Security for a

Faster World

In this issue:

Understanding
the Risk in Your IT
Infrastructure

Tips for
Implementing
Enterprise Security

The Technologies to
Protect a Modern
Infrastructure

Issue 1, 2012
Contents
Security for a Faster World

Contributors: Drew Robb and Paul Rubens.

2 [SEE] Understanding the Risk in Your IT Infrastructure

6 [UNDERSTAND] Tips for Implementing Enterprise Security

6 9
9 [ACT] The Technologies to Protect a Modern Infrastructure
 Security for a Faster World

SEE
Understanding the Risk in Your IT Infrastructure
By Paul Rubens

W
hen hackers broke in to the network of the fray. Its very likely that some of these groups are
Atlanta-based payments-processing firm sponsored and aided by foreign governments seeking
Global Payments in early 2012, they stole to gain advantage for their countries. Vulnerabilities,
information relating to an estimated 1.4 malware and the information that is stolen as a result
million peoples payment cards. The total cost of of successful hacking attacks are actively traded on
investigations, fines, remediation and other activities underground online markets, and automated hacking kits
incurred by the company as a direct result of the security known as exploit packs are available as a service
breach was about $85 million. and can be rented by the hour. Depending on the nature
of your business and the industry it operates in you may
A few months earlier, a small UK-based cosmetics face a range of differently motivated attacks
firm called Lush found that hackers had discovered
and exploited a vulnerability in its ecommerce site. Opportunist Attacks
The company had no choice but to take its site down
effectively closing up shop and spend months Automated tools enable hackers of all types to scan
rebuilding it from the ground up. huge IP address ranges and compromise any systems
they encounter that are running software with known
Its no surprise that a large international corporation vulnerabilities in a matter of seconds. No matter what
makes a tempting target for hackers, but you may kind of industry your business operates in, you are
wonder why anyone would bother hacking the website vulnerable to this kind of attack. That means if one of
of a small cosmetics business. To answer
that question satisfactorily you need to
understand the nature of the hacker threat
and how it has evolved. While 20 years ago
hacking was the preserve of mischievous
teenagers who broke into computer
systems out of a sense of adventure, or
who wrote viruses that deleted files from
infected machines for no better reason
than the thrill of vandalism, hacking is now
a multibillion dollar, multinational industry.

Today, hacking activities are still carried

out by individuals, but small hacker
groups, politically motivated hacktivist
collectives such as Anonymous and
organized crime gangs built on the model
of modern businesses have also joined

