Do You Know Where You Are Vulnerable? Charting a Landscape of Threat that Needs Attention
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Do You Know Where You Are Vulnerable? Charting a Landscape of Threat that Needs Attention

Uploaded on

At the Inc. 500/5000 Conference, held at Washington, D.C.’s. Gaylord Hotel this past October, Dell sponsored a pre-conference session that posed a number of interesting and critical questions......

At the Inc. 500/5000 Conference, held at Washington, D.C.’s. Gaylord Hotel this past October, Dell sponsored a pre-conference session that posed a number of interesting and critical questions regarding the need for security and the issues every business owner should consider in determining the safety of his or her own data and networks. The session was moderated by Erik Dithmer, vice president and general manager of Dell Small and Medium Business, Americas, and led by Barry Hensley, director of the Counter Threat Unit (CTU) at Dell Secure Works, and Billy Cox, director at Intel.

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here

    My name is Blessing
    i am a young lady with a kind and open heart,
    I enjoy my life,but life can't be complete if you don't have a person to share it

    Hoping To Hear From You
    Yours Blessing
    Are you sure you want to
    Your message goes here
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Do You Know WhereYou’re Vulnerable?Charting a landscape of threat thatdemands attention be paid to security—inside and outside the business
  • 2. 1 Introduction How the hackers work . . . To help illustrate the problem, Hensley, former director of the Army’s Global Network At the Inc. 500/5000 Conference, held at Washington, D.C.’s Operations and Security Center, offered a few vignettes—what he referred to as “war Gaylord Hotel this past October, Dell sponsored a pre-conference According to Dell stories,” such as the following. “Since 2008 and through 2011, 14 small businesses in SecureWorks research, session that posed a number of interesting and critical questions Seattle, and 41 other small and mid-sized businesses within the region, have had millions cyber thieves are regarding the need for security and the issues every business owner stealing as much as $1 of dollars ‘ex-filtrated,’ or stolen from them,” he related. “The techniques and procedures should consider in determining the safety of his or her own data billion a year from the of the hackers and cyber-criminals ran the gamut, from basic to the more elaborate. For and networks. accounts of small and example, some hackers drove down the street with a laptop with a wireless device turned mid-size companies on, searching for available wireless access points. When they found ones that were open, The session was moderated by Erik Dithmer, vice president and in the U.S. and Europe every year,” stated they connected and collected data leaving the networks. They gained access to the general manager of Dell Small and Medium Business, Americas, Dithmer. “In addition, networks and watched how the payroll systems would roll out across the Internet. They and led by Barry Hensley, director of the Counter Threat Unit (CTU) courts have held that then created false employees and paid them overtime. Hackers such as these gain access at Dell SecureWorks, and Billy Cox, director at Intel. banks are not liable that allows them to obtain personal information from your clients and your employees. to repay losses if a Much of what participants gained was a sense of “you don’t know business has not Eventually, they steal the intelligence that composes ‘the secret sauce’ that made you what you don’t know;” that the areas of vulnerability for companies sufficiently protected successful as a business.” and organizations of every size were much more wide-spread than its computer network. Hensley also talked about thieves who physically broke into people realized? “According to Dell SecureWorks research, cyber businesses, installed a USB key logger (a tool that covertly tracks the In fact, Hensley says, thieves are stealing as much as $1 billion a year from the accounts small businesses can keystrokes on a keyboard), and remotely monitored the business. of small and mid-size companies in the U.S. and Europe every year,” often be the first “The police showed up, thinking thieves were trying to steal places hackers look stated Dithmer. “In addition, courts have held that banks are not liable something physical,” he says. “They found nothing, but it was to score disruptions. to repay losses if a business has not sufficiently protected its computer network.” intelligence that continued to be tracked and exploited.” In fact, Hensley says, small businesses can often be the first places2 Threat Assessment hackers look to score disruptions. He told the story of how one small company, whose revenues were around $25 million annually, became the target of cyber thieves. “After Part of the problem, and what the presenters all agree should concern any business reading an interview with this company’s CEO and learning that he was overseas, this operator, is that the threats to network and data security are so pervasive. You might have band of gypsy hackers decided to go after this company. They impersonated the CEO, a firewall and have taken other measures, but the hackers out there aren’t dissuaded by sending a phishing attempt to the administrator. The message was ‘give me full access to basic security techniques. the file transfer server within the company; because I’m in Germany, I need to get a brief.’ The system then interpreted this as ‘my boss is in Germany. He probably needs a brief, I’ll give him access.’ Once they gained access, the hackers stole the entire data cache of every email that company has sent in the past four years. And they posted it at an openDo You Know Where You’re Vulnerable? | Dell © 2011 2 Do You Know Where You’re Vulnerable? | Dell © 2011 3
