The case for consistency in security

Security spending could be compared to the stock market. It increases and decreases depending on intangibles such as how “at-risk” the organization feels rather than on objective measures such as the number of cyberattacks, vulnerabilities or data breaches.

An organization may put technical controls in place, educate employees and establish new policies immediately following a breach, but over time the technology becomes outdated and no longer protects the organization as it should. Memory of the breach fades, causing exceptions to be made to the firm’s policies and leading to forgetfulness in employee adherence to best-practice procedures. Eventually, another incident causes the organization to spend money again, and the cycle starts all over.

This situation is detrimental to companies in two ways. First, it results in periods when the organization is quite vulnerable. Also, in the end, more money is spent on security than would have been required if security spending were consistent from quarter to quarter. In fact, effective IT security solutions contribute to business success and profitability. Let’s explore this by looking at major areas where security dollars go; technology, governance, and training.

Technology

Technology such as firewalls, Intrusion Detection Systems (IDS), antivirus software, authentication systems or auditing and alerting systems, is essential to protecting organizational information assets but technology is quickly outdated. More sophisticated attacks or better equipment on the part of the attackers necessitates increased investment by organizations to protect themselves.

Consistent spending keeps technology up to date so that it continues to address current risks. It is also much easier to make incremental improvements to address new risks rather than design a completely new solution. Those who maintain security systems have a better understanding of how the product protects against threats and how it can be modified if necessary.

Governance

Governance includes the policies that spell out the organization’s approach to information security such as how users will be authenticated, how data is classified, roles and responsibilities and sanctions for those who do not follow policies. Procedures document how specific tasks are performed to accomplish what is set forth in the policies. When security spending is consistent, policies are updated so that they are in line with business objectives. When inconsistent, policies may conflict with business objectives and the policies are either ignored or business objectives are not met.

Similarly, consistent security spending allows for procedures to be updated as technology and forms of attack change. When spending is irregular, procedures may be followed but won’t adequately protect the organization or informal undocumented procedures may occur — which affects operational effectiveness. Lastly, policies are enforced when security spending is systematic, leading to regular patterns of behavior and a culture that sustains security rather than obstructing it.

Training

Training is also more effective with consistent security spending because it keeps security awareness top of mind. Otherwise, employees will need to be completely retrained on information security because much of the information is forgotten.

So how is security spending addressed in your organization? Is it consistent and proactive or inconsistent and reactive?

Continue reading

Ineffective Security Policy Adherence Results in Another Data Breach

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013.  The device was unencrypted and not password protected despite a policy by the DJJ requiring both encryption and password protection on mobile devices. This latest breach further demonstrates the importance of encrypting mobile devices but more importantly, it shows that a policy alone is not enough.  Organizations and government agencies need to make sure that employees are aware and adhering to their policies.  Without this, such policies are worthless.

Do you have a mobile device encryption policy?  If so, do you know if employees are following it?  Don’t let this happen to you.

 

Security Focus at the Corporate Board Level

Imagine a boardroom a generation ago.  Smoke fills the air, and sidebar discussions thrive while the board members wait for the presentation to begin.  Manila packets filled with research, financials and other sensitive information are distributed around the table.  The meeting progresses; a decision might be made, and afterward the packets would be collected in their entirety and destroyed lest they end up falling into the wrong hands, compromising company research or spilling sensitive secrets.

So what happens today where technology is so prevalent?  In a recent August-September 2011 study, Thomson Reuters conducted a survey of general counsel and corporate secretaries to understand how company information is secured when provided to corporate board members.  The study titled “Better board governance: Communication, security, and technology in a global landscape of change” looked at a global cross section of companies from a variety of industries.  These companies ranged in size from under $500 million to over $10 billion.  The results indicated a lack of secure procedures for corporate board information management.

Board Communication and Security

In today’s world of technology, board members can be distributed across the globe and meetings are sometimes virtual.  Surprisingly, though, a majority of companies, 61%, still utilize paper and courier to transmit information to board members.  Another 49% transfer documents through email.  Unless encryption is used, email is not a secure method for transmitting confidential documents.  Only 10 % of companies use specific email accounts set up for board members to deliver information.  Instead, a whopping 65% said they never use the corporate email network.  In these situations, the email is usually sent to a private email account where security rules are not defined by the organization so security cannot be controlled.

