Risk Training - Security and Technology

Risktraining.info

Security and Technology

 


Security and Technology

Back to Basics

One useful skill in Risk Analysis is the ability to step back and look at the very basics of a situation and the components of a system. This gives you the ability to question what each one does and by doing so, hopefully a good deal of basic risks become apparent.

In this section we'll do this on a very basic level just to give some ideas on what can be done, and where things lead. It also acts a good introduction or refresher on some of the basics of technology.

Although this section mainly deals with computers and networks we'll take a brief look at other areas of technology that are open to abuse and should be examined for any potential risks.

Computers and why we use them

The computer has become an everyday item these days to the extent that it would be very hard for some people and a lot of businesses to work properly without them. Because they have become "part of the furniture" their usefulness often isn't realised until something goes wrong with them.

Let's have a look at some of the basic things that we use a traditional desktop computer for:

These days, with the reliance placed on the computer, it is interesting and often quite scary to think about how easy any of these functions would be to replace within a few hours if you were left without a computer.

Networks and why we use them

These days most computers do not just sit there by themselves, if they are not a part of a proper network then it is highly likely that they will at least have a modem to allow them to access other networks.

So again, let's have a look at some of the things that we use computer networks for:

These days, the most obvious sign and immediate sign of an office computer network failing tends to be the lack of access to printing facilities; however, with Internet access becoming more and more vital to everyday business operations, a lack of Internet access may soon replace broken printing as the primary "user whinge" when a computer network dies.

The evolution of a network

To understand how basic networks work, it is worth looking at how a typical network evolves over time. In this example we will look at one way that a typical office network comes into creation and how larger networks are created from these smaller beginnings.

A "home grown" network nearly always begins when a single computer with a printer attached acquires a "mate". In terms of resources (desk space and costs) it is more practical to share a printer between more than one computer and to do this requires the computers to be networked in some way.

We are now in the situation where a few computers are all linked together and using the same printer via a simple network. What tends to happen next is that there will become a need for files used on one or more machines to be available to others. When a basic mechanism is implemented this network becomes what is called a "workgroup" - A means by which all of the computers become a group.

After a while working in this workgroup environment, it may well become apparent that all of the files would be best kept on just one of the machines so that they can be looked after more easily. This would also allow for the files to be backed up by the owner of the machine, who is probably the person who is the most familiar with the technology (or the one who has most to lose if the files are lost). If this is implemented then the machine with all of the files on it, and probably with the printers attached will become what is known as a "server". Our basic network has now evolved from a basic and unmanaged workgroup to a workgroup that contains a file and printer server.

The next step in the evolution of the network is for people to realise that the server is a valuable facility. This is usually learned the hard way when people accidentally delete files, people unplug the server or there is a disk crash leading to a loss of data. This will often bring about a number of changes to the network which may include the following:

Our network is now quite advanced and where it goes from here really depends on the structure of the organisation. In our example now, we are assuming that another department now decides that it wants to link its computers to the existing network. The new department wants access to the bigger printers, the "safe" file store and importantly, the Internet. When more than one department becomes involved it soon becomes apparent that the organisation would be better suited having its own computer (or IT) department. The IT department takes control of the server, and may put a number of smaller departmental servers around the organisation to deal with networked printers. The IT department will have responsibility for making sort the network is reliable, that printers always work, that files are always available and that different departments within the organisation are compartmentalised and secure from one another. It would be embarrassing if anyone within the company had access to the payroll systems, for example. By this point, the connection to the Internet has probably been upgraded so that it runs faster and maybe some access restrictions have been implemented to stop people abusing the link. The IT department has probably by now also implemented electronic mail which will allow the company to communicate not only internally but also with other companies.

Finally in our example company, someone in the Marketing department will probably read an article about having a company website and demand that the IT department build them one. The IT department will then either go their own way and create a server available to people on the Internet via the world wide web (a webserver) or, they will create a website on an Internet Service Provider's systems and transfer data to it as and when it is required.

Beyond traditional IT.

It is easy to fall into the trap of thinking of technology risks as just being computers and networks, there are plenty of other things that can be abused within an organisation. The following is by no means an exhaustive list but does include a few often overlooked items:

Questions you should be asking about all of these devices include:

Some common risks

This is a section that could go on for ever, however it is worth looking at a small number of scenarios, all of which actually happen a lot more than you may expect. These scenario's will highlight a number of obvious risks and hopefully will require no explanation.