  • 3. community on the Internet. Beyond the revenue issue is that of they’ve got the keys, and they can go into your data. So when you credibility. This is the kind of attack that can destroy a company’s This is the kind think about a public cloud, think about it that way.” Even if your data and of attack that can secrets are encrypted reputation in a very viral way. In today’s world we’re used to people destroy a company’s “Amazon, Rackspace, and others do an amazing amount of threat on a hard drive, if they targeting major Fortune 500 kind of companies, but they’re targeting reputation in a very viral can get access to your mitigation inside their own world, and they’ll do everything they can all companies.” way. In today’s world machines, they’ve got we’re used to keep the bad guys out,” he continues “but they can’t keep everyone the keys, and they can to people targeting out.” The solution then becomes moving to a hybrid or private cloud. go into your data. So . . . and how they learn major Fortune 500 when you think about a At that point you’re looking at bringing in an outside expert who can kind of companies, help you develop a cloud that is a hybrid (a combination of publicly public cloud, think about While security measures are ever-increasing in terms of but they’re targeting it that way. sophistication, the methodology with which to attack them is on the and privately hosted applications and data). In a hybrid setup, the all companies. same upward trajectory. Cox even talks about a recent “hacker” event information and applications you feel you can comfortably have he attended. “A group of Georgia Tech students had a competition being public is coupled with that that needs to be sealed in public/ to see if they could hack into a wide range of security scenarios,” private combination. If you want complete control, a private cloud is one you develop with he says. “If they could hack into certain secure sites and networks, they’d gain various access only to your firm. tokens, and whoever got the most tokens would win. Here’s the scary part: because these students, and thousands of others, don’t have their own infrastructure to play and learn in, guess where they’re going? They’re learning on the Web. They’re out there scanning the 3 Prioritizing Your Needs Internet looking for vulnerable sites that they can play with.” In terms of exploring your overall security, Hensley put it in a nutshell: “What’s most Concerning the cloud critical to you and your business?” he asked. While the question is basic, it focuses on two Another area that some may not think about is the cloud. While cloud important things. First, you must understand the areas in which you’re vulnerable; in order computing has become viable and popular, it carries its own security Here’s the scary part: to do this, you need to perform what Dell’s Dithmer terms a “penetration test and Web because these students, concerns. “What you need to understand is that the cloud, while an application scanning service.” Second, based on your assessment, you need to put the and thousands of others, excellent way to do business, isn’t just a single entity,” avers Cox. don’t have their own right protection in place. “There is a public cloud, a hybrid cloud, and a private cloud. What’s infrastructure to play and learn in, guess To get there, all three subject experts chimed in with a variety of questions designed to the difference? It depends on what you’re comfortable putting outside where they’re going? help you map out a strategic direction, including, but not limited to: your own walls. For example, Amazon offers a great cloud service They’re learning on the with a firewall and solid perimeters to its data center. Yet, the enemy Web. They’re out there 1. How do you prioritize your most critical business assets (e.g., financial may already be in Amazon’s data center. If you’re going to go put your scanning the Internet data, employee records, customer records, transaction records, business in there, those guys are already inside, and they’re sitting looking for vulnerable proprietary business model/product/service design, etc.)? sites that they can on the machine next to you with at least a one gigabyte pipe into play with. 2. What tops your list, in terms of security coverage? whatever it is you’ve got connected. Even if your data and secrets are encrypted on a hard drive, if they can get access to your machines,Do You Know Where You’re Vulnerable? | Dell © 2011 4 Do You Know Where You’re Vulnerable? | Dell © 2011 5
