Are We Prepared for Cyber Armageddon?

Galen A. Grimes, Associate Professor of Information Sciences and Technology, [email protected]
Margaret L. Signorella, Professor of Psychology and Women's Studies, [email protected]
Penn State Greater Allegheny, McKeesport, PA 15132

Michael R. Bartolacci, Associate Professor of Information Sciences and Technology, [email protected]
Penn State Berks, Reading, PA 19610

Abstract

Have network administrators become frightened enough by the rash of cyber attacks to begin implementing routine risk assessments of their network infrastructures and digital assets (e.g., data, trade secrets, proprietary software, intellectual property, etc.)? Are network administrators aware of their levels of exposure to cyber attacks and of how effective their protection strategies are? In this study we are attempting to gather data from chief security officers and network administrators on what technical security measures they have implemented to protect their digital assets, what security policies they have initiated to support those practices, and how effective their strategies are in protecting those digital assets.

1. Introduction

Hardly a week goes by that we aren't bombarded with another frightening report of the latest brash cyber attack against U.S. government agencies and companies whose names have become almost household words: Google, T.J. Maxx, The Washington Post, the U.S. State Department, U.S. Department of Defense, U.S. Department of Commerce, Microsoft, Wal-Mart, etc. Threats of break-ins are already affecting computer security executives. A report issued in January by the Center for Strategic and International Studies and the computer security company McAfee, which surveyed 600 computer security professionals in 14 countries, found that half of the respondents believe they have already been attacked by intruders, most likely initiated by a hostile foreign government. [1]

This heightened concern is not merely paranoia. In a February meeting of the Senate Intelligence Committee, Dennis Blair, Director of National Intelligence, testified that "U.S. critical infrastructure is 'severely threatened' and called the recent cyber attack on Google a wake-up call to those who have not taken the problem seriously". [2] But the threat of impending cyber attacks is not limited to government targets in the U.S. Businesses in the U.S. are increasingly coming under attack: Max Kilger, a senior member of the non-profit research organization The Honeynet Project, told attendees at the SOURCE Boston 2010 conference in April that cybercriminals based in emerging countries are stepping up their attack methods, possibly by using cyber extortion to commit crimes against firms in the U.S. Similar tactics have already been documented in attacks on businesses in Russia, China and Eastern Europe. [3] Cyber attacks against utility infrastructures have already been documented. In November of 2009 the CBS News magazine show 60 Minutes aired a broadcast describing how malicious hackers disrupted the power supply of several cities in Brazil in 2005 and again in 2007. [4]

So how are U.S. businesses responding to these increasing cyber threats? Are they employing the needed technological defenses? Is it enough to merely employ technological defenses? Are U.S. businesses also utilizing risk management and risk assessments to gauge the effectiveness of their technological and policy defenses? In computer security, risk management is often defined as understanding the risks to your digital assets, the preparations you take to mitigate those risks, and your ongoing security strategy to keep those digital assets secure. Now that major security break-ins are the lead stories on the evening newscasts, even the average home computer user is aware of the need for security measures such as firewalls and anti-virus protection. Network security administrators, combating much greater threats than the average home computer user, must employ a host of technological defenses such as enterprise firewalls, screened subnets, bastion hosts, intrusion detection/prevention systems, and vulnerability scanners in their attempts to keep their networks secure. But how effective are their security efforts without the use of risk management?

2. Risk Management/Risk Assessment

Risk management can be defined as the process used to identify, analyze, and mitigate the risks to an organization's digital assets, and to provide strategies for sustaining the security of those assets. [5] Risk assessment involves the use of an evaluative and often functional methodology to assess the type and level of risks that an organization must mitigate. How many network administrators regularly conduct risk assessments to determine whether their digital assets are at risk from internal or external intruders, and from either intentional or accidental disclosure or destruction? While network administrators take great pains to protect their networks from intruders on the outside, they frequently ignore or are unaware of the advantages possessed by intruders on the inside:

    Insiders have a significant advantage over others who might want to harm an organization. Insiders can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion detection systems, and electronic building access systems are implemented primarily to defend against external threats. However, not only are insiders aware of the policies, procedures, and technology used in their organizations, but they are often also aware of their vulnerabilities, such as loosely enforced policies and procedures or exploitable technical flaws in networks or systems. [6]

Risk assessments can frequently uncover many of these insider advantages, especially when they exist in lax policies and procedures. Some of these insider advantages can include:

- Improperly set or improperly maintained Access Control Lists (ACLs)
- Lax password update procedures at help desks, which can allow social engineering
- Use of weak passwords and weak password policies
- Lack of, or improperly maintained, anti-virus software
- Easy physical access to file servers or server rooms
- Insecure wireless access points
- Failure to strictly monitor network access by outside contractors

3. The Risk Management Survey

We are attempting to ascertain to what extent risk management is utilized in organizations across the United States. We are attempting to survey more than 2000 businesses and non-profits, asking if they have ever conducted a formal risk assessment of their network environment and digital assets. For those organizations that have conducted a risk assessment we will be looking to see why they conducted the assessment, how frequently they have conducted them, and whether the assessment uncovered any serious vulnerabilities. For those organizations that have not conducted an assessment we would like to know why. Do they believe their network is secure and that an assessment is not necessary? Do they not have the time or expertise? Or have they not done an assessment because it is not mandated by law? Regardless of whether they have ever done an assessment, we would like to know if they have ever done penetration testing on their network to test the effectiveness of their defenses. Finally, we want to know the extent of their internal security measures, again regardless of whether the organization conducts risk assessments. We want to know which of the following recommended procedures and practices they have implemented:

- Do they have strict Access Control Lists (ACLs), and who can approve changes/upgrades in resource permissions?
- How much authentication do they require before their help desk staff will reset a password?
- Do they perform daily backups (full or incremental) on all file servers, and do they utilize offsite storage?
- Do they require users to utilize complex passwords; how frequently are users required to change passwords; how often can a previous password be reused?
- Do they have anti-virus software installed on all users' computers and on all file servers; how frequently do they update anti-virus definitions?
- Are laptops equipped with software to encrypt the hard drives to prevent loss of data in the event of loss or theft?
- Do they have policies that restrict the access, use, and location of confidential data?
- Do they restrict user access to websites that are only business related?
- Are all file servers located in a server room which has restricted access?
- Are users only permitted to use the company email system for business-related correspondence?
- Do they provide educational resources to make sure their users are aware of the dangers of email spam and the potential dangers associated with email attachments that might contain malware?
- Do they filter spam either at the network gateway, at the email server, or on the desktop?
- Do they have secure wireless access to the network, either through the use of VPNs or the use of wireless encryption (either WPA or WPA2, not WEP)?
- Do they promptly disable/delete user accounts of employees who leave the company/organization, whether voluntarily or because they are terminated?
- Do they strictly control and monitor access to the network by contractors to make sure they adhere to the network usage policies, to avoid the accidental introduction of malware onto the network?

Once this information is obtained we hope to have a better picture of the security posture of American organizations and of how seriously they are preparing for possible incursions into their networks and disruption of their digital assets.

References

[1] Markoff, J., Study Finds Growing Fear of Cyberattacks, New York Times, January 28, 2010.
[2] Claburn, T., U.S. 'Severely Threatened' by Cyber Attacks, Government Information Week, February 2, 2010.
[3] Westervelt, R., Security expert predicts criminals to take cyber extortion tactics to the U.S., SearchSecurity.Com, April 27, 2010.
[4] Messick, G. (producer), Sabotaging the System, CBS News – 60 Minutes, November 8, 2009, http://www.cbsnews.com/video/watch/?id=5578986n&tag=related;photovideo.
[5] Alberts, C., Dorofee, A., Managing Information Security Risks: The OCTAVE Approach, Addison-Wesley, 2002.
[6] Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T.J., "Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition – Version 3.1", Software Engineering Institute – CERT, www.cert.org/insider_threat, January 2009.
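The password items on the section 3 checklist (complexity, forced rotation interval, and how soon a previous password may be reused) are the ones an organization can enforce mechanically rather than by policy alone. The following Python is an added illustration of such enforcement; it is not code from the paper or its authors, and the policy values (12 characters, three character classes, 90-day rotation, ten-password history) and the sample user record are assumptions constructed for the example. Previous passwords are kept only as salted PBKDF2 digests, so a reuse check never requires storing old passwords in cleartext.

```python
"""Password-policy checks for three survey items: complexity, rotation, reuse.
Added illustration, not part of the paper; all policy values are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Iteration count kept modest so the example runs quickly; a production
# deployment would use a far higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 50_000
SAMPLE_TODAY = date(2010, 6, 1)   # constructed "current date" for the sample


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); history entries are stored this way, never as cleartext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class PasswordPolicy:
    min_length: int = 12        # assumed values; tune to the organisation's policy
    min_char_classes: int = 3   # of: lowercase, uppercase, digit, symbol
    max_age_days: int = 90      # forced rotation interval
    history_depth: int = 10     # how many previous passwords may not be reused


@dataclass
class UserPasswordRecord:
    last_changed: date
    history: list = field(default_factory=list)   # (salt, digest) pairs, oldest first


CHAR_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Length and character-class checks; returns a list of violated rules."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    present = sum(1 for rx in CHAR_CLASSES.values() if rx.search(password))
    if present < policy.min_char_classes:
        reasons.append(f"uses {present} character classes, policy requires {policy.min_char_classes}")
    return reasons


def password_expired(record: UserPasswordRecord, policy: PasswordPolicy, today: date) -> bool:
    """True when the current password is older than the rotation interval."""
    return today - record.last_changed > timedelta(days=policy.max_age_days)


def evaluate_change(record: UserPasswordRecord, new_password: str,
                    policy: PasswordPolicy) -> list[str]:
    """Reasons a proposed new password is rejected; an empty list means accepted."""
    reasons = complexity_violations(new_password, policy)
    recent = record.history[-policy.history_depth:]
    if any(matches(new_password, salt, digest) for salt, digest in recent):
        reasons.append(f"matches one of the last {policy.history_depth} passwords")
    return reasons


def apply_change(record: UserPasswordRecord, new_password: str,
                 policy: PasswordPolicy, today: date) -> None:
    """Commit an accepted change: append to history (bounded) and reset the change date."""
    record.history.append(hash_password(new_password))
    record.history = record.history[-policy.history_depth:]
    record.last_changed = today


def build_sample_record() -> UserPasswordRecord:
    """Constructed sample user: two previous passwords, last changed 120 days ago."""
    rec = UserPasswordRecord(last_changed=SAMPLE_TODAY - timedelta(days=120))
    for old in ("Autumn-Leaves-2009", "Winter-Frost-2010"):
        rec.history.append(hash_password(old))
    return rec


if __name__ == "__main__":
    policy = PasswordPolicy()
    rec = build_sample_record()
    print("expired:", password_expired(rec, policy, SAMPLE_TODAY))
    for candidate in ("Winter-Frost-2010", "password", "Spring-Bloom-2010!"):
        print(candidate, "->", evaluate_change(rec, candidate, policy) or "accepted")
```

Run as a script, the sample user is reported as expired (120 days against a 90-day interval), a reused previous password is rejected by the history check, a short single-class password is rejected on both complexity rules, and a fresh compliant password is accepted. The history depth is the survey's "how often can a previous password be reused" item expressed as a bound on stored digests rather than on time.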