Final Essay- security Threats for companies | Security Threats for Companies | Focusing on Employees | | Meadows Steven A CTR SITEC United States Special Operations Command | 4/17/2014 | American Military University

TABLE OF CONTENTS
Introduction 2
Chapter 1 4 External Threats 1.1 4
Malicious Code 1.1.a 4
Firewalls 1.1.b 6
Chapter 2 7
Physical Threats 2.1 7
Structure Outside 2.1.a 7
Structure Inside 2.1.b 7
Chapter 3 9
Internal Threats 3.1 9
Employee Access 3.1.a 9
Employee Attitude 3.1.b 10
Employee Training 3.1.c 11
File Permissions 3.2 11
Least Access 3.2.a 11

References 12

Introduction
The internet has become a global resource for the working companies. Those who utilize the internet have near endless resources at their fingertips. This gives companies large advantages that those that don't utilize the information available to them on the internet. However, with great advantages, and information, comes great responsibility, and risks. The internet is also full of those who want to hurt companies, for reasons unknown to the company or for reasons that the company may be aware of, but is unable to prevent. Companies will never be able to eliminate the human factor from the work place. Even as self-automation and computers take over the human bodies for work and productivity, the human factor is still there. Someone, somewhere has to have access to the systems in order to maintain accountability, control, quality, and ensure the systems are running the way they are/were designed to. This human factor, even in today's world where we don't have T-800's running our systems, (That's the model # of the original Terminator played by Arnold) is what I will be discussing in the next few pages. This human factor that opens businesses up for failure and damages, how to help circumvent a lot of the abilities for distraught employees who want to do the company damage, and methods to secure files so even when the distraught employee gets into the system, has very little access to do anything. In this order, we will discuss methods of keeping your company safe from internal and external threats. We will begin by discussing External threats, the threats that a company is exposed to, and how to mitigate damages done to the company. We will then follow that up with physical threats to the company; this will be a combination of internal and external attacks. From there we will discuss internal threats and how to mitigate employee access and ability to damage the networks or leak sensitive information. Concluding with file system sharing permissions and the "Lease amount of access" method of keeping files safe.

CHAPTER 1: External Threats

1.1.a Malicious Code Malicious codes don't necessarily have to come from external threats, they can be implemented internally. However, the focus here will be on the types of malicious codes that companies are exposed to. Malicious codes are designed for a purpose, a specific function, that function and execution of that function/purpose varies upon the type of code. Some can be damaging, others copying, some controlling, spying, and some just replicate for no other purpose but to spread. The types of malicious code include, but are not limited to: Viruses, worms, Trojan horses, adware or spyware, logic bombs, denial-of-service (DoS) attacks, and blended threats. Viruses operate in four environments: file viruses, boot viruses, macro viruses, and network viruses. File viruses infect the system or target in a few ways to include being a parasite, a companion, or through link viruses. File viruses are written for a particular operating system (OS) and can infect nearly any executable. When said executable is ran, the virus is activated, which in turn, causes the virus to do what it was programmed to do. These types of viruses can override file contents, delete them, or even replace them completely. Also known as Prepending, Appending, and Inserting viruses. Companion viruses don't overwrite data, but clone it. So that when a program is run, or a file opened, the link actually opens up the virus, not the original. Link viruses, do not change the physical contents of a file, but when the file is executed or started, the virus then forces the OS to execute their code. Boot viruses attack either the boot sector, master boot record, or active boot sector. IE when a system is booted, the virus being part of the boot code, it will execute and run. Macro viruses are typically associated with business software. They are designed primarily to infect documents, spreadsheets, databases, and presentation files. Macro viruses use the macro languages written and built into business software, IE: Microsoft Office. Network viruses attack the network directly. Even without executing or opening the attachments in emails infected with a network virus, the network can still be infected. Worms, unlike viruses, are self-replicating, stand-alone software. And, unlike a virus, they do not need to attach themselves to any files. They will continue to replicate without users intervention. Some worms are coded to destroy, others to shut down, some to just crash and overload systems. Trojan horses are, just like what they were named after, (the wooden horse) is a program, an unauthorized program that is contained within a legitimate program. When a user downloads this legitimate program, and/or executes it, the Trojan is executed. There are nearly a dozen types of classifications for Trojans, however, this essay isn't about Trojans, viruses, and malware, it's about knowing the threats to the systems so that you can better prepare and are more aware of them. Adware and spyware are not technically viruses or malicious code, however with the rate of employees using websites that aren’t work related, these programs and annoyances are becoming more prominent. These programs can redirect home pages, cause pop ups, and mislead individuals to access sites that in turn, will cause a malicious code to be downloaded. Denial-of-Service attacks, also known as DoS attacks are extremely dangerous and damaging, in the sense that one DoS attack can shut down an entire company for hours, if not longer. A DoS attack sends fake requests to a server, overloading it and preventing legitimate traffic, eventually the server will shut down. A blended threat uses a combination of all of the above.

