When and why companies disclose your information

The Electronic Frontier Foundation issued a report on 18 web and technology companies that routinely handle data.  The study looked at the following six security policy and practice areas related to how the company responds to requests for user information.

  • Does the company require a warrant before releasing information?
  • Does the company inform users of requests for data?
  • Are statistics published on how often data is provided to requesting agencies?
  • Does the company have a policy outlining how they respond to information requests?
  • Does the company stand firm when information requests are too broad in scope?
  • Does the company support revisions to electronic privacy laws?

Some of the results of the study are surprising.  Dropbox, LinkedIn, Sonic.net and Twitter were among those ranked highest.  Others such as Amazon, Yahoo, and Apple ranked towards the bottom, and Verizon and Myspace ranked lowest.

Download the EFF report

Human response to changes in risk


Gerald Wilde proposed a theory called risk homeostasis.  The theory hypothesizes that people have a level of acceptable risk.  When they perceive that there is less risk, they will take riskier actions to bring themselves back to that level, and when they perceive more risk, they will be more cautious.  Information security is very concerned with managing risk and reducing it to an organizationally acceptable level.  However, an organization is made up of many people, and they may have a different level of acceptable risk than the organization does.  If the theory of risk homeostasis is applied to information security, individuals will take riskier actions when the organization implements controls to make them safer, or when they perceive the environment to be safer.

This has far reaching ramifications for those in information security because the perceptions of risk by the individual may differ greatly from the actual risk. Despite awareness of information security breaches in the news and the overwhelming statistics that a data breach is likely, people still have difficulty accepting that a breach could happen to them. It all comes down to perceptions. With Wilde’s theory, if a high risk is perceived then users will be more cautious, and that is where the security minded organization wants to be. So the question is, does the risk homeostasis theory hold water and if so, how do organizations manage perceptions in information security?


Educating employees on security policies and procedures

Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone’s desk. Information security policies find value when they are understood, adhered to, and enforced. In order to do this, employees must be made aware of the policy, the policy’s reason for being, and how it impacts them.

This article outlines the problem of enacting security policies without associated awareness programs. It also cites recent research on harmful user activities that could be mitigated through implementing awareness training following policy enactment.


The problem with policies alone

Companies are learning that they need to have policies in place that establish top management support for security initiatives. However, many of these policies lack effectiveness because end users have no knowledge of them or they do not care. Companies need to take the next step and educate users on the policies. A study by the Ponemon Institute found that 58% of those surveyed said their employer did not provide adequate security awareness training. This figure clearly identifies where improvements are necessary.

Awareness of the policies needs to address why the policy is important to the users. Many policies require users to take additional steps that may slow or impede the work they do. At the bare minimum, security policy adherence will require users to change their routines. Users will not be motivated to change their routines and they will resist attempts to impede their work unless they understand how these policies benefit them.

Users need to be brought “on board” so that they agree with the policy and are motivated to comply with it. The first part of this initiative is to educate users on the value of the information they possess and the importance of their position within the company. The second step is to show them how this information can be compromised and finally, how they can protect that information by adhering to the policy.

Awareness research findings

Current research has identified some concerning statistics in regards to unsecure employee practices. The table below summarizes a portion of the findings from a recent Ponemon survey and shows areas where security awareness is lacking.

Routine action performed by users                            Percentage
Storing data on insecure mobile devices                      61%
Downloading Internet applications on workplace computers     53%
Using web-based personal email in the office                 52%
Divulging passwords to others                                47%
Losing equipment with privileged or confidential data        43%

These five activities were routinely performed by roughly half of those surveyed. Each activity is potentially harmful to a company. Storing data on insecure mobile devices could allow unauthorized individuals access to company data if those devices were stolen. The last item in the table above shows that equipment containing privileged or confidential data is routinely lost. This exposes the company to potential privacy litigation, a loss of reputation, or a loss of competitive position in the marketplace if the data contained trade secrets, proprietary processes, or customer lists.

Downloading Internet applications could infect company computers with malware, including rootkits, Trojan horses, viruses, and backdoors into company systems. These applications can also cause incompatibilities with supported software, making it difficult for employees to perform their jobs. Many employees already know from home use how easily downloaded software can render a computer unusable. Awareness programs should educate users on how downloading Internet applications can impact their ability to perform their job.

Using personal web-based email in the office brings risks similar to downloading applications. Many attacks are email based, and while organizational email is usually screened by filtering systems that remove malicious messages, web-based personal email bypasses those filters and may not be as well protected. Awareness programs should educate users on how using web-based email can impact their ability to perform their job.

Divulging passwords to others gives them the ability to perform any action the user can perform. This could make it appear that the user who shared his or her password committed crimes or misused their authority. Users who are aware of this may be less likely to share their passwords with others. Awareness programs can stress that even if another person is trusted they may not adequately protect a username or password allowing it to fall into a malicious user’s hands. Passwords should not be shared with even trusted users.

Summary

As can be seen from this data, users routinely take actions that could be harmful to organizational information systems. Many companies already have policies that restrict such activities but users are unaware of them as is reflected in the low rating of awareness training. Until users know of the policy and are motivated to follow it, trends like these will continue and organizations will still be vulnerable. It is imperative that users be educated on the role of policy and be motivated to adhere to these policies once they are established.

For further reading

More Employees Ignoring Data Security Policies 

Ideas to Promote Information Security Awareness

Security governance for virtualized systems

Since many organizations are rapidly virtualizing servers and even desktops, there needs to be direction and guidance from top management in regards to information security. Organizations will need to develop a virtualization security policy that establishes the requirements for securely deploying, migrating, administering, and retiring virtual machines. In this way a proper information security framework can be followed in implementing a secure environment for hosts, virtual machines, and virtual management tools. This article is part two of a series on virtualization.

As with other policies, the security policy should not specify technologies to be utilized. Rather, it should specify requirements and controls. Technologies will be implemented to satisfy the requirements and controls provided by the policy.

  • Auditing and accountability
  • Server role classification
  • Network service
  • Configuration management
  • Host security
  • Incident response
  • Business continuity
  • Training

Auditing and accountability

The auditing and accountability portion has to do with the responsibilities of administrators, management, and users of the virtual environment. It is important to specify administrative roles such as backup operators, host administrators, virtual network administrators, server users, and self-service portal users. For smaller organizations, a few people may fill these roles but larger organizations will specify greater separation of duties between roles. Clearly identify the server role classifications that each user role is able to access.

Furthermore, this section should indicate that administrative actions will be logged and audited. Logs should be redundant, backed up regularly, and applications should be available for audit log searching and review.

Server role classification

Virtual machines, or guests, serve different roles such as a file server, domain controller, email server, remote access server, or database. Some roles are more sensitive than others and thus should be treated differently. Roles can be determined by the applications or data a server hosts, as well as its criticality and value.

A series of classification levels such as standard, secure, and highly secure should be specified. The number of levels you have is determined by your organization’s business rules. For each classification, clearly state the server roles and information types that fall into the category and the level of authentication, segmentation, encryption, and integrity verification necessary. For example, a segmentation requirement might state that virtual machines classified as highly secure must be located on physically distinct hosts and on separate logical networks, and that backup media must be allocated solely for use with highly secure systems.

Network service

The network service section details how remote access to hosts and virtual machines will be conducted, or whether it is allowed at all. It specifies Access Control List (ACL) requirements and how logical addresses will be allocated, distributed, and managed for virtual hosts and machines. Resource limits for hosts should be specified so that hosts are not overburdened with virtual machines, causing performance degradation. Indicate the need for service accounts and for least privilege configuration of service account privileges, i.e., configuring service accounts with the bare minimum privileges necessary for the service to function.

Configuration management

The configuration management section is concerned with maintaining the consistency of the virtual environment. This section should specify the types of changes that require approval and how each type is approved. Any exemptions to the approval process are listed. Some change types include virtual network creation, modification, or removal, host addition or removal, host hardware modification, or virtual machine hardware modification.

Approval stages should be specified including the roles or groups responsible for approving change requests and the types of change requests that can be approved by each role or group. List how authorization will take place and where and how change authorizations are tracked and stored.

The configuration management section should also include statements on how violations of the configuration management policy will be dealt with and how actual changes are validated against logged changes. This includes any auditing that is required for change controls.
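The requirement above that actual changes be validated against logged changes is easiest to see as a reconciliation job. The following is an added example, not code from the article, of one way to do it: diff a previously approved baseline of guest configurations against the current hypervisor inventory, then check every observed difference against the approved change records. The inventory fields, the change-record format and the guest names are constructed for the illustration and are not any product's schema; the classification lookup ties unapproved changes on "highly secure" guests back to the server role classification section.

```python
"""Added example (not from the article): reconcile observed configuration
changes in a virtual environment against the approved change log.
All inventory data, change records and classifications below are
constructed for the illustration; the field names are assumptions."""

# Constructed baseline: the last approved state, guest name -> configuration
BASELINE = {
    "dc01":  {"vcpus": 2, "memory_mb": 4096,  "network": "mgmt-vlan10"},
    "web01": {"vcpus": 4, "memory_mb": 8192,  "network": "dmz-vlan20"},
    "db01":  {"vcpus": 8, "memory_mb": 32768, "network": "secure-vlan30"},
}

# Constructed current inventory, as it might be exported from the hypervisor
CURRENT = {
    "dc01":  {"vcpus": 2, "memory_mb": 4096,  "network": "mgmt-vlan10"},
    "web01": {"vcpus": 8, "memory_mb": 8192,  "network": "dmz-vlan20"},    # vcpu change
    "db01":  {"vcpus": 8, "memory_mb": 32768, "network": "dmz-vlan20"},    # network move
    "tmp01": {"vcpus": 1, "memory_mb": 1024,  "network": "mgmt-vlan10"},   # new guest
}

# Constructed approved change records (ticket id format is assumed)
APPROVED = [
    {"ticket": "CHG-101", "vm": "web01", "field": "vcpus", "value": 8,
     "approver": "host-admins"},
]

# Constructed classification from the server role classification section
CLASSIFICATION = {"dc01": "secure", "web01": "standard", "db01": "highly secure"}


def diff_inventory(baseline, current):
    """Return every observed difference as (vm, field, old, new).
    Added or removed guests are reported with field 'vm'."""
    changes = []
    for vm in sorted(set(baseline) | set(current)):
        if vm not in baseline:
            changes.append((vm, "vm", None, "added"))
            continue
        if vm not in current:
            changes.append((vm, "vm", "present", None))
            continue
        for fld in sorted(set(baseline[vm]) | set(current[vm])):
            old, new = baseline[vm].get(fld), current[vm].get(fld)
            if old != new:
                changes.append((vm, fld, old, new))
    return changes


def reconcile(changes, approved):
    """Split observed changes into those backed by an approval record and
    those that are not. A change matches on (vm, field, new value)."""
    index = {(a["vm"], a["field"], a["value"]): a["ticket"] for a in approved}
    authorized, unauthorized = [], []
    for vm, fld, old, new in changes:
        ticket = index.get((vm, fld, new))
        record = {"vm": vm, "field": fld, "old": old, "new": new, "ticket": ticket}
        (authorized if ticket else unauthorized).append(record)
    return authorized, unauthorized


def escalate(unauthorized, classification):
    """Unapproved changes to 'highly secure' guests are the ones to page on."""
    return [c for c in unauthorized if classification.get(c["vm"]) == "highly secure"]


if __name__ == "__main__":
    observed = diff_inventory(BASELINE, CURRENT)
    ok, bad = reconcile(observed, APPROVED)
    for c in ok:
        print("approved  ", c["ticket"], c["vm"], c["field"], c["old"], "->", c["new"])
    for c in bad:
        print("UNAPPROVED", c["vm"], c["field"], c["old"], "->", c["new"])
    for c in escalate(bad, CLASSIFICATION):
        print("ESCALATE  ", c["vm"], "is highly secure and changed without approval")
```

Run against the constructed data, the web01 vCPU change is matched to CHG-101, while the new guest tmp01 and the move of db01 from the secure network to the DMZ network show up as unapproved; the db01 move is additionally escalated because that guest is classified highly secure. Matching on the new value rather than on the field alone matters: an approval to set vCPUs to 8 should not cover a later change to 16.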

Host security

The host security section defines where hosts will be stored, how hosts are monitored, and how physical and remote access to the hosts is controlled. The location of hosts is important because hosts need to be available and secure. The location determines the level of network connectivity such as redundant network links and internet connectivity as well as power redundancy, power availability and cooling.

The next part of host security deals with how the hosts are monitored. Specify the types of monitoring that will take place. For example, physical monitoring may use closed circuit cameras that archive footage to DVD. You might specify logging of successful and failed logon attempts to the host servers and directory modification on storage devices containing virtual machine files or configuration data.
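The two event types singled out above, logon attempts against the hosts and modifications under the directory that holds virtual machine files, are exactly the kind of thing a monitoring rule can act on. The following is an added example, not code from the article, of a small detector run over a constructed host log: it flags bursts of failed logons from one source, notes when a success from the same source follows the burst, and lists every write under the VM file store. The log format, the regular expressions, the host names, the datastore path and the threshold are all assumptions made for the illustration; real hypervisor and audit logs use their own formats.

```python
"""Added example (not from the article): detection logic over constructed
host log lines. The line format, regexes, hosts, addresses and the
VM store path are assumptions for the illustration, not any product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

VM_STORE = "/vmfs/volumes/datastore1/"   # assumed location of VM files

# Constructed sample log covering two hosts; not real data.
SAMPLE_LOG = """\
2013-05-02T08:00:01 esx01 sshd: Accepted password for hostadmin from 10.1.10.5
2013-05-02T08:02:10 esx01 sshd: Failed password for root from 203.0.113.7
2013-05-02T08:02:12 esx01 sshd: Failed password for root from 203.0.113.7
2013-05-02T08:02:15 esx01 sshd: Failed password for admin from 203.0.113.7
2013-05-02T08:02:19 esx01 sshd: Failed password for root from 203.0.113.7
2013-05-02T08:02:22 esx01 sshd: Failed password for root from 203.0.113.7
2013-05-02T08:02:30 esx01 sshd: Accepted password for root from 203.0.113.7
2013-05-02T09:15:00 esx02 sshd: Failed password for backupop from 10.1.10.9
2013-05-02T09:15:40 esx02 sshd: Accepted password for backupop from 10.1.10.9
2013-05-02T10:05:00 esx01 audit: user=root op=WRITE path=/vmfs/volumes/datastore1/db01/db01.vmx
2013-05-02T10:06:00 esx01 audit: user=backupop op=READ path=/vmfs/volumes/datastore1/db01/db01.vmdk
2013-05-02T11:00:00 esx02 audit: user=hostadmin op=WRITE path=/var/log/messages
"""

LOGON_RE = re.compile(r"^(\S+) (\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")
AUDIT_RE = re.compile(r"^(\S+) (\S+) audit: user=(\S+) op=(\S+) path=(\S+)$")


def parse(text):
    """Turn raw lines into event dicts; lines matching neither pattern are dropped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "kind": "logon", "result": result, "user": user, "src": src})
            continue
        m = AUDIT_RE.match(line)
        if m:
            ts, host, user, op, path = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "kind": "file", "user": user, "op": op, "path": path})
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag (host, source) pairs with at least `threshold` failures inside
    `window`, and record whether a success from that source followed the burst."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "logon":
            by_key[(e["host"], e["src"])].append(e)
    for (host, src), evs in by_key.items():
        failures = [e["ts"] for e in evs if e["result"] == "Failed"]
        for i, start in enumerate(failures):
            in_window = [t for t in failures[i:] if t - start <= window]
            if len(in_window) >= threshold:
                success_after = any(e["result"] == "Accepted" and e["ts"] > in_window[-1]
                                    for e in evs)
                alerts.append({"host": host, "src": src, "failures": len(in_window),
                               "success_after": success_after})
                break   # one alert per source is enough
    return alerts


def vm_store_writes(events, store=VM_STORE):
    """Every non-read operation on a path under the VM file store."""
    return [e for e in events
            if e["kind"] == "file" and e["op"] != "READ" and e["path"].startswith(store)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in failed_logon_bursts(evs):
        print("logon burst:", a)
    for w in vm_store_writes(evs):
        print("VM store write:", w["host"], w["user"], w["op"], w["path"])
```

On the constructed log the detector raises one burst alert, for the five failures from 203.0.113.7 against esx01 followed by a successful root logon from the same address, and one VM store write, the change to db01.vmx by root. The single failure by backupop on esx02 stays below the threshold, and the read of the db01 disk file is listed nowhere, though a policy that classifies db01 as highly secure might reasonably want reads of its disk images reported too.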

Incident response

This section should detail what should happen if the virtual environment is compromised in some way. It should explain how information security incidents in the virtual environment are evaluated and how they are reported. It then defines the persons and groups responsible for controlling the issue and what constitutes issue resolution.

Your business may have an incident response plan in place already. That plan should be consulted when constructing this section so that it is aligned with the main information security policy. This section should still be included even if an incident response plan exists, because the virtual environment can differ both in how incidents are resolved and in what constitutes an incident.

Business continuity

Virtual environments differ greatly in Business Continuity (BC) methodologies. Since virtual machines are stored as files, they can be easily moved around. Business continuity methodologies therefore take this into account when specifying how machines will be brought back into production after significant outages or disasters.

The business continuity section should specify what should be backed up and how it would be restored in the case of an emergency. Levels of emergency should be stipulated as well as the groups responsible for coordinating BC efforts. The section should also specify if resources such as a cold, warm, or hot site are necessary for BC.

Training

The training section should clearly define what skills a person should have to fulfill the roles specified in the auditing and accountability section and how those skills will be taught and measured. It is important for those working on the environment to be trained in how to not only perform their job duties but to perform them in a secure manner.

The training section should specify ongoing assessment of training gaps and areas of focus for team members, including how often training should occur, whether this will be handled internally or outsourced, and how training budgets will be determined. If training is to occur in house, curriculum evaluation and follow up reviews should be specified in the training portion. In this way, when technology changes, the team’s skills will be kept up to date as well.

Summary

The virtualization security policy contains many elements from other organizational security policies but it is specifically targeted to virtual hosts, the machines they contain, and the tools that manage them. It is important that virtual environments have such a policy because existing security controls do not adequately address the risks associated with using virtual machines. If you do not have a policy in place yet you are encouraged to develop one before your virtual environment is implemented. This policy will resolve security ambiguities associated with managing the environment and it will ensure a consistent approach to information security within your organization if those affected by the policy are properly trained and required to adhere to it.

For further reading

NIST Releases Virtualization Security Guidelines

Altor Networks Automates VM Security Policy Enforcement

Security in a Virtualized World