A scant, 21% of companies surveyed utilize a secure portal for transmitting board documents.  This method is the most secure of the three but sadly it is the smallest percentage.  Secure portals use an encrypted channel to transmit information, so data is protected against eavesdropping.  Additionally, in secure portals Digital Rights Management (DRM) settings can be applied to information so that it does not leave the portal and access to information within the system can be audited.

Document Retention

With 61% of companies using paper to distribute documents, the next logical question would be whether or not a policy is in place for the destruction of such documents after they have been used.  The survey found that 63% of companies require their members to destroy copies of board-related documents.  However, only 30% of all enterprises surveyed suspected that the board members did delete, shred, or destroy them.  Also, 60% suspected that at least one or more board members retain documents on their personal devices whether it is a computer, smartphone, or tablet.  Not only is this a risk for data disclosure, but it also creates additional efforts for eDiscovery since the personal devices of board members could contain information related to litigation.

Board Scrutiny

On a more positive note, 64% of companies surveyed are experiencing more scrutiny within their board practices when compared to last year.  This increase falls into line with more strict governing guidelines and regulations.  The Thomson Reuters reports showed that the most difficult challenge with relation to board governance is regulatory flux, global boards, effective controls, and time.  The governance breakdown shows that 44% attempt to adhere to local governance norms and another 39% adhere to global governance norms.  A small percentage, 17%, is trying to go beyond minimal governance requirements.

Security is necessary for the protection of vital information within companies.  As such, companies do a lot to protect themselves and their information.  However, serious deficiencies in security are seen in the processes surrounding information given to corporate boards.

Many corporations are still using unencrypted or personal email accounts or snail mail to send confidential board documents and policies for document destruction are routinely not followed potentially allowing for information to be being lost or stolen.  Board members operate mostly outside of the organization but when handling corporate information they should treat it in the same way organizational employees do such as observing corporate data retention and destruction policies.  If you are concerned about information leakage from board members, consider training on secure information handling procedures and create a method such as a secure portal for distributing information to the board.

 

Teaching Users to Spot Malicious Programs

We have worked hard to educate users of the need for computer hygiene, using anti-spyware, multiple browsers, data backups, and antivirus programs. Unfortunately, users are getting fooled into installing fake antivirus programs through clever pop-ups that work off the fear users have of viruses. These programs install themselves and trick users into paying for bogus services or they gather private information on user activities and send it off to spammers and thieves.

These malicious antivirus programs are extremely common. Google has identified over 11 thousand sites distributing fake antivirus code.

It is important to take the next step and teach users how to differentiate between legitimate programs and scams. Your company probably has a standard antivirus program that is used on all machines. Users should be made aware that this program will protect them from viruses and that they have no need of other programs.

Unfortunately, even clicking no or what appears to be a close button on a pop-up can result in the program being installed. Users need to be taught how to close out of windows properly to avoid activating the malicious code they contain. One method is to press [Alt] + F4 to close the current window. If that does not work, pressing [ctrl] + [alt] + [esc] in Windows or [option] + [apple] + [esc] in MacOS will open the task manager/force quit applications window where Internet Explorer (iexplore.exe), Firefox (firefox.exe), or Safari can be closed.

Once a fake antivirus program is installed, it will appear to scan the hard drive. It will tell you it has identified viruses and then clean them, but it does nothing of the sort. Usually, users will notice a performance decrease. They may also find that their browser has been hijacked, or they will begin to see many pop-ups and advertisements on their screen. Users should be made aware of what follows the installation of a fake antivirus program so that IT can resolve the situation. The sooner IT knows of it, the better because these programs continue to do their dirty work even to the point of filling up a hard drive or making a computer completely unusable.

Spyware can also generate fake antivirus alerts. Make sure that anti-malware programs are up to date and that they scan programs in memory and programs on the hard drive and removable drives as soon as they are added. Corporate applications usually have the ability to report back to a central monitoring station when a workstation is infected with a virus or a malicious application. Train your administrators to make use of such consoles and to stay on top of any infections. When a machine is infected and not treated, it is not long before it turns into an epidemic.