1.1.b Firewalls This section will focus primarily around enterprise based firewalls. As this papers' main focus is on the enterprise level. Firewalls are the first line of defense from external and internal threats. From an insider threat perspective, if a user is trying to access a site that is malicious in content and is filtered as a denied site, the firewall will ultimately deny the user access, then nullifying that threat. From an outsider perspective, firewalls have a hefty job of filtering everything coming in and out of the network. You can set a firewall to allow or deny specific rules, users, IP's, etc. A firewall filters both inbound and outbound traffic as mentioned prior, however, firewalls can't stop the human factor. Firewalls can't stop an employee from calling someone, or emailing someone sensitive information or passwords and login information, thus a firewall alone isn't an end all means to security, but it's a good place to start.

Chapter 2: Physical Threats
2.1.a Outside From a security perspective, a company's data is only as safe as the physical implementations to stop theft. A security advisor must always keep in mind that a disgruntled employee knows all the weak spots in a company. They want to do damage, so they do there research. Everything from physical barriers to protect vehicles from crashing into the building, facility access controls, intrusion detectors, and alarms. Access to the server room is the most important aspect, as anyone who has access to the server room, has access to everything on the companies networks and servers. That is where our primary focus will be in this section. The server room needs to have as little access to it as possible from outside personnel. There should be no way anyone but an authorized individual can gain access to the server room, even if they have access to the door to the server room, man-traps work wonders. A facility access control device should include access logs, employees should have specific access badges and pins to allow them into the server room so you can track who went in and out and when they did.
2.1.b Inside Once a person has access to the inside of the company, they can then attempt to have access to the server room. Precautions need to be taken that only verified and authorized individuals have access to the server room. First thing is first, always lock up your server room. As basic as it sounds, and as common sense as it may seem, a lot of companies don't lock up server rooms, or networking closets. They utilize and implied trust with employees and those that enter their complex. IE: I trust you to not do something dumb, because I trust you. Which is flawed in oh so many ways. You then need to set up some sort of surveillance in order to monitor the locked door. Anyone with a crowbar, a jackhammer and explosives can break into a server room. You need to see who, what, when, and how someone got into your server room unauthorized. You also need to make sure your security logs and videos are being stored somewhere other than that server room! If someone breaks in, they can corrupt the hard drives that can be used to incriminate them. Companies need to also utilize rack mount servers. Once a rack is full and bolted to the ground, closed and locked, they are nearly impossible to move, in any sort of timely fashion. Reducing risks of damage, theft or tampering to null. Companies also need to ensure they are backing up their data and ensuring the backups are secure. Good backups that are secure are an essential aspect of disaster recovery plans. The physical workstations should be secured and there shouldn't be any easy access to the hard drives.

