- Not Anymore, Continued
- Threats
- Known Vulnerabilities and Known Exploits
- Targeted Threats
- Critical Systems and Threats
- Countermeasures
- Regulatory Issues
- Technology
- A Word About the Long Term: IPv6
- The Organizational Security Posture
- What Parts of Constant Vigilance Should I Outsource?
- What to Keep
- Who to Seek
- You Have Just Charted a Course: Let's Set Sail
Countermeasures
Usually, for every threat there is a pretty effective countermeasure. Some countermeasures are built into your regular software and its patch regime. There are multiple third-party countermeasures that save you time and agony, and security technology is evolving on the hardware, software, systems, and managed services sides. It pays to have a policy in place that is designed to stay fresh on all fronts in an organized way. Moreover, you should consider how countermeasures can boost ROSI.
Instant messaging provides a handy object lesson in how countermeasures can provide ROSI. It also exposes a problem symptomatic of companies that do not yet practice constant vigilance. In any work environment, instant messaging can offer a handy mechanism for employee theft of intellectual property, enabling the attachment and sending of it wherever the employee wants. Moreover, it can be a huge time waster.
I have seen instant messaging at its worst, and I have worked with companies where it was used to make fun of management in real time during corporate conference calls. I have also seen employees send company-sensitive data to their home or to their friends because they knew that even though the corporate e-mail was monitored, there was no system in place to track instant messages.
On the flip side of such flagrant abuse, I have also run a global business where instant messaging was a critical time- and money-saving tool. With the time zones around the world, instant messaging is a cheap and easy way to get real-time information passed around the world. I had all my leadership teams use instant messaging at the office and at home so that they could be reached as needed. It was a lot cheaper than provisioning global Blackberrys to everyone, there was no training required, and it was deployable around the world within an hour of our decision to use it. People who say instant messages do not have a place in the office are probably the same ones (or their children) who told us that desktop PCs were just toys and would never become a workplace solution.
It is tough for a company's existing, global security system to track instant messaging, and because of this internal threat, an instant messaging backlash has persisted in many corporations. In many organizations, the technology group might see someone using instant messaging on a network port (say port 64) and think, "Ha! Shut it down." This is generally considered to be a solid practice. However, instant messaging has figured this out, and in response, it has installed a clickable option that asks users whether they would like to hunt down another available port in a network through which to get access. A user clicks, and instant messaging zooms up and down the company firewall, looking for a way in. When it finds one, previously closed "port 64" is dumped in favor of wide open "port 2048."
Taking it a step further, when the technology group discovers instant messaging operating on its new port, it might decide it is time to take an extreme countermeasure: it shuts down IM throughout the entire organization. Seems logical. However, in the current global business environment, this action could prove draconian. Remember, technology is supposed to enable productivity and enhance communication. In this instance, wouldn't it be great to let the right people use IM for the right reasons and stop the wrong people from using it for the wrong reasons?
Countermeasure constant vigilance ensures that you understand what innovations exist that can map back to your business requirements while delivering fiscally responsible solutions that reduce risk. In the case of our instant messaging dilemma, a countermeasure does exist. Developed by British-based HyperScape Security, netREPLAY is a tiny appliance that you attach to your network that enables you to track every system that is unscanned by your existing, major security systems. If netREPLAY finds anybody using instant messaging, it will lock on it and look for sensitive information being transmitted through it, automatically shutting off access should it detect suspicious activity. This small appliance will cost you a few thousand dollars. Over time, however, it could save you millions by allowing your organization to re-enable instant messaging and communicate in real time, increasing productivity and the bottom line.
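The behaviour the preceding paragraphs describe, a client that is blocked on one port and then walks the firewall looking for another opening, leaves a visible trace in ordinary firewall connection logs. The following Python example is added here for illustration; it is not netREPLAY's code, nor code from this book. It parses a few constructed log lines and flags any source host that is denied on several ports to the same destination within a short window and then gets through on a different port. The log format, the field names, the IP addresses, and the window and threshold values are all assumptions made for the example.

```python
"""Flag port-hopping behaviour in firewall connection logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic). Assumed format:
# <ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> proto=<proto>
SAMPLE_LOG = """\
2004-02-01T09:00:01 DENY src=10.1.5.23 dst=203.0.113.10 dport=64 proto=tcp
2004-02-01T09:00:02 DENY src=10.1.5.23 dst=203.0.113.10 dport=1024 proto=tcp
2004-02-01T09:00:02 DENY src=10.1.5.23 dst=203.0.113.10 dport=1025 proto=tcp
2004-02-01T09:00:03 DENY src=10.1.5.23 dst=203.0.113.10 dport=1026 proto=tcp
2004-02-01T09:00:03 ALLOW src=10.1.5.23 dst=203.0.113.10 dport=2048 proto=tcp
2004-02-01T09:00:10 ALLOW src=10.1.5.40 dst=198.51.100.7 dport=443 proto=tcp
2004-02-01T09:05:00 ALLOW src=10.1.5.40 dst=198.51.100.7 dport=443 proto=tcp
2004-02-01T09:07:00 DENY src=10.1.5.77 dst=203.0.113.10 dport=64 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def find_port_hopping(events, window_seconds=30, min_denied_ports=3):
    """Return one finding per (src, dst) pair that shows the hop pattern.

    Pattern: starting at a DENY, the same source is denied on at least
    `min_denied_ports` distinct ports to the same destination inside the
    window, then an ALLOW on yet another port follows (the "way in").
    """
    by_pair = defaultdict(list)
    for event in events:
        by_pair[(event["src"], event["dst"])].append(event)

    window = timedelta(seconds=window_seconds)
    findings = []
    for (src, dst), pair_events in by_pair.items():
        pair_events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(pair_events):
            if first["action"] != "DENY":
                continue
            denied_ports = []
            escaped_port = None
            for event in pair_events[i:]:
                if event["ts"] - first["ts"] > window:
                    break
                if event["action"] == "DENY":
                    if event["dport"] not in denied_ports:
                        denied_ports.append(event["dport"])
                elif denied_ports:
                    escaped_port = event["dport"]  # first ALLOW after the denies
                    break
            if len(denied_ports) >= min_denied_ports:
                findings.append({
                    "src": src,
                    "dst": dst,
                    "started": first["ts"].isoformat(),
                    "denied_ports": denied_ports,
                    "escaped_port": escaped_port,
                })
                break  # one finding per pair is enough to act on
    return findings


if __name__ == "__main__":
    for finding in find_port_hopping(parse_log(SAMPLE_LOG)):
        print(f"{finding['src']} -> {finding['dst']}: denied on "
              f"{finding['denied_ports']}, got through on {finding['escaped_port']}")
```

A single denied connection (the last line of the sample) is not reported, since one block is normal policy enforcement; it is the rapid run of denies followed by a success that marks a client hunting for an opening, and that is the event worth an alert or an automatic block rather than a blanket IM shutdown.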
External threats, those that originate outside the company, require another form of countermeasure vigilance. In February 2004, one such menace, the distributed denial-of-service attack (DDoS), afforded an effective contrast in constant vigilance related to external threats and their countermeasures. MyDoom was a targeted virus that carried a DDoS aimed at international software provider SCO Group, Inc. A variant known as MyDoom.b, bug-plagued but no less serious, carried the same attack to Microsoft. In late January, both companies braced for the storm and commented on their respective countermeasures in veiled, yet revealing terms.
SCO spokesperson Blake Stowell spoke to the technology tabloid eWeek: "Every security expert talking about this and the ones we are talking to say this is really real and needs to be taken seriously. This will probably be the biggest test our company has seen from the Web site standpoint ever."2
In the same article, a Microsoft spokesperson commented, "While [we are] unable to discuss the specific remedies [we] are taking to prevent the reported DDoS attack, we are doing everything we can to ensure that Microsoft properties remain fully available to our customers."3
On February 1, MyDoom slammed into SCO, and, according to eWeek, "The SCO Group Inc. confirmed that by midnight EST, a large-scale, DDoS (distributed denial-of-service) attack had rendered its Web site completely inaccessible."4 SCO.com was useless, and service interruptions began. The article continued, "SCO will not be defending itself against the attack though until Monday. Spokesperson Stowell explained, 'We don't expect many real site visitors on not only Sunday, but Super Bowl Sunday.' Stowell goes on, 'We have seen this coming and do have plans in place to address it on Monday morning. If Plan A doesn't work, we're ready with Plan B, and then with Plan C.'" It is important that plans not be created in real time or days before the threat, and SCO seemed to have been caught with its guard down.
Two days later, MyDoom.b careened into Microsoft. eWeek's lead read, "Microsoft Corp.'s main Web site showed no ill effects from the scheduled denial-of-service attack generated by computers infected with the MyDoom.b virus."5 The company would not reveal its countermeasure in the article, but its message? Microsoft hadn't sweated the attack. Somehow, it thoroughly understood the level to which it needed to be prepared for attacks of this nature. It had deployed the correct countermeasure to address MyDoom.b.
The suspense is killing you at this point. You want to know what I think the killer "anti-Doom" was. I will say that Microsoft, as a part of its global corporate security strategy, is a customer of, you guessed it, Akamai. When Microsoft chose Akamai to host some of its Web presence, it had done its homework. It knew that Akamai gets more than 30 billion hits a day and controls more than 10 percent of the Internet's traffic.
The SCO and Microsoft contrast underscores how your global security team must identify, evaluate, and apply new countermeasures that can keep you running smoothly and securely.