Data and identity theft has become a huge problem for plenty of companies that use personal computers, databases and networks worldwide. In fact, data is considered the new currency in the business sphere. Consequently, in such conditions data and network protection should be a number one priority for any IT department within the company.
To protect their data, many companies apply a complex, systematic approach. No single application or script can guarantee system security, so measures aimed at protecting information and data should be reviewed, analyzed and applied in conjunction.
Systematic approach in ensuring network infrastructure security
The Information Security Officer plays a key role in creating, implementing and enforcing appropriate policies, practices and procedures to avoid data theft, loss or corruption. To perform this role, he needs deep and broad knowledge of the data flow in the company. He should also follow the guidelines and adhere to the policies of software and database providers when resolving any issues on the servers containing critical data.
One of the popular tools for network security is the virtual private network, also known as a VPN. These virtual networks are used by employees to establish a secure remote connection to the company’s main network when they are out of the office, for example, or based in different physical locations. As a rule, a VPN is quite a secure method of networking, and in order to break through its defense one has to gain control over the PC or laptop where the VPN connection was set up. For this reason, protection tools and methods such as enabling a personal firewall and BIOS passwords should be applied by the system administrator to his corporate PC, where all network-related critical data is stored.
Since computer hackers often exploit vulnerabilities in a specific information system or network, it is important that responsible staff of the company check for and identify such vulnerabilities in order to prevent them from being exploited. As an example of such a vulnerability, consider the well-known Oracle database feature called TNS Listener. It is responsible for establishing a connection with the DB and has a well-known vulnerability, the TNS Poison Attack, that still does not have any fixes, but only a workaround. The vulnerability allows a hacker to wiretap the traffic between the Oracle DB and the client that uses it and to see all sent and received data (Koret, 2008). Consequently, if the vulnerability is exploited, it gives the attacker full control over the database server. In order to implement the workaround to this issue provided by Oracle, a Premium Support database version should be used.
Assuming that the support version of Richman Investments’ Oracle products is Standard, there is no security alert solution for it, and the databases can be easily attacked by the TNS Listener Poison Attack.
Only network access to the TNS Listener is needed in order to exploit this vulnerability.
Thus, if the vulnerability is exploited, it gives the attacker full control over the DB server. Assuming that Richman Investments has several Oracle installations, it would mean total control over all data stored in the DB.
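A defender can check whether each listener in a listener.ora file restricts which instances may register services with it. The script below is an added example, not part of the original text or of any Oracle tooling; it assumes the exposure described above is open service registration with the listener, and it treats an absent parameter as unrestricted, which is not true of releases that restrict registration by default. The sample file and host names are constructed.

```python
import re

# Constructed listener.ora (not from the original page); host names are placeholders.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521)))
LISTENER_HR =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db02.example.com)(PORT = 1522)))
VALID_NODE_CHECKING_REGISTRATION_LISTENER_HR = ON
"""

# Parameter prefixes (suffixed with the listener name) that restrict registration.
RESTRICTING = {
    "DYNAMIC_REGISTRATION_": {"OFF"},
    "VALID_NODE_CHECKING_REGISTRATION_": {"ON", "1", "LOCAL", "SUBNET", "2"},
    "SECURE_REGISTER_": None,  # any transport list counts as set
}

def parse_top_level(text):
    """Map each column-0 NAME to its value, joining indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)", line)
        if m:  # the pattern cannot match an indented continuation line
            name = m.group(1).upper()
            params[name] = m.group(2).strip()
        elif name:
            params[name] += " " + line.strip()
    return params

def audit_listeners(text):
    """Return {listener: [restricting parameters in effect]}; [] means unrestricted."""
    params = parse_top_level(text)
    listeners = [n for n, v in params.items() if re.search(r"\(\s*ADDRESS\s*=", v, re.I)]
    report = {}
    for lsnr in listeners:
        found = []
        for prefix, allowed in RESTRICTING.items():
            value = params.get(prefix + lsnr)
            if value and (allowed is None or value.upper() in allowed):
                found.append(prefix + lsnr)
        report[lsnr] = found
    return report

if __name__ == "__main__":
    print(audit_listeners(SAMPLE_LISTENER_ORA))
```

A listener reported with an empty list accepts registrations from any host that can reach its port, so it should also be checked against the network firewall rules.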
Some more potential vulnerabilities on the employees’ PCs can be detected by installing and running various scanning tools, available at:
An attacker’s best chance of doing significant damage to the company’s software resources is to get remote access to the physical PCs of the Richman Investments key employees: CEO, CFO, CTO, System Administrator etc.
There is always a chance of exploiting vulnerabilities through the human factor. As a rule, the main target for the remote access and control attempt would be the System Administrator’s PC.
A Remote Control PC application allows one to control a remote computer in real time, using all features of its OS with the local mouse and keyboard.
Theoretically, undetected remote control over the System Administrator’s PC is “game over” for a company, since it allows the attacker to install any malicious spyware, perform Denial-of-Service (DoS) attacks, damage data stored in the DB, take control over the remote PCs of the top management and development etc.
Assuming that the System Administrator’s PC is up and running 24/7 and has a permanent, stable Internet connection and a static IP, attackers could try to obtain his IP address using a sniffer called 2IP.Spy, for example. All they need to do is copy the address of the GIF image from the website and either send a link to the “victim” by e-mail, Skype, social network messages etc., or paste the picture itself into any message or mail. As soon as the picture has been viewed, all required information about his IP address, location, browser, OS etc. appears in the table on the above-mentioned website.
Once the IP address has been determined, attackers can install any sniffer, for example Cain & Abel on their PCs. It will enable them to get the password to System Administrator’s PC and other required information.
Thus, a lack of staff monitoring and ensuring computer security and information defense, the use of freeware product versions and reliance on standard support service are attempts to save money that potentially put the company’s computer, user, data and network security at risk.
Summarizing and expanding on the above, one can conclude that network and data security can be guaranteed only if network and system vulnerabilities are detected and monitored by professional staff, and combined security measures are applied.
The Information Security Officer, as the person responsible for ensuring network security, should incorporate various approaches and techniques and create a complex of security measures applicable in each particular case. These measures can include:
- Enabling all default security features of the servers that are used in the company.
- Using hardware as well as software firewalls.
- Ensuring secure physical location of the servers.
- Keeping server software versions up to date.
- Protecting, encrypting and regularly changing system and other passwords.
- Installing specific encryption systems on the PCs that use wireless networks etc.