Implementing a Good Information Security Program
The frequency and potential impacts of information security breaches are increasing. Dr. Jim Kennedy explains why and looks at what organizations can do about it.
Computer, network, and information security is based on three pillars: confidentiality, integrity, and availability. In my business as an information & cyber security, business continuity and disaster recovery consultant, I see every day how various sized and types of companies address these three areas. Some very well, some not so well, and some really poorly.
Given all the regulations and standards (like HIPAA, SOX, NERC-CIP, FISMA, PIPEDA, and etc.), developed and published over the last five years you would think that business and government should be doing much better in securing their computing systems and network infrastructures. However, based on the on-going events prominent in the press and trade journals almost every day this does not seem to be the case.
We continue to be informed that government agencies and private sector companies continue to have numerous cases of data leakage: a politically correct way of saying data loss, theft, or compromise. We hear about the theft of credit card and personal information and worst of all we hear of companies that have lost critical personal and health related information despite the many security controls that were supposed to be in place. Worse yet we hear of extremely large sums of monies extorted from banks and other financial institutions and also of the fragility of our power grids and gas distribution systems world-wide.
And from time-to-time the media will provide on screen experts that speak of ‘script kiddies’ or non-expert computer hackers that use pre-packaged software to break into systems without the use of their own intellect. Often the term is used in a derogatory or sarcastic fashion to denote the less than knowledgeable hacker.
So when it comes to information security, where exactly are we?
Every government entity or private enterprise business generally has a security plan in place which utilizes numerous types of controls to reduce or attempt to eliminate the adverse effects coming from security risks to their operations. For the most part there are three basic types of controls in use:
- Technology – software and hardware used to address internal and external threats to the security of the organization.
- Process – policies, processes, and practices to address vulnerabilities and to reduce security risks while establishing baseline standards of secure operations.
- Ignore the vulnerability and threat.
The third control type is, disturbingly enough, used more frequently than one would think. However, I will focus on the first two types of controls which are more realistic and really do attempt to provide some safety and security for the information and/or systems being protected. In the controls of the first type (Technology) we find firewalls, intrusion detection/protection systems (IDS/IPS), virus scanning software (AV), data loss prevention systems (DLP) and malware detection software (to protect against key loggers, Trojans, and backdoors).
In the controls of the second type (Process) we find the corporate or government policies, standards of practice, and standard operating procedures.
All of these types of controls, if implemented and maintained correctly, form a good and sound basis for protecting the organization that uses them.
Yet despite the risk and vulnerability assessments, and the implementation of the above mentioned controls, security breaches and information leakage continues to rise. Why?
I have been reviewing, over the last fifteen years, the security breach and incident reports collected by Verizon, AT&T, Ponemon, amongst many others which are published yearly. My research shows that the trend of data breaches and security intrusions continues to be on the increase, despite new government regulations and laws in addition to the advances in technology and understanding of potential threats, as a whole year-after-year. Oh yes, we (the information/cyber security experts) have made some progress in some areas only to fall back in others.
However, one thing that I have found is that many of the breaches and intrusions which succeeded did so by attacking known vulnerabilities that had been identified and had been around for years: not from some sophisticated ‘zero-day’ attack which was unidentified and unknown until only yesterday by the security community at large. And, even more disturbing, social engineering continues to be a most successful way to begin and/precipitate an attack.
So let’s look at why.
One simple thing to remember is that if we look at very successful predators in general (such as the lion or the cheetah) they do not attack the fastest prey or the most protected; they attack the sick, the slow, the tired, or the unwary. Why? Because it presents the least expenditure of energy with the most potential for a successful outcome or food source. So also is the case with information and cyber attacks where the predator is the hacker.
For some small and medium sized companies (and, more often than not, some very large) cost and manpower is always an issue. So the upgrade of hardware and software is often slow and arduous and takes time to occur. Often budgets for security software and/or hardware upgrades are sparse of put off for more business important reasons or for when security comes to the forefront of board thinking and can be made available. Virus software and signatures are often out of date, systems often go un-patched, and hardware is often years old and cannot run the newer, more secure operating systems. Many times the implementation of hardware security devices, such as firewalls and intrusion detection systems, are done without giving the employees installing them, often for the first time, adequate training making the installations improper or marginal at best. I have found many large companies who do not have proper or adequate firewall rules established prior to installation of the device leaving holes for hackers to easily find and to penetrate.
Further, I have also found from personal experience that a majority of security breaches could have been avoided if only the security policies and processes already in place and in effect were actually followed.
Companies have done a fairly good job creating policies, but a less than admirable job in insuring that people are trained on the policies and in making sure that those policies are followed. Often failure of compliance with the policies, when uncovered, result in only a stern warning, followed by everyone going back to the ‘business as usual’ of not following the policies already in place. Many times this non-adherence of policy has resulted in the loss of thousands of personal information and/or health records or company intellectual property, and in still more acted as the vector for the hacker to use to focus their efforts on to break into the networks or systems of that agency or company.
