Preparing Tata Power for the Coming Information Security Challenge
Shrikant H. Agarwal
TATA POWER
March 2004
Information Technology Division
Tata Power Company Ltd.
Executive Summary
Information in today’s world is undeniably becoming our greatest asset. As the world becomes more and more networked and dependence on online information increases, threats to information are increasing as well, making the keepers of information “perpetual defenders”.
This report discusses the threats to information, threat agents, information security concepts, InfoSec standards, InfoSec benchmarks, Tata Power’s InfoSec standing, and areas of concern for improving the Information Security Index. We also discuss the Tata Power SMI rating as measured by the online test offered by humanfirewall.org, an independent benchmarking council, based on the ISO 17799 InfoSec standard.
SHA
Section I
Information Value and Security
The Value of Information
The value of information[1] cannot be overstated in today’s world. Information exists in many forms, such as technical know-how, best practices, trade secrets, inventions, financial and business plans, project designs, project proposals, or an opponent’s moves. Information saves time, assists quick decision making, saves money, improves quality, and improves customer satisfaction. Strategic knowledge and information can alter the course of business and the fates of nations and civilizations.
Today we live in a world heavily dependent upon information. In stock markets, large amounts of money can be made using good information, or lost because of bad information. Administrators, rulers, and governments have always depended upon information from spies to gain an advantage in war and in governing the country. Similarly, competitors’ secrets, plans and practices have always been eyed with great interest.
Today, computers are undeniably the storehouse of all our information. As is well known, the power of information grows as a power law as connectivity and the number of legitimate users increase. Therefore the keepers of information create and enable networks so that more and more users can access the information. On the other hand, as a result, better connectivity attracts illegitimate users as well.
Information Security Principles, Trust, Risks:
Security is about well-being (integrity) and about protecting property or interests from intrusions, stealing or wire-tapping (privacy: the right to keep a secret can also be stolen). To be “secure” in a hostile environment, we need to restrict access to our assets. To grant access to a few, we need to know whom we can trust, and we need to verify the credentials (authenticate) of those we allow near us and our assets. Information security is basically a function of the following:
- Confidentiality/Privacy – This is the ability to keep things (information) private/confidential.
- Trust – Whom to trust and whom not to. Do we trust data from an individual or a host? Trust is highly relative and subjective. The meaning of security lies in trust. Every security problem ultimately boils down to a question of trust!
- Risk – There is a risk involved in everything; however, we must always accept a certain level of risk.
- Authenticity – Is someone the same who he/she claims to be? Are security credentials in order? Are we talking to whom we think we are talking to?
- Integrity – How correct and pure is the information? Has the system already been compromised or altered?
- Non-repudiation – It should not be possible for users to deny or repudiate actions carried out (hide their tracks). This gives one the possibility of monitoring and even punishing those responsible for criminal actions. It is about preserving the integrity of evidence, or the forensic tracks laid by attackers.
Information security also depends upon the environment. Environments can be friendly or hostile because of
- Physical threats - weather, natural disaster, bombs, power failures, etc.
- Human threats - stealing, trickery, bribery, spying, sabotage, accidents.
- Software threats - viruses, Trojan horses, logic bombs, denial of service.
Information Security must ensure that the “rightful” owner is not subjected to:
- Losing the ability to use the system.
- Losing important data or files
- Losing face/reputation
- Losing money
- Having private information about people spread.
The Dilemma of Security
The problem that we cannot get away from in information security is that we can only have good security if everyone understands what security means and agrees with the need for security. Security is a social problem and issue, because it has no meaning until a person defines what it means to him, i.e. what should happen when policy is broken.
Additionally, if we make things difficult for users by imposing too many restrictions, the users will, as human nature dictates, tend to work around them.
The harsh truth is this: in practice, most users have little or no understanding of security. This is most frequently the biggest security hole.
Figure 1: Attacker Sophistication and Technologies
Threats to Information and Threat Agents - Attackers vs. Defenders:
Computer crime is becoming the biggest challenge to modern societies. Cyber crime is all about stealing information, either directly or indirectly. Anyone who assists, either knowingly or unknowingly, is a threat agent.
In developed countries the biggest challenge facing law enforcement is crime committed using computer technology, since computer hardware and Internet access are available to anyone at very low cost. Computer crime can be divided into two categories:
a) Crimes in which the computer is used as a tool to aid criminal activity, such as producing false identification or reproducing copyrighted material.
b) Crimes in which the computer is the target, and probably also a tool, used to attack organizations in order to steal or damage information, attack banks to make unauthorized money transactions, steal credit card numbers, and many other activities.
Threat agents have been identified as hackers [Appendix A], crackers, artificial life forms (viruses and worms), or insiders (such as employees and keepers of information).