Take the time to educate your users because it will save them a lot of grief and your IT staff a lot of time cleaning machines. Stay up to date on the latest fake programs and consider creating a security portal where your users can get information on fake programs and other security tips.

Achieving High Availability with Change Management

Change management is a key information security component of maintaining high availability systems. Change management involves requesting, approving, validating, and logging changes to systems. This process can bring significant benefits to an organization. Namely, it can strengthen the decision-making ability of an organization by training personnel to think fully on and evaluate changes before they are made and it provides a knowledge base of past changes and the lessons learned from situations.

Information security can be divided into three sections: confidentiality, integrity, and availability, often called the CIA triad. Availability is extremely important. After all, if the data is not available to authorized users when they need it, of what use is it? High availability is another term that describes a system that is accessible to users 24×7 with minimal scheduled downtime.

An often mentioned method for obtaining high availability include hardware redundancy such as active/passive firewalls, clustered servers, network load balancing, and round robin DNS. Redundancy is an excellent aspect that high availability networks must have. However, another important factor in achieving high availability is a change management policy.

Any change has the potential to create new vulnerabilities or reduces the availability of systems. Of course, the process of maintaining systems and managing business objectives requires change. Therefore, organizations must determine how to balance the need for change with the minimization of risk. The answer is through change management. This starts with a change management policy that then leads into a change management program whereby change management is implemented throughout the company.

Let’s first define change management and describe what a change management system looks like. Change management is the process whereby changes are requested, approved, validated, and logged to reduce the risk of a change compromising the availability of systems or creating new vulnerabilities. Validation also takes place after a change has been made. The system needs to be tested to determine if the change produced the desired result. Change management approvers should thoroughly consider the impact of changes and notify users and others about the change. It is advantageous to schedule the changes during standard downtimes to minimize the potential impact to system availability.

Moving along with the description laid out for us, the first element of change management is approval. Change management systems require changes to be requested in a system and then approved by an authorized individual such as a supervisor, manager, data owner, or by multiple persons. The process of requesting a change and approving a change validates the actions taken since multiple people consider the decision and actions before they are approved.

The last element is logging. Logging produces some ancillary benefits to change management. Change management logging is a positive step towards knowledge management, and it can aid personnel in reversing any damaging changes that may occur.

Change management can assist in knowledge management objectives because the rationale behind changes along with those who implemented them are stored in the system. If a similar event comes along, such as a server error or a new project, the system can be queried to determine a course of action and the persons involved can be contacted for further information or involvement in future projects or troubleshooting.

Change management also gives an organization the ability to reverse damaging changes because it keeps a log of the actions taken. Not all changes achieve the desired outcome. In such situations, it is imperative that the organization have a method of reversing the changes to bring the system back into a functioning state. Change management accomplishes this by enabling users to view the log of actions taken so that these actions can be undone.

So what kinds of actions should be managed in a change management system? The CISSP common body of knowledge asserts that change management systems should manage changes related to the entire lifecycle of a system including design, development, testing, evaluation, implementation, distribution, and ongoing maintenance.

The next question is what changes in these categories should be logged? This important question that has to be determined on a case-by-case basis by organizational decision makers. The greatest amount of benefits from a change management system will be realized by tracking even minor changes, but this is a determination you will have to make.

Lastly, consider implementing change management metrics and integrating them with other security metrics you track so that you can ensure change management goals are met.  Change management is a process that can greatly strengthen information assurance and provide a framework for high availability in information systems. The process involves requesting, approving, validating, and logging changes to systems. This process aids in knowledge management, incident response, security management, and governance.

The Essential Link between Awareness and Security Policies

Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone’s desk. Information security policies find value when they are understood, adhered to, and enforced. To do this, employees must be made aware of the policy, the policy’s reason for being, and how it impacts them.

This article outlines the problem of enacting security policies without associated awareness programs. It also cites recent research on harmful user activities that could be mitigated through implementing awareness training following policy enactment.

The problem with policies alone

Companies are learning that they need to have policies in place that establish top management support for security initiatives. However, many of these policies lack effectiveness because end users have no knowledge of them, or they do not care. Companies need to take the next step and educate users on the policies. A study by the Ponemon Institute found that 58% of those surveyed said their employer did not provide adequate security awareness training. This figure clearly identifies where improvements are necessary.