  • 4. 3. How can you learn where your networks and data are provide a better security infrastructure than you—could potentially protect your data better compromised? What are your “windows” of exposure? In terms of exploring than you can—I would have them ‘open the kimono’ and show you how they secure your your overall security, 4. How does data leave your network? data for you, so that you can sleep at night if you work with them. For off-the-shelf stuff, I Hensley put it in a nutshell: “What’s most can’t tell you to just go buy this solution or that solution. At the end of the day, the solution 5. What data is truly confidential? How do you ensure that all critical to you and your you choose is only as good as either the security professional you have on staff or the employees follow the same policies? business?” he asked. security professional that you’ve outsourced to help you.” 6. Do you have a social media policy in place (e.g., that it not While the question is be utilized in the work environment or that employees not basic, it focuses on two mention work on their sites)? important things. First, Case Study: Security Snapshots you must understand 7. Have you vetted employees that have left? Have they signed the areas in which any form of noncompete or non-disclosure agreement? you’re vulnerable. We spoke with a few of the Inc. 500/5000 leaders who attended the Dell session 8. Have you accounted for every possible area of about their current security setups and what they felt their vulnerabilities were. encroachment (e.g., onsite and offsite employees, mobile Here are some of the “security snapshots” they shared. devices, VPNs, etc.) in your planning? Following “Best Policies” 2011 Inc. 5000 Ranking: #49274 Conclusion Business model: Manufactures diploma and award frames for more than 1,000 colleges, universities, and professional organizations nationally. It also provides contract and custom framing services for corporations, hotels, and the military. “Security is not about any one particular thing,” says Cox. “You’ve got Do you have security Three-year growth: 5 percent to have some basic policies in place. At Intel, for example, IT has a awareness training 2010 Revenue: $6.2 million very rigid method regarding secure data; it comes in ‘tiers.’ There’s within your group? 2007 Revenue: $5.9 million the ‘that’s public,’ ‘internal confidential,’ and then what we call ‘red Does everybody know Employees: 55 cover.’ No matter what, red cover data doesn’t leave our walls—it can’t not to use the same Founded: 1991 be attached to email or faxed—and it has special treatment for how password in their Gmail Location: Monroe, Connecticut account as in their it’s handled and stored. And so these are our basic, everyday data corporate account? “Our security follows ‘best policies,’ and we’re at medium risk,” says Lucie Voves, security principles. It’s a baseline we start with and that everyone in It’s the little things’s founder and president. “We have a usage policy included the organization has to be aware of.” that underpin a sound in our company manual, and our Business Systems and HR managers are security foundation. responsible for the implementation and enforcement of this policy. We also have Hensley echoes the belief that there are certain basics to which every an outside vendor/partner that understands and has access to this information. company should adhere—those that just make sense. “Do you have Both monitor server usage on a daily basis. All PCs and servers are on a remote security awareness training within your group? Does everybody know not to use the same monitoring system. We conduct a yearly risk analysis, both internally and with password in their Gmail account as in their corporate account? It’s the little things that underpin a sound security foundation,” he opines. “If you decide that somebody else canDo You Know Where You’re Vulnerable? | Dell © 2011 6 Do You Know Where You’re Vulnerable? | Dell © 2011 7
  • 5. the outside contractor, to re-evaluate. To achieve this, we use a combination of Employees: 120 an internal email server with enterprise-class spam and virus protection, DNS and Employee growth: 117 DHCP servers, secured ERP, and a firewall.” Founded: 2007 Location: Alpharetta, Georgia Voves notes that’s core security concern is loss of productivity and high cost incurred due to malware on their system and devices. The company’s Currently, EndoChoice utilizes a cloud-based ERP system. “Like many Inc. 500 most valuable asset is the confidential data stored in its ERP database. That ERP companies, we don’t have a large IT group, so we outsource the management system functionality is also central to its manufacturing and accounting operations. of our systems,” says Mark Gilreath, president & CEO. EndoChoice’s core concern regards the protection of employee and customer data. To meet that demand, About seven years ago, established a company-wide security adds Gilreath, “we’ll continue to outsource and add more internal resources as the program, when it reached about $3 million in annual sales. ”Prior to that, we were operation continues to scale.” using PC-based, off-the-shelf virus protection and had no real, cohesive strategy,” says Voves. “We brought in IT experts primarily to respond to problems. We realized that it was necessary to implement stronger methods as the company ECSI: Managing Fraud and Unauthorized Access began to grow in size and number of employees and as Internet-based threats 2011 Inc. 5000 Ranking: #2671 expanded. It became clear we were spending too much time fighting fires, and needed a more proactive