Imagine if every time you left your home numerous would-be burglars descended upon your property and started checking every lock and window for weakness. That’s exactly the kind of security threat that computer networks face 24x7.
'If you were to put one computer on the Internet equipped with a logging tool that identified hacking attempts, you would find in a day’s time that log could potentially have several hundred registered hits,' said Greg O’Loughlin, product development manager for Global Data Systems (GDS). 'It goes on constantly. So on a typical network with dozens or hundreds of devices — maybe even thousands — you can imagine the potential for a security breach.'
What’s more, the types of network security threats are constantly changing. The security tools an organization puts in place today may be vulnerable to a hacker or worm tomorrow. 'Security is a moving target. New vulnerabilities are announced on a daily basis,' O’Loughlin said. 'So even if an organization does due diligence — goes through and finds potential security problems and keeps on top of patch updates — tomorrow is going to be different.'
Unfortunately, very few organizations have dedicated security personnel reviewing the security landscape and looking for potential threats within their networks. That’s why GDS has developed a comprehensive Security Assessment solution — to help fill this gap.
Good Guys vs. Bad Guys
The GDS Security Assessment solution enables organizations to tap the knowledge of highly trained and experienced security professionals who stay on top of all the latest security issues. These engineers come into the customer’s environment and use 'white hat' hacking techniques to find vulnerabilities — before an actual hacker does.
The solution is incredibly thorough, with testing of servers and workstations, firewalls, dialup, virtual private networks (VPNs), wireless, intrusion detection systems (IDSs) and more. In each case, GDS engineers utilize a number of tools to look for vulnerabilities in both hardware and software.
'We use both publicly available hacking tools — the free tools hackers can download from the Internet — as well as commercial assessment and scanning tools. We check for all known vulnerabilities just as a hacker would.'
It doesn’t stop there, however. The assessment team looks at the configuration of various devices on the network to ensure they are providing the intended level of security. For example, the team will analyze router access lists and the processes allowed by host-based IDSs.
Wireless networks — and the devices used to access them — are also tested for configuration problems that might open a security hole. In addition, wireless has to be tested for 'bleed off' — signals that extend beyond the building or area of controlled access.
To Err Is Human
The human element plays a major role in the GDS Security Assessment solution. Because end-users are often the weakest link in network security, the GDS team checks workstations and servers for weak passwords — or, worse, passwords that are posted in plain sight.
'We’ll actually do a physical desk check of our customers’ workstations,' O’Loughlin said. 'We’re looking for things like computers left running with the monitor turned off, which is a security risk. You turn the monitor on and you’re on the network. We also look for passwords that are written down, and we always find them. Sometimes we find them sticking on the monitor.'
Social engineering is a commonly overlooked problem in security that the GDS Security Assessment solution takes into account. Many times, hackers can gain access to a network simply by asking questions and relying on people’s natural inclination to be helpful.
'We’ll interview end-users and help desk staff to get a feel for their awareness of the organization’s security policy. We might even call end-users and say, ‘This is so-and-so from the help desk. We’re remotely working on your PC and need your username and password.’ We’ll try to gather that information by posing as an employee just as a hacker would. Invariably, somebody gives it up.'
Sometimes end-users will introduce threats by circumventing network security or adding rogue components to the network. A common example is the end-user who puts a modem in his company PC so he can dial in and access files remotely. GDS looks for these unauthorized modems through a technique called war dialing.
'We set up an application to dial every phone number in the range assigned to the customer. If something answers, like a fax machine, modem or remote access server, we’ll determine what the device is then scan it for security vulnerabilities,' O’Loughlin said. 'Modems added to workstations by end-users are very insecure and not that uncommon.'
The GDS team also looks for rogue access points as part of the wireless network assessment. A technically savvy end-user who has a laptop with a wireless card might add an access point without the knowledge of the IT department. These can be very insecure.
According to O’Loughlin, it’s important to keep productivity in mind when implementing security solutions.
'Best practices and operational efficiency don’t necessarily work hand-in-hand. It’s not uncommon for an organization to have a security implementation that’s not based 100 percent on best practices due to operational requirements,' O’Loughlin said. 'It’s a balancing act. If we implement a security solution that reduces end-user productivity we’re causing what is in effect a business problem.'
Keep Your Guard Up
The net result of the security assessment is a comprehensive set of reports that gives the customer a review of vulnerabilities. Vulnerabilities are prioritized based upon risk versus the cost to address the issue. Processes for monitoring network activity and responding to security events are recommended.
Most customers are surprised by the scope of risk their networks face.
'Generally speaking, when somebody gets hit with some sort of a security issue, it’s a surprise. They weren’t aware of it,' O’Loughlin said. 'They don’t usually understand the potential risks involved until they actually have some sort of security event that causes them to start looking at their security posture.'
And, once again, security is a moving target. An organization that is protected today may well be vulnerable tomorrow.
'Depending on the size of the customer and level of risk, security assessment may need to be an ongoing process,' O’Loughlin said. 'For example, a large hospital that has lots of sensitive data might need to actively monitor and test their security systems. A smaller organization with a lower level of risk might only need to complete an assessment twice a year.'
Would-be burglars can often be deterred by an alarm system, a barking dog, an alert neighbor. Thwarting cyber criminals is a similar, if more complex, process. The key is finding and eliminating vulnerabilities.