As per a study, the earliest hackers and crackers were highly qualified computer wizards. The technical expertise of the hacker community and virus writers has, however, steadily declined, since advanced hacking and virus-creation tools can be obtained very easily on the Internet [Fig 1]. One can find several sites called virus labs where anyone can design new viruses using the website’s user-friendly graphical interface and control the extent of damage intended. Figure 2 below clearly depicts the life cycle of such tools and technologies.
Computer Viruses and Worms:
The 2000 computer virus prevalence survey estimated the damage from computer viruses at 10 billion dollars. BBC World News on 8 June 2000 reported that the Love virus affected more than 45 million computers, believed to include computers of the Pentagon, the CIA, and the British Parliament. According to the BBC, the damage from this virus reached 8.75 billion dollars.
Figure 2: Vulnerability Exploit Life Cycle
Internal Security Attacks:
As per recent CSI/FBI and Gartner reports, the most damaging penetrations of an enterprise’s security system often come with help from the inside. Gartner advises enterprises to keep a lid on sensitive information that could make the business vulnerable to an attack.
As per the statistics, it is not hacking that results in the most damaging penetrations of an enterprise’s security system. It is often the work of an employee within the enterprise that causes the most damage. And while many of those incidents are due to employee malice, a great number stem from the manipulation of employees - often without their knowledge - that results in the theft of crucial data.
Figure 3: Attacker Statistics (CSI/FBI Report)
Mobile Computing and Physical Theft of Information:
With the advent of mobile computing, laptops and palmtops are becoming extremely convenient devices to process, store and carry information. However, these are also popular targets of information theft. Laptops are stolen for the information within them, not for the laptop itself.
As per a CSI/FBI survey, in the US 53% more notebooks were stolen in 2001 than in 2000. Financial loss due to laptop theft has been second only to loss due to computer viruses for the last seven years running.
Internet as a Frequent Source of Attack:
According to a study produced by the Computer Security Institute and the F.B.I., the Internet is a source of frequent attacks: 70% in 2001 as compared to 59% in 2000, while at the same time internal attacks dropped from 38% to 31%.
Attackers Take Advantage of Employees
Malicious attackers making their way into IT systems frequently do not work alone. Their accomplices are often unsuspecting employees of the enterprises they are targeting. Malicious attackers know that the easiest way into any system is to exploit the people who use and administer it as a source of information to assist in launching the attacks.
Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, and that employees account for more than 95% of the intrusions that result in significant financial losses. The attacker can be a person inside or outside the enterprise who pretends to be someone else:
- In person
- On the telephone
- Via conventional mail or e-mail
- Through a computer program disguised as an interesting message or a legitimate program (Trojans).
Gartner also warns about “employees” in organizations who may have completely unlimited access (often off-hours), yet do not undergo nearly the scrutiny of a "regular" employee. One of the easiest ways to get past security is to work from the inside. Such people include those engaged in:
- Housekeeping
- Maintenance and external repairs/service (phone company, construction)
- Temporary workers
- Contractors
Employees as Unwitting Victims of Social Engineering
"Social engineering" uses the age-old art of human persuasion. The employee targeted by a security system attacker is a victim of social engineering: the manipulation of a person through a combination of spying, theft and clever deception. This "art of human persuasion" takes advantage of a person’s natural tendencies - such as seeking prestige, avoiding embarrassment or merely finding acceptance - and it usually follows a simple pattern:
- The attacker gathers information about his target that can be as simple as a phone number or as detailed as an organization’s structures and procedures. (For example, a user name can be gleaned from an e-mail address.)
- A relationship is developed between the outsider and the employee that establishes a degree of trust. (With the user name in hand, the attacker takes advantage of a natural instinct to be trusting and successfully identifies himself as a tech support worker.)
- The attacker maneuvers his target into revealing information or performing an action that he would not normally do. (The innocent and “helpful” employee reveals his password.)
- The attacker obtains his objective often leading him to successfully execute the cycle once more. (With user name and password in hand, access to one level of the enterprise’s system is complete. From within that level, more information is easily gathered. This allows the attacker to approach another employee and establish a trusting relationship).
Section II
Studying Attacker Behavior - Statistics
Once we have identified the attackers, it is a good war tactic to first study the enemy’s behavior and prepare for the battle. However, as many experts note, information keepers will always remain defenders, since attackers are always one step ahead.
CSI/FBI Computer Crime and Security Statistics:
The FBI has been conducting computer security surveys periodically since 2000. As per a recently published FBI survey, the following findings are of interest:
- The risk of cyber attacks continues to be high, and even organizations which have deployed a wide variety of security technologies can fall victims to significant losses.
- The percentage of these incidents reported to law enforcement agencies is surprisingly low; attackers may therefore believe that their odds of being caught and prosecuted are low.
