National Bank's headquarters are in Dublin, and there are two types of remote site: 20 branch offices nationwide and two international offices. The enterprise network design, as shown below, has security built in to protect the integrity of National Bank's systems, data and assets and to safeguard the confidentiality of its information (Cisco, p. 5-1).
The design accommodates the headquarters and the 22 remote sites, which are all interconnected over a Metro Ethernet core. The network has a centralised Internet connection at National Bank's headquarters in Dublin that serves employees at all locations as well as mobile employees. The network is built on a resilient routing and switching infrastructure. National Bank's services run on top of this network and include banking and financial services applications, databases, a data warehouse, accounting and customer relationship management applications and human resources applications. The majority of these services are deployed and managed at headquarters, which reduces the need for separate services to be operated and maintained at the 22 remote locations. A server farm at headquarters hosts the centralised systems and applications (Cisco, p. 5-2).
The enterprise network design follows a defence-in-depth structure, with multiple layers of protection built into the architecture. The security tools are combined to give better visibility and control (Cisco, p. 5-2).
Features of the network include email, hosting of National Bank's website (accessible to customers and others over the Internet), web browsing for employees and secure remote access for employees using laptops and smartphones. Data backups are made on-site at headquarters, and there are also two remote backup sites that are not included in the design.
The Internet Perimeter: the Internet Edge and the Core Distribution
The network infrastructure that provides Internet connectivity is the Internet perimeter (Cisco, p. 5-5). Its main purpose is to allow safe and secure access for users in all locations and to provide services to customers and members of the public without compromising the integrity, confidentiality and availability of National Bank's resources and data.
The Internet perimeter consists of the Internet Edge, the Metro Ethernet and parts of the Core Distribution. Together these provide safe and secure access for employees, customers and other users from any location, national or international, and are designed to protect and maintain the confidentiality, integrity and availability of National Bank's resources and data. They comprise the following security functions and hardware:
Internet Border Router: This is the Internet gateway that routes traffic between the enterprise network and the Internet. It is the first layer of protection against external threats (Cisco, p. 5-6).
Internet Firewall: This provides access control and deep packet inspection to protect National Bank's resources and data from unauthorised access and disclosure (Cisco, p. 5-42). The firewall includes a botnet filter to defend against botnet threats, and an inspection and prevention security service module in the firewall provides additional threat detection and prevention (Cisco, p. 5-6). It is configured to help block certain applications, including instant messaging services, BitTorrent and Skype, and it restricts the outbound services that internal hosts may reach on the Internet. The firewall redirects web traffic to the web security appliance together with the requesting user's IP address and user name (Cisco, p. 5-40), and forwards traffic judged safe and acceptable back to the user (Cisco, p. 5-40). The firewall also participates in routing, and intrusion prevention is integrated into it (Cisco, p. 5-55).
Demilitarised Zone (DMZ): The DMZ is implemented on the Internet firewall. National Bank's website, mail server and other public-facing services sit in the DMZ for security and control. This prevents external users from directly reaching any internal servers or data. It also protects the public resources in the DMZ by restricting inbound access to only the published services and by limiting outbound access from DMZ hosts to the Internet (Cisco, p. 5-45).
Email Security: This appliance sits in the DMZ to inspect inbound and outbound email. It filters spam and blocks viruses and worms using anti-virus engines (Sophos and McAfee) and virus outbreak filters. It can also encrypt outbound messages so that the confidentiality of messages is maintained and data loss is prevented.
Web security: A web security appliance, attached at the distribution switches, inspects Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) traffic bound for the Internet. Uniform Resource Locator (URL) filtering blocks access to websites with non-business related content and protects against web-based malware and spyware (Cisco, pp. 5-6, 5-19). The appliance also controls and blocks messaging services, peer-to-peer file sharing and other Internet applications such as Kazaa, Messenger, BitTorrent and Skype, and it blocks file downloads on the basis of characteristics such as file size and type (Cisco, p. 5-69). It scans web traffic, enforces the acceptable use policy and protects users, including mobile and remote users, from web-borne threats; it tracks the requests it receives and applies policies specific to remote users (Cisco, p. 5-40).
Secure Mobility: Through the web security appliance and the Internet firewall, secure connections are provided to remote and mobile users regardless of the type of mobile device used (Cisco, p. 5-39). All scanning of Internet traffic is done on the web security appliance rather than on the mobile device, which avoids loading the device and improves overall performance (Cisco, p. 5-40).
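The following is an added example, not code from this report or from Cisco: a minimal model of the acceptable-use policy that the web security appliance applies to proxied HTTP and HTTPS traffic, combining URL-category filtering, the blocking of named messaging and peer-to-peer applications, file-type and file-size download limits, and a stricter download limit for users arriving over the secure mobility path. The category database, application names, size limits, host names and sample requests are all constructed for the example.

```python
# Added example (not from the page or from Cisco): a model of the web security
# appliance's acceptable-use policy.  Categories, limits and traffic are
# constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlparse

URL_CATEGORIES = {  # constructed stand-in for the appliance's URL category database
    "intranet.nationalbank.example": "business",
    "www.ecb.europa.eu": "finance",
    "games.example.net": "games",
    "tracker.p2p.example": "p2p",
    "share.example.org": "file-sharing",
}
# Unknown hosts are treated as uncategorised and blocked: a deliberately strict
# default for a bank, chosen for this example.
BLOCKED_CATEGORIES = {"games", "p2p", "file-sharing", "malware", "uncategorised"}
BLOCKED_APPLICATIONS = {"kazaa", "messenger", "bittorrent", "skype"}
BLOCKED_EXTENSIONS = (".exe", ".msi", ".scr", ".torrent")
MAX_DOWNLOAD_BYTES = {"onsite": 50 * 1024 * 1024, "remote": 10 * 1024 * 1024}


@dataclass
class WebRequest:
    user: str                     # user name supplied by the firewall with the redirected request
    url: str
    application: str = "browser"  # as identified by the appliance's application detection
    content_length: int = 0       # bytes the server will return for a download
    remote: bool = False          # request arrived over the secure mobility path


def categorise(host):
    """Look the host up in the category database; unknown hosts are 'uncategorised'."""
    return URL_CATEGORIES.get(host.lower(), "uncategorised")


def evaluate(req):
    """Apply the policy checks in order; return (verdict, reason), verdict 'allow' or 'block'."""
    parsed = urlparse(req.url)
    if parsed.scheme not in ("http", "https"):
        return "block", "only HTTP and HTTPS are proxied"
    if req.application.lower() in BLOCKED_APPLICATIONS:
        return "block", "application %s is prohibited" % req.application
    category = categorise(parsed.hostname or "")
    if category in BLOCKED_CATEGORIES:
        return "block", "URL category %s is not business related" % category
    path = parsed.path.lower()
    if path.endswith(BLOCKED_EXTENSIONS):
        return "block", "download of %s files is not permitted" % path.rsplit(".", 1)[-1]
    limit = MAX_DOWNLOAD_BYTES["remote" if req.remote else "onsite"]
    if req.content_length > limit:
        return "block", "download exceeds the %d byte limit" % limit
    return "allow", "category %s permitted for %s" % (category, req.user)


def run_policy(requests):
    """Evaluate a batch and return [(user, verdict, reason), ...] in input order."""
    return [(r.user,) + evaluate(r) for r in requests]


SAMPLE_REQUESTS = [  # constructed traffic
    WebRequest("alice", "https://intranet.nationalbank.example/hr/payslips"),
    WebRequest("bob", "http://games.example.net/play"),
    WebRequest("carol", "https://www.ecb.europa.eu/tools/setup.exe"),
    WebRequest("dave", "https://www.ecb.europa.eu/stats/report.pdf",
               content_length=20 * 1024 * 1024, remote=True),
    WebRequest("erin", "http://tracker.p2p.example/announce", application="BitTorrent"),
]

if __name__ == "__main__":
    for user, verdict, reason in run_policy(SAMPLE_REQUESTS):
        print("%-6s %-5s %s" % (user, verdict, reason))
```

The order of the checks matters: application identification runs before URL categorisation so that a peer-to-peer client is blocked even when it talks to an otherwise permitted host, and the size limit is chosen by whether the request came in over the remote-access path, which is where the appliance's per-remote-user policies apply.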
Core Distribution
The Distribution layer applies policies (Searchnetworking), while the Core moves packets from one point to another as quickly as possible and with the least possible manipulation (Searchnetworking). Features of this part of the design include:
Network Admission Control (NAC) Server Appliance: This enforces security compliance on all devices seeking access to computing resources on the network (Cisco, p. 5-27). It determines whether networked devices, e.g., laptops and phones, comply with the network security policies and can remediate any shortfall before permitting access to the network. It isolates non-compliant devices from the rest of the network and scans for virus and worm infections and port vulnerabilities (Cisco, p. 5-27).
The Server Farm
The server farm contains the systems that serve business applications and store the data accessible to internal users. It includes application servers, storage, routers, switches and other media (Cisco, p. 5-23). These are the main security features of the server farm:
Access Control Server Appliance: This controls network access. It provides device administration by authenticating administrators, authorising their commands and keeping an audit trail, which supports regulatory and corporate compliance. For remote access it works with the VPN and other remote access devices to enforce access policies; for wireless it authenticates and authorises users and hosts and enforces wireless-specific policies; and for network admission control it communicates with the posture and audit servers to enforce admission control policies.
Network Admission Control (NAC) Server Manager: This defines the security policies and manages online users (Cisco, p. 5-70). It authenticates users, assigns user roles, runs compliance checks and identifies any remediation that is required. It communicates with and manages the NAC Server appliance.
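The following is an added example, not code from this report or from Cisco, illustrating the split between the NAC Server Manager and the NAC Server appliance described above. The manager side holds the admission policy per user role; the server side evaluates a connecting device's reported posture against that policy and either admits it to the role's VLAN, quarantines it for remediation or denies it. The role names, VLAN numbers, check thresholds, port lists and sample devices are all constructed for the example.

```python
# Added example (not from the page or from Cisco): NAC policy definition
# (manager side) and posture evaluation / admission decision (server side).
# Roles, thresholds, VLANs and the sample devices are constructed.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Posture:
    """What the NAC agent or scan reports about a device seeking access."""
    hostname: str
    last_security_update: date
    antivirus_running: bool
    av_signature_date: date
    host_firewall_enabled: bool
    listening_ports: set = field(default_factory=set)


@dataclass
class RolePolicy:
    """Posture required for a role, and the VLAN a compliant device is placed in."""
    role: str
    vlan: int
    max_patch_age_days: int
    max_av_signature_age_days: int
    forbidden_ports: set


# NAC Server Manager side: the policies it pushes to the NAC Server appliance.
POLICIES = {
    "employee": RolePolicy("employee", 100, 30, 7, {135, 139, 445}),
    "contractor": RolePolicy("contractor", 200, 14, 3, {135, 139, 445, 3389}),
}
QUARANTINE_VLAN = 999
# Role lookup as the access control server would return it after authentication.
USER_ROLES = {"alice": "employee", "bob": "contractor"}


def evaluate_posture(posture, policy, today):
    """Return the list of failed checks; an empty list means the device is compliant."""
    failures = []
    if (today - posture.last_security_update).days > policy.max_patch_age_days:
        failures.append("security_updates_out_of_date")
    if not posture.antivirus_running:
        failures.append("antivirus_not_running")
    elif (today - posture.av_signature_date).days > policy.max_av_signature_age_days:
        failures.append("antivirus_signatures_stale")
    if not posture.host_firewall_enabled:
        failures.append("host_firewall_disabled")
    exposed = sorted(posture.listening_ports & policy.forbidden_ports)
    if exposed:
        failures.append("forbidden_ports_open:" + ",".join(str(p) for p in exposed))
    return failures


def admit(user, posture, today):
    """NAC Server decision: admit to the role VLAN, quarantine for remediation, or deny."""
    role = USER_ROLES.get(user)
    if role is None:
        return {"decision": "deny", "vlan": None, "remediate": ["unknown_user"]}
    failures = evaluate_posture(posture, POLICIES[role], today)
    if failures:
        return {"decision": "quarantine", "vlan": QUARANTINE_VLAN, "remediate": failures}
    return {"decision": "admit", "vlan": POLICIES[role].vlan, "remediate": []}


# Constructed devices, evaluated as of 10 March 2013.
TODAY = date(2013, 3, 10)
ALICE_LAPTOP = Posture("alice-lt", date(2013, 2, 20), True, date(2013, 3, 8), True, {80})
BOB_LAPTOP = Posture("bob-lt", date(2013, 2, 20), True, date(2013, 3, 1), True, {139, 445, 8080})

if __name__ == "__main__":
    for user, device in (("alice", ALICE_LAPTOP), ("bob", BOB_LAPTOP), ("mallory", BOB_LAPTOP)):
        print(user, admit(user, device, TODAY))
```

A quarantined device keeps the list of failed checks, which is what the remediation step needs; the same patch level that is acceptable for an employee is out of policy for a contractor, showing why the policy is keyed on the role returned by the access control server rather than on the device alone.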
Firewall: This limits access to only the applications and services that are necessary and authorised for the intended users. An intrusion prevention system module is included to improve threat detection; it identifies and blocks anomalous traffic and well-known attacks (Cisco, p. 5-24) and can stop malicious traffic before it reaches its target.
The Access layer connects end devices to the network (Searchnetworking, accessed 6 March 2013, http://searchnetworking.techtarget.com/tip/Core-Distribution-and-Access).
Applications
The software applications are: Windows (operating system); MS Office, including Word, Excel, PowerPoint and Outlook; Sophis Risque (asset trading and risk management, which includes data encryption for those activities); a separate encryption package based on the International Data Encryption Algorithm (IDEA, a 64-bit block cipher with a 128-bit key) for activities not covered by Sophis Risque; Oracle Database; VERITAS Volume Manager; VERITAS File System; the Chrome web browser; and Java.
Potential Vulnerabilities and Threats
Vulnerabilities are the known weaknesses in a system that leave it open to attack (Griffin, 2013a, p. 2).
Windows: Because Windows is so widely deployed, it has a well-known reputation for being vulnerable to attack (Griffin, 2013a, p. 6). A number of Windows services listen on well-known ports, and Griffin singles out TCP port 139 (the NetBIOS Session Service used for Windows file and printer sharing) as the single most dangerous port on the Internet (Griffin, 2013a, p. 6). In this design such ports must be blocked inbound at the Internet border router and firewall, and file and printer sharing must not be reachable from the DMZ.
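The following is an added example, not code from this report or from Cisco, serving both the DMZ description under "The Internet Perimeter" and the port exposure point made above. It models the Internet firewall's zone policy as an ordered, first-match rule set with an implicit deny, evaluates sample flows against it, and checks two properties a reviewer would want confirmed: inbound traffic from the Internet can reach only the published DMZ services, and no rule exposes the Windows file-sharing ports (TCP 139 and 445) to the Internet. The addressing, zone names, rule set and sample flows are constructed for the example.

```python
# Added example (not from the page or from Cisco): first-match zone policy for
# the Internet firewall and DMZ, plus an exposure check for TCP 139/445.
# Addresses, rules and flows are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {  # constructed addressing; anything outside these networks is "internet"
    "dmz": ip_network("203.0.113.0/24"),
    "inside": ip_network("10.0.0.0/8"),
}


def zone_of(addr):
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


ANY = None  # destination-port wildcard


@dataclass
class Rule:
    action: str        # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # destination ports, or ANY


# Ordered rule set, first match wins, implicit deny at the end.
RULES = [
    Rule("permit", "internet", "dmz", "tcp", frozenset({80, 443})),    # public web site
    Rule("permit", "internet", "dmz", "tcp", frozenset({25})),         # inbound mail to the email security appliance
    Rule("permit", "dmz", "internet", "tcp", frozenset({25, 53})),     # DMZ hosts may only send mail and resolve names
    Rule("permit", "dmz", "internet", "udp", frozenset({53})),
    Rule("permit", "inside", "dmz", "tcp", frozenset({25, 80, 443})),  # internal users reach published services
    Rule("permit", "inside", "internet", "tcp", frozenset({80, 443})), # browsing, redirected via the web security appliance
    Rule("deny", "dmz", "inside", "any", ANY),                         # DMZ hosts never initiate inward
]


def matches(rule, src_zone, dst_zone, proto, dport):
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and rule.proto in (proto, "any")
            and (rule.dports is ANY or dport in rule.dports))


def decide(rules, src, dst, proto, dport):
    """First-match evaluation of one flow; anything unmatched is denied."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in rules:
        if matches(rule, src_zone, dst_zone, proto, dport):
            return rule.action
    return "deny"


def internet_exposure(rules, ports):
    """Return the permit rules that let the Internet reach any of the given TCP ports, in any zone."""
    return [r for r in rules
            if r.action == "permit" and r.src_zone == "internet"
            and r.proto in ("tcp", "any")
            and (r.dports is ANY or ports & r.dports)]


if __name__ == "__main__":
    print(decide(RULES, "198.51.100.7", "203.0.113.10", "tcp", 443))  # permit: public web
    print(decide(RULES, "198.51.100.7", "203.0.113.10", "tcp", 139))  # deny: NetBIOS into the DMZ
    print(decide(RULES, "203.0.113.10", "10.1.2.3", "tcp", 445))      # deny: DMZ into the server farm
    print(internet_exposure(RULES, {139, 445}))                        # no findings
```

The exposure check is the kind of test that should run whenever the rule set changes: a single permit from the Internet with a wildcard destination port, added for convenience, would be reported immediately, whereas reading the rules by eye tends to miss it.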
MS Office: The macro facilities in MS Office make it vulnerable, e.g., in Word and Excel (Griffin, 2013a, p. 6).
Outlook Email: Emails can carry a great deal of confidential and sensitive data and are consequently an attractive target for interception and theft.
Users: Users can be the weakest link in the chain. In the 2013 PricewaterhouseCoopers survey, current employees were estimated to be the largest single source of information security incidents, at over 36% (PricewaterhouseCoopers, 2013). In 2006, AOL erroneously published a compressed text file on one of its websites containing 20 million search queries made by more than 650,000 users. Although the file was withdrawn the following day, it had already been copied across the Internet, and it contained personally identifiable information (Armerding, 2012). A database administrator at Certegy Check Services stole 3.2 million customer records, including banking and personal information, and allegedly sold the data to a data broker, who sold it on to a number of marketing firms. The affected customers filed a class action lawsuit against the company. The employee was found guilty of fraud and was sentenced to almost five years in prison; the company paid almost $3.2 million in fines, and each person whose data was stolen was awarded $20,000 (Armerding, 2012). Remote and mobile users often use the same devices for both business and personal activity. Devices used outside the enterprise's on-site controls can pick up viruses, spyware, worms and other malware and carry it into the network, and confidential and proprietary information can be lost or stolen while mobile users connect from outside the company premises.
Service disruption: Disruption of the infrastructure, applications and other business resources by worms, Trojan horses, spyware, macro viruses, boot-record infectors, other malware, denial-of-service (DoS) attacks and Layer 2 attacks (Cisco, p. 5-1). Denial-of-service attacks aim to disrupt IT services and can take entire networks offline (UCC, 2013). Disruption can also be the deliberate goal of targeted malware: the Stuxnet worm, discovered in 2010, was written for specific industrial control software and was intended to sabotage Iran's nuclear enrichment infrastructure (Armerding, 2012). It was not a denial-of-service tool, but it shows that malware can be aimed at disabling a particular system rather than at stealing data.
Network abuse: Users such as employees, contractors and visitors can expose the system by downloading web content, using chat and messenger applications, engaging in social networking, using short-cut tools such as Word and Excel macros, engaging in peer-to-peer file sharing, playing online games and using pirated software (Griffin, 2013a, p. 6). In general, access to non-business related content can expose the system and its users to harmful and inappropriate material from the Internet, whether by web browsing or by email.
Unauthorised access: This covers unauthorised users and unauthorised access to restricted resources (Cisco, p. 5-1). In the 2013 PricewaterhouseCoopers survey, former employees were estimated to be responsible for 27% of information security incidents, customers for 16%, partners or suppliers for 15%, hackers for 25%, terrorists for 4%, service providers, consultants and contractors for 12%, governments (e.g., intelligence and law enforcement) for 4.5%, competitors for 17% and criminals for 16% (PricewaterhouseCoopers, 2013). In 2006, data from 94 million credit cards was taken from TJX Companies Inc. in the USA. There are two versions of how this happened: one is that the attackers knew the wireless data encryption was weak and captured the card data during a wireless transfer between two of the company's stores; the other is that they entered the company's network through the in-store kiosks on which people could apply for jobs electronically. Either way it was possible because the network was not protected by firewalls. The main hacker was sentenced to 40 years in prison (Armerding, 2012). In the USA in 2005, hackers used an SQL Trojan to break into CardSystems Solutions' database. The Trojan inserted code into the database via the web page, resulting in data being sent back out in zip files. The attack succeeded because CardSystems had not complied with payment-card data storage standards. The resulting exposure of 40 million credit card accounts ultimately made the company unviable and it was acquired (Armerding, 2012).
Data loss: Theft or leakage of private and confidential data from servers or while in transit, or as a result of spyware, viruses, malware, etc. (Cisco, p. 5-1). In 2008, 134 million credit cards were exposed at Heartland Payment Systems in the USA after attackers used SQL injection to install spyware on the company's data systems. The mastermind of the operation was sentenced to 20 years in prison. SQL injection was a well-known vulnerability of many web-facing applications, and security analysts had warned about it for several years (Armerding, 2012). In 2006 in the USA, an unencrypted database of 26.5 million veterans and military personnel, containing names, Social Security numbers and dates of birth, was stolen. The database was on a laptop and external hard drive belonging to an employee of the Department of Veterans Affairs, which were taken during a burglary at his home. The stolen items were returned a month later. The Department of Veterans Affairs estimated it would cost $100 million to $500 million to prevent and cover possible losses (Armerding, 2012).
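Both the CardSystems and the Heartland incidents above turn on SQL injection, so the following added example, which is not code from this report or from the cited article, shows the flaw and its fix side by side against a constructed SQLite table. lookup_vulnerable() splices the user-supplied account number into the SQL text, so a crafted value returns every row; lookup_safe() binds the value as a query parameter, so the same input matches nothing; lookup_checked() adds an allow-list format check in front of the bound query as a second layer. The table name, columns, rows, account number format and payload are constructed for the example.

```python
# Added example (not from the page or the cited article): SQL injection in a
# string-built query beside the parameterised form.  Schema, rows and the
# account-number format are constructed.
import re
import sqlite3

ACCOUNT_FORMAT = re.compile(r"^[A-Z]{2}[0-9]{3}$")  # allow-list for this example's account ids


def setup_db():
    """In-memory table standing in for a card database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (account TEXT, holder TEXT, pan_last4 TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        ("IE001", "A. Byrne", "1234"),
        ("IE002", "B. Walsh", "5678"),
        ("IE003", "C. Doyle", "9012"),
    ])
    return conn


def lookup_vulnerable(conn, account):
    """Deliberately flawed: the user's input becomes part of the SQL statement."""
    sql = "SELECT holder, pan_last4 FROM cards WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account):
    """Parameter binding: the value is sent separately from the statement and never parsed as SQL."""
    sql = "SELECT holder, pan_last4 FROM cards WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


def lookup_checked(conn, account):
    """Defence in depth: reject anything that does not look like an account id, then bind."""
    if not ACCOUNT_FORMAT.match(account):
        return []
    return lookup_safe(conn, account)


# Classic tautology payload: the quote it supplies closes the literal in the
# vulnerable query and the OR clause is then true for every row.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "IE001"))
    print("vulnerable, injection:   ", lookup_vulnerable(db, INJECTION))
    print("bound, injection:        ", lookup_safe(db, INJECTION))
    print("checked, injection:      ", lookup_checked(db, INJECTION))
```

Binding is the fix; the allow-list check is extra, because it also stops well-formed but unexpected values from reaching the database at all and gives a clean point at which to log rejected input.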
Identity theft and fraud: Theft of personal identity, or fraud against servers and end users, through phishing and email spam (Cisco, p. 5-1). In 2011, RSA, a computer security company in the USA, had possibly 40 million employee records stolen through spear phishing: the attackers posed as people the RSA employees trusted in order to gain access to the network. The lesson is that even good security companies can be hacked (Armerding, 2012). Monster.com had its database of CVs hacked in 2007, and the names, addresses, phone numbers and email addresses of 1.3 million job seekers were taken. The hackers sent out scam emails soliciting personal financial data, including bank account numbers, and also asked the recipients to click on links that could infect their computers with malware. They then emailed the users claiming to have infected their computers with a virus and threatening to delete files unless they were paid (Armerding, 2012).
Typical Operating Systems
Windows is the operating system.
Armerding, T. (2012) 'The 15 Worst Data Security Breaches of the 21st Century', CSO [online] (cited 9 March 2013). Available from http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century
Griffin, J. (2013a) 'Security and the Organisation', Waterford Institute of Technology.
PricewaterhouseCoopers (2013) 'The Global State of Information Security Survey 2013' [online] (cited 10 March 2013). Available from http://www.pwc.com/gx/en/consulting-services/information-security-survey/giss.jhtml
University College Cork (2013) [online] (cited 10 March 2013). Available from http://www.ucc.ie/ga/antivirus/securitybreach/
For key threats in the intranet data centre, see http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap4.html
http://www.cisco.com/en/US/products/sw/secursw/ps5338/index.html : Ready-to-Deploy Access Policy Control
The Cisco Secure Access Control Server (ACS) Solution Engine is a dedicated, rack-mountable appliance for network access policy control. It helps you comply with growing regulatory and corporate requirements, improve productivity, and contain costs. It supports multiple scenarios simultaneously, including:
Device administration: Authenticates administrators, authorizes commands, and provides an audit trail
Remote Access: Works with VPN and other remote network access devices to enforce access policies
Wireless: Authenticates and authorizes wireless users and hosts and enforces wireless-specific policies
Network admission control: Communicates with posture and audit servers to enforce admission control policies
http://www.gartner.com/newsroom/id/2028215 Gartner Says Monitoring Employee Behavior in Digital Environments is Rising
Latest Security Trends Will Be Explored at Gartner's Security & Risk Management Summit, 11-14 June, in National Harbor, Maryland; 16-17 July in Sydney, Australia and 19-20 September in London
Monitoring employee behavior in digital environments is on the rise, with 60 percent of corporations expected to implement formal programs for monitoring external social media for security breaches and incidents by 2015, according to Gartner, Inc. Many organizations already engage in social media monitoring as part of brand management and marketing, but less than 10 percent of organizations currently use these same techniques as part of their security monitoring program.
"The growth in monitoring employee behavior in digital environments is increasingly enabled by new technology and services," said Andrew Walls, research vice president of Gartner. "Surveillance of individuals, however, can both mitigate and create risk, which must be managed carefully to comply with ethical and legal standards."
To prevent, detect and remediate security incidents, IT security organizations have traditionally focused attention on the monitoring of internal infrastructure. The impact of IT consumerization, cloud services and social media renders this traditional approach inadequate for guiding decisions regarding the security of enterprise information and work processes.
"Security monitoring and surveillance must follow enterprise information assets and work processes into whichever technical environments are used by employees to execute work," said Mr. Walls. "Given that employees with legitimate access to enterprise information assets are involved in most security violations, security monitoring must focus on employee actions and behavior wherever the employees pursue business-related interactions on digital systems. In other words, the development of effective security intelligence and control depends on the ability to capture and analyze user actions that take place inside and outside of the enterprise IT environment."
The popularity of consumer cloud services, such as Facebook, YouTube and LinkedIn, provides new targets for security monitoring, but surveillance of user activity in these services generates additional ethical and legal risks. There are times when the information available can assist in risk mitigation for an organization, such as employees posting videos of inappropriate activities within corporate facilities. However, there are other times when accessing the information can generate serious liabilities, such as a manager reviewing an employee's Facebook profile to determine the employee's religion or sexual orientation in violation of equal employment opportunity and privacy regulations.
"The confl
http://www.net-security.org/article.php?id=959 What Are The Most Common Causes Of Security Breaches?
by Harnish Patel - SurfControl
Historically, the approach to enterprise security has been to make the fortress bigger and stronger - to install more products, and write more policies. Yet despite heightened security awareness and cutting-edge tools, 2006 was the worst year yet on record for corporate security breaches - continuing the year-on-year escalation of security risk. The problem is, attackers are as advanced as the defenders - and the attacks don't always come from the expected direction.
Inside job
The fact is that the biggest threat to an organization lies within its boundaries. In its 2006 survey, "Information Security Breaches," the DTI and PricewaterhouseCoopers found that 32% of Information Security attacks originated from internal employees while 28% came from ex-employees and partners.
Similarly, law enforcement experts in Europe and the US estimate that over 50% of breaches result from employees misusing access privileges, whether maliciously or unwittingly. So securing the enterprise isn't just about stopping external threats. It's just as important to contain the threat from hapless or hazardous employees.
One of the key internal threats to corporates is spyware, because it's all too often introduced without malicious intent, by employees who naively click through a couple of pop-up browser windows, or install an unapproved yet 'cool' application on the network. The situation isn't helped by the myths that surround spyware.
Mythbusting
These are the six most common spyware myths:
1. It's an isolated problem.
2. Blocking at the gateway is good enough.
3. Locking down the desktop is good enough.
4. Drive-by downloads are a primary source of penetration.
5. The problem comes from the outside in.
6. No one wants spyware.
But the truth of the matter is somewhat different. Let's look at the real situation that's masked by each myth.
1. Most spyware comes in as the direct result of user behavior, whether that user is naïve or ill-intentioned.
2. Stuff comes in at the desktop all day long. Blocking at the gateway without securing the desktop PC doesn't make security sense. It's like locking the doors and windows of the house - with the burglar still in the basement - and not bothering to call the police. What's more, gateway defenses cannot detect threats already on desktop PCs.
3. If "locking down" the desktop and restricting user installation were effective, there would be no need for antivirus software. Spyware is designed to get around acceptable use policies and exploits users' inquisitive nature.
4. "Drive-by downloads" should never occur in a corporate environment, because they come from sites that users should not visit at work.
5. Sure, spyware comes from outside - because someone opened the door and let it in. Not recognizing this results in a porous security infrastructure.
6. True, no-one actually wants spyware, but it comes as part of that cool application that users do want. So spyware gets installed anyway.
Spy trap
So what can companies do to minimize internal threats?
First, make a Web filter a required part of the network security arsenal. This should prohibit users from visiting known spyware and 'drive-by download' sites.
Second, deploy an effective email filter that blocks spyware from entering the network via active HTML, attachments, phishing and spam. There also needs to be protection at the desktop to stop spyware as it's introduced.
Finally, implement a solution that disallows running or installing programs that in turn install spyware.
Put simply, to keep the burglar out of the basement, organisations need to remove the ability of employees to let the burglars in, in the first place. They need to implement tamper-proof solutions that users cannot easily evade - no matter what the external inducements.
http://www.pwc.com/gx/en/consulting-services/information-security-survey/giss.jhtml
http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/net_implementation_white_paper0900aecd80557152.html
http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century
The 15 worst data security breaches of the 21st Century
Security practitioners weigh in on the 15 worst data security breaches in recent memory.
By Taylor Armerding
February 15, 2012 - CSO -
Data security breaches happen daily in too many places at once to keep count. But what constitutes a huge breach versus a small one? For some perspective, we take a look at 15 of the biggest incidents in recent memory. Helping us out are security practitioners from a variety of industries, including more than a dozen members of LinkedIn's Information Security Community, who provided nominations for the list.
1. Heartland Payment Systems
Date: March 2008
Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.
A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban-American, was alleged to have masterminded the international operation that stole the credit and debit cards. In March 2010 he was sentenced to 20 years in federal prison. The vulnerability to SQL injection was well understood and security analysts had warned retailers about it for several years. Yet, the continuing vulnerability of many Web-facing applications made SQL injection the most common form of attack against Web sites at the time.
2. TJX Companies Inc.
Date: December 2006
Impact: 94 million credit car