2 Back to Contents Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World
your computers is running vulnerable software then its
more than likely that a hacker will come across it and
compromise it.
If that happens then they may install an email relay and
use it to earn money by sending out spam email messages
from your network to thousands or even millions of
addresses. This consumes your system resources and
network bandwidth, slowing down your IT infrastructure
and making employees less productive. And if your IP
addresses gets placed on a blacklist of known sources of
spam by anti-spam organizations then you may find you
are unable to send emails to many of your customers, with
serious consequences for your business.
But hackers also use compromised machines for far more
malicious purposes than relaying spam. For example, they
can turn them into zombie systems: nodes in a botnet
that receive orders from a command and control server.
This may task them with searching out and infecting more
systems, or sending traffic to a selected victim as part of
a coordinated distributed denial of service attack.
If your Web server is compromised then your customers
could fall victim to a drive-by attack. Your sites visitors
could get infected with malware simply by visiting
your website with a vulnerable machine. That can be
extremely harmful to your reputation, resulting in a loss
in customer confidence and therefore lost business
and could also result in your website being blocked by
anti-virus software and search engines such as Google,
until you discover the breach and repair your server.
Hacktivist Attacks
If you are involved in an industry or business activity
that is targeted by activists then your website could
If you are involved in an industry or business activity
that is targeted by activists then your website could be
specifically targeted and attacked by hacktivists.
3 Back to Contents
be specifically targeted and attacked by hacktivists. If a
vulnerability is found then the website could be taken
offline or defaced with slogans promoting the activists
cause, harming both your business activities and your
reputation.
Hacktivists may also attempt to make your website
unavailable to your customers by overwhelming it with
traffic generated automatically from many different
sources by software designed for exactly this purpose -
a so called distributed denial of service (DDoS) attack.
Some DDoS attacks can be blocked by your firewall, but
it is wide to discuss measures that can be put in place
to defend against DDoS attacks with your hosting or
network provider
Criminal Attacks
But arguably, a far more dangerous type of hacker is the
one that breaks into your network and compromises your
systems in order to plunder what he can find. This could
be customer information, including credit card details
or account information that allows him to steal services
or make fraudulent purchases. If customer information is
lost, in most U.S. states you are obliged to inform your
customers, which inevitably involves a financial cost as
well as harm to your business reputation.
Targeted and Advance Persistent Threat (APT)
Attacks
Potentially more devastating, your company could be
targeted by rival businesses or foreign governments
intent on stealing confidential corporate information such
as financial records, business plans, tender documents
and intellectual property like source code to computer
programs or designs for future products.
Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World
This type of information is often stolen as a result of a
targeted attack known as an advanced persistent threat
(APT) attack in which a team of hackers uses a variety of
methods to compromise your IT infrastructure and keep
the security breach hidden for as long as possible so
that they can continue to exfiltrate information without
detection for a period of months or even years.
To perform these attacks, hackers may carry out
detailed research on individual employees. Once
this reconnaissance has been done they may be sent
tailored emails - apparently from other people in your
organization - designed to fool them into revealing useful
information such as login details and passwords, or they
may resort to stealing a laptop from a key employees car
or home.
Such thefts can have devastating consequences for
the business concerned in terms of loss of competitive
advantage, and therefore lost potential sales. There is
also the chance that hackers modify data left on your
system, causing serious disruption to your operations
long after their attack has been detected.
Mitigating These Security Risks Using a Multi-
Layered Approach
Given this level of business risk inherent in your IT
infrastructure, what can you do to mitigate it? Since there
is no single solution to security, a multi-layered approach
is advisable.
4 Back to Contents
Security Intelligence
To protect against all the kinds of attack mentioned
above - opportunist, hactivist, criminal, targeted and
APT - its vital to know what threats you are up against.
Research organizations such as HPs TippingPoint DVLabs
can help in this regard by finding vulnerabilities in
software before hackers do, as well as analyzing malware
samples found in the wild to understand the underlying
software vulnerabilities they exploit.
While the vendors of the vulnerable software are
informed so that a security patch can be produced,
DVLabs creates vulnerability filters that are delivered
automatically to your intrusion prevention system (IPS)
to protect your applications, network devices, Web
applications, virtualization systems and operating
systems until the vulnerability is patched by the vendor
concerned.
TippingPoints ThreatLinQ security intelligence portal
can also help businesses of all sizes reduce unnecessary
business risks by providing information and detailed
real-time analysis of the current threat landscape and any
new, emerging threats. You can use this information to
ensure that any security gaps are spotted and covered
by adding new IPS filters or determining necessary policy
changes.
Intrusion Prevention Systems
HPs TippingPoints intrusion prevention system (IPS)
range includes next-generation IPS systems, IPS
switch modules and IPS appliances including an SSL
appliance that inspect your network traffic to detect
threat patterns or signatures (including those supplied
by DVLabs ). They also detect suspicious activity on your
network by comparing traffic at a given time to baseline
or normal traffic. While an IPS is recommended for
companies of all types, running one is particularly
important for companies that may face targeted attacks
or APTs. Thats because an IPS is likely to detect unusual
movements of information or requests for information
from suspicious sources. If malicious activity is detected
Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World

then the IPS can take action, including blocking or
stopping suspect traffic and instantly alerting your
security staff.
Software Vulnerability Elimination
Moving up a layer, software like HP Fortify Software
Security Center can help you eliminate software security
risk by preventing or fixing security vulnerabilities in your
applications before they can be exploited by hackers.
It can secure both your in-house, custom-developed
applications and software bought from third-party
vendors, including desktop, mobile and cloud-based
applications. This provides vital protection against more
determined criminals or hackers who may target your
organization by probing for vulnerabilities in your custom
developed applications, or in specialist applications from
vendors that you have bought in.
Fortify works in two fundamental ways:
Carrying out static and dynamic security testing
to find vulnerabilities and critical problems in your
conventional, mobile and web applications. (HP
Fortify on Demand enables you to test the security of
any application as a service, without any software or
hardware to install.)
can also give you visibility into internal threats such as
database breaches and fraud, risks from application flaws
and configuration changes. By sifting through millions of
log records to find critical events and presenting them
to you in real time via dashboards, notifications, and
reports, it helps you prioritize and manage security risks
in your infrastructure quickly and easily.
Security Risk Management Dashboards
For a complete overview of enterprise risk it can
be helpful to use a security intelligence and risk
management platform like HP EnterpriseView. This can
analyze vulnerability and risk assessments and combine
them with a model of your business by correlating
devices with business services. By doing this it lets you
quantify the risk to your business, view the security
posture of individual parts of your business (like website
sales) and show you how these vary over time.
Entirely eliminating security risks in your IT infrastructure
simply isnt feasible, and that means you have no
alternative but to mitigate them. Ultimately the best
way to do this is by understanding the nature of these
risks, and employing appropriate software tools like the
ones discussed here to manage them as effectively as
possible.

Providing you with a secure software development

framework, enabling you to track, fix and report on
vulnerabilities through a centralized management
server as it is developed.

Security Information and Event Management

At a higher layer still, security information and event

management (SIEM) systems such as HP ArcSight
Enterprise Security Manager are an important defense
for medium and large companies that face attacks from
many different sources - particularly criminal or targeted
attacks, but also more opportunistic ones. Thats because
they can provide you with an overview of security
incidents and alerts generated by your devices and
applications caused by malware and hacker activity. They

5 Back to Contents Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World

UNDERSTAND
Tips for Implementing Enterprise Security
By Paul Rubens

A
security breach can be a major catastrophe
for any organization, but large enterprises
are especially at risk. While small businesses
are not immune to security risks and
attacks, large enterprises are bigger targets. Enterprise
data breaches get press attention, affect thousands of
customers or former customers and often have a trickle-
down effect on other businesses or partners.

When it comes to security, the bigger they are the harder

they fall. Thats because the consequences of a security
breach or a targeted attack can include:

Major business disruption and loss of revenue

Theft of confidential data such as proprietary

information, future product plans or financial data
that can lead to permanent loss of competitiveness or
business advantage

Destruction or alteration of valuable data

Virus and other malware infections, which can
have unknown consequences. Once infections are
discovered there is a loss in productivity as resources
have to be devoted to removing the infections and
bringing the disinfected or rebuilt systems back in to
service.
Loss of customer data, with significant consequent
costs and harm to your corporate reputation
carried out by Ponemon Institute. The average per-
incident cost in 2012 may well turn out to be higher still.
So what are the best practices for protecting your
corporate data, keeping intruders and malware out
of your network, and protecting against disgruntled
employees who may attempt to use their access
privileges to compromise your systems? You may find
these tips helpful to consider:

In sheer financial terms the cost of a single security
breach is usually very significant: in 2011 the average
per-incident cost for U.S. companies was $5.5 million
without taking lost future sales dues to a negative change
in competitiveness or reputation according to research
Know what you are managing. Its only possible to
start implementing a complete enterprise security
strategy when you know exactly what it is that you are
trying to secure. That means conducting an inventory
of corporate IT assets including servers, desktop

6 Back to Contents Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World
and laptop computers; mobile devices including
smartphones and tablets; internal, third-party and
cloud-based applications and databases; storage
resources; and networking devices. There are plenty
of tools and management systems available that
include asset auto-discovery, which can help you carry
out this inventory exercise.
Categorize your data as either public, internal or
confidential. This involves deciding which data your
company stores is available outside the organization
(public), which data is meant only for use inside
the organization (internal) and which data is highly
confidential, such as intellectual property or customer
information, or otherwise critical to the business
(confidential). Its also important to establish where
and on which platforms all this data is stored.
Leverage Risk Assessment and Threat Modeling to
ensure efforts are spent in the right places. Given
the complexity of most organizations, and the sheer
number of overall vulnerabilities, its important to be
able to prioritize risks in order to determine what gets
remediated and when. Key to any successful security
organization is the knowledge that you cant fix
everything overnight and the ability to focus attention
on the things that present the most danger to the
organization.
Mitigate the risks by applying appropriate security
controls to each data category. Security costs money,
and that means that ultimately security is about risk
management: ensuring sufficient controls are applied
to each data category to reduce the risk of a breach
Security costs money, and that means that ultimately
security is about risk management: ensuring sufficient
controls are applied to each data category to reduce the
risk of a breach to an acceptable level.
7 Back to Contents
to an acceptable level. Security can almost always be
improved, but the question is always whether it can
be done in a cost-effective manner: you dont need to
apply platinum-level security to public data. Although
all four of these steps are important, the last of these is
the one that is the hardest to carry out. Thats because it
involves implementing the entire security infrastructure
software and hardware -- that will actually keep your
business secure. This may include:
A firewall and other perimeter security systems to
separate your corporate network from the Internet
Malware scanners to prevent malicious software from
getting on to the network hidden in email, instant
messaging or Web traffic
An intrusion prevention system (IPS) to detect
malicious, suspicious or simply unusual activity on
your network and to take steps to prevent such
activity leading to a security breach
The use of authentication and encryption systems to
prevent unauthorized access to networks, computers
or data stored on them
For smaller businesses, a lot of this functionality can
probably be achieved with a unified threat management
(UTM) appliance, which provides basic firewall,
antimalware and IPS services. An alternative is to engage
a managed security service provider (MSSP) to configure
and manage your security devices and provide log
management as well.
Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World

Larger enterprises, as you might expect, have more
decisions to make. Enterprises should look for a security
partner that can supply the basic infrastructure discussed
above, expert deployment advice and professional
services, as well as additional monitoring features and
services such as:
A security information and event manager (SIEM)
platform to monitor and report on relevant security
events and logs. A SIEM platform like HP ArcSight
Security Intelligence can analyze and correlate millions
of log records of events such as logins, logoffs, file
accesses and database queries occurring across your
infrastructure to highlight possible critical incidents.
These incidents are then presented through real-time
dashboards, notifications or reports.
HP ArcSights Enterprise Security Manager (ESM) is
able to understand who is on your network, what data
they are accessing, which actions they are taking with
that data and how that affects business risk. It can
then apply techniques such as pattern recognition
and behavioral analysis to detect and manage
incidents to prevent damage using a built-in workflow
engine.
Security services. Some security partners can assist
with fast implementations, upgrades and tuning and
system health checks. If you prefer not to become
involved in the day-to-day operation and monitoring
of your security infrastructure, a security partner can
also carry this out as a managed service. Such services
may include some or all of: perimeter and network
security monitoring; insider threat monitoring; log
management; and data loss monitoring.
There are no easy fixes to implementing enterprise
security and its a job thats never finished. Start by
understanding what you have and the extent to which it
needs to be protected, implement your protection and
continue to gather data to aid your security efforts.
When youre looking for a partner to help with your
enterprise security efforts, look for a vendor that
provides all of the tools you need, as well as services.
Most find that developing an ongoing relationship with
one vendor provides a better experience on every level
than integrating a number of point solutions that arent
designed to work together.

A business-centric risk management platform

to identify risks to the business that originate in
your IT infrastructure. A risk management platform
such as HPs EnterpriseView provides you with real-
time graphical and report-based identification of
these business risks by aggregating data from risk
assessments, vulnerability assessments, security
configuration management monitoring, and security
event correlation.

Protection for your cloud-based resources. If you

have a significant amount of virtualized resources or
operate a private cloud in your data center then you
will need a security solution that is designed to work
with virtualization. ArcSight, as well as HP Fortify
Software Security Center and TippingPoint network
security hardware and software are all designed to
work with VMware virtualization and cloud software.

8 Back to Contents Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World

ACT
The Technologies to Protect a Modern Infrastructure
By Drew Robb

T
he New York City Police
Department has 35,000 sworn
officers to protect its population.
The Prefecture of Police in Paris
has 34,000. The Tokyo Metropolitan Police
Department has 43,000. Those numbers,
however, pale in comparison to the number
of professionals working to keep information
secure.

More than 80,000 people hold the Certified

Information Systems Security Professional
(CISSP) certification from ISC2 (The International
Information System Security Certification
Consortium, Inc.) of Palm Harbor, Fla., and that
is the just the tip of the iceberg. ISC2 Executive
Director Hord Tipton says there are about 2.2
million IT security professionals worldwide, the
size of the Chinese army, with a need to double
that number in the next three years.
But as any successful general could tell you, winning a
war requires more than just getting weapons in peoples
hands, it is a matter of strategy.
You need to take an overall holistic view of
cybersecurity, not simply what to put in place but how
to put it in place, says Richard Zaluski, President and
CEO of the Center for Strategic Cyberspace and Security
Science (CSCSS) in London.
Changing Threat Structure
At one time it was good enough to protect the perimeter
with a firewall and then use antivirus software to track
down whatever managed to make it inside. That is no
longer adequate. To begin with, there is no longer an
easily defensible perimeter. Employees use their own
laptops, home computers, tablets and smartphones
for company business. There are wired and wireless
networks. Customers and vendors interact with backend
systems to conduct business. Printers, industrial
equipment, phone systems and security cameras are built
with Internet access.
The nature of the threats has also changed. What were
once major attacks such as the Melissa virus seem mild
compared to what is out there now. People are no longer
attacking for fun, but for profit or to do lasting harm.
Stuxnet, speculated to come from teams in the U.S. and
Israel, destroyed as many as 1,000 centrifuges at Irans
Natanz nuclear facility in 2009 and 2010. In March, a
Cambridge University researcher, Sergei Skorobogatov,
found that the military-grade ProASIC3 A3P250 chips,
designed in the United States and manufactured in
China, had a backdoor deliberately built into them. In

9 Back to Contents Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World
September 2012, Japanese government websites were
attacked, apparently from China, in retaliation for a
dispute over ownership of the Diaoyu Islands. In October
2012, the U.S. Secretary of Defense, Leon Panetta, said
that the Shamoon virus, which wiped files on computers
at Persian Gulf oil and gas facilities owned by Saudi
Arabian state oil company Aramco and Qatari natural
gas producer RasGas, originated in Iran. It is estimated
30,000 computers in Saudi Arabia alone were destroyed
in the attacks.
The most destructive scenarios involve cyber actors
launching several attacks on our critical infrastructure at
one time, in combination with a physical attack on our
country, Panetta said at the timer. The collective result
of these kinds of attacks could be a cyber Pearl Harbor;
an attack that would cause physical destruction and the
loss of life.
Not all such attacks are politically motivated. In 2008
a disgruntled network administrator set up a password
giving him exclusive access to the City of San Franciscos
computer systems, and locking out the rest of the citys
employees.
Then there are all the attacks that are done for financial
gain. Thieves no longer need to break into vaults to
access the cash. Visa and Mastercard; Citibank and
Bank of America; Britains HSBC; Switzerlands Credit
Suisse and Julius Br; and Belgiums Belfius; have all had
customer data stolen.
On top of those are the attacks done to secure and
release, or threaten to release, confidential data. The U.S.
Department of Health and Human Services lists about
500 data breaches involving the medical records of more
than 20,000,000 patients, just since September 2009
The most destructive scenarios involve cyber actors
launching several attacks on our critical infrastructure at one
time, in combination with a physical attack on our country.
10 Back to Contents
six of those involving more than one million patients
each. WikiLeaks has released millions of documents from
governments, businesses and individuals.
And dont forget the field of corporate espionage,
where confidential data is stolen to copy designs, poach
personnel or otherwise gain competitive advantage.
If you have a cutting edge product you may be on the
radar of a number of organizations, both domestic and
foreign, as well as national players who see competitive
intelligence as a valid form of business development,
says Zaluski.That can occur at a number of levels and
can impact your intellectual property, which can damage
your very existence as an organization.
From Tactical to Strategic Security
The broadening range and complexity of cyber attacks
means that organizations need to rethink security
measures. It is not enough to deploy the same old
solutions, you need a comprehensive approach.
Organizations want security products that work well
together, can be managed easily across IT devices and
cut cost, says Naveen Hegde, Senior Market Analyst,
IDC Asia/Pacific in Bangalore, India.The threats are
evolving rapidly, and the security solutions that an
organization implements play a major role in the success
or failure of the organizations overall security strategy.
Given the ever-changing nature of threats, it is impossible
to build a security infrastructure that will be absolutely
secure, within budget and doesnt cripple business
operations. The key is to identify what are the critical
business processes and then adapt the security systems
to the business needs.
Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.
 Security for a Faster World
There is no point in just lumping everything together
in a group and hoping for the best, says Zaluski. You
have to segment and you should do that by application
business group, etc., keeping networks, servers and
applications that should be separate separate.
HPs Enterprise Security Services provides a
comprehensive set of tools and services to give security
personnel the 360 degree view they need of critical
systems and make it easy to manage and reduce risk.
Since you dont know what threats will be coming next,
HPs TippingPoint Next Generation Intrusion Protection
System (NGIPS) uses context awareness and content
awareness, geoLocation, reputation awareness and
other technologies to identify and block malware.
The HP ArcSight Logger collects information from any
system or device that generates log data and places
it in a centralized high-performance repository for
processing, searching, analysis and reporting. The
ArcSight ESM platform correlates the log data to users,
applications and business processes, so any threats
or risks can be related to the individuals, business
11 Back to Contents
units, regions and processes that would be affected.
Finally, HP EnterpriseView Security Intelligence and Risk
Management (SIRM) Platform provides a business-centric
view of all security and business service assets, mapping
the IT devices to the business services they support.
These HP Enterprise Security tools provide security
personnel with the tools and data they need to move
from a tactical to a strategic approach, allowing them to
concentrate on those risks and threat that will produce
the most harm to the organization.
Organizations need to be able to demonstrate to their
customers and regulators that it has an effective security
posture and the ability to meet stringent compliance
requirements, says Hegde. As organizations continue
to increase their remote employee access, as well as
distributed partner access back to their networks, a
proactive security approach that enables organizations
to leverage cloud, mobility, big data and more is a
requirement.
Security for a Faster World 2012, IT Business Edge, a division of QuinStreet, Inc.