Search:  

 Blog     e-Newsletter       Resource Library      Directories      Webinars     Apps
AFCEA logo
 

Layered Approach Security Planning Offers Best Defense Against Attacks

April 2000
By Michelle L. Hankins

Establishing internal and external guidelines remains top priority in network assurance.

To protect information systems from security breeches, organizations increasingly are embracing a comprehensive strategy that relies on both technology and enforced policies. Meanwhile, the legal system has been hard pressed to keep pace with information system protection issues, leaving many questions unanswered about how far businesses may go to protect their systems.

Research, development and testing of security tools must continue and move into implementation phases if information—the proprietary cornerstone—is to be protected, industry experts say. To accomplish this, many organizations are turning to security specialists who examine networks and recommend the best products and procedures.

One company specializing in providing a confidential security solutions environment to customers whose systems have been breached or who want to prevent future problems is Houston Associates Incorporated, Arlington, Virginia. The firm offers its own methodology that it combines with available commercial software solutions to tackle corporate and government security issues. Company officials favor a layered security approach in which both hardware and software tools are used to prevent intrusion.

The firm often responds to clients dealing with intrusions by tailoring specific security approaches. “We go in and we get a good understanding of the network infrastructure based on the critical function of a business or organization,” Tony Garland, security systems engineer at Houston, explains. “Based on that mission, we start doing some vulnerability assessment. From that, we design a template.”

This template goes beyond available hardware and software products and on to security concepts. Once a client’s security weaknesses are determined, the company works to develop a plan to eliminate them. Various techniques for protecting a client’s information networks are carefully scrutinized. These concepts are combined with technology to build layers of security around a system, protecting information via network and host-based detection.

In addition to thwarting potential external attacks, network administrators must recognize that the greatest threat to systems security often comes from employees who are unfamiliar with a well-defined security policy. Many times, a company’s single greatest weakness lies in the failure to develop and fully implement a clear set of security standards, Garland contends.

Employees who, without malicious intent, send out proprietary information or violate password protection measures pose problems. While access to information is crucial for employees, allowing personnel to dial up to business accounts can also create a security issue that, if left unaddressed, could open a system to attack.

Houston consultants believe that the importance of following security policies must be projected from the top levels of management. As employees are hired, they must be immediately informed about regulations, Garland asserts.

Internal problems often arise because businesses do not fully understand their own network infrastructure and the vulnerabilities that exist. To address this, the security company’s representatives work to change the organization’s mindset about security. The company seeks to identify all of the weaknesses and vulnerabilities to provide a client with an extensive outline of security issues.

Many companies do not believe they are vulnerable to attack, but some hackers dedicate their lives to finding vulnerabilities, Garland warns. A dynamic security approach can work to prevent holes in network protection.

Constant and consistent network monitoring is one critical device that can protect against internal threats. “Monitoring [technology] is going to be a very useful tool for organizations on several levels because it monitors bandwidth and how many resources a business is using, and because it reveals exactly what the users are doing,” Garland says. While he maintains that monitoring must be conducted in an ethical manner, he believes it can be effective in hindering internal threats.

Houston engineers have tested and employed network-monitoring software. Some items can be configured to implement a security policy regarding a user’s capabilities by prohibiting certain actions that would violate company security standards. For example, a program would flag information when it is not approved for distribution but is being sent out. “It’s happening now, but that’s going to become a more robust system,” Garland says.

Garland reflects on the time when sharing information in a network was the most important aspect of computing for government and industry users. Today, the paradigm has changed to include security as an element in the shared information architecture. The rapid explosion in the use and growth of the Internet has especially forced government agencies to view information security as a top priority.

Government has traditionally served as a testbed for new security technologies, but that does not mean those agencies have been first in securing information systems. “It is government that is defining requirements and the types of software that are being created, but those requirements are being implemented in commercial industry quicker than they are being implemented in the public sector,” Garland says.

The security firm operates special laboratories to test and develop specific solutions for customers. The facilities are equipped to support both classified and unclassified security issues. It is in these laboratories that the company also tests commercial software and hardware. Experts look at a product’s advertised capability and then offer a third-party evaluation of the item. The company continually evaluates products and solutions, including testing of upgrades and product cost. A matrix of the data documents the product’s strengths and vulnerabilities. Garland estimates that his firm has tested more than 20 security products.

Security concepts are also examined in the company’s laboratories. Researchers regularly explore innovative approaches and test them for other businesses or organizations.

Because security is a sensitive issue, Houston maintains the confidentiality of its clients both inside and outside of its laboratory setting. Many customers enlist the company’s services after an attack has threatened their systems. They fear that widespread knowledge of an attack would affect the credibility of their systems security or spawn attacks from other intruders.

Perhaps one of the most pressing issues in information security is the legal aspect of security concerns. “What do you do if someone hacks into your networks?” Garland asks. Tracing attacks could violate the law, so industry and government officials are faced with determining how far they can go legally to find and retaliate against network intruders. What constitutes a malicious hack still has not been precisely defined from a legal standpoint.

Some of the products that Houston has tested provide source and destination Internet protocol information about hackers, and this is considered fair game, according to Garland. To obtain information beyond that, a company must get the government’s permission. However, corporations that need to protect information systems critical to their business functions often believe they need to immediately identify and possibly retaliate against potential hackers or a malicious user.

Some experts believe industry will push government to allow businesses to retaliate against hackers. Others predict that archaic thinking will help preserve the status quo about crime and punishment—if it happens within the home, a victim can retaliate, otherwise it is law enforcement’s responsibility to protect citizens and hold criminals accountable. Even if this ideology remains, some security experts speculate that a business would stop at nothing to protect its information networks.

Confidentiality of personal data records is another leading security issue. It is most often given high priority in the medical field where privacy of patient information must be ensured. However, many aspects of security that relate to medical practice remain open, Garland notes.