Awareness of the policies needs to address why the policy is important to the users. Many policies require users to take additional steps that may slow or impede the work they do. At the bare minimum, security policy adherence will require users to change their routines. Users will not be motivated to change their habits, and they will resist attempts to impede their work unless they understand how these policies benefit them.

Users need to be brought “on board” so that they agree with the policy and are motivated to comply with it. The first part of this initiative is to educate users on the value of the information they possess and the importance of their position within the company. The second step is to show them how this information can be compromised and finally, how they can protect that information by adhering to the policy.

Awareness research findings

Current research has identified some concerning statistics in regards to insecure employee practices. The table below summarizes a portion of the results from a recent Ponemon survey and shows areas where security awareness is lacking.

Routine actions performed by users Percentage
Storing data on insecure mobile devices 61%
Downloading Internet applications on workplace computers 53%
Using web-based personal email in the office 52%
Divulging passwords to others 47%
Losing equipment with privileged or confidential data 43%

These five activities were routinely performed by roughly half of those surveyed. Each activity is potentially harmful to a company. Storing data on insecure mobile devices could allow unauthorized individuals access to company data if those devices were stolen. The last item in the table above shows that equipment containing privileged or confidential data is routinely lost. This would expose the company to potential privacy litigation, a loss of reputation, or a loss of competitive position in the marketplace if the data contained trade secrets, proprietary processes, or customer lists.

The downloading of Internet applications could infect company computers with malware including rootkits, Trojan horses, viruses, and backdoors into enterprise systems. These applications can also cause incompatibilities with supported software making it difficult for employees to perform their jobs. Many employees are aware of how easy it is to make a computer unusable by downloading software from the Internet as the practice is very prevalent for home users. Awareness programs should educate users on how downloading Internet applications can impact their ability to perform their job.

Using personal web-based email in the office brings risks similar to downloading applications. Awareness programs should educate users on how using web-based email can impact their ability to perform their job. Many attacks are email based, and while organizational email is often screened by equipment to filter out malicious email, web based email may not be as secure.

Divulging passwords to others gives them the ability to perform any action the user can perform. This could make it appear that the user who shared his or her password committed crimes or misused their authority. Users who are aware of this may be less likely to share their passwords with others. Awareness programs can stress that even if another person is trusted, they may not adequately protect a username or password allowing it to fall into a malicious user’s hands. Passwords should not be shared with even trusted users. For more information, see the article “Guidelines for Username and Password Risk Management.”

Summary

As can be seen from this data, users routinely take actions that could be harmful to organizational information systems. Many companies already have policies that restrict such activities, but users are unaware of them as is reflected in the low rating of awareness training. Until users know of the policy and are motivated to follow it, trends like these will continue, and organizations will still be vulnerable. It is imperative that users be educated on the role of policy and be motivated to adhere to these policies once they are established.

Developing a Virtualization Security Policy

Since many organizations are rapidly virtualizing servers and even desktops, there needs to be direction and guidance from top management in regards to information security. Organizations will need to develop a virtualization security policy that establishes the requirements for securely deploying, migrating, administering, and retiring virtual machines. In this way, a proper information security framework can be followed in implementing a secure environment for hosts, virtual machines, and virtual management tools. This article is part two of a series on virtualization.

As with other policies, the security policy should not specify technologies to be utilized. Rather, it should define requirements and controls. Technologies will be implemented to satisfy the requirements and controls provided by the policy.

  • Auditing and accountability
  • Server role classification
  • Network service
  • Configuration management
  • Host security
  • Incident response
  • Training

Auditing and accountability

The auditing and accountability portion has to do with the responsibilities of administrators, management, and users of the virtual environment. It is important to specify administrative roles such as backup operators, host administrators, virtual network administrators, server users, and self-service portal users. For smaller organizations, a few people may fill these roles, but larger organizations will specify greater separation of duties between roles. Clearly, identify the server role classifications that each user role can access.

Furthermore, this section should indicate that administrative actions will be logged and audited. Logs should be redundant, backed up regularly, and applications should be available for audit log searching and review.

