Abstract - UMSL



IT Security

Prepared by:

James Mote

Julie Schmitz

Jason Tice

Information Systems 6800

December 9, 2004

Dr. Mary Lacity

Executive Summary

In today’s fast-paced technology world, IT security has proven to be one of the greatest challenges facing companies and the government. Before September 11, 2001, IT security was something every firm possessed but rarely used to its fullest extent. After September 11, 2001, the face of technology changed and tremendous pressure was put on the IT security of companies around the world. IT security budgets, teams, and vision changed dramatically as the security of every firm in the country was challenged. IT security spending has also been rising in recent years because of the higher levels of security demanded by companies. On average in 2003, companies spent over $1 million on IT security,[1] roughly 10 percent of a firm’s total IT budget.[2] Set against these large budgets are the costs of IT security breaches. In a study conducted in early 2004, the projected losses due to technology and security attacks amounted to roughly $141 billion, with denial of service attacks accounting for the largest portion at $26 million.[3] These staggering figures weigh heaviest on companies with poor IT security.

Two very different firms were examined in depth for this paper: Human Resources Command – St. Louis (HRC) and Financing. They displayed typical trends and offered insight into how companies in the US have developed IT security after 9/11. Financing’s legal name was withheld at the company’s request so as not to violate its confidentiality agreement. The two firms differ in many ways, including their IT security. For example, HRC is a government agency with stiff regulations regarding IT security, and it would not answer many of the questions posed to it, strictly because it is a government entity. Financing, on the other hand, was willing to address most questions about IT security in great detail. Despite this shortcoming in information, both firms had solid IT security policies, and each challenged the notion of being well prepared for all IT security threats. At HRC the greatest threat was not knowing what attacks could occur; at Financing, a proactive approach was taken to prevent attacks before they could occur. Overall, the two entities practiced many similar and superior IT security measures.

Numerous IT security best practices arose from both the research and the two case studies. At HRC, strong password policies and firewalls configured to block access to illegal sites were implemented to increase technology security. In addition, a formal procedure was established to ensure that all personnel follow proper measures regarding network functions. A proven virus protection application was installed on all computers and servers, and professional audits were conducted so that IT security was constantly verified and kept up to date. At Financing, similar practices arose, including strong password policies with regular password changes, monitoring of Internet access on particular workstations, and proactive security provisions. Financing also brought in a third-party expert to evaluate system security, and it maintains complete system logs to facilitate recovery and backups. The researched literature named several additional best practices, including spending more, defining an overarching security architecture, and establishing a comprehensive risk assessment process. In all, the best practices adopted at the entities studied allowed for an increased level of IT security.

What is IT Security?

The Security and Privacy Research Center defines IT security as “the process of protecting data from accidental or intentional misuse by persons inside or outside of an organization. Although information security is by no means strictly a technical problem, its technical aspects (firewalls, encryption and the like) are important. Information security is an increasingly high-profile problem, as hackers take advantage of the fact that organizations are opening parts of their systems to employees, customers and other businesses via the Internet.”[4] From this broad definition, several different security issues emerge. Hackers, crackers, firewalls, social engineering, and password cracking all figure prominently in the IT security world.

Hackers, in the truest sense of the term, are people who enjoy exploring the details of programmable systems and how to stretch their capabilities. True hackers seek out weaknesses in programs and publish their findings. Many companies hire hackers for the sole purpose of finding vulnerabilities in computer applications before an outsider can exploit them. A cracker, on the other hand, is a hacker who uses a weakness found in an application or system software to exploit it. Crackers break the security of a target computer system and never disclose their findings, except to other crackers.[5] Crackers can wreak havoc on the systems of firms with genuine vulnerabilities, costing those firms large sums of money.

Social engineering is a term focused on the human part of a system. A system consists of three parts: the hardware, the software, and the people. Of these three, the human part is the easiest to manipulate into causing a security breach, and it is the weakest link in any security system. Because of this, crackers prey on the people within a system.[6]

A denial of service (DoS) attack prevents users from using a computer service or application. One type of DoS attack involves continually sending phony, yet authenticated, messages to a targeted server, keeping it constantly busy and locking out legitimate users. Such attacks are used specifically to disrupt the normal flow of information through the modification or destruction of data. A password attack, or password cracking, is an attempt to discover a user’s password, usually through the use of an easily created program that repeatedly tries common passwords against an account in order to log into a computer system. Because password cracking programs are freely available via the Internet, many companies enforce strict password policies, including requiring both numbers and letters and regular password changes.[7]

A Trojan is another IT security nightmare. Trojans are malicious files masquerading as harmless software upgrades, programs, help files, screen savers, pornography, and so on. When the user opens an affected file, the Trojan horse runs in the background and can damage the computer system or the applications running on it. A virus is a program that replicates itself without being asked to; it usually copies itself to other computers or disks, creating a cycle of infection from one system to the next.[8] Viruses such as the Melissa and Love viruses are huge threats to companies in both monetary and security terms.[9]

Antivirus tools were developed to counteract the growing threat posed by viruses and Trojans. These tools run at the desktop or server level to halt and eliminate viruses and to recover data they have damaged.[10] Despite these extensive measures against malicious code, some viruses slip through the antivirus software, so companies always attempt to enforce strict, up-to-date virus policies.

IT Security Trends

Because there is a growing need for increased IT security, several trends, or “mega-trends,”[11] have developed to foster this growth. From online crime to worker mobility, there are several areas for improvement. As companies move toward an online storefront for many computer applications, many new high-technology developments are being created. According to Dan Blum of the Burton Group (an IT advisory and service firm), an “increase in online crime, compliance issues, worker mobility, service-oriented architecture (SOA) and open source technologies”[12] are among the trends the IT security industry currently faces. Online hackers cause tremendous fear among companies that rely heavily on online technology, and the idea of a complete attack on the entire online world is on the minds of many CIOs. The Burton Group believes that an all-out attack of malicious code is plausible, since vulnerability is trending upward. Compliance issues are also a growing trend in the IT security department: many companies do not have a security compliance database with which to target challenges universally, and in the online world that so many companies rely on, the Burton Group sees a trend toward compliance regulations for all companies to follow. Because workers can be more mobile than ever and essentially work from any remote location, the notion of a more secure wireless protection policy is arising in IT security. With mobile workers come more threats to applications that use the Internet.[13]

On the other hand, Greg Holliday, Regional Director of Security at Crescent Real Estate Equities Ltd., believes that a more universal and compatible security management trend is developing and demanding more united controls on security.[14] "The biggest trend here at the show is how computers and IT as a whole are improving the delivery of security services,” says Holliday.[15]

Outsourcing core activities has become more prevalent than ever, and many firms have jumped on the bandwagon and outsourced security as well. Jay Heiser of the advisory group TruSecure believes that as more and more companies outsource, they will continue to outsource more of their core activities, including IT security. Matthew Kovar of the Yankee Group sees outsourcing of security rising to 90 percent by 2010. In an effort to free resources to foster growth, many companies will outsource more and more of their IT security to specialists overseas.[16] Although many firms believe they might lose the benefit of using their own staff for IT security, that concern is outweighed by replacing expensive assets with cheaper costs overseas.[17] Because outsourcing is becoming a more widely used approach, there is a lot of room for development in this area, and IT security will play a major role in its growth.

Budgets and IT Security

According to Dr. Mary Lacity, on average a firm spends 5 percent of revenues on information technology.[18] IT security is a large portion of that total IT budget: over 10 percent of a company’s IT budget went toward security in 2003, an 8 percent increase from the previous year.[19] According to CSO magazine’s Security Sensor survey, customer confidence was the main driver of the increase in security budgets, along with government regulations and compliance.[20] Because IT security has traditionally been a spin-off of the overall IT budget, a completely new idea has emerged: creating a specific budget guaranteed for IT security. With this notion comes the suggestion that top executives, not just the IT department, be in charge of IT security as a whole.[21]

Counteracting the trend of increased IT security budgets is the idea of allocating a portion of the budget strictly to keeping current systems and hardware from breaking. Because so many CIOs cannot justify IT spending to corporate leaders, they have to use their budgets carefully. Security spending can follow two different approaches: spending the bare minimum to prevent IT security breaches, or spending according to what will deliver the greatest return on the security investment. At the bare minimum level, the budget should allow for sufficient firewall and antivirus tools. The problem with both approaches is that the technology or IT security department must justify the intangible outcomes of spending money on security to upper management.[22]

According to CIO Magazine’s survey on the State of Information Security, the average IT budget in 2003 in North America was $461 billion, of which the average IT security portion was over $1 million. The survey, by CIO Magazine and PricewaterhouseCoopers, drew on over 7,500 upper-level CXOs in a wide range of industries, from computer-related businesses to healthcare. Respondents reported an average of 40 security incidents in the previous 12 months and an average of 20 hours of downtime as a result of those incidents, and over $100,000 in losses was incurred for each security breach.[23]

CIO Magazine also conducted a 2004 Global Information Security Survey to uncover the truth about IT and security spending. The survey included remarks from over 8,100 respondents in 62 countries, and several IT security themes emerged from the data. Most notable was flat security spending in 2004; because spending on security stagnated, the number of breaches increased over the past year. Although less money was spent on security and breaches increased, the number of hours of downtime caused by threats, and their associated costs, decreased. US respondents reported spending less than 9 percent of their IT budgets on security, while the global average was 11 percent.[24] According to the survey, biotech/biomedical, computer manufacturing, and Internet/new media firms spent the largest share of their IT budgets on security, while metals/natural resources spent the least. Surprisingly, nonprofit organizations spent the second most per capita, only $139 less than Internet/new media and $170 more than electronics firms.

On the other side of security budgets lies the outcome of a security breach. While spending more on security will not guarantee absolute security within a system, it will reduce the chances of losing revenue to a technology attack, and it minimizes the public embarrassment of an attack. According to the CSI/FBI Computer Crime and Security Survey conducted in 2004, the total loss due to security and technology attacks was $141 billion. The largest financial losses came from denial of service attacks, theft of proprietary information, insider Net abuse, and abuse of wireless networks. The survey was administered to nearly 500 computer security practitioners, but the figures reflect only the 269 who released financial figures. In all, security prevention can reduce these astounding figures in future years.[25]

As more and more IT budgets allocate money to IT security, justifying how much money is scheduled for security is a growing challenge. Companies are moving away from evaluating security budgets based on past security breaches toward more practical approaches such as potential liability or exposure, regulatory requirements, and industry trends. Although this is an emerging phenomenon, 40 percent of companies still tie the justification of their security budget to the crucial and expensive impact of a security breach.[26]

Risk mitigation goes hand in hand with IT security budgets and may be the greatest tool for preventing security from becoming a liability to a company. From the end user perspective, human knowledge may be the weakest link in a company’s IT security. According to Greg Garcia, vice president of the Information Technology Association of America, “true cyber security is a function of people, process and technology, and if any aspect is lacking, you can’t have good security.”[27]

Best Practices

In terms of best practices and recommendations for companies in the technology world, many companies are “doing the right thing” and many are “doing the thing right.” The 2004 Global Information Security Survey conducted by CIO Magazine described several best practices drawn from an elite group of respondents. This “Best Practices Group,” with average IT security budgets and fewer dollars spent on security mishaps, expressed confidence in their firms’ security.[28] The “Confidence Correlation” proposed in the 2003 survey[29] became more definite with the results of the 2004 survey: the more confident a company was in its security, the more secure the company was. Although this elite group of firms encountered more security breaches, the breaches caused less monetary damage and fewer hours of downtime.[30] Not only has confidence increased since 2003, there has been an upward trend since March 2001 according to Information Week.[31]

[figure omitted][32]

From the Best Practices Group, a virtuous cycle emerged. The cycle stems from devoting more staff, spending more, measuring effectiveness, integrating information security with physical security, employing people more likely to comply with policies, and belief in management.[33]

[figure omitted][34]

The survey concluded with six secrets that other companies should adopt in order to become more confident about security and follow the virtuous cycle to improve IT security as a whole. The following measures and practices were prevalent in each of the Best Practices companies: spend more, separate information security from IT, conduct a penetration test, create a comprehensive risk assessment process, define an overall security architecture, and establish a quarterly review process.[35]

Overall, the Best Practices Group was well prepared for most, if not all, security breaches. As previously stated, IT security incidents were up, but the cost and downtime associated with them fell over the past year. This may be due to the human management side of security. Many CIOs and IT managers are aware of the security threats posed in today’s technology-savvy world and can anticipate the problems that arise; CIOs are becoming more knowledgeable at managing and mitigating IT security incidents and risks. Two security practices that stood out in the improving management of security threats were improved disaster recovery combined with incident planning, and end user knowledge. Together these practices proved to minimize the damage a security breach causes a firm.[36]

[figure omitted][37]

Government Regulation Regarding IT Security

In light of the accounting scandals at Enron, WorldCom, and others, federal legislation was passed requiring formal documentation of all processes where securities are exchanged. Additionally, process documentation must be audited annually to ensure it remains current, and major changes to business processes, including IT security, may require more auditing. This regulation, the Sarbanes-Oxley Act or SOX for short, was enacted in 2002.

Several compliance issues developed regarding SOX, with both positive and negative consequences for the companies that must follow the regulations. Because SOX is federal law, it helps companies avoid legal action for mishaps. It also deters corporate fraud, which further ensures overall economic stability and improves public and shareholder image. On the other side of the regulation are several small disadvantages. Because complying with SOX is time consuming, additional auditing tasks are required, increasing the workload for existing resources. With this come additional auditing costs and slower product delivery. On the face of it, SOX becomes something of a nuisance to incorporate into IT security; on the other hand, it drives corporate America to be better aware of IT security and other business aspects.[38]

Case Study: Human Resources Command- St. Louis

The Human Resources Command- St. Louis is a government agency dedicated to supporting the Human Resources Life Cycle for the Army. With over 1.5 million customers, the HRC workforce comprises roughly 65 percent civilians, 30 percent Active Guard-Reserve soldiers, and 5 percent Active Component soldiers. Of the military workforce, most officers are Majors and most non-commissioned officers are Sergeants First Class. HRC is located in a 65-acre facility in central St. Louis County. It is headquartered in Alexandria, VA, with the Enlistment Records and Evaluation Center in a facility in Indianapolis, IN. An interview was conducted with HRC’s Information Assurance Officer in October 2004 to collect information about the agency.

HRC was first established in 1944 at 4300 Goodfellow Avenue and was first known as the Demobilized Personnel Records Branch. This organization was designated to store and manage the records of all active service members transitioning back to civilian life after World War II. In 1956, HRC moved to its present location off of 9700 Page Avenue. In 1971, the Reserve Component Personnel Center at Fort Benjamin Harrison merged with the St. Louis Center. In 1985, the Army Reserve Personnel Center, or ARPERCEN, was formed to serve both current and retired Army Reserve soldiers.

After a formal activation and reorganization in October of 2003, HRC was formed as a coupling of the U.S. Army Reserve Personnel Command and the US Total Army Personnel Command. The main focus of HRC is to reduce the layers of personnel within the Army and create a better working environment for the Army. The vision of HRC in general is to

“integrate and coordinate military personnel systems to develop and optimize the utilization of the Army's human resources in peace and war. HRC also performs all personnel management functions for the distribution, development, retention and transition of active duty soldiers, mobilized Reserve component soldiers, and those on extended tours of active duty, temporary tours of active duty, or retired recalled to active duty.”[39]

HRC’s main focus is the human resources arena for the US Army. HRC is responsible for aiding new recruits, current reservists, and active soldiers within the St. Louis area. HRC handles the human resources aspect of the Army, including mobilization, demobilization, AGR (active guard reserve), career guidance, and retirement. The abundance of information that passes through HRC is most notably due to the fact that many soldiers use the agency for guidance within the Army. HRC is responsible for these soldiers and for the procedures, such as security clearances, and requirements that all soldiers must abide by.

In military terms, IT Security is associated with Information Assurance. Information Assurance is:

“the protection of systems and information in storage, processing, or transit from unauthorized access or modification; denial of service to unauthorized users; or the provision of service to authorized users. It also includes those measures necessary to detect, document, and counter such threats. Army Regulation 25-2 designates Information Assurance as the security discipline that encompasses communication security, information security and control of compromising emanations.”[40]

The Information Assurance Office hierarchy is as follows:

[organization chart omitted]

The Information Assurance Office provides centralized information assurance management and controls security administration support to Human Resources Command (HRC) St. Louis. The Information Assurance Manager is responsible for overall IT security, while the Master Sergeant verifies security clearances, conducts training, and approves or disapproves new account requests. The Captain, or Assistant Information Assurance Manager, currently drafts and submits all security policies. Four General Service (GS) grade civilian workers are assigned to this office and perform various tasks in support of the Information Assurance Manager: one is a GS-13, one a GS-12, and two are GS-11s. The GS-13 updates security patches and ensures Army Computer Emergency Response Team (ACERT) compliance. The ACERT conducts and synchronizes operations across the computer network in support of the U.S. Army to ensure the availability, integrity, and confidentiality of the information and information systems used by commanders worldwide. The GS-12 is responsible for the system security authorization agreement and networthiness certification. Networthiness certification includes a myriad of tasks on a fourteen-page checklist; after all tasks on the checklist have been completed, a network test is conducted to confirm certification, and the test results are forwarded to higher headquarters to show that compliance has been completed. One GS-11 is responsible for computer forensics investigations and assists with system updates and security patches. The other GS-11 is responsible for semi-annual training of all employees, verifying security clearances, processing new account requests, and assisting in computer forensics investigations.


In order to gain system access, all military personnel and some civilians, depending on their assigned position and/or grade, must have a security clearance. Civilians who do not hold a security clearance must have a National Agency Check (NAC). At a minimum, all employees must have a pending clearance or pending NAC prior to gaining system access.

Four common end user problems were identified:

1) Pornography sharing, which includes not only viewing illicit materials but also transferring them via e-mail.
2) Running businesses on government time. Some civilians and military personnel at HRC have used government computers and e-mail accounts for personal business.
3) Unauthorized use of illegal software, from instant messaging services to online games. Illegal software is defined as any program loaded by the end user that was not on the workstation when it was originally installed.
4) Sharing of logons and passwords between employees.

Although these problems do exist, they occur among only a small number of employees. These violations are not widespread and are not found to occur on a daily basis. Each of the practices listed above is unacceptable at HRC.

The five main IT security concerns at HRC are as follows: 1) information security training, 2) purchasing automation equipment without proper authorization, 3) leaving computers on 24/7, 4) having a qualified Information Assurance Manager who complies with all rules and regulations, and 5) working knowledge of the system architecture and operating system. Keeping all end users and employees abreast of the latest threats is a top priority of the Information Assurance Office. Personnel within large commands have their own budgets, and although it is rare, there have been occasions where new computer equipment was purchased and set up for use without prior coordination with Information Assurance personnel to get the equipment approved for use on the network. End users who leave computers on at the end of the work day without logging off prevent periodic system updates from taking full effect on their systems. Having a proactive Information Assurance Manager to enforce all rules and regulations is the key to having the best IT security program; an Information Assurance Manager who is not proactive is a potential threat in itself and could produce catastrophic results. The last concern is knowledge: anyone with working knowledge of the system architecture and operating system can be considered a potential threat.

The computer security model used at HRC is the Bell-LaPadula Model. It was developed by the U.S. military in the late 1970s and is known as a multi-level security system. This model is one of the earliest and most famous computer security models that provide a framework for handling data of different classifications. The model consists of a set of subjects, a set of objects, and an access control matrix. Whether any interaction between a subject and an object is permitted depends on their individual security levels. There are usually four security levels, (unclassified ................
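The Bell-LaPadula mechanics the paragraph above describes, as an added example that is not part of the paper or of HRC's systems: subjects and objects carry security levels, a discretionary access control matrix lists granted modes, and the two mandatory rules (no read up, no write down) decide on top of it. Only "unclassified" is named on the page; the other three level names and the sample subjects and documents are assumptions.

```python
# Added example (not from the paper or HRC): a small Bell-LaPadula reference
# monitor. Level names other than "unclassified", and the sample subjects and
# documents in demo(), are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Linear ordering of clearance/classification levels, lowest first (assumed).
LEVELS = ("unclassified", "confidential", "secret", "top secret")
RANK = {name: rank for rank, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str  # one of LEVELS


@dataclass(frozen=True)
class Document:
    name: str
    classification: str  # one of LEVELS


class BellLaPadula:
    """Mandatory checks (no read up, no write down) layered on top of a
    discretionary access control matrix, as the model prescribes."""

    def __init__(self) -> None:
        # (subject name, document name) -> modes granted, e.g. {"read", "write"}
        self.matrix: Dict[Tuple[str, str], FrozenSet[str]] = {}

    def grant(self, subject: Subject, document: Document, *modes: str) -> None:
        key = (subject.name, document.name)
        self.matrix[key] = self.matrix.get(key, frozenset()) | frozenset(modes)

    def check(self, subject: Subject, document: Document, mode: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Every denial names the rule that fired,
        which is what an audit log of a reference monitor should record."""
        if mode not in ("read", "write"):
            raise ValueError(f"unknown access mode: {mode!r}")
        if subject.clearance not in RANK or document.classification not in RANK:
            raise ValueError("unknown security level")
        # 1. Discretionary: the access control matrix must list the mode.
        granted = self.matrix.get((subject.name, document.name), frozenset())
        if mode not in granted:
            return False, "denied: not granted in the access control matrix"
        s_level = RANK[subject.clearance]
        o_level = RANK[document.classification]
        # 2. Simple security property: a subject may not read above its clearance.
        if mode == "read" and s_level < o_level:
            return False, "denied: simple security property (no read up)"
        # 3. *-property: a subject may not write below its clearance, since that
        #    could copy higher-classified data into a lower-classified document.
        if mode == "write" and s_level > o_level:
            return False, "denied: *-property (no write down)"
        return True, "allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a 'secret' analyst, an 'unclassified' clerk,
    and three documents at different levels."""
    monitor = BellLaPadula()
    analyst = Subject("analyst", "secret")
    clerk = Subject("clerk", "unclassified")
    roster = Document("roster", "unclassified")
    orders = Document("orders", "secret")
    plan = Document("plan", "top secret")
    for doc in (roster, orders, plan):
        monitor.grant(analyst, doc, "read", "write")  # DAC allows everything
    monitor.grant(clerk, roster, "read")
    return {
        "analyst reads roster": monitor.check(analyst, roster, "read"),
        "analyst writes roster": monitor.check(analyst, roster, "write"),
        "analyst reads orders": monitor.check(analyst, orders, "read"),
        "analyst reads plan": monitor.check(analyst, plan, "read"),
        "analyst writes plan": monitor.check(analyst, plan, "write"),  # write up is allowed
        "clerk reads orders": monitor.check(clerk, orders, "read"),  # no DAC grant
    }


if __name__ == "__main__":
    for action, (ok, why) in demo().items():
        print(f"{action:24s} -> {why}")
```

Note that the analyst is allowed to write the top secret plan but not to read it: Bell-LaPadula protects confidentiality only, so "blind" writes upward pass while reads upward and writes downward are refused.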