Chapter 3: Internal Threats

3.1.a Employee Access As you see by the above graph, the majority of insider misuses are preventable. For example, where that firewall we had talked about earlier would come in handy. You can use a firewall to stop media downloading, p2p, rogue access points, remote-access programs, so on and so forth. A lot of the items in this list were initially harmless in intention by the user. However, not every user knows the safety concerns associated with these threats on a work computer. Viruses and Malicious content are some of the bigger concerns from these threats. Hence why we talked about it earlier. One of the points we didn't touch was the human aspect of Hackers, black hats. Black hats are people whose primary goal in life is to crack a system and perform malicious intentions. Writing about how to stop/prevent hackers is an impossible task, as it's impossible to stop someone dedicated enough, with the right skillset and technological advantage from cracking a system. This block of writing revolves around employees. Employee access to systems and the internet. If you give an employee unrestricted access to the internet, you are bound, eventually to get something malicious. It's just the nature of the beast. All it takes is one wrong site, one miss-clicked popup, one bad email, to infect a system. With that in mind, you need to restrict employee access to websites and software usage on the systems/network to what the system administrator, and tech advisors agree upon. You can't however, restrict so much that you reduce productivity to a non-acceptable level. For example, where I work, for USASOC, I can't access my employee profile anymore, and we as IT individuals, have to do a work around and find a loop hole, in the system, managed by our bosses! Just so we can clock in and out. They find that our companies' home pages and website are an unnecessary risk. This work around, takes 5 minutes a day, per person that works for the company that I do, in the location that I do. Although not a major impact, it's still an impact none the less.
3.1.b Employee Attitude Complacency wreaks havoc in companies. Those who become complacent eventually stop following the rules as they should. One way to rectify this would be to change up employee roles. Never keeping them in the same job for too long, or the same office, or cubicle. By moving them around, they continue to get vision and exposure; it also keeps them happy and non-complacent. But, not all internal issues come from the "user" level. As far as administrators are concerned, you need to limit the access they also have. Of a four step process, admin #1 who oversights the first two steps, should NOT have access to the last two steps. Which leads me to the point of least access. I will cover that in 3.2.a.
3.1.c Employee Training By administering proper training, employees are much less likely to unintentionally cause harm to the company. By knowing the types of malicious codes, viruses, spam, spim, phishing, pharming, whaling and spear phishing, just to name a few, a user can better protect themselves and the company. People won't report what they don't know to be wrong or unusual. As well, companies must reassure employees that no harm will come to them if it was an accident or unintentional. I can, from personal experiences of working in the information assurance realm, tell you that people try to hide stuff they know they accidentally did wrong. This makes it worse, there fear of repercussions cause a lot more problems.
3.2 File Permissions
3.2.a Least Access Simply put, only give people, servers, software, systems, anything that has access to anything, the least amount of permissions possible, without hampering the daily duties or productivity too much. Administrators must find a balance between safety, usability, and productivity. By making a system too secure, it hampers usability and productivity. But, by making it less secure, you open the system up for safety concerns. Least access will help keep those prying eyes employees tend to have, from being able to pry, and those upset employees from causing too much harm.

References

Wunsch, J. (2014). Keep Company and Employee Information Safe. About.com. Retrieved January, from http://humanresources.about.com/od/healthsafetyandwellness/a/protect_data.htm

File Security - Protect File Data and Ensure Compliance. (2014). File Security - Protect File Data and Ensure Compliance. Retrieved January, from http://www.imperva.com/products/fsc_file-security-and-compliance_overview.html

Google's Approach to IT Security. (2012). Retrieved 2014, from https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf

File and Folder Permissions. (2000, January 1). File and Folder Permissions. Retrieved 2014, from http://technet.microsoft.com/en-us/library/bb727008.aspx

Employee Computer Operating and Security Policy - University of Maine at Augusta. (2012). University of Maine at Augusta. Retrieved April 17, 2014, from http://www.uma.edu/employeecomputerpolicy.html

SANS InfoSec Acceptable Use Policy. (2006). www.sangs.org. Retrieved April 17, 2014, from http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf

Data Leakage Worldwide: Common Risks and Mistakes Employees Make. (2008). Cisco. Retrieved April 17, 2014, from http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.html

Security Threats in Employee Misuse of IT Resources. (2009, March). Computer Economics. Retrieved April 17, 2014, from http://www.computereconomics.com/article.cfm?id=1436

Smith, R. E. (2013). Elementary information security. Burlington, MA: Jones & Bartlett Learning.

Taylor, R. W. (2011). Digital crime and digital terrorism (2nd ed.). Boston: Prentice Hall.

Guil, F. (2006). Global Information Assurance Certification Paper. Giac. Retrieved April 17, 2014, from http://www.giac.org/paper/gsec/2892/computer-rooms-meet-physical-security-measures/104866