It is very easy these days for a member of staff to be running their own business whilst at your premises, and on your company's time. There is often an assumption that if someone is sitting in front of a computer looking busy then they are working. This may well be the case, but are they working for you? On the simplest level, people may well just be doing a bit of casual stocks and shares trading or maybe placing the odd bet with their Internet bookies. On a more serious scale, they may well be running their own buying and selling business, using your postal services to ship goods, your printers and photocopiers to produce paperwork and your phone and email/web systems to talk to customers.

A member of IT staff or a computer-literate staff member may consider themselves hard done by or may have been made redundant or even sacked. This member of staff may well know electronic ways into your systems, may have planted "back doors" or may use their knowledge of members of staff to get a destructive virus into your systems. On their way out of the building on their last day they may also pop your computer's backup tapes into their pocket just in case they are useful in the future.

A hacker employed by your competition wants to get into your computer systems. They know very little about your organisation so the first thing they do is to have a quick look through your bins. Luckily for them a whole pile of old printed emails have been thrown away and by reading that, the hacker is able to get a pretty good idea of who a number of people within the organisation are, what they do and what their level of competence. The hacker finds a fairly naive and poorly trained user and forges an email to them instructing them to change their password to "letmein" so that their files can be backed up. The user, knowing no better does as they are told and Later on, the hacker will break into the organisation's computer systems using this users identity and the password they have provided.

A company has a good physical security policy and very restrictive access. A concerned employee wants to know what is happening with the company but they cannot gain physical access to the Finance Director's office. Luckily, they are friends with the cleaners, and ask one of them to sneak the Finance Director's laptops disk out for a few minutes, since the cleaner has access to all of the offices. The employee quickly copies the disk and gives it back to the cleaner to pop back in and nobody is any the wiser.

A member of staff waiting for some documents to print spots some interesting looking staff records sitting by the printer. Whilst they are waiting for their own printing to be done they quickly put the staff records into the nearby photocopier, copy them and put the originals back.

A member of IT staff receives some free training from a network supplier and they very nicely offer him a coffee cup, a rather stylish baseball hat and a bottle of wine. A few months later a number of network components need updating and whilst they are not the best price and they don't do the job very well, the IT staff member buys equipment from the supplier he got the free hat from; after all, it's not his money is it...?

Viruses, Worms and Trojan Horses

There is so much published about Viruses, Worms and Trojan Horses that they deserve a section of their own. This section is intended as a very basic introduction so that the risks can be understood but not as a detailed tutorial. Definitions

A virus's job is to infect as many systems as possible and modern viruses are very sophisticated and they are getting harder to detect. There are many rumours that a lot of modern viruses are created by the people who write the anti-virus software; this may well have a grain of truth in it but it may also be the case that the virus writers and the virus prevention writers are at constant "war" with one another, and it's us computer users who end up the victims.

A Virus is a tiny computer program that may or may not cause some damage to a computer system. In some ways, the damage that a virus does is secondary to it's main aim in life which is to spread to other programs and computer systems. A virus will attach itself in a fairly "innocent" way to a program or some other items and when that program is transferred to another system, it will spread itself around to other programs, thus "infecting" a new system. Some viruses do nothing at all to the actual computer other than just sit there but some will actually cause damage to files, slow the computer down or even "explode" on a certain date, wiping everything on the computer system out.

A Macro Virus is similar to a normal virus except that they travel around in documents, spreadsheets or other items that are not traditional virus-transport mechanisms. They received their name because they were traditionally transported in Microsoft Word Macros.

A Worm could well be described as a virus on steroids. Not only does a worm want to spread itself around, it will actively look for various ways to do this and some are very good at doing this. If you receive a worm via email or another means and "trigger" one, it will send itself to every address in your email, and it will often try and distribute itself to every other computer it can see on the network. Consider the spread of a worm like the famous "Iloveyou" worm, that was first reported in Hong Kong and had spread throughout the world bringing down a large percentage of company mail systems within a few hours. There is a good article about the Iloveyou worm on CNN's web site.

Finally, a Trojan Horse is often inserted into some viruses or worms. If a computer becomes infected with a Trojan Horse then it allows someone else to access that computer and its data from somewhere else usually without the real user of the computer having any idea that this is happening. Trojans are often distributed in illegally obtained software.

