Submitted by the Information Technology Committee
AASCIF members' use of the Internet or the Web to deliver
policy and claims information to policyholders, brokers and employees
has increased dramatically. This increasing use of the Web means an increased
risk to host organizations’ information systems environments. For
example, over a one-week period, SecurityFocus of San Mateo, California,
tracked 10 million security incidents. The results indicate that 64 percent
of the threats targeted the victim’s web applications.
Hackers are a lazy lot - they will target a weak link within a system,
the door with the easiest lock to pick! Increased focus over the years
has been on hardening systems through firewalls, segmented networks, strong
authentication, Virtual Private Networks, and Intrusion Detection Systems.
However, it is the internal end user and trusted business partner who
are the most important parts of an organization’s information systems
security posture. Threats to the trusted user are many, including:
- “Social Engineering” (i.e., the use of non-technical means
to obtain information to break into a system);
- Laptop and media theft;
- Remote machine attacks; and
- Malicious code.
The attacker will exercise these threats through a variety of means,
exploiting particular known system vulnerabilities by:
- Taking advantage of user trust, and of users' ignorance of the corporate
policy that sharing one's password with anyone, regardless of who they are,
is poor practice. This unqualified trust of the end user is earned through
Social Engineering;
- Stealing laptops and removable unprotected media and accessing (and
selling) the private data to their advantage;
- Attacking remote host operating system and application vulnerabilities
that have not been updated with the latest security patches; and
- Introducing malicious code such as viruses, worms or Trojan horses
onto an end user's machine that lacks virus protection; that code can
later be used as an entry point into the corporate information system.
| Threat | Vulnerability | Security Control |
| Social Engineering | | |
| Laptop and media theft | | Encryption and Strong Passwords |
| Remote machine attacks | Unpatched Host Operating Systems and Applications | Latest Software Patches, Personal Firewall |
| Malicious code | Outdated or No Virus Protection | |
Managing the Risk: Security Controls
There is no "silver bullet"; however, there are a number of
things management can do to make your network more secure. You can manage
the risk by deploying particular security controls to your users’
environment.
- Periodically require users to read and acknowledge the latest corporate
security policies and procedures covering good password management practices
and incident reporting. Ensure that they know whom to contact when someone
has asked them for their password. Reporting these incidents now may
protect others within your organization from the same threat in the
future.
- Ensure that users physically protect their laptops and removable
media. If they cannot physically secure their laptop, ensure that they
have at least properly encrypted the media or are using strong passwords
to protect the media, and have backed up the data to ensure minimum
impact of its loss.
- Ensure that users update their remote computers with the latest software
and application security patches. Additionally, they should add a personal
firewall to their machines if they are attached to the network remotely
via a dial-up or broadband (DSL, cable modem) connection.
- Ensure that your organization installs virus protection software
on each and every host, desktop, and laptop and that the latest virus
definitions are installed and are protecting those machines from malicious
code.
Resources
This article is not intended to provide all the information necessary
to protect the State Funds from Internet threats. There are many other
places to go for help. Here are just a few: