
Philip Alexander - Information Security: A Manager's Guide to Thwarting Data Thieves and Hackers (PSI Business Security)


  • Book:
    Information Security: A Manager's Guide to Thwarting Data Thieves and Hackers (PSI Business Security)
  • Author:
    Philip Alexander
  • Publisher:
    Praeger
  • Genre:
    Politics
  • Year:
    2008
  • Rating:
    3 / 5

INFORMATION SECURITY

Praeger Security International Advisory Board

Board Cochairs

Loch K. Johnson, Regents Professor of Public and International Affairs, School of Public and International Affairs, University of Georgia (U.S.A.)

Paul Wilkinson, Professor of International Relations and Chairman of the Advisory Board, Centre for the Study of Terrorism and Political Violence, University of St. Andrews (U.K.)

Members

Anthony H. Cordesman, Arleigh A. Burke Chair in Strategy, Center for Strategic and International Studies (U.S.A.)

Thérèse Delpech, Director of Strategic Affairs, Atomic Energy Commission, and Senior Research Fellow, CERI (Fondation Nationale des Sciences Politiques), Paris (France)

Sir Michael Howard, former Chichele Professor of the History of War and Regius Professor of Modern History, Oxford University, and Robert A. Lovett Professor of Military and Naval History, Yale University (U.K.)

Lieutenant General Claudia J. Kennedy, USA (Ret.), former Deputy Chief of Staff for Intelligence, Department of the Army (U.S.A.)

Paul M. Kennedy, J. Richardson Dilworth Professor of History and Director, International Security Studies, Yale University (U.S.A.)

Robert J. O'Neill, former Chichele Professor of the History of War, All Souls College, Oxford University (Australia)

Shibley Telhami, Anwar Sadat Chair for Peace and Development, Department of Government and Politics, University of Maryland (U.S.A.)

Fareed Zakaria, Editor, Newsweek International (U.S.A.)


INFORMATION SECURITY

A MANAGER'S GUIDE TO THWARTING

DATA THIEVES AND HACKERS

Philip Alexander

PSI Business Security

W. Timothy Coombs, Series Editor

PRAEGER SECURITY INTERNATIONAL

Westport, Connecticut London

Library of Congress Cataloging-in-Publication Data

Information security: a manager's guide to thwarting data thieves and hackers / Philip Alexander.

p. cm. -- (PSI business security)

Includes bibliographical references and index.

ISBN-13: 978-0-313-34558-6 (alk. paper)

1. Business enterprises--Computer networks--Security measures. 2. Information technology--Security measures. 3. Computer security. 4. Data protection. I. Title.

HF5548.37.A44 2008

005.8--dc22

2007043997

British Library Cataloguing in Publication Data is available.

Copyright © 2008 by Philip Alexander

All rights reserved. No portion of this book may be reproduced, by any process or technique, without the express written consent of the publisher.

Library of Congress Catalog Card Number: 2007043997

ISBN-13: 978-0-313-34558-6

First published in 2008

Praeger Security International, 88 Post Road West, Westport, CT 06881

An imprint of Greenwood Publishing Group, Inc.

www.praeger.com

Printed in the United States of America

The paper used in this book complies with the Permanent Paper Standard issued by the National Information Standards Organization (Z39.48-1984).

10 9 8 7 6 5 4 3 2 1

CONTENTS

Preface: The Heartbreak of Data Loss

Acknowledgments

1. Computer Use and Data Security Policies and Standards

2. Network/DMZ Design

3. Defense in Depth

4. Authentication and Authorization

5. Security and the Mobile Employee

6. Business Continuity Planning

7. Hackers, Snoops, and Viruses

8. Personnel Issues and Hiring Practices

9. Contractual Considerations

10. Data Privacy Laws

11. Overseas Outsourcing

Appendix A: The Trusted Computer System Evaluation Criteria (TCSEC)

Appendix B: Rainbow Series

Appendix C: The International Organization for Standardization (ISO)

Glossary

Index

PREFACE: THE HEARTBREAK OF DATA LOSS

What would be the impact if your company lost critical data? The answer to that question varies depending on the nature of the data itself. Some data is regulated by the government. If that data is compromised as a result of a security breach, your company could be in violation of a number of laws and regulations. Data loss could also mean that your company couldn't make accurate and timely financial reports or even respond to a judge's subpoena. And if the data is about your company's newest wonder drug or next generation electronic gadget, losing that information or letting it fall into the wrong hands could cost millions.

Data loss can have serious repercussions.

A couple of years back at a computer security symposium, attendees were asked what the worst type of data loss would be. The majority responded with the conventional wisdom: it would be a total loss of all the information on a major system such as a large database or other major system of record. That's the wrong answer. Most companies perform regular backups, and this type of catastrophic data loss would be easy to spot and recover from the backups. A more damaging situation would be a series of small, hard-to-notice changes that over time invalidated or compromised the data. Since it would be hard to detect, your backups would be tainted as well, thus making recovery much more difficult.

Another data risk would be to lose information bit by bit, the work of an insider adept at covering his tracks while bleeding the company dry. Data exposure is just as serious a risk as data loss.

Moreover, depending on the nature of the information, and the number of records, the fines associated with a data breach could run into millions of dollars. There are laws that hold people criminally liable for certain types of data loss, some of which are felonies. Note that I'm not talking about hackers, but rather the executives who failed to adequately protect the data itself.

This book focuses on the factors involved in protecting your company's data, as well as its computing resources. As you'll see, I take what is known as the C-I-A approach, which stands for Confidentiality, Integrity, and Availability. In other words, safeguarding your company's data is not just limited to warding off the intentional misdeeds of hackers.

This book is all about knowing what your risks are when it comes to information security, and what solutions are available to manage the risks. I take a pragmatic approach, keeping an eye on the bottom line. I look at the real benefits of solutions that are available today, what they can do, and what they can't.

I also clear up some common misconceptions. For example, there are no silver bullets that will solve all your problems at once. If somebody is telling you otherwise, he or she is probably a salesperson whose knowledge is limited to what they've read in their product's marketing brochure.

This book takes an international approach, as many companies now have a presence in several countries, such as the United States, the European Union, India, and elsewhere. And I cover a broad spectrum of issues that will arm you with the knowledge to understand the challenges faced in trying to both manage and secure the data in your company's computer network as well as the data entrusted to third parties at home and abroad.

In short, this book will make you better prepared to meet the challenges of keeping information safe and secure head on.

Note: This book contains an extensive glossary. If you run across a word or concept you don't know, chances are that I have defined it in the glossary. It will also help to befriend an articulate IT person in your company. Since this book is not designed to explain concepts or procedures in great depth, that IT person can help you understand how these ideas play out in the real world.
