Your data is encrypted. So what? Are you using SSL, AES, 3DES, or something else? Can your data be compromised with a cryptographic attack? What key length are you using? This paper attempts to shed a bit of light on the myths and misconceptions when dealing with encryption.
The Network Security Challenge
The number of companies relying on the Internet for mission-critical business
has skyrocketed. And, while this growth has intensified the need for network
hardware, software and personnel, it has also increased the need for dynamic,
effective network security. New security vulnerabilities are released daily,
and maintaining a secure operating environment is a complex and costly
process. Some analysts claim 3 of every 4 business web sites are vulnerable
to attack, and by the end of 2006 Internet fraud could surpass credit card
fraud. Cyberattacks are now routine in today’s electronic landscape, and
cybercrime is no longer a future threat; it is here, now.
Public, Private & Proprietary
We categorize security vulnerabilities into three areas: public, private, and
proprietary. Public vulnerabilities are those reported in the mass media
and are usually the most easily corrected. These include viruses, worms,
misconfiguration notices, and other general security issues. Private
vulnerabilities are lesser known and usually held more closely within
the underground hacker community. Private vulnerabilities are almost
always more lethal, much less publicized and can cause more damage
to online networks. Proprietary vulnerabilities are those uncovered and
developed at Razorpoint Security. We utilize all of these during our security
engagements to ensure that our clients get the most comprehensive
assessments possible.
A Process, Not A Product
While many installations employ similar hardware and software products, not
all networks are alike. All too often misconfigured machines are put behind
firewalls (“a product”) giving a false sense of security. Hackers use their
unlimited time resources to find small idiosyncrasies in perimeter security
(e.g. firewalls) to obtain minimal access to internal machines (e.g. mail server,
web server, etc.) usually undetected. Once limited access is established,
hackers simply exploit vulnerabilities on the internal, misconfigured machines
to obtain Superuser (root) access. That’s it. That’s all it takes. Your entire
network is compromised. This simplistic scenario illustrates how someone,
with enough time and skill, can bypass a product-based security solution and
wreak havoc on a live network. Security needs to be monitored, maintained,
and updated constantly to meet the ever-changing security landscape (a.k.a.
“threatscape”). Proper security includes well-designed infrastructures,
firewalls, “hardened” operating systems, good passwords, intrusion detection,
and above all, awareness — all of which must be continuously updated.
This ongoing “process” is what keeps environments secure and minimizes
unauthorized access by malicious intruders.
There is no magic bullet. There is no shrink-wrapped package. And,
there is no universally applicable product that ensures the security of
a network environment. If there is one concept Razorpoint Security
Technologies stresses to its clients, it’s that “network security is
a process, not a product.”
Razorpoint Security Technologies, Inc. specializes in network security, attack / penetration
testing and identifying potentially disastrous security vulnerabilities especially as they
relate to Internet solutions and web applications. We offer security services that focus
the view of your network environments and e-business ventures.
Razorpoint Security offers business leaders and corporate clients the
necessary security services and solutions that help keep corporate networks
secure. While many security firms provide singular penetration tests with
limited documentation, Razorpoint offers a year-round assessment schedule
and customized documentation deliverables that help keep clients up to date.
Our assessments go well beyond the average “port scan” or “vulnerability
scan” exercises. We look at your network through the eyes of those looking
to do you harm. We know what they know, we know what they see, and
we know what they do.
What is secure?
Products alone do not secure data.
Processes do.
Razorpoint’s comprehensive
security services identify real world
vulnerabilities and help keep data
secure.
www.razorpoint.com
and, how do you know?