This has been a fairly simplistic explanation and a number of technicalities have been left out to make the explanations easier. It should be noted that most people simply call these four different types of infection by the generic name "viruses" (or virii for pedants).

Causes

In simplistic terms, the cause of a virus is running a program that has been infected with a virus from elsewhere. A few years ago, it used to be quite simple not to get viruses, you simply didn't run any software or use any disks that you didn't entirely trust.

The problem these days is that often you don't know when you are running a program. If you put a CDROM into a machine, it will often as not run itself without any intervention. If you open up a piece of mail it may run a piece of software without you knowing, if you visit a website it may run something without you asking and sometimes, even doing something as simple as opening up a Word document will cause programs that you didn't know existed to run.

Although it is theoretically possible to try and block all the causes of virus infection; unless you understand the operation of every piece of software om your machine it really isn't practical to be sure that you can block all of the causes of viruses getting into your system.

Effects or What to look for

If you are unlucky, you will spot a virus... Some will do silly things like change words as you type them, flash things on your screen or delete random files and some will do more drastic things such as delete or corrupt all of your files.

The first thing you may know about being infected with some viruses is when you receive a phone call or an email from someone informing you that you have passed them a virus. If you are unlucky, the virus or worm may have also passed on some random (and maybe private) documents to everyone you have ever communicated with via email as well.

A lot of viruses will just sit there and do nothing but happily distributing themselves to other people's systems when they get the chance. If someone receiving a virus has virus protection they may well warn you that you have passed them an infected file.

Scale of Problem

It is not very easy to get proper statistics on viruses since a lot of people effected by them do not even realise it. Organisations like Virus Bulletin and the Wildlist Organization publish statistics that are fairly meaningless unless you are a virus expert. It is very difficult to get anyone to commit to any plain-language statistics but everyone does agree that the scale of the virus problem is "huge".

The following statistics are quoted on the NetTech Solutions site:

External Links:
NetTech Solutions.
Virus Bulletin.
The WildList Organization International.

Prevention

There are a few methods of preventing viruses, the more of these you use, the more protection you will have:

Some good and well respected anti-virus software can be found from the following external pages:

Procedures

The company Security Policy should detail procedures for dealing with viruses. Points to be addressed include:

There has to be a fine balance between staff education, making your staff realise that they have to report viruses and having a disciplinary procedure that can deal with staff that deliberately put your company at risk.

It is very tempting to "test" a virus scanner with a number of viruses. This is not really a sensible thing to do but it is natural to want to see if they do actually work. If you are going to test a virus scanner with "live" viruses, make sure it is done on a non network-connected machine and that the machine is wiped out and re-installed afterwards.

Cure

The easiest cure for a virus attack is not to catch the virus in the first place. A lot of virus infections are simply impossible to recover from. Although it may well be possible to salvage some data files the systems will often have to be completely erased, and re-installed from scratch.

Some of the virus scanner manufacturers (Sophos is a good one for this) will bring out free virus-cures that may well help to rid a system of an individual virus but bear in mind that this is only possible with some of the viruses and, by the time you have actually spotted the infection it may well be too late.

If a virus is found on a network connected machine, the machine should be disconnected from the network, a note made of what virus the machine is infected with and then the machine should be switched off and dealt with by someone experienced in virus removal.

Websites

These days a website is vitally important to a company as its presence on the Internet. The site may range from just a couple of pages with some very basic information on the company to a massive commerce enabled site that extends the full range of business to the World Wide Web.

Whilst this document is not a guide to websites, it is worth looking at some of the Risk and Security aspects of something that has this much exposure.

Hows and Whys

In real terms, a website is actually a collection of pages and programs that is stored on a webserver. A webserver is a computer connected to the Internet that can be accessed by a web browser.

A webserver can either be "in-house" which means it is on your company premises and managed by your own staff or it can be hosted by an Internet Service Provider (ISP). If your site is hosted by an ISP then your own staff or a third-party web design company will manage the content of the site but the ISP will manage the server and the network connections to it. In some cases, a whole webserver may be dedicated to a single website but if your webserver is hosted by an ISP then it is likely that a large number of websites will share a single webserver and the content of your site will probably be uploaded using a mechanism called "ftp" (file transport protocol) which is built into a lot of web design programs.