Another big reason for the increase of security breaches and information leakage is the continuing success of social engineering (the art of manipulating people into performing actions or divulging confidential information).
Why is social engineering so successful? Because most people, who work for companies or government, generally want to be helpful wherever possible: that is their organization’s mantra. This is preyed upon by malicious hackers every day. To compound the problem government and companies spend less money and time on security awareness training for their employees than they do yearly on copy paper: and hackers know it. So calling up and indicating that they are from Tech Support and need to fix the boss’s computer so they need to have his secretary change his password to ‘ABC123’ may find a secretary who is happy to comply. Or compliance may follow when the VP of the Marketing and Sales organization gets an unsolicited phone call where the caller indicates that they are from a virus protection firm and they know, based on some trumped up information, that the VP’s computer is infected, but they will clean it up if he or she just logs into a specific web site and then relinquishes control to the tech support person on that site. Once the VP links to the site they find that minutes later their computer stops working and their files copied and/or erased. Both of the above situations are actual examples from true situations that I have been called upon to investigate.
Lastly the sophistication of hackers is also increasing. Just as many companies and government agencies purchase off-the-shelf software to accomplish normal business functions rather than develop it on their own, so do hackers. Today, less than successful hackers can purchase or acquire pre-packaged malware (such as backtrack, metasploit, nmap, and etc.) which is produced by very expert and knowledgeable hackers. This sophisticated ‘shrink wrap’ malware is capable of identifying what versions of hardware and software are being run on computers or network systems and what types of attacks will be successful. Then would be hackers using that knowledge along with well-publicized known vulnerabilities are very capable of breaking into many computer systems and networks that are not properly protected. Hacking has become a commodity business, accomplishable by anyone capable of buying, loading and executing pre-packaged software.
Oh, and one last thing. Do not think that because your organization has placed their computing infrastructure in the cloud that it is any safer. The security of the cloud has the same issues and short comings as your own internal computing infrastructure, as I have explained above. I have personally performed security assessments on over 100 cloud providers over the last few years and have found some are very secure and many are very vulnerable as well.
So what can we do?
I have found that some basic steps can have an order of magnitude improvement of security management as it stands today in your environment. Remember these steps will only be effective if top management agree that security is important and endorse (act as champions) the security activities to be undertaken.
Step one: Conduct a risk assessment to determine exactly what information and data is most important (mission critical) to your organization and identify security vulnerabilities to those resources. Create a risk register which identifies critical systems, vulnerabilities, internal & external threats, and controls needed. This is a very important first step, so, if you do not feel that you have the expertise in-house it would be prudent to have a knowledgeable security consultant perform this task for you to give you a good baseline from which to operate. It also provides a mechanism to identify projects for budgeting and planning purposes.
Step two: Based on the vulnerabilities and threats identified develop policies (like password policies, acceptable use policies, encryption policies, and etc.) to identify proper process and standards of practice the organization wants followed. However, recognize that people do not always follow these policies, process and procedures.
Step three: Implement necessary technical controls (insure that they are designed and implemented by knowledgeable personnel – proper training to internal staff on the new technologies). The reason for technical controls is that, wherever possible, we should endeavor to protect humans from their own bad practices. So if they feel pressured to work around security controls the technology will not allow them to do so.
Step four: Implement security awareness training across the entire staff – from board to lowest levels in the organization. Again this should be conducted by knowledgeable people and bringing in experienced trainers would not only be smart but most cost effective. Training to address social engineering and Internet/email good practices will go a long way to protecting an organization.
Step five: Implement a good security monitoring program. Often many anomalies or inconsistencies in network traffic or systems access is a precursor for a more intensive attack to come. Make sure that security logs are kept and reviewed on a weekly basis, more if the assets you are protecting are extremely critical to the survival of your organization or its customers.
Step six: In security we have our own mantra: Trust but Verify. So, do not simply trust that steps one through five when complete are sufficient. Technology, business operations, hackers, and threats are all continually changing and evolving. What works today may not work tomorrow. So, conduct regular (at least once a year) vulnerability tests. Use an independent third party so you get the real scoop on you security posture not what your organization’s people think is politically correct.
Information and computer security continues to be a ‘work in progress’ never complete. So, treat it that way.
Dr. Jim Kennedy, MRP, MBCI, CBRM, CEH, CHS-IV, CRISC has a PhD in Technology and Operations Management and is the Lead and Principal Consultant for Recovery-Solutions. Dr. Kennedy has over 35 years' experience in the information/cyber security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of three books, ‘Blackbook of Corporate Security,’ ‘Disaster Recovery Planning: An Introduction,’ and ‘Security in a Web 2.0+ World – a standards based approach,’ and is author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Dr. Kennedy can be reached at[email protected]