Prevention
One of the most publicised risks to information systems is that of unauthorised access - often called hacking.
Minimising the Risks
The risks of unauthorised access are best managed with a combination of:
Defence Strategy
A company may have purchased all recommended tools for minimising the risk of unauthorised access, but without a defined strategy for managing them, they can be ineffective.
For example, who is responsible for checking log files from these tools? How often are the tools updated? How often are they reviewed to ensure that they are meeting all of your needs?
A defence strategy should clearly define all available resources, including personnel, software, technology, etc.
Like any other strategy, people need to have access to it and roles need to be clearly defined.
The best way to establish a strategy is through risk analysis. A sound understanding of risk will give guidance on the wide range of solutions available to deal with unauthorised access.
Technology Tools
Security technologies are used to manage access, and prevent unauthorised access. They include:
- Firewalls
- Intrusion Detection Systems (IDS)
- Virus and content scanners
- Vulnerability assessment
- Patches and hotfixes
- Hardening operating systems and applications
Firewalls
A firewall is a device or system that provides a secure gateway between two networks - for example, your company network and the Internet. They are designed to keep unauthorised users out, and private information in.
Firewalls can be in the form of:
- A software package that is installed on a server/host system
- An appliance or a network device
- A feature of some other network device (such as a router)
There are also personal firewalls that do the same job but only protect one system, such as a laptop or PC.
Firewalls ensure that network traffic of certain types (or from certain applications) is allowed to pass from one network to another according to a set security policy. It can prevent network-based attacks that are often targeted against systems.
Amongst other tasks, firewalls can:
- Log connection attempts and traffic
- Authenticate users trying to make network connections
- Inspect network packets and track the state of connections to ensure they are behaving as expected
- Inspect application traffic, for example, e-mail viruses or web pages
- Protect internal networks by performing Network Address Translation (NAT)
By preventing unwanted access to your network, the risk of an information security breach is greatly reduced.
A firewall cannot:
- Prevent attacks from the Internet on defined protocols.
- Block dial-up attacks to remote access servers and modems within your network
Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) act as 'burglar alarms' for a network or system. They can identify someone 'casing' the environment, detect the 'rattling of doorknobs' to see if the house is unlocked, hear the shattering of glass as entry is gained, sound the alarm and call the police. They can also monitor and log forensic evidence to support any legal case.
There are two types of IDS system:
- Host based
- The IDS is installed on servers to identify activity and anomalies and report on server specific problems or activity. This is akin to virus defence software, except the IDS is looking for behaviour rather than patterns in files
- Network based
- The Intrusion Detection System (IDS) 'sniffs' the network to watch traffic, stop or 'snipe' intruders, and report on suspicious and unusual activity
IDS can be deployed in a number of ways depending on the aim or purpose of the system. It can protect key internal servers, identify Internet-based attacks and monitor network access points.
You should consider installing an IDS if you:
- Have suffered a security breach within the last twelve months
- Run a website for transacting business
- Want internal partitioning of your network
- Have a high-profile organisation liable to attract malicious attacks
- Have an unattended remote site with ISP links
- Already outsource part/all IT operations
- Connect to clients/business partners
- Have no permanent, full-time security staffing capability
Virus and Content Scanners
Scanners remain the most popular type of virus defence software used today. They contain detection and disinfection information for most known viruses.
Scanners tend to be easy to use and are capable of identifying a virus.
The main disadvantage of scanners is that they need to be kept constantly updated with the latest virus information in order to remain effective.
Vulnerability Assessment
Vulnerability assessment uses scanning software that checks for known security flaws. These are stored in a database, and your system is scanned to check if any exist.
This means that the vulnerability scanner can only find the problems it already knows about. It can't find new ones.
You need to ensure that such scanners are kept up to date with the latest problems by downloading regular updates (much like virus scanners).
Shareware Scanners are freely available on the Internet. Some specialists use these scanners as the sole basis for their vulnerability/penetration tests, with no supporting analysis.
As scanner reports may generate false positives and negatives, this is not an effective use of time and effort. They are most effective when used as the basis of a vulnerability assessment, not the totality of it.
A number of vulnerability scanners exist, including:
- ISS (Internet Security Scanner)
- Nessus
- NetRecon
- Sara
- CyberCop
Patches and Hotfixes
Most software vendors have websites that provide patches and hotfixes and all systems should be patched to the level recommended by the vendor. Unpatched systems are like an open window into your business.
Many commercial operations and hacker sites provide online databases of known vulnerabilities and exploits.
The Common Vulnerabilities and Exploits project (CVE) assigns a unique code number to each known vulnerability.
Hardening Operating Systems and Applications
Hackers are always looking for weak spots. You can reduce these by building your systems using recognised configurations.
Operating systems contain a vast number of settings, features and options. If these are set incorrectly they can lead to easy attack and compromise.
Many default settings are open, insecure or switched off. Security standards must be defined and implemented for all hosts. These will vary for different operating systems.
Systems should be regularly audited against the intended/documented configuration. You may wish to consider automating the implementation/auditing process. This can be done by:
- Using a 'golden CD'
- Using a script
- Group policies under Win 2K
- Using a third party security audit tool
Useful websites for further information:
Please note that inclusion of companies/organisations in these pages does not reflect any form of endorsement by BERR. Links are given because sites may provide information/services that you may find useful. This is by no means a definitive list and you are advised to research any company and products carefully prior to purchasing goods or services.
| Company | Website Address (URL) |
| Unix | |
| Windows 2000 | |
| Others | |
| www.nist.gov |
User Vigilance
There is no more effective security control than an informed, vigilant workforce. Computer systems are best at running repetitive tasks but people are much better at detecting the unusual.
Training and educating staff is perhaps the most cost-effective way of managing your information risks.