In order to conduct secure transactions or simply to prove to people's browsers that the site they are visiting is really yours, your site may need a certificate which is issued by a trusted certificate authority. Use of this certificate for any important transactions ensures that your site won't be hijacked by various common hacks.

A website is the most widely available view of your company that can possibly exist. Hundreds of millions of people have access to it via the Internet so it is well worth bearing this in mind and considering various high-level risks such as:

Website attacks

The glorified Hollywood image of the hacker is not at all accurate in these days of easy access to "hacking tools". Today a hacker is far more likely to be an unskilled teenager than a hero hacking for some idealistic cause.

One point that should be mentioned briefly, however, is that statistics show a hacker is far more likely to be a member of your own staff than someone from outside; this is well worth thinking about and remembering.

Because a website is on the Internet, it may unwittingly become a target for "random" hackers. A lot of website attacks are simply because a hacker has found that your webserver is vulnerable to some exploit or other and has used it to break into the site.

Once they have broken into the site, the following is an example of what may happen:

It is very easy to be paranoid about webservers and for good reason. It is not always at all easy to manage the risk of these systems effectively unless you have taken good advice you have good ongoing advice.

Another attack that is worth mentioning briefly is called a Denial Of Service attack (or DOS attack). In February 2000, a number of websites on the Internet were all hit by one large DOS attack, these included Amazon, CNN, buy.com, eBay and Yahoo. A DOS attack is annoying because it may well not be aimed at your website but you will suffer anyway, it is the Internet equivalent of an accident on a motorway which then causes a huge traffic jam that can cause problems for thousands of people. There is an article on DOS attacks here should you require more information.

Backups

Just because your website is not obviously part of your normal IT Infrastructure, it doesn't mean it shouldn't be backed up. If the server is kept in-house then it should be backed up as would any other machine and if it is vital to commercial operations then there should be another system available that can take its place.

If your systems are hosted by an ISP then it is probably not safe to assume that they will do backups - Keep your own and if you use a third-party web design company, make sure they keep them too.

It is definitely worth having a backup of the site (or at least a smaller basic site that will respond with something) somewhere else on the Internet so that if the worse happens, people will be redirected there until the main site is fixed. In many ways, this will "disguise" the fact that something has gone wrong, especially if you lie-a-little and say that the site is down for routine maintenance. This rather sneaky technique does seem to have become the standard lazy disaster recovery plan for Internet websites.

Trademark and domain naming issues

Although this is covered in the legal section, it is worth mentioning a few points on domain naming and trademarks.

A domain-name is the name by which your website will be addressed. If you are going to expensively advertise your website then it is fairly important that you have a memorable domain name that bears some relationship to your business. For example:

   http://www.risktraining.info/

Is easier to remember than something like:

   http://www.uknet.com/external/websites/user00654/

In simple terms, your domain name is the name of your choosing followed by a dot, followed by some letters (the extension) which signify either what kind of domain it is, or where in the world it is. The traditional business extension has always been ".com" (for commercial) or ".co.uk" for a UK based commercial site.

Because of the popularity of the ".com" address, it is getting highly unlikely that you will find a good one to match your business. People who sell domain names for a living would have us believe that ".net" and ".org" are good extensions for businesses and some new extensions such as ".info" and ".biz" have recently been opened up to confuse people even more.

There are also a lot of emails going around that urge you to "protect your identity on the net" by registering your name before someone else gets it. Some of these will urge you to buy a domain name in ten or twenty different countries in order to protect it but in reality, there is little need. The common sense view says to pick a name you are happy with and stick with it.

The one problem may be if you pick a name that someone else wants or thinks they have a right to. If that someone-else happens to be a large company with a lot of money then you may well be in trouble. There is very little logic in the trademark law as it applies to the .com addresses but thankfully the law governing the UK domains such as .co.uk is a bit more logical (though not much). If you can afford it, it is well worth while getting some legal advice and a trademark search before you start advertising a domain name even if you think there may be no problems with it and even if it is the legal name of your company.

For good UK advice, you can visit the Nominet UK pages or for some good legal content, visit Page Hargrave, a UK legal firm specialising in this area.


Risk Training Info. Email: info@risktraining.info
Copyright © 2002 Michael Lawrie. All rights reserved. For more information on using these documents click here.