Individuals engaged in targeted espionage can be more damaging than script kiddies.
Targeted espionage covers numerous threats: corporate espionage targeting a specific corporation; individuals seeking access to specific projects that are jointly owned by both educational and military institutions; military and financial targeted espionage; and cyber terrorism. Many people believe that targeted espionage attacks are uncommon and it is more a story line in today’s cyber thriller novels than a reality. On the contrary, this threat is quite real.
Many large corporations have been specifically targeted, so that a remote individual can gain access to intellectual property that can be either sold to other individuals or to corporate competitors. In addition, the information might be held as blackmail in exchange for large sums of money.
As you might expect, target espionage attackers are not common script kiddies. Instead, they are the elite code writers and true hackers whose out-of-the-box thought process is often many years ahead of the security mechanisms that are meant to keep them out.
Regardless of the advanced thought processes and mechanisms used by this type of individual, one thing remains constant. Certain operating system and application functions should behave only in well defined ways and any deviation can trigger the CSA to defend the system and prevent access.
Insiders
The last type of individual threat we discuss is the insider. The insider threat is often overlooked because it is typically from trusted individuals who are permitted access to data and are therefore not commonly questioned when a log shows that they have accessed proprietary information. These individuals commonly cross the line and become threats after an event occurs that makes them angry with the organizations, such as a missed promotion or firing. Additionally, individuals can become untrusted insiders when approached by individuals outside the organization looking for unauthorized access to information. This type of event is not uncommon and might even seem benign to the individual being approached. For example, a friend asks an insider for some information that is proprietary or requests simple information about corporate processes. Although the request can seem innocent, the information sought might easily be used by a person skilled at social engineering to then gain further pieces of information from other individuals.
NOTE Social engineering is the practice of gaining access to information through social interaction rather than digital hacking. Social engineering is almost impossible to prevent because it typically takes only a single individual’s error to provide just enough information for the social engineer to then access the next piece and so on. It is important that your organization treat this as a real threat and address the possibility through regular security awareness programs.
Legislation
Previous sections covered security threats that require a solution, such as malicious code and hackers. This section covers a different type of issue facing security professionals:
government- and organization-mandated compliance in the form of legislation. The cyber threats many organizations have faced in the past several years have forced governments around the world to rewrite laws so they can enforce this new type of nonphysical crime. In addition, many of these crimes have impacted not only organizations but more importantly, the customers and the customers’ private data, such as social security numbers and credit information. This can cause a single incident to impact hundreds, thousands, or even
Legislation 11
millions of individuals. The following sections discuss a few pieces of this legislation and more specifically, the CSA’s role in assisting with corporate compliance with this legislation.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was originally designed to cut health care costs that result from a lack of standards that surrounded payment processing. In addition, part of this legislature mandated the protection of patient data in two states: as it moves through electronic networks and when data is at rest, such as in electronic storage. The data that is protected is known as electronic personal health information (ePHI). A group of rules define the patient data set and specify what types of data, when combined, must be protected. For example, patient data can include the patient name, address, and medical exam record.
HIPAA affects many organizations primarily in the healthcare field, such as healthcare providers, health plans, and healthcare clearinghouses. Unfortunately, understanding these guidelines and implementing the required controls is not easy. To assist organizations in compliance, it is commonly recommended that the organizations start by following the Center for Medicare and Medicaid Services Acceptable Risks Safeguards document (CMS ARS). This document provides guidance that makes compliance easier.
NOTE To review the CMS ARS document, browse to http://www.cms.hhs.gov/it/
security/docs/ars.pdf.
The CSA can assist organizations to comply with several HIPAA requirements, as laid out in the CMS ARS document. The following list outlines how CSA assists organizations by document section:
•
Section 7: System Maintenance—Enforce immediate installation of vendor-supplied patches and virus definitions within 72 hours or provide a sufficient workaround security procedures.The CSA provides exploit protection without the need for an update to the software. Typically, when a new exploit is released and a sufficient patch is not yet available, the exploit is referred to as a Day Zero threat. Because Section 7 requires the organizations to patch or load necessary virus definitions within 72 hours, each time a new Day Zero threat is released, the staff needs to implement these updates immediately. Because CSA does not require updates, yet still provides the necessary protection, organizations can
comply without assuming any additional immediate workload. This provides companies with a sufficient timeframe needed to effectively test patches and other updates before implementing them in production environments.
•
Section 10: IDS Devices and Software—Implement host-based IDS on critical systems.The CSA provides Day Zero intrusion protection as a core function of the product.
•
Section 10: Inspection of Critical Files and Directories—Review directories and files for unexpected and unauthorized changes no less than twice per 24-hour period.The CSA product provides real-time access control security and reporting for specified directories and files on protected systems.