Security Assurance Sometimes Starts From the Outside In
The explosion of new Web tools increases the usefulness of everyone’s computers but also amplifies the threats to organizations’ network systems. Life behind the corporate firewall may be relatively safe, but once the windows are open to let exciting capabilities in, systems administrators must take extra precautions to ensure that information isn’t leaking out.
Blake Frantz, chief technology officer for the Center for Internet Security, says risks to organizations’ systems today generally fall into three categories. The first is at the desktop itself. Information security officers need to evaluate the information that travels between their computer users and the outside world. Security officers also must take an inventory of the tools their users have on their desktops. “Enough attention isn’t being paid to the inventory on desktops,” Frantz states.
While software creators develop patches for their products when vulnerabilities are discovered, users may be employing a plethora of different plug-ins and widgets that include vulnerabilities that are not being patched. “Overall, the popularity of Internet tools means that you have more computers on your local area network that have them. The sheer number causes this to be an increasing threat,” he explains.
Because varieties of browsers, plug-ins and widgets have become a way of life in many organizations, they cannot be totally banned, Frantz admits, but he quickly adds that they also should not be ignored. Researchers have found that 9 out of 10 widgets, for example, involve parsing information such as an image from an unknown—and potentially malicious—source. The likelihood of encountering a problem increases with the complexity of the widget, he says. One approach is to restrict the number of browser plug-ins personnel are allowed to install, he suggests.
While operating systems such as
The second category of threats to organizations’ networks can come from efforts to mash content. In the age of information sharing and in an effort to provide convenience and a one-stop source to its site visitors, organizations are opening up their Web sites by pulling in content from other organizations’ Web sites. If a company is not smart about how it is integrating the merged content, security holes can open up, enabling a hacker to trick visitors into believing they are sending personal information to a trusted site when in reality it is being diverted to a look-alike.
“Be aware of the implications [to systems] when you talk about mash-ups,” Frantz recommends. “Ask the creator about security. What security guarantees are made by this solution? Are you sure no one can see my credentials? Can anyone come behind me and use my browser? These are some of the questions you want to ask.”
Flaws in configuration—or simply lack of configuration awareness—are the third area that can create risks to organizations’ computer systems. The majority of systems administrators understand the configuration of their operating systems, but now this represents only the first step to mitigating risk, Frantz says.
The Center for Internet Security, for example, is turning its attention to the application layer because that’s where vulnerabilities are popping up. “Organizations need to be aware of the configuration status of their computers. A lot of applications have a feature set to do a lot of stuff, and the user won’t use it all, so it can be disabled to reduce the threat,” he explains. Management of this process should not be left up to the users, he adds.
Frantz says that overall, when a company is trying to put a bear hug around the security of its systems, it should start from the outside and move in: the Internet, then secured sites, then servers. First, organizations need to identify the areas of their Web sites that don’t require identification verification. That is the outer layer. Then they should find all the areas where information could be diverted—such as store locators that allow visitors to find the outlet nearest them by putting in their ZIP codes. This service, while valuable to customers, could lead to hackers diverting users to bogus sites. Finally, security officers need to examine what verified customers have access to once inside.
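The store-locator case above, where a visitor is handed onward to another page, is the kind of feature a reviewer of the unauthenticated outer layer would check first: if the next destination comes from a request parameter and is not validated, a visitor can be diverted to a look-alike site, which is also the concern Frantz raises about mash-ups. The following is an added example, not code from the article or from the Center for Internet Security. It assumes a hypothetical locator that accepts a `next` parameter, and `ALLOWED_HOSTS` and the sample requests are constructed for illustration; it shows the unchecked version beside a hardened validator that only returns same-site paths or allow-listed hosts.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this hypothetical site is willing to send visitors to (constructed for the example).
ALLOWED_HOSTS = {"www.example-store.com", "locator.example-store.com"}
DEFAULT_LANDING = "/"


def unchecked_redirect_target(requested: str) -> str:
    """Weak version: forwards the visitor to whatever the 'next' parameter says."""
    return requested


def safe_redirect_target(requested: str, allowed_hosts=ALLOWED_HOSTS,
                         fallback=DEFAULT_LANDING) -> str:
    """Hardened version: return a destination that stays on this site or on an
    allow-listed host; anything else collapses to the fallback landing page."""
    if not requested:
        return fallback
    # Some browsers treat backslashes as slashes, so normalise before parsing;
    # this turns "\\evil.example" into the scheme-relative "//evil.example".
    candidate = requested.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # A plain relative path. Require a leading "/" so the result is a
        # same-site location; query and fragment are kept as supplied.
        if not candidate.startswith("/"):
            return fallback
        return urlunsplit(("", "", parts.path, parts.query, parts.fragment))

    # Scheme-relative ("//host") and non-web schemes ("javascript:") end here.
    if parts.scheme not in ("http", "https"):
        return fallback

    # hostname is lower-cased and has userinfo and port stripped, so
    # "https://www.example-store.com@evil.example/" yields "evil.example".
    host = parts.hostname
    if host is None or host not in allowed_hosts or parts.username is not None:
        return fallback
    # Rebuild from the validated pieces rather than echoing the raw input;
    # the port and fragment are intentionally dropped.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def review_requests(samples):
    """Compare both behaviours over a list of 'next' values; returns
    (requested, unchecked_result, hardened_result) tuples."""
    return [(s, unchecked_redirect_target(s), safe_redirect_target(s)) for s in samples]


if __name__ == "__main__":
    # Constructed sample values a locator might receive in its 'next' parameter.
    constructed_samples = [
        "/stores?zip=22030",
        "https://www.example-store.com/stores",
        "//evil.example/login",
        "https://www.example-store.com@evil.example/",
        "https://www.example-store.com.evil.example/",
        "javascript:alert(1)",
    ]
    for requested, weak, hardened in review_requests(constructed_samples):
        print(f"{requested!r:50} unchecked -> {weak!r:50} hardened -> {hardened!r}")
```

The validator rebuilds the destination from parsed, checked components instead of echoing the raw parameter, which is what defeats the userinfo, look-alike-suffix and backslash variants in the sample list; the allow-list itself is the one piece a site has to maintain as its partner hosts change.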
The topic of cybersecurity readiness will be the focus of the next free SIGNAL Magazine webinar, October 21, 2008, at 2 p.m. EDT. Additional information about the speakers and topics as well as registration for the event is available online.