet could be used by hackers to leverage further access.

Furthermore, in order to make computers easier to network together, most PCs have just about every 'service' switched on by default, making most computer networks appear to the passing hacker like a well-lit Christmas tree!

Application Vulnerabilities
Some years ago, hackers realised that many businesses were becoming streetwise: installing firewalls, closing down the 'ports' and services that make computers visible and vulnerable to attack. So they started to learn a little bit more about software, and began to shift their attention to application vulnerabilities. The principle is this: if you can attack systems here, you change the rules, since you are attacking systems from within. An application level exploit is a little bit like a parcel bomb: the parcel arrives at your computer through legitimate means, but once opened it blows up.

Buffer overrun attacks (a.k.a. unchecked buffers) are one of the most popular 'application level exploits' these days, used to great effect by the MSBLAST worm, and hence deserve some comment here. When computers accept information, be that from something you type or something you download, that information is stored in something called a buffer: a small chunk of memory designed to hold a small amount of information for a short period of time.

Sometimes, you can send a computer too much information, but the software never checks, and tries to fit it into the buffer regardless.

In the coming weeks, we will discuss:
  • Firewalls: essential perimeter protection, and what they don't do
  • Anti-Virus protection, its limitations, and dealing with Spam
  • Good housekeeping, backup and physical security
  • Training, acceptable use policies and legislation
  • ISPs, Domains, Web design and Hosting
  • The impact of new technology: VPNs, WiFi, Broadband, et al.

An illustration: imagine you are handed a notepad by a customer, who asks you to make some notes. When you reach the end of the page, you turn it over, but the pad has run out, and instead of finding more paper underneath, you find an unrelated document complete with a blank, signed company cheque. You duly fill in your name and an amount on the cheque, and because the customer never checks, you are soon thousands of pounds better off!

In this case, the piece of paper was acting as a buffer, and when you ran out of space, you started writing over something you shouldn't have. That's what happens inside your computer: the buffer fills up, and the information spills over so far that it overwrites a tiny part of the memory designed to remind the computer what program it needs to run next. Done carefully, an attacker can then force your machine to do whatever they want, in most cases without you even having to lift a finger.

Some experts feel that unchecked buffers are merely the result of very poor programming. In reality, operating systems and applications are so complicated and diverse that further and more dangerous buffer overruns are pretty much inevitable until such time as computers are designed differently. Better start heeding those warnings from Microsoft...
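The notepad illustration above, modelled as an added C example (not code from the article): an unchecked copy runs past a fixed buffer into the adjacent 'what to run next' slot, while a bounds-checked copy refuses the oversized input. The buffer layout, the 'RUNNEXT' marker and all function names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the notepad analogy (hypothetical names, not the article's
 * code): a 32-byte note buffer sits directly in front of an 8-byte slot standing
 * in for the saved "what to run next" value. Both live in one array, so the overrun
 * stays inside a single object and the demonstration is well-defined C. */
#define NOTE_CAP 32
#define SLOT_LEN 8
static unsigned char store[NOTE_CAP + SLOT_LEN];
static const unsigned char slot_marker[SLOT_LEN] = "RUNNEXT";

static void reset_store(void) {
    memset(store, 0, NOTE_CAP);
    memcpy(store + NOTE_CAP, slot_marker, SLOT_LEN);
}

/* 1 while the slot still holds its original value, 0 once it is overwritten. */
static int slot_intact(void) {
    return memcmp(store + NOTE_CAP, slot_marker, SLOT_LEN) == 0;
}

/* The defect described in the text: the input length is never compared with
 * the buffer's capacity, so the copy runs on into whatever follows the buffer. */
static void unchecked_write(const unsigned char *src, size_t len) {
    if (len > sizeof store) len = sizeof store;   /* keeps the model in bounds */
    memcpy(store, src, len);                      /* no check against NOTE_CAP */
}

/* The fix: reject input that does not fit, so adjacent memory is never touched. */
static int checked_write(const unsigned char *src, size_t len) {
    if (len > NOTE_CAP) return -1;
    memcpy(store, src, len);
    return 0;
}

/* Feeds a constructed 40-byte input through one path; 1 if the slot was clobbered. */
static int slot_clobbered_by(int use_checked) {
    unsigned char input[40];
    memset(input, 'A', sizeof input);
    reset_store();
    if (use_checked) checked_write(input, sizeof input);
    else unchecked_write(input, sizeof input);
    return !slot_intact();
}

int main(void) {
    printf("unchecked: slot clobbered = %d\n", slot_clobbered_by(0));  /* prints 1 */
    printf("checked:   slot clobbered = %d\n", slot_clobbered_by(1));  /* prints 0 */
    return 0;
}
```

The same length check is what a compiler warning or a bounds-checked string routine enforces for you; the unchecked path is the pattern the patches warn about.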

Social Engineering
Users are typically the 'weakest link' inside any organisation, and it usually only takes one person to do something silly to impact upon the entire business. The trouble is, people tend to follow instructions and like to be helpful.

In its simplest form, an email saying 'click here', whereupon a virus kills your network, is an example of social engineering: getting people to do things they shouldn't. Social engineering can be much more sophisticated, for example ringing up a user, claiming to be from 'their IT support company', and then asking for passwords. Other examples include scams, such as those which have recently persuaded Citibank customers into revealing their personal details.

Untrained and unaware people will happily give away confidential information; just make certain it's not your confidential information they give away!

Supply Chains
Many small businesses do not realise how dependent they and their systems are on their suppliers, making them vulnerable to a single point of failure. One example relates to the purchase of domain names, which are critical if email and web sites are to function, but are often purchased on the basis of price from an unknown supplier thousands of miles away in a different time zone.

Should a domain name reseller or hosting company fail commercially, or be subject to a major technical failure, you will no longer receive visitors to your web site, or be able to receive (and in many cases, send) email. Domain names are difficult (often impossible) to relocate quickly, and supplier selection based solely upon price usually ends up being a false economy.

Summary
We have discussed some of the threats and vulnerabilities that exist relating to information security. Secure businesses are aware of their specific threats, as well as the vulnerabilities that they must manage in order to manage risk. Most importantly, they keep this information accurate, complete, and up to date: threats increase over time and vulnerabilities change every single time you make a change to your network.

Next time: Firewalls, essential perimeter protection, and what they don't do

You now understand the assets you are trying to protect, the threats (who and what you must protect those assets from), and the reasons why your computer systems may be vulnerable to those threats. You are now in a position to begin to understand in detail the kinds of countermeasures that can be put in place to manage risks. First stop, the Firewall.
