or

Information security (INFOSEC)

Nocturne has a keen awareness of information security issues and threats. INFOSEC is not a line of business for us, it is a way of life. We take information security very seriously and go far beyond industry standards in the protection of confidential client information. We also integrate INFOSEC wherever possible into our information management solutions.

Many organizations focus too much on technology as a magic bullet in their efforts to maintain information security. While we use the best available technology, we focus on processes. Strong, consistent processes, mixed with a healthy amount of paranoia, reduce the potential for accidental breaches of security and make intentional, malicious intrusions much more difficult.

We won't say much here about our techniques, for obvious reasons. But we will highlight a few of the things we do to keep your information safe:

• Nested desktop encryption, using 256-bit AES and 1024-bit RC5 algorithms
• VPN connectivity between servers
• Maximum available encryption of wireless connections, when used
• Use of 'honeypot' (decoy) servers and filesystems
• Overlapping monitoring systems to track attempted intrusions
• Hardware-implemented firewalls
• Clear processes for identifying levels of security and confidentiality for files, users and computing environments
• Solid processes for tracking the assignment, distribution, retirement and any compromise of passwords and codes
• Separate computer environments for specific levels of security and confidentiality
• Fail-safe systems (systems that, when they fail, fail into a locked or encrypted state)
• Overlapping virus and worm detection systems
• Executable suppression in Microsoft document types
• Non-trivial passwords for all systems
• Regular updates of all software to address newly discovered vulnerabilities
• Monitoring of warnings regarding viruses, worms and vulnerabilities

The sections below provide some information that might be of interest to you when you consider your own INFOSEC processes.

Encryption algorithms

Encryption is an essential part of business, information management and communications today. However, it is dangerous to rely on encryption alone. While new technologies provide incredibly powerful methods for encryption, it is certain that future technologies will make those algorithms completely ineffective.

When using encryption to protect your communications, consider the following facts:

• Government agencies very likely have backdoor access to all commercially available VPN and communications encryption systems.
• It is impossible to be certain how secure the secure areas of your service provider's network are, in VPN systems that use gateways instead of true end-to-end tunneling.
• VPN traffic might be stored by service providers to satisfy legal requirements, and might be made vulnerable at some future time by advances in cracking techniques.

When using encryption to protect your stored data, consider these recommendations:

• In the near future, encryption tools capable of cracking your deepest levels of encryption will become readily available. Protection of data through encryption has a definite lifespan. If you have data you would not want cracked in ten years, or even five, implement physical security controls as well as encryption.
• Encryption software may protect data on your hard drive's filesystem, but may leave data vulnerable in swapfiles or temporary files on unprotected areas of the drive.

VPN systems

VPN gives the illusion of security, but most VPN systems have known vulnerabilities. Use VPN wherever possible, but don't trust it to provide a complete solution. Consider implementing nested secure tunnels, or using server-file-to-RAM keyless encryption.

Wireless networking

Wireless networking has suddenly become commonplace, but the implementation of security on those networks has not caught up with demand. A common problem is a complete lack of security. Most network access points (NAP) have their security features turned off by default. Administrators need to know how to turn on security, and how to generate significant encryption keys.

Another problem with Wifi (802) wireless encryption is an inherent weakness built into the encryption. Although 128-bit encryption is available on most NAPs and adapters, it isn't true 128-bit encryption. The first 27 bits are fixed and therefore trivial, reducing the strength of the encryption severely.

Another issue with Wifi encryption is a flaw in the algorithm for shared keys. A Wifi circuit operates either in Open mode, or in Shared mode. In Shared mode, key data is exchanged between the NAP and the adapter. When a cracker intercepts this exchange repeatedly during wireless operation, they can use readily available cracking tools to expose the encryption keys and gain access. Ironically, Open mode is more secure because it does not offer this vulnerability. Most administrators and users of Wifi falsely believe Open mode to be the less secure mode.

Firewalls

Firewalls come in two forms: software, and hardware. Both have advantages, and both have vulnerabilities.

Hardware firewalls tend to be less vulnerable to cracking and are easier to implement and administer. The drawback to hardware firewalls, other than the cost, is the potential for fixed, known vulnerabilities that cannot be automatically patched.

Software firewalls tend to be more vulnerable to cracking, and put a serious load on the systems on which they are hosted (oftentimes a user's own workstation). The advantage to software firewalls is their ability to automatically update themselves as vulnerabilities become known.

Microsoft documents

Microsoft Word, Excel, and PowerPoint files are not true data filetypes. These files may contain executable code (called macros). Macros serve a useful purpose by adding functionality or intelligence to otherwise static data files, but also introduce a serious risk for users and security administrators. Every Microsoft file is potentially a self-contained program, and any of those programs could include a packaged virus or worm.

Trojan worms

One of the most serious threats to information security is the use of specifically targeted trojans, or worms. These are programs designed for malicious purposes. Many of the worms that have been detected to date are dangerous to information integrity but not to the protection of confidentiality; they may destroy data, but they do not generally deliver data into unauthorized hands. (There have been exceptions.)

Unfortunately, the real concern is that someone will target you with a worm designed specifically to compromise your information security. Worms that are not generally distributed are not likely to be included in the definitions used by commercially available anti-viral software, and will not be detected. A worm can scan your filespace for data of interest, or capture your data and passwords through keyboard monitoring.

There are several things you can do to defend yourself against these compromises:

• do not accept executable files, including macro-enabled Microsoft files, from any untrusted source
• scrub all executable files with all available anti-viral programs
• keep your anti-viral definitions and all your software up-to-date
• install software firewalls capable of automatically blocking and reporting network communications from unknown or altered applications
• partition your dataspace and your computing environments so that more vulnerable systems (such as your web server) cannot 'see' systems hosting secured files or sensitive data
• do not enter usernames or passwords on systems outside your trusted environment (for example, terminals in web cafes or in public areas, at client sites, or in the home)
• do not allow anyone to install software not included in your corporation's standard release package (SRP)
• do not leave your computer unattended without implementing BIOS and screensaver password protection

White-hat hacking

Hackers (the proper term is actually crackers) come in two general flavors: black-hat hackers, who hack and crack for malicious or irresponsible reasons, and white-hat hackers, who hack and crack to benefit the computing community or an individual client. White-hat hackers identify and communicate vulnerabilities to ensure that those vulnerabilities are addressed before a black-hat comes along.

Consider the value that a white-hat could bring to your information security. A white-hat will test your security to identify vulnerabilities in your technology, implementations and processes. (Nocturne does not offer this service.)