- While the percentage of organizations reporting some form of cyber abuse is the same as in previous years, the losses reported from these incidents have fallen.
- Theft of proprietary information caused the greatest loss, amounting to 70 M$.
- Denial of service is the second most expensive computer crime, with losses amounting to 65.6 M$.
- Virus incidents reported as 82%.
- Insider abuse reported as 80%
- There is a wide resistance amongst the organizations in hiring reformed hackers to detect vulnerabilities.
- Interestingly, one in every ten organizations does not use any extra physical precautions to protect its computer assets (specially locked rooms, locking cables for laptops).
- IDS technologies are used by 73% of the organizations
- Biometrics technologies are used in 11% of the organizations
- Organizations using advanced security measures such as biometrics are more likely to use leading edge technologies such as file encryption, digital IDs or certificates.
- Internet is being quoted as the increasingly frequent point of attack.
- Theft of proprietary info has been the costliest of all the losses. This is due to an economy’s high dependence on technical know-how.
- Top sources of attack:
  - Independent hackers (highest)
  - Disgruntled employees
  - Competitors
- Top types of attacks experienced:
  - Insider abuse (highest)
  - Viruses and worms
  - Laptop thefts
  - Denial of service
- Top losses due to attacks experienced:
  - Viruses and worms (highest)
  - Laptop thefts
  - Net abuse
  - Denial of service
- Actions taken by organizations experiencing abuse:
  - Patched holes (highest)
  - Did not report
  - Reported to law enforcement
- De facto security technologies used:
  - Anti-virus software (99%)
  - Firewalls (98%)
  - Some form of physical security for information access, such as access control (92%)
Section III
International Information Security Standards
Standardization
Standardization is a tactic in the battle against disorder and chaos. Agreement about standards is a useful starting point for talking about security. Standardization leads to predictability and predictability leads to trust.
The main risk to computers is the people who come into contact with them: networked users. To minimize the effects of users on the system it is necessary to introduce security mechanisms.
The Orange Book
The Trusted Computer Security Evaluation Criteria (TCSEC) Orange Book was the first attempt to specify a standard for security management in the US, in 1967. Although it concentrated on national security issues, its recommendations were also of general applicability.
Information Security Standard BS 7799 and ISO 17799
BS 7799 and ISO 17799 are a set of best practices for information security, designed to help organizations better manage their information security systems. IT governance based on the ISO 17799 guidelines helps organizations, in both the public and private sectors, to plan and implement Information Security Management Systems (ISMS) that are capable of certification to BS 7799.
A BS 7799 certification service is also available to organizations. The ISO 17799 guidelines are based on the BS 7799 standard and provide a good reference document. BS 7799 consists of 10 security domains and a set of 127 rigorous controls. An organization following the BS guidelines can thus be confident of running a sound security process. Opinion is, however, divided on whether organizations should obtain BS 7799 certification. The certification is expensive and time consuming, and there is no guarantee that a certified organization will not be hacked. Surprisingly, several agencies offering BS 7799 certification that we discussed with were themselves not BS certified! As a general trend, ISO 17799 certification is sought by organizations seeking outsourcing contracts from overseas and at home, as it makes them likelier candidates for projects.
Nonetheless, BS 7799 and ISO 17799 undoubtedly provide excellent guidelines for organizations intending to attain a comfortable level of information security.
BS 7799 is organized into 10 sections:
- Security policy - This provides management direction and support for information security
- Organization of assets and resources - To help you manage information security within the organization
- Asset classification and control - To help you identify your assets and appropriately protect them
- Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities
- Physical and environmental security - To prevent unauthorized access, damage and interference to business premises and information
- Communications and operations management - To ensure the correct and secure operation of information processing facilities
- Access control - To control access to information
- Systems development and maintenance - To ensure that security is built into information systems
- Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
- Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement
An organization using BS 7799 as the basis for its ISMS can become registered by BSI, thus demonstrating to stakeholders that the ISMS meets the requirements of the standard.
Section IV
Benchmarking Security Index
Introduction
The Humanfirewall.org council is an independent organization formed in September 2002, consisting of a committee of professional security practitioners dedicated to improving leading practices in information security.
Humanfirewall.org has introduced the “Security Index” as an online survey based on ISO 17799, as well as on various leading practices from security industry analysts and professional associations. As noted earlier, the ISO 17799 standard defines the 10 security domains and 127 controls in great detail. Many researchers and governments have questioned its utility or effectiveness. Today, nonetheless, ISO 17799 has gained international acceptance and become the de facto InfoSec standard for defining (at a high level) an organizational information security program and architecture. Even though it has received a lot of criticism, interest in it and its adoption have built up significant momentum all over the world. It is currently undergoing revisions that are appeasing its staunchest critics and enhancing the standard and its applicability.