Editor's note
analysis that should not be made by the IT area alone,<br />
but in which all of the organization’s areas should<br />
necessarily be involved. These kinds of analyses typically<br />
require an external vendor’s assistance: a team of<br />
experts who contribute their skills, experience and<br />
qualified human resources to accelerate information<br />
gathering and classification.<br />
I believe every organization should implement this kind<br />
of analysis, and should update it at least on a yearly<br />
basis. This has been stated by several international<br />
standards for many years now (ISO 17799, ISO 27001,<br />
BS 7799), as well as by the methodologies that support<br />
this task (MAGERIT, COBIT).<br />
The lack of analyses assessing an organization’s assets<br />
and risk exposure has several impacts on IT and<br />
Information Security strategic planning, and it hits<br />
everyday matters as well, such as investment rationale!<br />
Ghosts Do Exist<br />
I have tried to stress the covert nature of APT<br />
attacks. This should make us think that the chances<br />
of our organization’s components being infected (or<br />
being on their way to infection) are very high.<br />
In fact, many experts go a bit further and propose<br />
working from a specific assumption: that their<br />
organization has already been infected, and then<br />
working from there. I must confess that I agree with<br />
this approach!<br />
Assuming that the company has been infected by some<br />
kind of silent threat does not mean checking that you<br />
have the latest antivirus version in place or reviewing<br />
the list of open ports at the firewall; it is an in-depth<br />
insight and self-awareness process in which all<br />
technological aspects, processes and human resources<br />
of the organization should be involved.<br />
Controlling Is Not the Same as Prohibiting<br />
Many organizations have decided to limit (or outright<br />
prohibit) their employees’ access to social networks,<br />
messaging, and a growing number of websites and<br />
applications; in most cases this is simply the result of<br />
categorizing these sites as dangerous, and in the<br />
best-case scenario it reveals a deep unawareness of how<br />
social networks and individuals work.<br />
It has been widely proven that any ban triggers a<br />
countermeasure; if users want to access a forbidden<br />
site they will certainly find a way to do it, and new<br />
problems will most likely arise while they try.<br />
Some organizations, following a risk analysis, make<br />
a quantitative decision to prohibit one or several<br />
applications based on a tangible business risk. Well,<br />
those organizations are on the right path; however,<br />
they represent a minimal share of the aggregate, and<br />
those who have really done it usually opt to forbid<br />
the smallest possible number of sites.<br />
starterkit 02/2011(2)<br />
Before prohibiting, organizations should first evaluate<br />
the benefits of controlling the use of these potentially<br />
hazardous applications; social networks are growing<br />
sources of revenue generation, in addition to being<br />
relatively low-cost and widespread promotion channels!<br />
Many companies have people devoted to managing<br />
promotion and sales channels in social networks.<br />
If companies are increasingly going to use this kind<br />
of communication channel as an alternative to the<br />
traditional ones, maybe the wisest thing to do would be<br />
to recognize those potential benefits and opportunities<br />
and encourage a controlled use that minimizes risks,<br />
rather than trying to prohibit something that, sooner<br />
or later and in one way or another, we will have to<br />
allow anyway, by then without the skill and experience<br />
we would have gained if we had allowed it from the<br />
very beginning.<br />
On the other hand, prohibiting something makes us<br />
feel we don’t have to worry about it anymore, which<br />
may turn into a double-edged sword!<br />
Although Devices Are Not Company-Owned, They<br />
May Still Hold Company Information<br />
Some years ago it was very easy to draw an imaginary line<br />
between the organization and the outer world (the perimeter),<br />
and to focus our protection efforts on safeguarding the<br />
traffic crossing this line. The guiding principle of this<br />
approach was that everything inside the line belonged<br />
to the company and therefore had to be protected, while<br />
everything on the other side of the line belonged to the<br />
outer world and was the source of any threat.<br />
Even though we should have abandoned that myth several<br />
years ago, given statistics showing that above<br />
70% of attacks perpetrated against an organization<br />
had their source on the intranet (i.e. the inner side of<br />
the perimeter), over the last few years we have seen that<br />
line blur at high speed: first due to the expansion of<br />
telework, followed by Business to Business interconnections,<br />
and more recently the coup de grâce<br />
(finishing blow) dealt by the increasing adoption of<br />
Cloud Computing.<br />
Well then, in addition to everything already known and<br />
mentioned in this paper, a new kind of threat is knocking<br />
on our doors, and we had better take it into account:<br />
let’s welcome smartphones, PDAs, tablets and the like!<br />
These devices, which in most cases are not the property<br />
of the organization, usually have access to email and<br />
other systems, and hold the organization’s critical<br />
information, which is not only outside the organization’s<br />
boundaries but travelling who knows where, without any<br />
kind of security control whatsoever.<br />
Page 33 http://pentestmag.com