Server role classification

Virtual machines or guests, serve different roles such as a file server, domain controller, email server, remote access server, or database. Some roles are more sensitive than others, and thus they should be treated differently. Roles can be determined by the applications a server hosts or the data it hosts, as well as its criticality and value.

A series of classification levels such as standard, secure, and highly secure should be specified. The number of levels you have is determined by your organization’s business rules. For each classification, clearly state the server roles and information types that would fall into the category and the level of authentication, segmentation, encryption, and integrity verification necessary. For example, for segmentation, virtual machines classified as highly secure must be located on physically distinct hosts and separate logical networks and backup media should be allocated solely for use on highly secure systems.

Network service

The network service section details how remote access to hosts and virtual machines will be conducted or if it is allowed at all. It specifies Access Control List (ACL) requirements and how logical addresses will be allocated, distributed, and managed for virtual hosts and machines. Resource limits for hosts should be specified so that hosts are not overburdened with virtual machines causing performance degradation. Indicate the need for service accounts and least privilege configuration of service account privileges, i.e., configuring service accounts with the bare minimum privileges necessary for the service to function.

Configuration management

The configuration management section is concerned with maintaining the consistency of the virtual environment. This section should specify the types of changes that require approval and how each type is approved. Any exemptions to the approval process are listed. Some change types include virtual network creation, modification, or removal, host addition or removal, host hardware modification, or virtual machine hardware modification.

Approval stages should be specified including the roles or groups responsible for approving change requests and the types of change requests that can be approved by each role or group. List how authorization will take place and where and how change authorizations are tracked and stored.

The configuration management section should also include statements on how violations of the configuration management policy will be dealt with and how actual changes are validated against logged changes. This includes any auditing that is required for change controls.

Host security

The host security section defines where hosts will be stored, how hosts are monitored, and how physical and remote access to the hosts is controlled. The location of hosts is important because hosts need to be available and secure. The location determines the level of network connectivity such as redundant network links and internet connectivity as well as power redundancy, power availability and cooling.

The next part of host security deals with how the hosts are monitored. Specify the types of monitoring that will take place. For example, physical monitoring may use closed circuit cameras that archive footage to DVD. You might specify logging of successful and failed login attempts to the host servers and directory modification on storage devices containing virtual machine files or configuration data.

Incident response

This section should detail what should happen if the virtual environment is compromised in some way. It should explain how information security incidents in the virtual environment are evaluated and how they are reported. It then defines the persons and groups responsible for controlling the issue and what constitutes problem resolution.

Your business may have an incident response plan in place already. This plan should be consulted when constructing this section so that it is aligned with the main information security policy. This section should still be included even if an incident response plan exists because the virtual environment can differ in how incidents are resolved and in what constitutes an incident.

Business continuity

Virtual environments vary greatly in Business Continuity (BC) methodologies. Since virtual machines are stored as files, they can be easily moved around. Business continuity methodologies, therefore take this into account in specifying how machines will be brought back into production when significant outages or disasters occur.

The business continuity section should specify what should be backed up and how it would be restored in the case of an emergency. Levels of emergency should be stipulated as well as the groups responsible for coordinating BC efforts. The section should also specify if resources such as a cold, warm, or hot site are necessary for BC.

Training

The training section should clearly define what skills a person should have to fulfill the roles specified in the auditing and accountability section and how those skills will be taught and measured. It is important for those working on the environment to be trained in how to not only perform their job duties but to perform them in a secure manner.

The training section should specify ongoing assessment of training gaps and areas of focus for team members including how often training should occur, whether this will be handled internally or outsourced, and how training budgets will be determined. If training is to occur in house, curriculum evaluation and follow-up reviews should be specified in the training portion. In this way, when technology changes, the team’s skills will be kept up to date as well.

The virtualization security policy contains many elements from other organizational security policies, but it is specifically targeted to virtual hosts, the machines they contain, and the tools that manage them. It is important that virtual environments have such a policy because existing security controls do not adequately address the risks associated with using virtual machines. If you do not have a policy in place yet you are encouraged to develop one before your virtual environment is implemented. This policy will resolve security ambiguities associated with managing the environment, and it will ensure a consistent approach to information security within your organization if those affected by the policy are properly trained and required to adhere to it.