When and why companies disclose your information

The Electronic Frontier Foundation issued a report on 18 web and technology companies that routinely handle user data.  The study rated each company in the following six policy and practice areas related to how it responds to requests for user information.

  • Does the company require a warrant before releasing information?
  • Does the company inform users of requests for data?
  • Are statistics published on how often data is provided to requesting agencies?
  • Does the company have a policy outlining how they respond to information requests?
  • Does the company stand firm when information requests are too broad in scope?
  • Does the company support revisions to electronic privacy laws?

Some of the results of the study are surprising.  Dropbox, LinkedIn, Sonic.net and Twitter were among the highest ranked.  Others such as Amazon, Yahoo, and Apple ranked towards the bottom, and Verizon and Myspace were the lowest.

Download the EFF report

Florida Department of Juvenile Justice Data Breach

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013.  The device was unencrypted and not password protected despite a DJJ policy requiring both encryption and password protection on mobile devices. This latest breach further demonstrates the importance of encrypting mobile devices, but more importantly it shows that a policy alone is not enough.  Organizations and government agencies need to make sure that employees are aware of their policies and adhere to them.  Without this, such policies are worthless.

Do you have a mobile device encryption policy? If so, do you know whether employees are following it? Don’t let this happen to you.

Executive order increases information sharing

President Obama signed an executive order on February 12, 2013 that requires federal agencies to share information on cyber threats with each other and with private companies.  This includes unclassified information on the activities of known criminals and terrorists and on cyber-attacks, and some classified information for owners of critical infrastructure.  The order does not require private companies to share data with the government, which alleviates some of the privacy concerns raised by the Cyber Intelligence Sharing and Protection Act (CISPA).

Information will be collected and shared through two national critical infrastructure centers operated by the Department of Homeland Security (DHS); one for physical infrastructure such as fences, gates and checkpoints and the other for cyber infrastructure such as intrusion prevention systems, application gateways and firewalls.  These DHS centers will also assist with incident response and restoration efforts related to cyber-attacks.

Aspects of the executive order are unclear, but there will be some requirement for owners of critical infrastructure to establish security metrics and guidelines as specified by the DHS and federal agencies. Meanwhile, the National Institute of Standards and Technology (NIST) has been tasked with coming up with a preliminary framework for federal agency actions that are “prioritized, flexible, repeatable, performance-based and cost-effective.” (Sec. 7b)

This executive order is not the same as a law but it does show that the Obama administration is concerned about cyber security and it will impact further legislation in this area.  Upcoming legislation may carry this to the next phase and establish a long-term program of cyber security information sharing and awareness.

Security focus at the corporate board level

Imagine a boardroom a generation ago.  Smoke fills the air and sidebar discussions thrive while the board members wait for the presentation to begin.  Manila packets filled with research, financials and other sensitive information are distributed around the table.  The meeting progresses; a decision might be made, and afterwards the packets would be collected in their entirety and destroyed lest they end up falling into the wrong hands, compromising company research or spilling sensitive secrets.

So what happens today, where technology is so prevalent? In an August-September 2011 study, Thomson Reuters surveyed general counsel and corporate secretaries to understand how company information is secured when it is provided to corporate board members. The survey, titled “Better board governance: Communication, security and technology in a global landscape of change”, looked at a global cross section of companies from a variety of industries. These companies ranged in size from under $500 million to over $10 billion. The results indicated a lack of secure procedures for corporate board information management.

Board Communication and Security

In today’s world of technology, board members can be distributed across the globe and meetings are sometimes virtual. Surprisingly though, a majority of companies, 61%, still use paper and courier to transmit information to board members. Another 49% transmit documents through email. Unless encryption is used, email is generally not a secure method for transmitting confidential documents. Only 10% of companies use specific email accounts set up for board members to deliver information. Instead, a whopping 65% said they never use the corporate email network. In these situations the email is usually sent to a private email account where security rules are not defined by the organization, so security cannot be controlled.

A scant 21% of companies surveyed use a secure portal for transmitting board documents.  This method is the most secure of the three, but sadly it is the least used.  Secure portals use an encrypted channel to transmit information, so data is protected against eavesdropping.  Additionally, in secure portals Digital Rights Management (DRM) settings can be applied to information so that it does not leave the portal, and access to information within the system can be audited.

Document Retention

With 61% of companies using paper to distribute documents, the next logical question is whether a policy is in place for the destruction of such documents after they have been used.  The survey found that 63% of companies require their members to destroy copies of board related documents.  However, only 30% of all companies surveyed believed that the board members actually did delete, shred, or destroy them.  Also, 60% suspected that one or more board members retain documents on their personal devices, whether a computer, smart phone, or tablet.  Not only is this a risk for data disclosure, it also creates additional effort for eDiscovery, since the personal devices of board members could contain information related to litigation.

Board Scrutiny

On a more positive note, 64% of companies surveyed are experiencing more scrutiny of their board practices when compared to last year.  This increase is in line with stricter governing guidelines and regulations.  The Thomson Reuters report showed that the most difficult challenges in relation to board governance are regulatory flux, global boards, effective controls, and time.  The governance breakdown shows that 44% attempt to adhere to local governance norms and another 39% adhere to global governance norms.  A small percentage, 17%, is trying to go beyond minimal governance requirements.

Summary

Security is important for the protection of vital information within companies.  As such, companies do a lot to protect themselves and their information.  However, serious deficiencies in security are seen in the processes surrounding information given to corporate boards.

Many corporations are still using unencrypted or personal email accounts or snail mail to send confidential board documents, and policies for document destruction are routinely not followed, potentially allowing information to be lost or stolen.  Board members operate mostly outside of the organization, but when handling corporate information they should treat it the same way organizational employees do, such as observing corporate data retention and destruction policies.  If you are concerned about information leakage from board members, consider training on secure information handling procedures and create a method such as a secure portal for distributing information to the board.

For more information

Many Corporate Boards Are Pretty Much Waiting to Get Hacked

Better board governance: Communication, security and technology in a global landscape of change

Malware security awareness primer

We have worked hard to educate users of the need for computer hygiene, using anti-spyware, multiple browsers, data backups, and antivirus programs. Unfortunately, users are getting fooled into installing fake antivirus programs through clever pop-ups that work off the fear users have of viruses. These programs install themselves and trick users into paying for bogus services or they gather private information on user activities and send it off to spammers and thieves.

These malicious antivirus programs are extremely common. Google has identified over 11 thousand sites distributing fake antivirus code.

It is important to take the next step and teach users how to differentiate between legitimate programs and fakes. Your company probably has a standard antivirus program that is used on all machines. Users should be made aware that this program will protect them from viruses and that they have no need of other programs.

Unfortunately, even clicking no or what appears to be a close button on a pop-up can result in the program being installed. Users need to be taught how to close out of windows properly to avoid activating the malicious code they contain. One method is to press [Alt] + F4 to close the current window. If that does not work, pressing [ctrl] + [alt] + [esc] in Windows or [option] + [apple] + [esc] in MacOS will open the task manager/force quit applications window where Internet Explorer (iexplore.exe), Firefox (firefox.exe), or Safari can be closed.

Once a fake antivirus program is installed, it will appear to scan the hard drive. It will tell you it has identified viruses and then clean them but it does nothing of the sort. Usually users will notice a performance decrease. They may also find that their browser has been hijacked or they will begin to see many pop-ups and advertisements on their screen. Users should be made aware of what follows the installation of a fake antivirus program so that IT can resolve the situation. The sooner IT knows of it the better because these programs continue to do their dirty work even to the point of filling up a hard drive or making a computer completely unusable.

Spyware can also generate fake antivirus alerts. Make sure that anti-malware programs are up to date and that they scan programs in memory and programs on the hard drive and removable drives as soon as they are added. Corporate applications usually have the ability to report back to a central monitoring station when a workstation is infected with a virus or a malicious application. Train your administrators to make use of such consoles and to stay on top of any infections. When a machine is infected and not treated, it is not long before it turns into an epidemic.

Take the time to educate your users because it will save them a lot of grief and your IT staff a lot of time cleaning machines. Stay up to date on the latest fake programs and consider creating a security portal where your users can get information on fake programs and other security tips.

To get you started, Microsoft has compiled a list of 114 fake antivirus programs. See http://www.microsoft.com/downloads/en/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&displaylang=en for details.

For further reading

Threat of Fake Antivirus Software Grows

Protect Yourself from Fake Anti-Virus Software

Change management and how it is essential to your security

Change management is a key information security component of maintaining high availability systems. Change management involves requesting, approving, validating, and logging changes to systems. This process can bring significant benefits to an organization. Namely, it strengthens the decision making ability of an organization by training personnel to think through and evaluate changes fully before they are made, and it provides a knowledge base of past changes and the lessons learned from them.

Information security can be divided into three sections: confidentiality, integrity, and availability, often called the CIA triad. Availability is extremely important. After all, if the data is not available to authorized users when they need it, of what use is it? High availability is another term that describes a system that is accessible to users 24×7 with minimal scheduled downtime.

Often mentioned methods for obtaining high availability include hardware redundancy such as active/passive firewalls, clustered servers, network load balancing, and round robin DNS. Redundancy is an essential aspect of high availability networks. However, another important factor in achieving high availability is a change management policy.

Any change has the potential to create new vulnerabilities or reduce the availability of systems. Of course, the process of maintaining systems and managing business objectives requires change. Therefore, organizations must determine how to balance the need for change with the minimization of risk. The answer is through change management. This starts with a change management policy that then leads into a change management program whereby change management is implemented throughout the company.

Let’s first define change management and describe what a change management system looks like. Change management is the process whereby changes are requested, approved, validated, and logged to reduce the risk of a change compromising the availability of systems or creating new vulnerabilities. Validation also takes place after a change has been made. The system needs to be tested to determine if the change produced the desired result. Change management approvers should thoroughly consider the impact of changes and notify users and others about the change. It is advantageous to schedule the changes during standard downtimes to minimize the potential impact to system availability.

Moving along with the description laid out for us, the first element of change management is approval. Change management systems require changes to be requested in a system and then approved by an authorized individual such as a supervisor, manager, data owner, or by multiple persons. The process of requesting a change and approving a change validates the actions taken since multiple people consider the decision and actions before they are approved.

The last element is logging. Logging produces some ancillary benefits to change management. Change management logging is a positive step towards knowledge management and it can aid personnel in reversing any damaging changes that may occur.

Change management can assist in knowledge management objectives because the rationale behind changes, along with who implemented them, is stored in the system. If a similar event comes along, such as a server error or a new project, the system can be queried to determine a course of action and the persons involved can be contacted for further information or involvement in future projects or troubleshooting.

Change management also gives an organization the ability to reverse damaging changes because it keeps a log of the actions taken. Not all changes achieve the desired outcome. In such situations, it is imperative that the organization have a method of reversing the changes to bring the system back into a functioning state. Change management accomplishes this by enabling users to view the log of actions taken so that these actions can be undone.
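As an added illustration of the request, approve, apply, validate and log steps described above, and of reversing a damaging change from the log, here is a small Python workflow. It is example code written for this discussion, not an existing change-management product; the approver roles, the configuration key, the validation check and the ticket fields are constructed for the demonstration.

```python
"""Minimal change-management workflow: request -> approve -> apply -> validate,
every step logged, with rollback driven by the log.
Added example; roles, config keys and ticket fields are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Hypothetical approver identities: only these may approve a request.
APPROVERS = {"ops-manager", "data-owner"}


@dataclass
class Change:
    ticket: int
    requester: str
    target: str                  # configuration key being changed
    new_value: str
    rationale: str
    state: str = "requested"
    approver: Optional[str] = None
    old_value: Optional[str] = None   # captured at apply time, used for rollback


class ChangeManager:
    def __init__(self, config: dict):
        self.config = config            # live settings the changes act on
        self.changes: dict = {}
        self.log: list = []             # append-only audit trail
        self._next = 1

    def _record(self, c: Change, action: str, actor: str, **extra) -> None:
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "ticket": c.ticket,
                         "action": action, "actor": actor, "target": c.target, **extra})

    def request(self, requester: str, target: str, new_value: str, rationale: str) -> int:
        c = Change(self._next, requester, target, new_value, rationale)
        self.changes[c.ticket] = c
        self._next += 1
        self._record(c, "requested", requester, rationale=rationale)
        return c.ticket

    def approve(self, ticket: int, approver: str) -> None:
        c = self.changes[ticket]
        if approver not in APPROVERS:
            raise PermissionError(f"{approver} is not an authorized approver")
        if approver == c.requester:          # separation of duties
            raise PermissionError("a requester may not approve their own change")
        if c.state != "requested":
            raise ValueError(f"ticket {ticket} is {c.state}, not awaiting approval")
        c.state, c.approver = "approved", approver
        self._record(c, "approved", approver)

    def apply(self, ticket: int, executor: str) -> None:
        c = self.changes[ticket]
        if c.state != "approved":
            raise ValueError(f"ticket {ticket} is {c.state}; only approved changes may be applied")
        c.old_value = self.config.get(c.target)   # remembered so the change can be undone
        self.config[c.target] = c.new_value
        c.state = "applied"
        self._record(c, "applied", executor, old=c.old_value, new=c.new_value)

    def validate(self, ticket: int, validator: str, check: Callable[[dict], bool]) -> bool:
        """check(config) is the post-change test; a failing result is logged, not hidden."""
        c = self.changes[ticket]
        if c.state != "applied":
            raise ValueError(f"ticket {ticket} is {c.state}; nothing to validate")
        ok = bool(check(self.config))
        c.state = "validated" if ok else "failed-validation"
        self._record(c, c.state, validator)
        return ok

    def rollback(self, ticket: int, actor: str) -> None:
        c = self.changes[ticket]
        if c.state not in ("applied", "failed-validation"):
            raise ValueError(f"ticket {ticket} is {c.state}; cannot roll back")
        if c.old_value is None:
            self.config.pop(c.target, None)      # key did not exist before the change
        else:
            self.config[c.target] = c.old_value
        c.state = "rolled-back"
        self._record(c, "rolled-back", actor, restored=c.old_value)

    def history(self, target: str) -> list:
        """Knowledge-management query: every logged action that touched a setting."""
        return [e for e in self.log if e["target"] == target]


def demo():
    """Constructed scenario: a change widens SSH access, fails validation, and is reversed."""
    cm = ChangeManager({"firewall.ssh_source": "10.0.0.0/8"})
    t = cm.request("alice", "firewall.ssh_source", "0.0.0.0/0", "vendor needs remote access")
    cm.approve(t, "ops-manager")
    cm.apply(t, "alice")
    ok = cm.validate(t, "bob", lambda cfg: cfg["firewall.ssh_source"] != "0.0.0.0/0")
    if not ok:
        cm.rollback(t, "bob")
    return cm.config, [e["action"] for e in cm.history("firewall.ssh_source")]
```

In the constructed scenario the post-change check fails, and the rollback restores the previous value from what was recorded at apply time, which is the log-driven reversal the text describes; the approval step refuses both unauthorized approvers and self-approval.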

So what kinds of actions should be managed in a change management system? The CISSP common body of knowledge asserts that change management systems should manage changes related to the entire life cycle of a system including design, development, testing, evaluation, implementation, distribution, and ongoing maintenance.

The next question is which changes in these categories should be logged. This is an important question that has to be decided on a case-by-case basis by organizational decision makers. The greatest benefit from a change management system will be realized by tracking even minor changes, but this is a determination you will have to make.

Lastly, consider implementing change management metrics and integrating them with other security metrics you track so that you can ensure change management goals are met.

Summary

Change management is a process that can greatly strengthen information assurance and provide a framework for high availability in information systems. The process involves requesting, approving, validating, and logging changes to systems. This process aids in knowledge management, incident response, security management, and governance.

For further reading

Top Ten Tips for ITIL Change Management 

How to Develop an IT Change Management Program

Educating employees on security policies and procedures

Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone’s desk. Information security policies find value when they are understood, adhered to, and enforced. In order to do this, employees must be made aware of the policy, the policy’s reason for being, and how it impacts them.

This article outlines the problem of enacting security policies without associated awareness programs. It also cites recent research on harmful user activities that could be mitigated through implementing awareness training following policy enactment.

The problem with policies alone

Companies are learning that they need to have policies in place that establish top management support for security initiatives. However, many of these policies lack effectiveness because end users have no knowledge of them or they do not care. Companies need to take the next step and educate users on the policies. A study by the Ponemon Institute found that 58% of those surveyed said their employer did not provide adequate security awareness training. This figure clearly identifies where improvements are necessary.

Awareness of the policies needs to address why the policy is important to the users. Many policies require users to take additional steps that may slow or impede the work they do. At the bare minimum, security policy adherence will require users to change their routines. Users will not be motivated to change their routines and they will resist attempts to impede their work unless they understand how these policies benefit them.

Users need to be brought “on board” so that they agree with the policy and are motivated to comply with it. The first part of this initiative is to educate users on the value of the information they possess and the importance of their position within the company. The second step is to show them how this information can be compromised and finally, how they can protect that information by adhering to the policy.

Awareness research findings

Current research has identified some concerning statistics in regards to unsecure employee practices. The table below summarizes a portion of the findings from a recent Ponemon survey and shows areas where security awareness is lacking.

Routine actions performed by users                           Percentage
Storing data on insecure mobile devices                          61%
Downloading Internet applications on workplace computers         53%
Using web-based personal email in the office                     52%
Divulging passwords to others                                    47%
Losing equipment with privileged or confidential data            43%

These five activities were routinely performed by roughly half of those surveyed. Each activity is potentially harmful to a company. Storing data on insecure mobile devices could allow unauthorized individuals access to company data if those devices were stolen. The last item in the table above shows that equipment containing privileged or confidential data is routinely lost. This exposes the company to potential privacy litigation, a loss of reputation, or a loss of competitive position in the marketplace if the data contained trade secrets, proprietary processes, or customer lists.

The downloading of Internet applications could infect company computers with malware including rootkits, Trojan horses, viruses, and backdoors into company systems. These applications can also cause incompatibilities with supported software, making it difficult for employees to perform their jobs. Many employees are aware of how easy it is to make a computer unusable by downloading software from the Internet, as the practice is very prevalent among home users. Awareness programs should educate users on how downloading Internet applications can impact their ability to perform their job.

Using personal web-based email in the office brings risks similar to downloading applications. Awareness programs should educate users on how using web based email can impact their ability to perform their job. Many attacks are email based and while organizational email is often screened by equipment to filter out malicious email, web based email may not be as secure.

Divulging passwords to others gives them the ability to perform any action the user can perform. This could make it appear that the user who shared his or her password committed crimes or misused their authority. Users who are aware of this may be less likely to share their passwords with others. Awareness programs can stress that even if another person is trusted they may not adequately protect a username or password allowing it to fall into a malicious user’s hands. Passwords should not be shared with even trusted users.

Summary

As can be seen from this data, users routinely take actions that could be harmful to organizational information systems. Many companies already have policies that restrict such activities but users are unaware of them as is reflected in the low rating of awareness training. Until users know of the policy and are motivated to follow it, trends like these will continue and organizations will still be vulnerable. It is imperative that users be educated on the role of policy and be motivated to adhere to these policies once they are established.

For further reading

More Employees Ignoring Data Security Policies 

Ideas to Promote Information Security Awareness

Security governance for virtualized systems

Since many organizations are rapidly virtualizing servers and even desktops, there needs to be direction and guidance from top management in regards to information security. Organizations will need to develop a virtualization security policy that establishes the requirements for securely deploying, migrating, administering, and retiring virtual machines. In this way a proper information security framework can be followed in implementing a secure environment for hosts, virtual machines, and virtual management tools. This article is part two of a series on virtualization.

As with other policies, the security policy should not specify the technologies to be used. Rather, it should specify requirements and controls. Technologies will be implemented to satisfy the requirements and controls provided by the policy. The sections of the policy are covered below:

  • Auditing and accountability
  • Server role classification
  • Network service
  • Configuration management
  • Host security
  • Incident response
  • Business continuity
  • Training

Auditing and accountability

The auditing and accountability portion has to do with the responsibilities of administrators, management, and users of the virtual environment. It is important to specify administrative roles such as backup operators, host administrators, virtual network administrators, server users, and self-service portal users. For smaller organizations, a few people may fill these roles but larger organizations will specify greater separation of duties between roles. Clearly identify the server role classifications that each user role is able to access.

Furthermore, this section should indicate that administrative actions will be logged and audited. Logs should be redundant, backed up regularly, and applications should be available for audit log searching and review.

Server role classification

Virtual machines, or guests, serve different roles such as file server, domain controller, email server, remote access server, or database. Some roles are more sensitive than others and thus should be treated differently. Roles can be determined by the applications a server hosts or the data it holds, as well as its criticality and value.

A series of classification levels such as standard, secure, and highly secure should be specified. The number of levels you have is determined by your organization’s business rules. For each classification, clearly state the server roles and information types that fall into the category and the level of authentication, segmentation, encryption, and integrity verification necessary. For example, for segmentation, virtual machines classified as highly secure must be located on physically distinct hosts and separate logical networks, and backup media should be allocated solely for use on highly secure systems.
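To show how a classification rule like the one above can be checked rather than only written down, here is an added Python example (not from the article or any virtualization product) that tests a constructed inventory against the segmentation requirement for highly secure machines, and applies a constructed role-to-classification access matrix of the kind the auditing and accountability section asks for. The classification names are the article's; the host, network and backup pool names, the VM list and the role matrix are assumptions made for the demonstration.

```python
"""Policy check for server role classification in a virtualization security policy.
Added example; inventory, host/network/backup names and the role matrix are constructed."""
from collections import defaultdict

LEVELS = {"standard": 0, "secure": 1, "highly secure": 2}

# Constructed role-to-classification access matrix (auditing and accountability section).
ROLE_ACCESS = {
    "host-admin": {"standard", "secure", "highly secure"},
    "backup-operator": {"standard", "secure"},
    "self-service-user": {"standard"},
}

# Constructed inventory: where each guest runs and which backup media it uses.
INVENTORY = [
    {"vm": "web01",  "role": "web server",        "level": "standard",      "host": "esx-a", "network": "dmz",      "backup": "pool-general"},
    {"vm": "dc01",   "role": "domain controller", "level": "highly secure", "host": "esx-b", "network": "mgmt",     "backup": "pool-hs"},
    {"vm": "db01",   "role": "database",          "level": "highly secure", "host": "esx-a", "network": "mgmt",     "backup": "pool-general"},
    {"vm": "file01", "role": "file server",       "level": "secure",        "host": "esx-c", "network": "internal", "backup": "pool-general"},
]


def segregation_violations(inventory):
    """One message per breach of the rule: a highly secure guest must not share a
    host, logical network, or backup media with any lower-classified guest."""
    members = {k: defaultdict(set) for k in ("host", "network", "backup")}
    for vm in inventory:
        for k in members:
            members[k][vm[k]].add(vm["vm"])
    level = {vm["vm"]: LEVELS[vm["level"]] for vm in inventory}
    problems = []
    for vm in inventory:
        if level[vm["vm"]] < LEVELS["highly secure"]:
            continue
        for k in members:
            lower = sorted(o for o in members[k][vm[k]] if level[o] < level[vm["vm"]])
            if lower:
                problems.append(f"{vm['vm']} shares {k} '{vm[k]}' with lower-classified {', '.join(lower)}")
    return problems


def may_access(role, vm_name, inventory=INVENTORY):
    """Does the administrative role's clearance cover the guest's classification?"""
    level = next(vm["level"] for vm in inventory if vm["vm"] == vm_name)
    return level in ROLE_ACCESS.get(role, set())


if __name__ == "__main__":
    for problem in segregation_violations(INVENTORY):
        print("VIOLATION:", problem)
    print("backup-operator -> dc01:", may_access("backup-operator", "dc01"))
```

Run against the constructed inventory, the check reports that db01 (highly secure) shares a host and a backup pool with lower-classified guests, while dc01 sharing the mgmt network with db01 is fine because both are at the same level; the role check denies the backup operator access to the highly secure domain controller. A check like this belongs at deployment and migration time, where the policy says placement decisions are made.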

Network service

The network service section details how remote access to hosts and virtual machines will be conducted, or whether it is allowed at all. It specifies Access Control List (ACL) requirements and how logical addresses will be allocated, distributed, and managed for virtual hosts and machines. Resource limits for hosts should be specified so that hosts are not overburdened with virtual machines, causing performance degradation. Indicate the need for service accounts and for least privilege configuration of service account privileges, i.e., configuring service accounts with the bare minimum privileges necessary for the service to function.

Configuration management

The configuration management section is concerned with maintaining the consistency of the virtual environment. This section should specify the types of changes that require approval and how each type is approved. Any exemptions to the approval process are listed. Some change types include virtual network creation, modification, or removal, host addition or removal, host hardware modification, or virtual machine hardware modification.

Approval stages should be specified including the roles or groups responsible for approving change requests and the types of change requests that can be approved by each role or group. List how authorization will take place and where and how change authorizations are tracked and stored.

The configuration management section should also include statements on how violations of the configuration management policy will be dealt with and how actual changes are validated against logged changes. This includes any auditing that is required for change controls.
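Validating actual changes against logged changes can be done by reconciling the observed environment with the state the approved change records predict. The following Python is an added example, not part of the article; the baseline snapshot, the approved change records and the observed state are constructed, and include a missing approved change, an unlogged change, and a guest with no creation record.

```python
"""Reconcile the observed virtual environment against its approved change log.
Added example; baseline, change records and observed state are constructed."""
import copy

# Constructed baseline snapshot from the last audit.
BASELINE = {
    "vm-web01": {"vcpu": 2, "ram_gb": 4, "network": "dmz"},
    "vm-db01": {"vcpu": 4, "ram_gb": 16, "network": "mgmt"},
}

# Constructed approved change records made since the baseline.
APPROVED_CHANGES = [
    {"ticket": 101, "vm": "vm-web01", "field": "ram_gb", "new": 8},
    {"ticket": 102, "vm": "vm-db01", "field": "vcpu", "new": 8},
]

# Constructed observed state as reported by the management tool.
OBSERVED = {
    "vm-web01": {"vcpu": 2, "ram_gb": 8, "network": "dmz"},
    "vm-db01": {"vcpu": 4, "ram_gb": 16, "network": "storage"},  # approved vcpu change not applied; network change unlogged
    "vm-tmp99": {"vcpu": 1, "ram_gb": 1, "network": "dmz"},      # no change record covers its creation
}


def expected_state(baseline, changes):
    """Replay the approved change records on top of the baseline."""
    state = copy.deepcopy(baseline)
    for ch in changes:
        state.setdefault(ch["vm"], {})[ch["field"]] = ch["new"]
    return state


def reconcile(baseline, changes, observed):
    """Return findings where the environment disagrees with what the change log predicts."""
    expected = expected_state(baseline, changes)
    findings = []
    for vm in sorted(set(expected) | set(observed)):
        if vm not in observed:
            findings.append(f"{vm}: present in change log but missing from environment")
            continue
        if vm not in expected:
            findings.append(f"{vm}: exists but no change record covers its creation")
            continue
        for field in sorted(set(expected[vm]) | set(observed[vm])):
            want, have = expected[vm].get(field), observed[vm].get(field)
            if want != have:
                findings.append(f"{vm}.{field}: expected {want!r} per change log, observed {have!r}")
    return findings


if __name__ == "__main__":
    for finding in reconcile(BASELINE, APPROVED_CHANGES, OBSERVED):
        print(finding)
```

Each finding is either a logged change that never reached the environment or a change in the environment that no approved record explains; both are the configuration-management violations the section says the policy must address, and the second kind is the one that most often signals an administrative action that bypassed the approval process.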

Host security

The host security section defines where hosts will be stored, how hosts are monitored, and how physical and remote access to the hosts is controlled. The location of hosts is important because hosts need to be available and secure. The location determines the level of network connectivity such as redundant network links and internet connectivity as well as power redundancy, power availability and cooling.

The next part of host security deals with how the hosts are monitored. Specify the types of monitoring that will take place. For example, physical monitoring may use closed circuit cameras that archive footage to DVD. You might specify logging of successful and failed logon attempts to the host servers and directory modification on storage devices containing virtual machine files or configuration data.

Incident response

This section should detail what should happen if the virtual environment is compromised in some way. It should explain how information security incidents in the virtual environment are evaluated and how they are reported. It then defines the persons and groups responsible for controlling the issue and what constitutes issue resolution.

Your business may already have an incident response plan in place. This plan should be consulted when constructing this section so that it is aligned with the main information security policy. This section should still be included even if an incident response plan exists, because the virtual environment can differ in how incidents are resolved and in what constitutes an incident.

Business continuity

Virtual environments differ greatly in Business Continuity (BC) methodologies. Since virtual machines are stored as files, they can be easily moved around. Business continuity methodologies, therefore, take this into account in specifying how machines will be brought back into production when significant outages or disasters occur.

The business continuity section should specify what should be backed up and how it would be restored in the case of an emergency. Levels of emergency should be stipulated as well as the groups responsible for coordinating BC efforts. The section should also specify if resources such as a cold, warm, or hot site are necessary for BC.

Training

The training section should clearly define what skills a person should have to fulfill the roles specified in the auditing and accountability section and how those skills will be taught and measured. It is important for those working on the environment to be trained in how to not only perform their job duties but to perform them in a secure manner.

The training section should specify ongoing assessment of training gaps and areas of focus for team members, including how often training should occur, whether this will be handled internally or outsourced, and how training budgets will be determined. If training is to occur in house, curriculum evaluation and follow up reviews should be specified in the training portion. In this way, when technology changes, the team’s skills will be kept up to date as well.

Summary

The virtualization security policy contains many elements from other organizational security policies but it is specifically targeted to virtual hosts, the machines they contain, and the tools that manage them. It is important that virtual environments have such a policy because existing security controls do not adequately address the risks associated with using virtual machines. If you do not have a policy in place yet you are encouraged to develop one before your virtual environment is implemented. This policy will resolve security ambiguities associated with managing the environment and it will ensure a consistent approach to information security within your organization if those affected by the policy are properly trained and required to adhere to it.

For further reading

NIST Releases Virtualization Security Guidelines

Altor Networks Automates VM Security Policy Enforcement

Security in a Virtualized World