Sunday, September 16, 2007

Why Computer Security Affects YOU

Computers today are an integral part of day to day campus life. E-mail and instant messages are heavily used for communications. University administrative business processes depend upon computer automation, record keeping, and dependable, confidential, and quick access to reliable information. The university's academic processes make use of computers for classroom presentations, lab demonstrations and simulations, and online research. For many of us, computers are also used frequently in our private lives.

We all have a vested interest in ensuring that our computing infrastructure continues to operate reliably and that it preserves the confidentiality and integrity of the information it handles - both our own and that of those we serve. Our JMU network is made up of over 15,000 computing devices. Each and every device contributes to our network's security. Each and every operator of those devices has a necessary and important part in preserving the integrity of our network, just as every citizen has a necessary and important part in preserving a society.

Each and every day, some of the 600 million people on the Internet are reaching out and touching our computers in attempts to violate our privacy, use our resources, dupe us into helping them perform a crime, or steal information. Every one of the 15,000 or so computers on the JMU network is an attractive target for criminals. Serious crimes have been committed on, by, and through five-year-old laptops.

"The people of the world have granted control of their existence to computers, networks, and databases. You own property if a computer says you do. You can buy a house if a computer says you may. You have money in the bank if a computer says so. Your blood type is what the computer says it is. You are who the computer says you are." How to Own an Identity

Do you think your computer isn't an attractive target for criminals? Think again:

And while setting up a computer and operating it in a more secure manner may sometimes be confusing, frustrating, and inconvenient, some simple steps can help prevent not only crimes against the network at large, but also personal losses:

The resources found here will hopefully help provide an understanding of the threats we face and the steps we can take to protect both ourselves and the rest of the JMU computing infrastructure.


Saturday, September 15, 2007

How Security Event Manager (SEM) Technology Can Facilitate Risk Assessment (Part 2)

What Security Event Management Tools Contribute

Security Event Management (SEM) tools, tools that correlate and analyze intrusion detection, firewall and other security-relevant output to provide a picture of the security condition of computing systems, networks, and applications, are playing an increasing role in information security programs worldwide. Although log aggregation and powerful event correlation based on a wide range of inputs are generally considered to be the greatest benefits of using SEM tools, a growing number of organizations are using SEM tool output to facilitate risk assessment efforts. SEM tools aid the risk assessment process by:

  • Helping identify actual threats. Identifying potential threats traditionally almost always amounts to little more than a guessing exercise. For example, individuals who conduct risk assessments are likely to assume that a Web server located in a network’s external gateway will be exposed mainly to threats associated with the activity of external attackers (“hackers”). Other threats can thus easily be overlooked. SEM tool output shows actual rather than merely expected attacks; in so doing, it facilitates identifying previously unanticipated threats. At the same time, the validity of already identified threats can be verified because SEM tools produce empirical data. For example, SEM tool output might show that 80 percent of attacks on an external Web server originate from unknown external hosts, 10 percent originate from known external hosts (such as hosts with IP addresses assigned to competitors), and 10 percent originate from internal hosts. Accordingly, a risk assessment could be modified to include new threats to the Web site in question—threats due to competitors as well as threats due to insiders.

  • Providing more accurate and complete information. No reporting device such as a firewall or intrusion detection system is perfect; every one misses at least some of the events it is designed to detect. An intrusion detection system may, for instance, fail to detect several attacks. The nature of SEM tool functionality can, however, help compensate for the limitations of reporting devices: information from a firewall and several host-based agents may result in the identification of attacks that the intrusion detection tool missed. The same principle applies to false alarms. An intrusion detection system may trigger a false alarm; if firewalls and host-based agents have not detected the attack, however, an effective SEM tool is likely to suppress the false alarm. The more accurate and complete the information about security-related incidents, the more accurate risk assessments will be.

  • Providing objective probability data. Because SEM tools provide empirical data about attacks and their sources, the probability of attack associated with each threat can readily be determined. The percentages in the previous hypothetical example of a Web server located in an organization’s external gateway illustrate the value of SEM tools in calculating probabilities. The more precise and objective the percentages, the more accurate risk assessments will be.

  • Facilitating a more comprehensive view of risk. SEM tools deployed over extended periods of time help compensate for a major limitation of risk assessments, namely that they provide a view of risk only for a particular snapshot in time. Critics of risk assessment in fact generally point out that a recently conducted risk assessment is outdated as soon as it is completed. In contrast, SEM tools collect information concerning security-related events that have been initiated from a variety of sources continuously over time; they thus help build a more comprehensive view of what really is occurring over time.

  • Providing sanity checking for asset valuation. As mentioned previously, asset valuation is virtually always a critical step in performing risk assessments. Effective SEM tools are also helpful in that they assist in providing sanity checks for the asset valuation process by allowing importance metrics to be assigned to each asset. For example, if the asset valuation process has identified a certain asset as extremely important, but those who operate a SEM tool rate that asset as a 1 on a scale from 1 to 10, there is a significant discrepancy that needs to be resolved.
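
The 80/10/10 breakdown and the valuation sanity check described in the list above can both be computed directly from SEM output. The Python script below is an added example, not code from the original article or from High Tower's product: it parses a constructed sample of normalised SEM events (hypothetical asset names, source addresses from the RFC 5737 documentation ranges), labels each source as internal, known external or unknown external against an assumed address inventory, reports the percentage of attacks per source class for each target asset, and flags assets whose risk-assessment valuation tier disagrees with the 1-to-10 importance rating the SEM operators assigned. The tier-to-rating bands, the competitor network and the ratings are all assumptions of the example.

```python
# Added example (not part of the original page or High Tower's product):
# turn SEM-style event output into (a) the per-asset breakdown of attack
# sources that Part 2 describes and (b) a sanity check of the risk
# assessment's asset valuation against the SEM operators' importance ratings.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of normalised SEM output, one event per line:
# "<timestamp> <source_ip> <target_asset> <event_name>". Addresses come from
# the RFC 5737 documentation ranges and the asset names are hypothetical.
SAMPLE_EVENTS = """\
2007-09-10T01:12:03 203.0.113.7   web-ext sql-injection-attempt
2007-09-10T01:40:51 203.0.113.9   web-ext directory-traversal
2007-09-10T02:05:17 203.0.113.12  web-ext sql-injection-attempt
2007-09-10T03:22:08 203.0.113.40  web-ext brute-force-login
2007-09-10T04:00:31 203.0.113.41  web-ext sql-injection-attempt
2007-09-10T05:11:45 203.0.113.55  web-ext vulnerability-scan
2007-09-10T06:30:02 203.0.113.80  web-ext brute-force-login
2007-09-10T07:15:19 203.0.113.99  web-ext sql-injection-attempt
2007-09-10T08:02:44 198.51.100.20 web-ext vulnerability-scan
2007-09-10T09:48:27 10.1.2.3      web-ext brute-force-login
2007-09-10T10:05:00 10.5.5.5      hr-db   privilege-escalation
2007-09-10T11:30:12 10.5.5.6      hr-db   bulk-export
"""

# Hypothetical address inventory used to label event sources.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_EXTERNAL = {ip_network("198.51.100.0/24"): "competitor-a"}


def classify_source(ip: str) -> str:
    """Label a source address as internal, a known external party, or unknown."""
    addr = ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    for net, owner in KNOWN_EXTERNAL.items():
        if addr in net:
            return f"known-external:{owner}"
    return "unknown-external"


def threat_breakdown(events_text: str) -> dict:
    """Per target asset, the percentage of observed attacks by source class."""
    counts = defaultdict(Counter)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        _ts, src, asset, _event = line.split()
        counts[asset][classify_source(src)] += 1
    breakdown = {}
    for asset, by_class in counts.items():
        total = sum(by_class.values())
        breakdown[asset] = {cls: round(100.0 * n / total, 1) for cls, n in by_class.items()}
    return breakdown


# Valuation tier per asset from the risk assessment, and the importance rating
# (1 to 10) the SEM operators assigned. Both sets of values are constructed.
ASSET_VALUATION = {"web-ext": "critical", "hr-db": "critical", "kiosk-01": "low"}
SEM_RATINGS = {"web-ext": 9, "hr-db": 1, "kiosk-01": 2}

# Rating band each valuation tier is expected to fall into (an assumption).
TIER_BANDS = {"critical": (8, 10), "high": (6, 7), "medium": (3, 5), "low": (1, 2)}


def valuation_discrepancies(valuation: dict, ratings: dict) -> list:
    """Assets whose SEM importance rating falls outside the band for their tier."""
    flagged = []
    for asset, tier in valuation.items():
        rating = ratings.get(asset)
        if rating is None:
            continue  # not rated by the SEM operators; nothing to compare
        low, high = TIER_BANDS[tier]
        if not low <= rating <= high:
            flagged.append((asset, tier, rating))
    return flagged


if __name__ == "__main__":
    for asset, pct in threat_breakdown(SAMPLE_EVENTS).items():
        print(asset, pct)
    print("valuation discrepancies:", valuation_discrepancies(ASSET_VALUATION, SEM_RATINGS))
```

Run as a script, it prints the per-asset breakdown and the flagged assets. On the constructed data the external Web server shows the 80/10/10 split from the text, the HR database turns out to be attacked only from inside (a threat an external-only view would miss), and the HR database is flagged because the assessment values it as critical while the SEM operators rated it 1.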

Conclusion
SEM technology yields a wide range of benefits (see http://www.high-tower.com/news_white_papers_stm.asp). This technology appears to be increasingly improving to the point that there are now compelling reasons for organizations to use this technology in connection with their information security programs. Using SEM technology in connection with risk assessment efforts is one among many very important benefits. In particular, SEM tool output can provide empirical information that is usually not otherwise available during the risk assessment process.

Most SEM systems available in the market have common baseline features that include event collection, aggregation, correlation, analysis and response. These features should be evaluated and considered in selecting a SEM vendor after a risk assessment is performed. When selecting a SEM tool it is important to look at functional capabilities with a specific focus on critical criteria such as ease of deployment, integration of vulnerability assessment data, and monitoring and reporting functionality for regulatory and audit compliance. In short, because of all they deliver for the price, SEM tools should be viewed as an investment, not an expense. Investing in network security measures that meet changing business requirements and risks makes it possible to satisfy these requirements and enable business processes without interfering with the business' viability.

About High Tower
High Tower Software provides advanced security event management solutions that quickly improve organizational security while simplifying processes for network and security administrators. The company’s flagship product, High Tower® Security Event Manager, leverages patented analytic technology to intelligently assess security risk conditions, reduce false positives, and deliver a streamlined view of active threats to the enterprise network. For more information on High Tower’s products, please visit our Web site at www.high-tower.com or call 877-HI TOWER (877-448-6937).


How Security Event Manager (SEM) Technology Can Facilitate Risk Assessment (Part 1)

By
E. Eugene Schultz,
Ph.D., CISSP, CISM
High Tower Software, Inc.

Executive Summary

Risk assessment is one of the most essential activities performed in the information security arena. The many benefits of using Security Event Management (SEM) tools are becoming widely recognized, but the value of these tools in facilitating risk assessments is too often overlooked. Despite the many different risk assessment methodologies that currently exist, risk assessment in the most fundamental sense boils down to measuring the value of computing assets and the threats against them. SEM tools help in pinpointing real threats, providing more accurate and complete information than otherwise might be available, yielding objective probability data, helping produce a more complete view of risk, and helping check the validity of asset evaluation. The key is providing objective data—without objective data, risk assessments lack validity.

Introduction
In information security, risk assessment is often defined as the process of analyzing threats against and vulnerabilities in a computing system, network and/or application and the potential negative impact the compromise of information or capabilities of the system, network, and/or application would cause. Of all the activities in which information security professionals engage, risk assessment is one of the most fundamental if not the most fundamental of them. Consider, for example, the following statement from the Computer Information Security Manager Certification Examination Preparation Manual:

The foundation for effective risk management is a comprehensive risk assessment... Failing to understand the nature and extent of risks to information resources and the potential impacts on the organization’s activities, it will not be possible to devise a relevant risk management program.

Additionally, risk assessment results are usually used in selecting and implementing suitable and cost-justifiable security control measures. Without the results of accurate risk assessments, inappropriate control measures are likely to be chosen and implemented, resulting in a waste of resources as well as unacceptably high levels of risk.

Although understanding the basic notion of risk assessment and its goals is not difficult, determining how to approach conducting risk assessments is a different matter. Many different risk assessment methodologies have been created; choosing among them is a potentially ominous task. At the highest level of abstraction, these methodologies are either quantitative or qualitative in nature. Quantitative methodologies produce metrics such as expected monetary loss over a period of time; qualitative methodologies yield results such as the amount of risk in terms of high, medium, or low risk for each computing asset. At a much lower level of abstraction, methodologies differ concerning the prescribed specific steps and/or procedures. Carnegie-Mellon University’s Software Engineering Institute (SEI), for example, advocates a risk assessment methodology, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), that is substantially different from the International Security Forum’s (ISF’s) Simple to Apply Risk Analysis (SARA). To say that no single widely accepted risk assessment methodology exists today is a major understatement.

Methodologies vary, but most of them have at least some elements in common. In most, for example, the first step in performing a risk assessment is almost always determining asset valuation, i.e., assessing the value of information and computing assets. If the value of an asset is low, risk cannot be very great because risk should, at least at some rudimentary level, be viewed as the product of asset value multiplied by the probability of a security breach that adversely affects the asset, summed over all assets. If on the other hand the value of an asset is high, risk is potentially much higher. The greater the value of an asset and the greater the probability of a security breach that negatively impacts that asset, the greater the risk. Additionally, most methodologies consider existing threats against assets. If an asset is extremely valuable but is isolated from all networks, there are fewer threats than if that asset is fully network-connected. In the former case, remote attackers are not a threat; the opposite is true in the latter case.

Measuring Security-Related Risk
Although most risk assessments are conducted according to a prescribed methodology, subjectivity during the process of conducting risk assessments is currently one of the major drawbacks. Risk assessment teams too often produce completely subjective estimates of both the value of assets and the probability that they will experience security breaches. Although a few individuals have over the years developed considerable savvy in estimating risk, for the most part subjective risk assessments are of limited value, especially when the cost to benefit ratio of these assessments is considered. At least some degree of subjectivity in risk assessment will, unfortunately, invariably be a part of the process; nevertheless, subjectivity can at least to some degree be minimized. Technical methods that include using special software can be deployed to more precisely identify, quantify and document risk than if risk is assessed purely on a subjective basis.
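
Part 1 describes risk, at a rudimentary level, as asset value multiplied by the probability of a damaging breach, summed over all assets, and contrasts subjective estimates with data from special software. The Python below is an added illustration, not code from the article or from High Tower: it evaluates that model for a constructed inventory twice, once from an analyst's guessed annual probabilities and once from breach counts a SEM tool observed over a 180-day monitoring window, drops remote-attacker threats for an asset that is isolated from the network, and reports both the quantitative result (expected annual loss) and a qualitative high/medium/low bucket from the same inputs. The asset names, values and counts, the Poisson-based conversion of counts to annual probabilities, and the bucket thresholds are all assumptions of the example.

```python
# Added example (not code from the page or from High Tower): Part 1's
# rudimentary risk model, risk = sum over assets of asset value x probability
# of a damaging breach, computed once from an analyst's subjective probability
# guesses and once from breach counts a SEM tool observed over a monitoring
# window. Asset names, values, counts and the high/medium/low thresholds are
# all constructed for the illustration.
import math
from dataclasses import dataclass

# Threats that only apply when the asset is reachable over a network.
REMOTE_THREATS = {"remote-attacker"}


@dataclass
class Asset:
    name: str
    value: float               # impact of a full compromise, in currency units
    network_connected: bool    # isolated assets face no remote-attacker threat
    subjective_p: dict         # threat -> analyst's guessed annual breach probability
    observed_incidents: dict   # threat -> confirmed damaging incidents seen by the SEM


def threat_applies(asset: Asset, threat: str) -> bool:
    """Remote threats are dropped for assets that are not network-connected."""
    return asset.network_connected or threat not in REMOTE_THREATS


def empirical_p(incidents: int, window_days: int) -> float:
    """Annual probability of at least one incident, derived from a count seen
    over window_days by treating incidents as Poisson arrivals (a modelling
    assumption of this example, not something the paper prescribes)."""
    rate_per_year = incidents * 365.0 / window_days
    return 1.0 - math.exp(-rate_per_year)


def breach_probability(asset: Asset, probs: dict) -> float:
    """Probability that at least one applicable threat breaches the asset in a
    year, treating the threats as independent."""
    p_none = 1.0
    for threat, p in probs.items():
        if threat_applies(asset, threat):
            p_none *= 1.0 - p
    return 1.0 - p_none


def asset_risk(asset: Asset, use_sem: bool, window_days: int = 365) -> float:
    """Value x breach probability for one asset, with probabilities taken either
    from the analyst's guesses or from the SEM observations."""
    if use_sem:
        probs = {t: empirical_p(k, window_days) for t, k in asset.observed_incidents.items()}
    else:
        probs = asset.subjective_p
    return asset.value * breach_probability(asset, probs)


def total_risk(assets, use_sem: bool, window_days: int = 365) -> float:
    """The quantitative result: expected annual loss summed over all assets."""
    return sum(asset_risk(a, use_sem, window_days) for a in assets)


def qualitative(risk: float) -> str:
    """The qualitative result: the same number bucketed with constructed thresholds."""
    if risk >= 100_000:
        return "high"
    if risk >= 10_000:
        return "medium"
    return "low"


# Constructed inventory; the SEM counts cover a 180-day monitoring window.
WINDOW_DAYS = 180
ASSETS = [
    Asset("web-ext", 500_000, True,
          {"remote-attacker": 0.10, "insider": 0.01}, {"remote-attacker": 2, "insider": 0}),
    Asset("hr-db", 2_000_000, True,
          {"remote-attacker": 0.05, "insider": 0.02}, {"remote-attacker": 0, "insider": 1}),
    Asset("archive-vault", 1_000_000, False,   # isolated: remote-attacker never counts
          {"remote-attacker": 0.05, "insider": 0.005}, {"remote-attacker": 0, "insider": 0}),
    Asset("kiosk-01", 500, True,               # low value, so low risk however often it is hit
          {"remote-attacker": 0.90}, {"remote-attacker": 40}),
]

if __name__ == "__main__":
    for a in ASSETS:
        guess, seen = asset_risk(a, False), asset_risk(a, True, WINDOW_DAYS)
        print(f"{a.name:14} subjective {guess:>12,.0f} ({qualitative(guess)})"
              f"  sem-based {seen:>12,.0f} ({qualitative(seen)})")
    print(f"total: subjective {total_risk(ASSETS, False):,.0f}"
          f"  sem-based {total_risk(ASSETS, True, WINDOW_DAYS):,.0f}")
```

On the constructed inventory the subjective and SEM-based figures diverge sharply for the Web server and the HR database, which is the paper's point about objective data; the isolated archive keeps only its insider risk, and the kiosk stays low-risk under either method because its value is small, however many attacks the SEM records against it.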




Saturday, September 8, 2007

Security Event Management Tools

Here's a sampling of security event management products that are currently available:

  • Arcsight Inc.

    TruThreat Risk Correlation Engine: Combines threat-severity information with asset data to determine and prioritize risk. Allows administrators to set and monitor policies according to asset priorities.


  • Computer Associates International Inc.

    eTrust security management software: Product suite comprising identity management, access management and threat management components. An eTrust security center provides centralized management of these functions.


  • e-Security Inc.

    eSecurity Security Event Manager: Consists of three modules -- Sentinel, Wizard and Advisor -- for gathering, analyzing and centrally reporting security event data.


  • IBM

    Tivoli Security Event Manager: Allows users to automate responses to security events in addition to helping monitor and track security events.


  • Intellitactics Inc.

    Network Security Manager: Does security event correlation from multivendor security devices and nonsecurity information sources and provides a graphical visualization of threats, anomalies and trends.


  • netForensics Inc.

    Security Incident Manager: Uses a three-tier architecture. Agents gather data from security systems, Engines aggregate and correlate the data, and the Real-Time Console presents the data.


  • NetIQ Inc.

    VigilEnt Integrated Security Management: A product suite for policy and compliance management, administration and identity management, vulnerability and configuration management, and incident and event management.


  • Symantec Corp.

    Symantec Security Management System: Combines a security incident manager component for consolidating and correlating security information from disparate systems, an event-manager for antivirus software and a security manager policy-compliance tool.

From: http://www.computerworld.com/securitytopics/security/story/0,10801,84105,00.html


Saturday, September 1, 2007

Security Event Management

How effectively can your security administrators protect your IT infrastructure? Businesses continue to face internal and external security threats from a multitude of fronts -- viruses, unauthorized access, denial-of-service attacks and other forms of intrusions that target applications, networks, hosting infrastructure, servers and desktops. The high volume of security events that are generated can make it difficult to quickly identify and respond to real security threats.

The IBM Tivoli security event management solution helps you actively monitor IT resources across your organization, filter and correlate events, and automate responses to security incidents. This scalable solution can centrally manage security incidents and vulnerabilities from a single security console to provide an overall view of the security architecture. It gives you the capability to drill down to the network topology to see where the affected resources are located and delivers true root cause problem determination.

The IBM Tivoli security event management solution can automatically respond with adaptive security measures, help administrators pinpoint hotspots and proactively address vulnerabilities and exposures. Predefined tasks can help quickly resolve denial-of-service attacks, viruses or unauthorized access. Historical reporting guides can help you comprehend business risks, and decision support tools can be used to quickly upgrade your security policies. The IBM Tivoli security event management solution helps you take a proactive approach to protect your organization.

From: http://www-306.ibm.com/software/tivoli/solutions/securityevent/