approach. At that time, we began to enlist outside Business model: Provides billing, student loan servicing and collection, tuition IT consultants to oversee our servers and propose preventative measures. We payment, and e-payment processing services for more than 1,300 colleges and implemented what we could afford to and tried to focus on critical needs first. We universities throughout the country. did not truly lock things down until we implemented a major ERP system in 2008. Three-year growth: 85 percent During the past three years, we’ve focused on internal training, created a more 2010 Revenue: $20.7 million cohesive technology plan, and we have implemented the “Best Policies” practice 2007 Revenue: $11.2 million that we continue to use today.” Employees: 125 Employee growth: 55 EndoChoice: Protecting Employee and Customer Founded: 1972 Data First Location: Coraopolis, Pennsylvania 2011 Inc. 5000 Ranking: #103 “Customers, employees and business partners of companies have an expectation that their sensitive information will be respected and given the adequate and Business model: Provides gastrointestinal endoscopy equipment, devices, appropriate protection. So security is something we take very seriously. Our diagnostics tools, supplies, and services. enterprise security program initiatives drive our budget, and this year our efforts Three-year growth: 2,646 percent focused on enhancing our security efforts at all levels within the organization,” 2010 Revenue: $9.4 million states Dan Frazier, ESCI’s COO. ”As we look across the organization we separate 2007 Revenue: $342,000 security into four key categories of focus; technical infrastructure, applicationDo You Know Where You’re Vulnerable? | Dell © 2011 8 Do You Know Where You’re Vulnerable? | Dell © 2011 9
  • 6. Know–and Act Against–Your Vunerabilities security, operational processes, and employee education. The first two are clearly You don’t know where your business is truly vulnerable until you actively technologically focused and are the areas that draw the most attention in terms seek out exposures. Dell SecureWorks experts work with you to assess your of security. However, the last two areas are equally important when it comes to policies, processes, and technologies to identify weaknesses, categorize risks, having an enterprise security program in place.” and recommend improvements. Our Security Assessment and Risk Analysis service helps fortify your environment and improve compliance with industry As for security within the culture, ECSI has someone on staff that leads those regulations by providing a comprehensive assessment of each important aspect efforts. Along with Frazier, he co-chairs the company’s Enterprise Security of your security program, including: Steering Committee, which involves team members throughout the organization including Application Development, HR, Training, Customer Support, Product • Internal and external controls Development, and Executive Management. This committee is charged with • Physical security participation and accountability to ensure compliance and awareness of in-house • Policies and procedures and external changes. • Gaps vs. regulations and best practices Frazier notes that ESCI spends a significant amount of time focused on three key • Vulnerabilities and threats areas regarding security: managing its environment to prevent unauthorized access to its assets; fraud prevention efforts to ensure that no one electronically The report objectives of our Security Assessment and Risk Analysis impersonate ECSI or a representative of ECSI; and minimizing the “security scope,” service are to provide management with clear and concise answers to the which includes reducing access points to its technology assets, containing access following questions: to confidential information into security zones, and restricting administrative access to those assets by organization and/or team role. • Within the scope of the control areas being tested, how well are you protecting your information-based assets from internal and During the past year, ESCI has enhanced its physical and technical environments external threats? with additional perimeter defense devices to limit access to the authorized • Are management, administrative, physical, technical, and policy- users. “The next phase of our upgrade will be live at the end of Q4 2011, when based controls adequate? we expand our production data center to a Tier III hosting provider,” he says. • How do your controls compare to others in its industry? ”We’re also in the process of developing a new security model that mimics • What is the quickest, most cost-effective way to manage risk to an what the large financial institutions utilize for authentication and authorization acceptable level? management. This will be rolled out in the first six months of 2012. While we have been handling security internally, we plan to partner with a third-party firm to be To learn more about the ways in which Dell SecureWorks can help you a part of the team and assist us as we progress with our security initiatives.” understand where your security is vulnerable and build a plan to keep your data and networks safe, visit SecureWorks Security and Risk Consulting, or call 877-838-7947.Do You Know Where You’re Vulnerable? | Dell © 2011 10 Do You Know Where You’re Vulnerable? | Dell © 2011 11