Maxwell's Demon: - Tata Power

Preparing Tata Power for the Coming Information Security Challenge

Shrikant H. Agarwal

TATA POWER

March 2004

Information Technology Division

Tata Power Company Ltd.


Preparing Tata Power for the Coming Information Security Challenge

Executive Summary

Information in today's world is undeniably becoming our greatest asset. As the world becomes more and more networked and dependence on online information increases, threats to information increase as well, making the keepers of information "perpetual defenders".

This report discusses threats to information, threat agents, information security concepts, InfoSec standards, InfoSec benchmarks, Tata Power's InfoSec standing, and areas of concern for improving its Information Security Index. We also discuss Tata Power's SMI (Security Management Index) rating as measured by the online test offered by humanfirewall.org, an independent benchmarking council, whose test is based on the ISO 17799 InfoSec standard.

SHA


Section I: Information Value and Security

The Value of Information

The value of information [1] cannot be overstated in today's world. Information exists in many forms: technical know-how, best practices, trade secrets, inventions, financial and business plans, project designs, project proposals, an opponent's moves, and so on. Information saves time, assists quick decision making, saves money, improves quality and improves customer satisfaction. Strategic knowledge and information can alter the course of a business and the fates of nations and civilizations.

Today we live in a world heavily dependent upon information. In stock markets, large amounts of money can be made by using information, or lost through bad information. Administrators, rulers and governments have always depended upon information from spies to gain the upper hand in war and in ruling the country. Similarly, competitors' secrets, plans and practices have always been eyed with great interest.

Today, computers are undeniably the storehouse of all our information. It is also well known that the power of information grows as a power law as connectivity and the number of legitimate users increase. Therefore the keepers of information create and extend networks so that more and more users can access the information. On the other hand, as a result, better connectivity attracts illegitimate users as well.

[1] Value of Information: In 1871 the British physicist James Clerk Maxwell proposed that a being able to measure the microscopic parameters of a physical system and act on them might be able to violate the second law of thermodynamics. This famous thought experiment raised important questions about the nature of entropy, and the hypothetical being later became known as "Maxwell's Demon". The thought experiment runs as follows. Imagine a closed, insulated vessel filled with gas and divided into two compartments, A and B, connected by a frictionless trapdoor that can be opened and closed without expending any energy. Imagine a hypothetical intelligent creature (the Demon) sitting at the door who can watch the gas molecules and "know" or measure each molecule's velocity. Let the gas start at equal temperature and pressure in both compartments. The Demon opens the door only when a molecule faster than a chosen threshold approaches from A, letting it pass into B, and only when a molecule slower than the threshold approaches from B, letting it pass into A; every other molecule is bounced back. As time goes by, B fills with hot, high-pressure gas and A with cool, low-pressure gas. No energy has been created, so the law of conservation of energy is not violated, but entropy has decreased without any work being done, which contradicts the second law of thermodynamics. The pressure and temperature difference could then be used to drive an engine. Information about the molecular velocities would thus, apparently, yield a perpetual source of energy: an advantage obtained from information alone. (The accepted resolution, due to Szilard, Landauer and Bennett, is that the Demon's measurements and, above all, the erasure of its memory of them carry a thermodynamic cost at least as large as the entropy it removes. Obtaining and handling information is never free.)

Information Security Principles, Trust, Risks

Security is about well-being (integrity) and about protecting property or interests from intrusion, theft or wire-tapping (privacy: the right to keep a secret can itself be stolen). In order to be "secure" in a hostile environment, we need to restrict access to our assets. In order to grant access to a few, we need to know whom we can trust, and we need to verify the credentials (authenticate) of those we allow to come near us and our assets. Information security is basically a function of the following:

Confidentiality/Privacy – This is the ability to keep things (information) private/confidential

Trust – Whom to trust and whom not to. Do we trust data from an individual or a host? Trust is highly relative and subjective. The meaning of security lies in trust: every security problem ultimately boils down to a question of trust!

Risk – There is risk involved in everything; a certain level of residual risk must always be accepted.

Authenticity – Is someone the same who he/she claims to be? Are security credentials in order? Are we talking to whom we think we are talking to?

Integrity – How correct and pure is the information. Has the system been compromised/altered already?

Non-repudiation - This means that it should not be possible for users to deny or repudiate actions carried out (hide their tracks). This gives one the possibility of monitoring and even punishing those responsible for criminal actions. It is about preserving the integrity of evidence, or forensic tracks laid by attackers.
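The three key-dependent properties above (authenticity, integrity and non-repudiation) are easy to confuse, so here is an added example, written for this edit and not part of the original report, that shows the difference in working Go. A message authentication code (HMAC-SHA256 under a key shared by sender and receiver) lets the receiver detect alteration and reject tags made under another key, but because the receiver holds the same key it can mint a valid tag for a message the sender never approved, so it cannot prove to a third party who wrote the message. A digital signature (Ed25519) ties the message to the sole holder of a private key, which is what non-repudiation requires. The purchase-order messages and all key material are constructed for the example; the function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample records (not from the report): the message the sender
// actually approved, and an altered version an adversary would prefer.
const genuineMsg = "Approve purchase order PO-0042 for 2,50,000 INR"
const alteredMsg = "Approve purchase order PO-0042 for 25,00,000 INR"

// ComputeMAC returns an HMAC-SHA256 tag over msg under a key shared by
// sender and receiver.
func ComputeMAC(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// VerifyMAC recomputes the tag and compares in constant time, so a
// mismatch reveals nothing about where the tags differ.
func VerifyMAC(key []byte, msg string, tag []byte) bool {
	return hmac.Equal(tag, ComputeMAC(key, msg))
}

// Outcome records each check so callers can inspect results rather than
// rely on printed output.
type Outcome struct {
	MACGenuine        bool // receiver accepts the sender's tag on the genuine message
	MACTampered       bool // tag accepted after the message is altered (integrity: must be false)
	MACWrongKey       bool // tag accepted under an unrelated key (authenticity: must be false)
	MACReceiverForges bool // receiver, holding the shared key, mints a valid tag for alteredMsg (true: no non-repudiation)
	SigGenuine        bool // sender's signature verifies under the sender's public key
	SigTampered       bool // signature verifies on the altered message (must be false)
	SigReceiverForges bool // signature made with some other private key verifies under the sender's public key (must be false)
}

// Run exercises the MAC and signature checks and returns what each one said.
func Run() (Outcome, error) {
	var out Outcome

	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		return out, err
	}
	otherKey := make([]byte, 32)
	if _, err := rand.Read(otherKey); err != nil {
		return out, err
	}

	// Sender tags the genuine message; receiver verifies it.
	tag := ComputeMAC(sharedKey, genuineMsg)
	out.MACGenuine = VerifyMAC(sharedKey, genuineMsg, tag)
	out.MACTampered = VerifyMAC(sharedKey, alteredMsg, tag)
	out.MACWrongKey = VerifyMAC(otherKey, genuineMsg, tag)

	// The receiver holds sharedKey as well, so nothing stops it from producing
	// a perfectly valid tag for a message the sender never approved.
	forgedTag := ComputeMAC(sharedKey, alteredMsg)
	out.MACReceiverForges = VerifyMAC(sharedKey, alteredMsg, forgedTag)

	// Sender signs with a private key only it holds; anyone verifies with the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	sig := ed25519.Sign(priv, []byte(genuineMsg))
	out.SigGenuine = ed25519.Verify(pub, []byte(genuineMsg), sig)
	out.SigTampered = ed25519.Verify(pub, []byte(alteredMsg), sig)

	// A receiver (or any outsider) without priv can only sign with some other key,
	// and that signature does not verify under the sender's public key.
	_, outsiderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	forgedSig := ed25519.Sign(outsiderPriv, []byte(alteredMsg))
	out.SigReceiverForges = ed25519.Verify(pub, []byte(alteredMsg), forgedSig)

	return out, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints the Outcome struct with MACGenuine, MACReceiverForges and SigGenuine true and everything else false. The practical consequence for the principles listed above: a MAC is the right tool between two parties that already trust each other with a key (integrity and authenticity relative to that key), whereas a record that must later be provable to an auditor, a court or a second department needs a signature under a key that only the signer controls.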

Information security also depends upon the environment. Environments can be friendly or hostile because of:

Physical threats - weather, natural disaster, bombs, power failures, etc.
Human threats - stealing, trickery, bribery, spying, sabotage, accidents.
Software threats - viruses, Trojan horses, logic bombs, denial of service.

Information security must ensure that the "rightful" owner is not subjected to:

Losing the ability to use the system
Losing important data or files
Losing face/reputation
Losing money
Spreading of private information about people

The Dilemma of Security

The problem that we cannot get away from in information security is that we can only have good security if everyone understands what security means and agrees with the need for it. Security is a social problem, because it has no meaning until a person defines what it means to him; in practice, it is about what happens when policy is broken. Additionally, if we make things difficult for users by imposing too many restrictions, human nature is such that users will work around them.

The harsh truth is this: in practice, most users have little or no understanding of security. This is most frequently the biggest security hole.


Figure 1: Attacker Sophistication and Technologies

Threats to Information and Threat Agents - Attackers vs. Defenders

Computer crime is becoming one of the biggest challenges to modern societies. Cyber crime is largely about stealing information, either directly or indirectly, and anyone who assists, knowingly or unknowingly, is a threat agent.

In the developed countries, the biggest challenge facing law enforcement is crime committed using computer technology, since computer hardware and Internet access are available to anyone at very low cost. Computer crime can be divided into two categories:

a)    Crimes in which the computer is used as a tool to aid criminal activity, such as producing false identification or reproducing copyrighted material.

b)    Crimes in which the computer is the target, and probably also a tool, used to attack organizations in order to steal or damage information, attack banks to make unauthorized money transfers, steal credit card numbers, and many other activities.

Threat agents have been identified as hackers [Appendix A], crackers, self-propagating code (viruses and worms), and insiders (such as employees and other keepers of information).

[Figure 1 body: chart of Attack Sophistication vs. Intruder Technical Knowledge, 1980 to 2000. Vertical axis from Low to High; the "Intruder Knowledge" curve falls over time while the "Attack Sophistication" curve rises. Tools and attacks plotted in rough chronological order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack. Series labels: Tools, Attackers.]


As per a study, the earliest hackers and crackers were highly qualified computer wizards. The technical expertise of the hacker community and of virus writers has, however, steadily declined, because advanced hacking and virus-creation tools can be obtained very easily on the Internet [Fig. 1]. There are several sites, so-called virus labs, where anyone can design a new virus through a user-friendly graphical interface and control the extent of the intended damage. Figure 2 below depicts the life cycle of such tools and technologies.

Computer Viruses and Worms

The 2000 Computer Virus Prevalence Survey estimated damage from computer viruses at 10 billion dollars. BBC World News reported on 8 June 2000 that the Love Bug virus had affected more than 45 million computers, believed to include computers at the Pentagon, the CIA and the British Parliament; according to the BBC, the damage from this virus reached 8.75 billion dollars.

Figure 2: Vulnerability Exploit Life Cycle

[Figure 2 body: a cycle of stages. Advanced intruders discover a new vulnerability; crude exploit tools are distributed; novice intruders use the crude exploit tools; automated scanning/exploit tools are developed; automated scanning/exploit tools come into widespread use; intruders begin using new types of exploits, and the cycle repeats.]

Internal Security Attacks

As per recent CSI/FBI and Gartner reports, the most damaging penetrations of an enterprise's security often come with help from the inside. Gartner suggests that enterprises keep a lid on sensitive information that could make the business vulnerable to an attack.

As the statistics show, it is not external hacking that results in the most damaging penetrations of an enterprise's security; it is often the work of an employee within the enterprise that causes the most damage. And while many of those incidents are due to employee malice, a great number stem from the manipulation of employees, often without their knowledge, that results in the theft of crucial data.

Figure 3: Attacker Statistics (CSI/FBI Report)

Mobile Computing and Physical Theft of Information

With the advent of mobile computing, laptops and palmtops have become extremely convenient devices for processing, storing and carrying information. However, they are also popular targets of information theft: laptops are frequently stolen for the information on them rather than for the hardware itself.

As per a CSI/FBI survey, 53% more notebooks were stolen in the US in 2001 than in 2000. Financial loss due to laptop theft has been second only to loss due to computer viruses for seven years running.

Internet as a Frequent Source of Attack

According to a study by the Computer Security Institute and the FBI, the Internet is a frequent source of attacks: 70% in 2001 compared to 59% in 2000, while over the same period internal attacks dropped from 38% to 31%.


Attackers Take Advantage of Employees

Malicious attackers making their way into IT systems frequently do not work on their own. Their accomplices are often unsuspecting employees of the enterprises they are targeting. Malicious attackers know that the easiest way into any system is to exploit the people who use and administer it as a source of information that assists them in launching their attacks.

Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, and that employees are behind more than 95% of the intrusions that result in significant financial losses. The attacker can be a person inside or outside the enterprise who pretends to be someone else:

In person
On the telephone
Via conventional mail or e-mail
Through a computer program disguised as an interesting message or a legitimate program (Trojans)

Gartner also warns about "employees" who may have completely unrestricted access (often off-hours) yet do not undergo nearly the scrutiny of a "regular" employee. One of the easiest ways to get past security is to work from the inside. Such people include:

Housekeeping
Maintenance and external repairs/service (phone company, construction)
Temporary workers
Contractors

Employees as Unwitting Victims of Social Engineering

"Social engineering" uses the age-old art of human persuasion. The employee targeted by an attacker is a victim of social engineering: the manipulation of a person through a combination of spying, theft and clever deception. This "art of human persuasion" takes advantage of a person's natural tendencies, such as seeking prestige, avoiding embarrassment or merely finding acceptance, and it usually follows a simple pattern:

1. The attacker gathers information about his target, which can be as simple as a phone number or as detailed as an organization's structure and procedures. (For example, a user name can be gleaned from an e-mail address.)

2. A relationship is developed between the outsider and the employee that establishes a degree of trust. (With the user name in hand, the attacker takes advantage of the natural instinct to be trusting and successfully passes himself off as a tech support worker.)

3. The attacker maneuvers his target into revealing information or performing an action that he would not normally do. (The innocent and "helpful" employee reveals his password.)

4. The attacker obtains his objective, which often lets him execute the cycle once more. (With user name and password in hand, access to one level of the enterprise's system is complete. From within that level, more information is easily gathered, which allows the attacker to approach another employee and establish a trusting relationship.)


Section II: Studying Attacker Behavior - Statistics

Once we have identified the attackers, it is good war tactics to study the enemy's behavior first and prepare for the battle. However, as many experts note, information keepers will remain defenders, since attackers will always be one step ahead.

CSI/FBI Computer Crime and Security Statistics

The Computer Security Institute (CSI) and the FBI have conducted an annual computer crime and security survey since 1996. As per a recently published CSI/FBI survey, the following findings are of interest:

1. The risk of cyber attacks continues to be high, and even organizations which have deployed a wide variety of security technologies can fall victim to significant losses.

2. The percentage of these incidents reported to law enforcement agencies is surprisingly low; attackers may therefore believe that the odds of being caught and prosecuted are low.

3. The percentage of organizations reporting some form of cyber abuse is the same as in previous years, but the losses reported from these incidents have decreased.

4. Theft of proprietary information caused the greatest loss, amounting to US$70 million.

5. Denial of service is the second most expensive computer crime, with losses amounting to US$65.6 million.

6. Virus incidents were reported by 82% of organizations.

7. Insider abuse was reported by 80% of organizations.

8. There is wide resistance among organizations to hiring reformed hackers to detect vulnerabilities.

9. Interestingly, one in every ten organizations does not use any extra physical precautions to protect its computer assets (specially locked rooms, locking cables for laptops).

10. IDS technologies are used by 73% of organizations.

11. Biometric technologies are used by 11% of organizations.

12. Organizations using advanced security measures such as biometrics are more likely to use leading-edge technologies such as file encryption, digital IDs or certificates.

13. The Internet is cited as an increasingly frequent point of attack.

14. Theft of proprietary information has been the costliest of all losses, because of the economy's high dependence on technical know-how.

15. Top sources of attack:
   a. Independent hackers (highest)
   b. Disgruntled employees
   c. Competitors

16. Top types of attack experienced:
   a. Insider abuse (highest)
   b. Viruses and worms
   c. Laptop theft
   d. Denial of service

17. Top losses due to attacks experienced:
   a. Viruses and worms (highest)
   b. Laptop theft
   c. Net abuse
   d. Denial of service

18. Actions taken by organizations experiencing abuse:
   a. Patched holes (highest)
   b. Did not report
   c. Reported to law enforcement

19. De facto security technologies used:
   a. Anti-virus software (99%)
   b. Firewalls (98%)
   c. Some form of physical security for information access (such as access control, 92%)


Section III: International Information Security Standards

StandardizationStandardization is a tactic in the battle against disorder and chaos. Agreement about standards is a useful starting point for talking about security. Standardization leads to predictability and predictability leads to trust.

The main risk to computers is the people who come into contact with them: networked users. To minimize the effects of users on the system it is necessary to introduce security mechanisms.

The Orange Book

The Trusted Computer System Evaluation Criteria (TCSEC), known as the Orange Book, was published by the US Department of Defense in 1983 as the first attempt to specify a standard for evaluating the security of computer systems. Although concentrated on national security issues, its recommendations were also of general applicability.

Information Security Standards BS 7799 and ISO 17799

BS 7799 and ISO 17799 are a set of best practices for information security, designed to help organizations better manage their information security systems. ISO 17799, a code of practice adopted from Part 1 of BS 7799, provides a good reference document, while Part 2 of BS 7799 specifies the Information Security Management System (ISMS) requirements against which an organization can be certified. Consultancies working from the ISO 17799 guidelines help organizations in both the public and private sectors to plan and implement ISMSs capable of certification to BS 7799.

A BS 7799 certification service is available to organizations. BS 7799 consists of 10 security domains and a set of 127 controls; an organization following the BS guidelines can thus be sure of running a sound security process. Opinion is however divided on whether organizations should obtain BS 7799 certification. Certification is expensive and time consuming, and there is no guarantee that a certified organization will not be hacked. Surprisingly, several agencies we discussed with that offer BS 7799 certification were themselves not BS certified! As a general trend, BS 7799 certification is sought by organizations seeking outsourcing contracts from overseas and within the country, as it makes them more likely candidates for projects.

Nonetheless, BS 7799 and ISO 17799 undoubtedly provide an excellent guideline for organizations intending to attain a comfortable level of information security.

BS 7799 is organized into 10 sections:

Security policy - To provide management direction and support for information security
Organization of assets and resources - To help you manage information security within the organization
Asset classification and control - To help you identify your assets and protect them appropriately
Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities
Physical and environmental security - To prevent unauthorized access, damage and interference to business premises and information
Communications and operations management - To ensure the correct and secure operation of information processing facilities
Access control - To control access to information
Systems development and maintenance - To ensure that security is built into information systems
Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement

An organization using BS 7799 as the basis for its ISMS can become registered by BSI, thus demonstrating to stakeholders that the ISMS meets the requirements of the standard.


Section IV: Benchmarking Security Index

Introduction

The Humanfirewall.org Council is an independent organization formed in September 2002, consisting of a committee of professional security practitioners dedicated to improving leading practices in information security.

Humanfirewall.org has introduced the Security Management Index (SMI) as an online survey at www.humanfirewall.org, based on ISO 17799 as well as on various leading practices from security industry analysts and professional associations. As noted earlier, ISO 17799 defines in detail 10 security domains and 127 controls. Many researchers and governments have questioned its utility and effectiveness. Nonetheless, ISO 17799 has gained international acceptance and become the de facto InfoSec standard for defining, at a high level, an organizational information security program and architecture. Even though it has received a lot of criticism, interest in it and adoption of it have built up significant momentum all over the world, and it is currently undergoing revisions that are appeasing its staunchest critics and enhancing the standard and its applicability.

The humanfirewall.org SMI, as a step towards simplifying security management, provides a comprehensive way to organize and define the key security issues every organization faces in today's globally networked environment. Taking the survey offers an easy-to-understand benchmarking tool for judging how well an organization is managing enterprise-wide security to protect its critical information assets.

To date, more than 1,000 organizations have participated in the survey, representing corporate and government organizations from throughout the world.

Global State of Information Security

As per a recent report published by the Humanfirewall Council [2], the state of information security is alarming in various industry sectors the world over. In the opinion of the Council, the results so far indicate that companies are clearly failing to do an acceptable job of managing their security programs. The Council feels that the low SMI scores show that security management practice the world over is still in an early stage of evolution and recognition.

Following is a summary of the survey results:

1. The vast majority of organizations taking the survey appear to have failed to meet what may be considered minimally acceptable standards for managing security across the enterprise. Many organizations scored an F on all categories except the Physical Security category.

[2] "The Alarming State of Security Management Practices Among Organizations Worldwide", published by the Humanfirewall Council.


The Humanfirewall.org Council feels that the implications of such poor performance against minimal security practice standards are disturbing. Organizations appear to be losing the battle to secure themselves properly even as reported security vulnerabilities and incidents increase at an exponential rate. Organizations worldwide appear to be more vulnerable to inside and outside attacks than ever before, and the cost of security breaches continues to escalate.

2. Results suggest a reactive, “Techno-Centric Solution” perspective for security still prevails within a large population of the industry

From the experience of the Human Firewall Council, the results shown in the Security Management Index indicate that a reactive “Techno-Centric Solution” perspective still prevails with most organizations when it comes to securing their information assets. This reactive InfoSec perspective reflects the fragmented evolution of information security solutions that typically focus on implementing non-integrated technology (while ignoring the human management element) to address immediate problems such as installing a firewall for perimeter security, an intrusion detection system to detect breaches, or anti virus software to prevent destructive viruses and worms.

3. While the initial results of the Security Management Index indicate poor to failing performance, the Human Firewall Council expects to see these scores rise significantly over time as more and more organizations begin to adopt and expand security programs throughout their organizations.

4. Vast majority score an unsatisfactory grade in Security Management Practices

One of the most striking results of the SMI research reveals how poorly most organizations scored overall: nearly 9 in 10 organizations received an SMI score below 70, equivalent to a "D" grade or below, with the vast majority scoring an "F" for failure (below 60). These scores confirm that few organizations have made substantial progress in implementing even minimal standards of security management practice as prescribed by security industry analysts, professional associations, and international standards such as ISO 17799.

5. Alarming results across all categories and industries

Survey participants showed consistently poor scores across all categories of security management practices based on ISO 17799 standards and other industry leading practices. Average scores are less than satisfactory in all categories of the standard: all but one category, physical security, revealed failing levels (less than 60).

6. A discouraging report card for most key areas of security management


Even though security policies provide the foundation of security management success, three out of four organizations fail to fully implement security policies, and only one in five maintain or review their policies.

A majority of companies (six out of ten) do not even consider the organization and oversight of security resources, or simply have not implemented any system of Information Security Management organization. Managing security effectively requires defined roles and responsibilities that far too many organizations appear to ignore.

Less than one in five organizations has fully implemented an asset classification scheme to assess and assign risks to information assets. As security experts have repeatedly emphasized, it is not possible to secure assets effectively when it is not clear which assets are worth protecting.

Some of the lowest scores are found in personnel security, where less than 20 percent of organizations have fully implemented proper incident management procedures, as well as security awareness and training. This suggests that people probably do not know how to recognize a breach or security violation, how to report it, or what procedures to follow when an InfoSec breach occurs in their vicinity.

Complying with laws, regulations, and contracts should be of paramount importance for many organizations, especially in highly regulated industries such as healthcare, and financial services. Yet, the survey revealed that only 20 percent had fully implemented policies and procedures to ensure compliance. This suggests many organizations run a risk for severe penalties for not complying with legal requirements in their industry.

The Challenges of Information Security The Human Firewall Council hears repeatedly from security and IT professionals how difficult it can be to obtain a comprehensive understanding of their enterprise security posture. Most are overwhelmed with data from a variety of security devices that require labor-intensive methods to maintain and manage. This puts security professionals in a double bind since most do not have enough budget or personnel to adequately handle the demands of managing security across complex, heterogeneous global computing environments. As a result, many organizations continue to invest in techno-centric “point” security technologies based on a reactive perspective. They are compelled to “put out fires” to meet the latest threat rather than developing and managing comprehensive security management programs. Reactive point solutions, however, pose a problem: increased spending on security initiatives may not always produce a corresponding increase in the effectiveness of their overall security posture. Rather, isolated technical security solutions may only add to current information overload and management headaches.


Section V
Tata Power Information Security Status

SMI Scores
We have participated in the humanfirewall.org council’s benchmark tests since December 2002. Initially, in 2002, the score was an unacceptable overall 41% as compared to the global 53%. In the subsequent benchmark test taken in April 2003, Tata Power scored 60% (the passing border) as compared to the global 52%.

As per the humanfirewall.org SMI benchmark test taken in January 2004, the InfoSec Index is currently 66% as compared to the global 52%.

The table below summarizes the Tata Power InfoSec standing. The year columns give the Tata Power score for each ISO 17799 domain, the last column gives the 2004 industry score for that domain, and the final row gives the industry overall score for each year:

ISO 17799 Domain                        | 2002 | 2003 | 2004 | 2004 Industry Score
Security Policy                         | 58%  | 83%  | 92%  | 51.5
Organizational Security                 | 42%  | 55%  | 58%  | 43
Asset Classification & Control          | 33%  | 50%  | 71%  | 43.8
Personnel Security                      | 27%  | 23%  | 43%  | 44
Physical and Environmental Security     | 60%  | 83%  | 85%  | 63
Communications & Operations Management  | 43%  | 68%  | 73%  | 57.8
Access Control                          | 34%  | 67%  | 69%  | 55.5
Systems Development and Maintenance     | 39%  | 37%  | 45%  | 42.5
Business Continuity Management          | 20%  | 50%  | 50%  | 41.2
Compliance                              | 49%  | 49%  | 49%  | 46.7
Tata Power Score                        | 41%  | 60%  | 66%  |
Industry Overall Score                  | 53%  | 52%  | 52%  |

This increase in rating can be attributed to:

1. Formulation of IT and InfoSec policies
2. InfoSec training and awareness programs for users
3. Improvement in network security due to firewalls, VPN and IDS
4. Rigorous password implementation and improvement of network physical security
5. Improved antivirus software
6. Formation of the IT Committee and InfoSec Steering Committee


SMI Score Average by Industry
For the sake of comparison, the table below summarizes the SMI score by various industries worldwide:

Type of Industry                                 | SMI Score
Financial Services                               | 67.2
Healthcare                                       | 44.4
Consulting                                       | 54.2
Public, Government, Military                     | 43.6
Computer and Software Manufacturer               | 55.6
Manufacturing, Agriculture, Mining, Oil and Gas  | 48.8
Communication                                    | 49.9
Service Provider                                 | 65.2
Wholesale, Retail, Distribution                  | 47.4
Other                                            | 48.5

The survey shows a disturbing picture of SMI scores across industry sectors around the globe. Even those industries that are especially sensitive to security issues, such as financial services (including banks, brokerage and insurance companies) and healthcare organizations, appear to have failed to earn a satisfactory score (the expected score is greater than 70%).

Areas of Concern for Tata Power:
Although the Tata Power scores are higher than the scores of the peer/other industry sectors, it is essential to take an integrated approach and tackle several security domains. As per the benchmark result, the following are the areas which need greater attention:

1. Business Continuity Management
2. Systems Development and Maintenance
3. Organizational Security
4. Asset Classification and Control
5. Personnel Security
6. Compliance

Nonetheless, the overall InfoSec index should be targeted above 70% for the next year.

Recommendations for Achieving the 70% Target
1. With the InfoSec policies in place in Tata Power, there is a need to enforce the policies.
2. The InfoSec policies should be reviewed periodically.
3. The IT Committee also serves as the InfoSec Steering Committee; however, there is a clear need to percolate the InfoSec culture down to the SBU level. This will also ensure better enforcement of the policies.
4. All the software developed should be subjected to security screening.
5. Software development and operational teams should be isolated.
6. A Disaster Recovery System needs to be in place and stabilized quickly in order to ensure business continuity.
7. The Information Asset Classification and Control mechanism needs to be improved.
8. The Personnel Security mechanism needs to be put in place/improved.

Additionally, the Human Firewall Council has recommended moving beyond a reactive, techno-centric mindset to an integrated security management approach, which organizations must adopt if they are to become more effective and efficient in their security efforts, by:

• Defining security management according to 10 categories that represent the major issues and challenges every organization faces in protecting critical information assets.
• Implementing a security management approach that supports e-business objectives of protecting and enhancing revenues, limiting liability, and preserving brand integrity.
• Developing security programs that integrate people, process and technology while optimizing resources to improve productivity.
• Adopting security technologies that help automate key processes while enhancing overall management and control across heterogeneous IT environments.
• Measuring information security performance according to recognized standards such as ISO 17799 and other emerging leading practices articulated by industry analysts and professional associations.

ROI and Information Security:
Investment, manpower and effort to ensure Information Security are large, perpetual and monotonically increasing. The Return on Investment on Information Security is a hot topic of debate amongst InfoSec experts. How do we compute ROI on Information Security? Several US and EU organizations are attempting to build a meaningful model in order to assist InfoSec practitioners. NIST is even inviting suggestions and ROI models to assist in developing an ROI methodology. As a general guideline, researchers suggest performing an organizational InfoSec risk assessment first, devising an investment plan and, depending upon the need, prioritizing the investment and manpower.


Appendix A

The Hacker Community

Who are Hackers?
The term "hacker" originally meant "a very gifted programmer." However, over the years it has taken on a negative connotation. Technically, the term "cracker" is used to describe someone who hacks into a system with criminal or malicious intent. However, the term "hacker" is casually used for someone both with and without criminal or malicious intent. As such, for the sake of simplicity, this paper will use the term "hacker" to describe both "hackers" and "crackers".

Who are these hackers who have been dubbed "the enemy of information security"? Marc Rogers, a Canadian psychologist, developed psychological profiles for hackers. He categorized them in the following way:

1. Newbies, script kiddies, or beginners
2. Cyberpunks (older but still anti-social geeks)
3. Insiders, disgruntled employees, past employees
4. Coders (who actually write exploits, tools etc.)
5. Professionals (hired guns)
6. Full-fledged terrorists

As this list implies, hackers can be just about anyone. They range in age from ten to sixty, and in computer literacy from novice to computer scientist, all with different motives and intents. As such, there is no clear profile of a hacker. IBM's Charles Palmer describes, "...if your system is compromised, it could be a Gen-Xer sitting in a dark apartment, or the woman in the cubicle next to you."

Traditional hackers, those whom laymen think of as hackers, are those who are associated with the Cyber Underground. These are the stealthy computer wizards who marvel at the challenge of breaking into a computer system. “The Hacker Manifesto”, written by "The Mentor", allows us to get into the psyche of just such an Underground hacker. As stated, people hack for many reasons. Like the few hackers of the early 1970s, many of today’s hackers do it for the fun and challenge; they can be called "electronic joy riders." It would be inaccurate to portray the majority of hackers as criminals who surreptitiously enter systems to steal, copy, or alter data; many just do it for the challenge.

According to Peter Tippett, the head of the National Computer Security Association (NCSA), only about five percent of hackers write their own code and understand the details of how to infiltrate a system or a network. He continues, "Most hackers are wanna-bes, (i.e. grabbing something and running away with it)." Most hackers are merely curious to see if they can get into the system, but plan on doing no harm once they are inside. Others, however, hack to cause very serious harm. Some vandalize web sites while others actually steal information, software or money. A small minority of hackers are professional thieves whose sole aim is to break in and steal information, leaving no traces around. The following chart indicates the type of attacker and what kind of attack they are likely to carry out.

Type of Attacker    | Compromise | Modification | Denial of Service
“Newbies”           | Moderate   | Low          | High
Curious Explorers   | High       | Low          | High
Serious Attackers   | High       | High         | High
Espionage Agents    | High       | Low          | Low

Hackers of the Underground tend to operate in close-knit groups. They share information on the Web about how to hack into computer systems. There are countless underground hacking sites that explicitly describe how to hack into a system. Recently, in 2003, a hacking contest was even organized by such an underground group, with a reward for the hacker who could deface the largest number of websites on the day of the competition.

Hackers are also on the lookout for new vulnerabilities published openly by software vendors, as these provide easy information for compromising computers that have not applied the software patches. Hackers know that people are largely ignorant of, and lazy about, software patch announcements (let alone applying the patches).

What do Hackers Do?
Once a hacker gains access to a system, there are many things that can be done.

1. Access: Hackers may hack into a computer system and not change, add or copy anything. They merely enter the unauthorized site and leave it exactly as it was found. Many hackers say that as long as they just gain access to a computer system and do not alter the information, they have not done anything wrong and no damage has been done. However, this is not accurate. The fundamental problem is that unauthorized access to an information system means a loss of control over it. Many security experts feel that once a system has been infiltrated, even if the information has not been altered, the system can no longer be trusted.


2. Unauthorized Possession: Once they have gained access to a system, hackers can transfer software and/or data from compromised systems to other systems. They can steal or modify any information, data or software programs contained in the computer they have infiltrated. Often, hackers can take whatever they choose and leave no trace that the system has been compromised. Examples of unauthorized possession are break-ins into a number of academic institutions, such as the University of California at Berkeley, the California Institute of Technology and Harvard University, where the hacker stole approximately 48,000 encrypted passwords which the hacker then decoded.

3. Compromise Integrity: Once inside a system, hackers instead of stealing information can alter the information that is already present. This can be done by changing information in large databases, that may go unnoticed, or by replacing material on a Web page with new material. There have been countless examples of hackers defacing Web sites. Just a few examples of hacked Web sites are: CIA, ValuJet, The New York Times, UNICEF, Amnesty International, and the US Department of Justice.

4. Denial of Service: Hackers can shut down numerous host machines and networks just by gaining access to one computer, if it is hooked up to the Internet. The primary purpose of this is to prevent legitimate use of the computer or network by its users and customers.

Once hackers are in a system, they can implant their own software agent program such as incorporating back doors. This can allow them to re-enter the compromised computer system as often as they want. Certain intelligent software agents can periodically transmit selected sensitive information.

How Do Hackers Get In?
New hacker techniques are steadily being developed and new security vulnerabilities in networks are found every day. Hackers are getting more and more advanced and thus harder to prevent and detect. On average, it takes less than 10 minutes to hack into even the most secure company’s servers by means of tools and a personal computer. A hacker can gain access quickly because most hackers will first do some research about the system they are trying to gain access to. They will try to find out anything useful about the network they are trying to break into, such as the type of firewall, networking software and operating systems in use, as well as host lists, usernames, network connections, and sibling domains. Often there are peer network connections that can be used as back doors into a network. In a Wired interview, Peter Shipley, the founder of Network Security Associates, gave an example of such an incident: hackers gaining access to NASA computers by going through Lockheed Aerospace (forming a sibling domain) and getting in through their connections.

The basic idea is for hackers to find vulnerabilities in the computer system that they can exploit. Steve Foote states, "As every computer hacker knows, the way to break into a computer system is to look for security vulnerabilities and poor configurations in the network and the computer’s operating system." Every operating system has its share of weaknesses, and vulnerabilities are not hard to detect. The latest vulnerabilities can be found on the COAST or CERT web servers or on any number of hacker sites. The more obvious vulnerabilities are: guessable passwords, accounts with no passwords, anonymous ftp access, world-writable directories, and passwords sent in clear text across the network from one computer to another. There is also software such as SATAN, developed by Dan Farmer and originally designed to help computer administrators detect weak parts of their system, that hackers are using as a tool to detect vulnerabilities. Software needed to hack into a system can easily be downloaded from the Internet or obtained from hacker conferences or on-line bulletin boards. Dan Farmer used his SATAN software to conduct a nonscientific study and found security holes in about 2,200 Web sites, with about 70% to 80% of them having "serious security flaws."

Some Hacking Methods
Some of the more common methods hackers use to gain access to computer systems are listed below:

Password Cracking and Theft
A hacker can steal or guess a password or encryption key in order to gain access to a computer system. Using this method, a hacker does not have to sit at the computer and guess the password; the computer can actually do the guessing itself. A cracking program such as Crack and a dictionary are often all the tools that are needed. The cracking program takes each word in the dictionary, uses it as a key to encrypt the known block of data, and then compares the result with an entry in the password file. The program can also take dictionary words and try them backwards or in another common pattern. Passwords and encryption keys could also be breakable by brute force, that is, by trying all possible characters or bit combinations until one is found that works.
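The same dictionary-and-pattern logic is the basis of the defensive check that stops such passwords from being chosen in the first place. The following Python program is an added example for this report; it is not the Crack program and not code from the original document. It applies the transformations a cracker would try (the plain word, the word reversed, trailing digits or a year, an appended "!", and leetspeak substitutions) to a small constructed word list and rejects any candidate password that matches, and it also estimates the brute-force search space so that short passwords are rejected even when they are not dictionary-derived. The word list, the minimum length and the search-space threshold are assumed policy values for illustration.

```python
"""Password-policy check modelled on the dictionary cracking steps described above.

Added example, not code from this report.  DICTIONARY is a constructed stand-in
for a real cracking word list; MIN_LENGTH and MIN_SEARCH_BITS are assumed policy
values.
"""
import math
import string

# Constructed stand-in for a cracking dictionary (a real one has 100k+ words).
DICTIONARY = {"password", "welcome", "summer", "tatapower", "mumbai", "letmein"}

MIN_LENGTH = 12          # assumed policy minimum
MIN_SEARCH_BITS = 50.0   # assumed: reject if the brute-force space is below 2**50

# Leetspeak substitutions a cracker routinely applies to each dictionary word.
LEET = str.maketrans({"a": "@", "o": "0", "e": "3"})


def variants(word):
    """Forms a dictionary cracker typically tries for one word: the word itself,
    reversed, with leetspeak substitutions, with '!' appended, and with trailing
    digits or a year.  Returned in lower case for case-insensitive comparison."""
    base = word.lower()
    forms = [base, base[::-1], base.translate(LEET), base + "!"]
    forms += ["%s%d" % (base, n) for n in range(100)]
    forms += ["%s%d" % (base, y) for y in range(1950, 2010)]
    return set(forms)


def search_space_bits(password):
    """log2 of the brute-force search space, i.e. (alphabet size) ** length,
    where the alphabet is the union of character classes actually used."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    candidate = password.lower()
    for word in sorted(DICTIONARY):
        if candidate in variants(word):
            problems.append("derived from dictionary word '%s'" % word)
            break
    if search_space_bits(password) < MIN_SEARCH_BITS:
        problems.append("brute-force search space too small")
    return problems


if __name__ == "__main__":
    for pw in ("password1", "drowssaP", "P@ssw0rd", "Tr0ub4dor&3xQ"):
        print(pw, "->", check_password(pw) or ["ok"])
```

A real deployment would load a full word list and run this check at password-set time; the point of the example is that every cheap transformation the cracker tries is equally cheap for the defender to rule out in advance.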

Packet Sniffing
Packet sniffing is used when a hacker surreptitiously inserts a software program at remote network switches or a host computer. The program then monitors the information entered into the computer and smuggles it to the hacker. This way, the hacker can learn passwords and user identifications that they can then use to break into the system. Once the intruder is inside a system, he/she acts as a legitimate user. They are able to steal information from the compromised system as well as from any system connected to it. Thus, this can lead to a cascading domino effect, and security systems can fall flat.

Jamming or Flooding
Attacks using this method disable or tie up a system’s resources. This is commonly known as a "denial of service attack (DoS)." An intruder can consume all the available memory or disk space on a machine and then flood it with so much traffic that no one else can use it. One way of doing this is to flood the victim’s mailbox with thousands of e-mails, thus jamming the mailbox and eventually shutting down access. Attackers can conceal their identity by using a forged return address or by directing the message through an anonymous remailer.


Sendmail
Sendmail is a common type of attack in which the attacker installs malicious code in an electronic mail message that adds a password into the system's password file. This then gives the attacker total system privileges.

IP Spoofing
IP spoofing means that a hacker poses as a legitimate host using a fabricated IP address, that is, it lets one computer impersonate another. This tricks the firewall into letting the intruder through the network. The intruder can then masquerade as that user throughout the system. Through IP spoofing, the intruder can use the system as a springboard to log into another system and yet another system, and so on. This process is called "looping". Inherently, it conceals the identity and location of the intruder.
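The standard countermeasure to the impersonation just described is ingress and egress filtering at the network border: a packet arriving from the Internet cannot legitimately carry one of the organization's own addresses as its source, and a packet leaving the organization should carry nothing else. The following Python function is an added example for this report, not code from the original document or from any firewall product. It decides whether a packet is accepted or dropped given the interface it arrived on and its source address. The interface names and the internal prefixes are constructed placeholders.

```python
"""Ingress/egress anti-spoofing filter logic for a border router.

Added example, not from this report.  Interface names and the internal
prefixes are constructed placeholders; adapt them to the real site layout.
"""
import ipaddress

EXTERNAL_IF = "eth0"   # constructed: the interface facing the Internet
INTERNAL_IF = "eth1"   # constructed: the interface facing the LAN

# Constructed: the address space legitimately used inside the organisation.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Address ranges that can never be a genuine source on the Internet side:
# private (RFC 1918), loopback, link-local and the "this network" block.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def classify(iface, src):
    """Return 'accept', or a string starting with 'drop:' giving the reason,
    for a packet that arrived on interface iface with source address src."""
    addr = ipaddress.ip_address(src)
    if iface == EXTERNAL_IF:
        # Ingress filter: nothing arriving from the Internet may claim to be one
        # of our own hosts; that is exactly the impersonation IP spoofing relies on.
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop: internal source address arriving from outside (spoofed)"
        if _in_any(addr, BOGONS):
            return "drop: non-routable source address"
        return "accept"
    if iface == INTERNAL_IF:
        # Egress filter: only our own addresses may leave, so a compromised
        # inside host cannot be used as a springboard to spoof others.
        if not _in_any(addr, INTERNAL_PREFIXES):
            return "drop: outbound packet with foreign source address"
        return "accept"
    return "drop: unknown interface"


# Constructed sample of (interface, source) pairs as a packet filter would see them.
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.5"),    # ordinary Internet client
    ("eth0", "10.1.2.3"),       # claims an internal address from outside: spoofed
    ("eth0", "127.0.0.1"),      # loopback as a source: bogon
    ("eth1", "10.1.2.3"),       # normal outbound packet from the LAN
    ("eth1", "198.51.100.9"),   # LAN host sending with someone else's address
]


def filter_packets(packets=SAMPLE_PACKETS):
    """Apply classify() to each (iface, src) pair; return the verdicts in order."""
    return [classify(iface, src) for iface, src in packets]


if __name__ == "__main__":
    for (iface, src), verdict in zip(SAMPLE_PACKETS, filter_packets()):
        print("%s %15s  %s" % (iface, src, verdict))
```

The same two rules are what a real border firewall expresses in its rule set; keeping the decision in a small pure function makes it easy to test the rule set against sample traffic before deploying it.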

Social Engineering
Social Engineering is a relatively non-technical technique. It is the process of learning about how computers are used by individuals and organizations. It can merely consist of a hacker calling up a network engineer, or someone else with access to information, and simply asking what type of software and configurations or port assignments are being used in their network. Social engineering is often cited as the easiest way into a system.

Law and the Hackers There are a series of obstacles that policymakers and law enforcement officials are facing in their attempts to curb computer crimes.

1. Hackers are hard to find: Computer hackers are becoming increasingly sophisticated and therefore more difficult to detect and prosecute. The Internet can provide hackers with a high degree of anonymity. Getting Internet accounts in false names is easy, and accounts can be used and abandoned even before the authorities know that the criminal activity has taken place. The interconnectedness of network computers further allows hackers to confound law-enforcement agents by accessing targeted machines through a series of other machines ("looping").

2. Complexity of laws: Many hackers know that when they break into a computer system they are committing an illegal activity. However, a large majority of hackers are not even aware that their actions may be illegal. Even lawyers and judges have difficulty discerning lawful from unlawful hacking. The ambiguity of the law and the technically complex nature of computer crime make it hard for judges and jurors.

3. International in nature: The challenge of international cooperation and coordination of investigations, coupled with diverse, overlapping and sometimes contradictory computer crime laws, regulations and criminal procedures make enforcement of criminal statutes even more difficult when the crime transcends national borders. Inherently computer crime is international in scope, that is, hackers are not hampered by borders or physical limitations. Additionally, since computer networks routinely cross city, county, state, and national borders, figuring out who has jurisdiction is often a laborious task.


4. Legislative time lag: While hacking has grown relative to the spread of technology, enacting law to prevent and punish hackers has not moved as quickly. This is due in large part to the fact that the scope of hacking and its implications far exceeded the expectations of legislators. Legislation just has not kept up with technology.


Appendix B

SANS Institute’s Top Ten Security Exposures

As noted elsewhere in this report, InfoSec vulnerabilities and security holes are perpetual in nature. The SANS Institute has given the following general guidelines:

Operating system patches, particularly security fixes, not installed on desktop computers
Solution: Routinely review and install critical operating system patches. Operating system vendors and a number of independent security organizations provide descriptions of recent security vulnerabilities and available operating system updates. Visiting the web sites of such organizations may alert users to the need to install an important security patch.

Default operating system and application installations
Solution: The installation routines for many operating systems and applications often include additional programs and scripts in the interest of user convenience and ease of use. Unless removed or disabled, many of these same routines provide a security vulnerability that can be exploited.

User accounts having no passwords or weak passwords
Solution: Remove default passwords and routinely change passwords to those that cannot easily be guessed.

Incomplete backups and/or local storage of backups
Solution: Verify that critical and essential data is backed up on a daily basis and stored in a safe location, away from the source of the data. It is a good practice to periodically check to ensure you can restore from backup media.

Un-needed services or programs running
Solution: When away from your desktop computer or working in another program, it is a good idea to close unnecessary services or programs. System administrators should also identify non-critical operating system services and application programs that can be removed. Some of the non-critical services and programs could also be vulnerable to security exploits.

Non-existent or incomplete logging
Solution: Security and event logs permit a review of computer activity should the computer become compromised. This information could be used to identify a security exploit and/or determine the scope of damage. Verify that your computer system logs have been enabled and are functioning. In addition, it is a good idea to periodically copy your logs to removable media or a remote system using write-once media to protect logs from being overwritten.

Infrequent log inspection
Solution: Once security and event logs have been enabled, you need to regularly inspect the log files for suspicious activity. While suspicious activity may not always be easily identified, you can review previous log entries for entries that occur at odd dates/times, or are made by unknown users or computer addresses.

Too many computer ports are open
Solution: Computers communicate over the network via a variety of ports. Closing all but those ports that are absolutely necessary for proper computer functioning can reduce security vulnerabilities. For identifying open ports, see the security self-assessment web pages.

User accounts of terminated employees available after termination date
Solution: Remember to remove the access privileges of departing employees as soon as possible. Also, remember that internally transferred employees and temporary employees may need to have their access privileges changed periodically to match their work assignments.
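The log inspection item and the terminated-accounts item above both come down to comparing what the logs and the account list say against what the organization knows to be legitimate. The following Python script is an added example for this report; it is not part of the SANS guidelines or of the original document. It parses a handful of constructed sshd-style login records and flags the conditions the log inspection item names (logins at odd hours, by unknown users, from unknown addresses) together with logins by users whose termination date has passed, and it lists roster accounts that should already have been removed. The roster, the address ranges, the working hours and the log lines are all constructed for illustration.

```python
"""Login-log inspection against an HR roster.

Added example, not from the SANS guidelines or this report.  ROSTER,
KNOWN_SOURCES, WORK_HOURS and SAMPLE_LOG are all constructed for illustration.
"""
import ipaddress
import re
from datetime import date, datetime, time

# Constructed roster: account -> termination date (None for current staff).
# An account with a past termination date should already have been removed.
ROSTER = {
    "asharma": None,
    "rkulkarni": None,
    "jdoe": date(2004, 1, 15),
}
# Constructed: address ranges from which interactive logins are expected.
KNOWN_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed: logins outside this window are flagged as happening at odd hours.
WORK_HOURS = (time(7, 0), time(20, 0))

# Constructed sample records in an sshd-like syslog layout (not real logs).
SAMPLE_LOG = """\
2004-03-02 09:14:03 srv1 sshd[2201]: Accepted password for asharma from 10.1.4.22
2004-03-02 23:47:51 srv1 sshd[2315]: Accepted password for rkulkarni from 10.1.4.30
2004-03-03 10:02:17 srv1 sshd[2402]: Accepted password for jdoe from 10.1.9.8
2004-03-03 11:30:44 srv1 sshd[2417]: Accepted password for asharma from 203.0.113.77
2004-03-03 11:31:05 srv1 sshd[2418]: Accepted password for svc_backup from 10.1.4.22
2004-03-03 11:32:00 srv1 cron[2419]: (root) CMD (run-parts /etc/cron.hourly)
"""

LOGIN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (\S+) from (\S+)$")


def inspect_line(line):
    """Parse one log line.  Return None for records that are not logins,
    otherwise a dict with the parsed fields and the reasons it looks suspicious."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    user, src = m.group(2), m.group(3)
    reasons = []
    if not WORK_HOURS[0] <= when.time() <= WORK_HOURS[1]:
        reasons.append("odd hour")
    if user not in ROSTER:
        reasons.append("unknown user")
    elif ROSTER[user] is not None and when.date() > ROSTER[user]:
        reasons.append("login after termination date")
    if not any(ipaddress.ip_address(src) in net for net in KNOWN_SOURCES):
        reasons.append("unknown source address")
    return {"time": when, "user": user, "src": src, "reasons": reasons}


def inspect_log(text=SAMPLE_LOG):
    """Return only the login records that raised at least one flag."""
    flagged = []
    for line in text.splitlines():
        rec = inspect_line(line)
        if rec and rec["reasons"]:
            flagged.append(rec)
    return flagged


def stale_accounts(as_of, roster=ROSTER):
    """Accounts whose termination date has passed but which still exist."""
    return sorted(u for u, ended in roster.items() if ended is not None and ended < as_of)


if __name__ == "__main__":
    for rec in inspect_log():
        print(rec["time"], rec["user"], rec["src"], "; ".join(rec["reasons"]))
    print("accounts to remove:", stale_accounts(date(2004, 3, 3)))
```

Run against the constructed sample, the script reports four of the five logins and names jdoe as an account that should have been removed; in practice the roster and address ranges come from HR and the network team, and the inspection runs on every copy of the logs that the previous item says should be kept on write-once media.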


Appendix C

Gartner’s Recommendation for Battling the Internal Security Attacks:

Creating and Implementing Policies and Plans

The single strongest defense for an enterprise against social engineering attacks is an educated employee. But a well-educated employee must be armed with more than just information about what social engineering is. He or she must be part of a security-conscious enterprise. The employee must know what the enterprise is doing to maintain security and how to support those efforts. And while learning how to support these efforts, the employee must be motivated to do so.

The first building block for developing a security-aware enterprise is to create simple, clear and enforceable policies and plans.

The policies lay out the security goals set by or supported by executive management.

The plans are the means to achieve those ends - the constantly updated guidelines, processes and procedures that go into complying with the policies.

Create and Foster a Security-Conscious Culture

Creating a culture of security is the single most critical factor in building a security-aware enterprise and defending you from nearly every type of attack. It is very difficult to impose this culture from the top down. It must be grown and developed so security can become a habit for employees, not an effort:

Management must set an example by leading from the front and exceeding expectations.

Employees need to understand why security is important to the enterprise and to the employees themselves.

Everyone in the enterprise should understand that his or her personal efforts make a difference.

Employees must be rewarded for positive behavior through recognition and/or bonuses.

Create an Organizational Structure to Manage IT Security

Security needs a well-designed management structure just like any other operation in the enterprise. Many fail to realize that security is fundamentally different than the day-to-day maintenance and support of systems. Usually the employees running IT systems do not have the resources or the training for security, and at times concerns related to managing security can actually conflict with everyday IT management.


Although information security and physical security are traditionally separated, sometimes it makes sense to combine them under a single management structure, while other times just opening strong communications channels is more appropriate. Even individual business units need to assign responsibility for security. Treating security as an extra duty, without management or resources, will almost always result in failure.

Develop an IT Security Education Plan for Employees

The enterprise must create effective and concise education for employees. It’s hard to be aware of security incidents if you don’t even know what the issues are. Education should cover the following areas:

Corporate policies: Employees must understand policies to both limit the potential for them to commit personal violations and allow them to recognize when others violate policies.

Security issues: Employees need training on a variety of security issues, from physical access, to information misuse, to e-mail safety.

Impact on enterprise/employee: Awareness and proactive actions are more likely if employees understand the negative consequences on the enterprise and themselves.

How to report/respond: Employees should know to whom they should report and what actions they should take if they are confronted by security breaches.

Frequently Test Security Awareness

There are three questions to ask in determining if an enterprise has successfully made itself security-aware:

1. Would an employee actually know if a security violation has been committed? This would be key to avoiding an attack by social engineering.

2. Would the employee choose to report the violation? This addresses the issue of the culture. Policies will be viable only if employees feel they are pertinent, fair and consistent.

3. Would the employee know how to report the violation? Security policies become ineffective if well-meaning employees are stymied by reporting procedures that do not work.

Continue to Monitor Security Effectiveness

Once the enterprise is prepared, its work is not done. It must monitor itself over time to make sure it sees a value on its investment. The increase in security expenses must result in sufficiently decreased security losses.

In judging the effectiveness of a security system over time, comprehensive penetration testing is one tool but it is not the only one at your disposal:


Try calling the help desk to see if you can trick them into revealing a password - but give them a bonus if they follow procedures.

Walk around and look for passwords or sensitive documents sitting on desks - and write an educational "ticket".

Watch how your business process changes over time. Do your security policies keep up with these changes? Monitoring doesn't have to be expensive; it needs to be consistent and constant.

Internal Threats Will Never be Eliminated

It will not be possible to completely eliminate internal threats (e.g., disgruntled or criminal employees); however, checks and balances can limit the effectiveness of an internal attack – intentional or as a result of social engineering manipulation.

Use business process to your advantage. Don't depend on awareness or technology alone. Many crimes are committed by people performing authorized tasks within their job duties. Make sure the damage any single individual can commit is limited.