Forums: 7 Habits Of Highly Secured Companies


7 Habits Of Highly Secured Companies by Sheldon Gordon

#1 User is offline   manu 

  • Master Sergeant
  • Group: Members
  • Posts: 820
  • Joined: 17-July 03

Posted 17 July 2004 - 10:41 PM

Hey,

Companies, like the humans who make them run, are creatures of habit :). An effective approach to information security involves making choices. Companies must compromise, deciding what are the most important assets that need to be protected and then deploying a proportionate level of security around them.

1. Assess and audit
Have a risk assessment and a regular security audit performed by an outside pair of eyes. The risk assessment creates an inventory of assets and undertakes a detailed threat assessment. It assigns ratings to threats, and proposes a list of counter-measures. The security audit is designed to show whether those measures have been adequately implemented. How "regular" a security audit should be depends on the business and how much information is being exchanged with customers and suppliers.

"We're seeing most companies have an audit three or four times a year if they have a lot of online interactions with their clients," says Victor Keong, a partner with Deloitte & Touche LLP in Toronto. Also, have a consultant rather than the internal I.T. staff perform the audits. "An independent set of eyes is necessary to probe and to test what was done inside," says Mary Kirwan, an independent security expert in Toronto. "It's a conflict issue. Think of the security audit as you would a financial audit."

2. Update your security software
Make sure your firewalls and anti-virus systems are up to date. Enterprises need to ensure that firewalls on the underlying operating systems are secure and that "edge-protection devices" such as anti-virus software, intrusion detection boxes and upstream routers from the ISP are up to date.

"Ninety per cent of companies have these devices in place," says Keong, "so why are they still vulnerable to viruses? It's because of remote users. Their anti-virus signatures are not updated like those in the office environment." Personal firewalls must be installed on laptops and other remote computers. Keong also recommends event correlation software that will enable the IT department, when logging security-related events, to better discern when a genuine attack is occurring and then take action.

3. Put policy into place
Have an IT policy that is written and enforceable and covers all the critical systems as well as employees of the enterprise. "The baseline of any security architecture has got to be policy," says Ray Gazaway, vice-president of professional security services, Internet Security Systems Inc. (ISS) in Atlanta.

From a legal perspective, the policy should prohibit pornography, conversing with competitors and circulating sexist, racist or defamatory e-mails. Beyond the strictly legal implications, however, the policy should incorporate a digital disaster recovery plan. It should address the basic issue of whom to call in the event of an emergency. The enterprise's IT department should be an integral part of writing the policy relating to IT issues, says Gazaway, "but it should be the HR group that really owns the policy. It should make sure that employees sign off that they've read it, understand it, and are aware of the consequences of violations."

4. Backup plan
Have a disaster recovery plan. Denial-of-service attacks have sensitized enterprises to the danger of being knocked offline. "If your livelihood is coming off e-commerce, you had better have that [Web site] backed up, just as you do your data," says Citron. "Back it up at least once a week so that you've always got the latest version."

But digital disaster doesn't only take the form of deliberate attacks on IT assets, she cautions. The disaster recovery plan has to anticipate unintentional disruptions such as last August's power failure and the SARS crisis. "I've seen data centres burn down, and we go to the hot site, and away we go," says Citron. "But we'd never seen a situation where companies had to sequester work groups. Companies immediately had to layer security onto notebooks that hadn't been used before but now were needed to enable people to work from home."

5. Train and authenticate
Minimize the internal threat by properly training and authenticating employees. Enterprises should have not only a policy but also an awareness program informing employees not to open e-mail attachments from unknown sources and not to bring in disks from home. In addition, firms need to have rigorous authentication and access policies.

"We're still seeing a lot of very poor password procedures in place," says Gazaway. Companies should make employees change their passwords at least monthly -- and explain why.

Role-based access to systems is another important safeguard. "There needs to be a concerted effort in a corporation to say, 'This employee is only working in this particular role and should only have access to this particular group.' It's amazing how often we see new employees come to a corporation and get access to everything. There's no reason for a person working in a mailroom to have access to financial records or HR records. It's a question of who needs to have access and why. And that needs to be reviewed on a regular basis."

6. Encrypt your data
The use of encryption technology has become widespread in enterprises for e-commerce transactions and wireless communications, but not for stored data.

"Encryption of the data at rest is just as important as encryption of the data in transit," says Mark Fabro, chief security scientist with AMS Information Security Services Group in Fairfax, Va.

Not only has stored data become more susceptible to exposure due to open networking requirements, says Fabro. In addition, stored data tends to be in an aggregated format that, when considered together with other data, can have a much more harmful impact if compromised than data in transit.

"The overall asset value of what is being encrypted will dictate the level of encryption that needs to be deployed to secure the data," says Fabro.

"If the information is valuable for one week and it would take a dedicated attacker only half a week to decrypt it, then that encryption is not the right one to use."

7. Report to the CEO
Appoint a chief information security officer (CISO) to be responsible for IT security. Ideally, the CISO shouldn't report directly to the chief information officer. A tangential relationship is necessary because the CISO's recommendations will be implemented through the activities of the CIO.

"The direct reporting should be to the CEO, because it is the CISO who is ultimately going to be responsible for the crafting of information security policies," says Fabro. "And those policies will only be effective if they have top-level buy-in. It is not the CIO who is going to be pressing adherence to an information security policy. It is going to be the highest representation of the company." That should not be the board of directors, however, because employees may not fully grasp the importance of boards, Fabro says.

Source

Manu ;)
0

#2 User is offline   Spookie 

  • Staff Sergeant
  • Group: Specialist
  • Posts: 293
  • Joined: 21-December 03

Posted 20 July 2004 - 05:57 AM

Having the policy in place is important, but an area that is often overlooked by some companies is the enforcement of the policies in place.

Sometimes you have to grab that one person that wants to test the policy and make them the example. No one is expendable; just some have a higher level of difficulty replacing.


I also agree that the CISO should not report to the CIO, as it makes the CISO seem subordinate to the CIO, when in fact in most companies the CISO reports to the CEO and President of the company.

You can't fix a problem if it makes the CIO look bad, and he's your senior and you're having to report to him that his/her staff is not doing their jobs effectively.
Beauty is only a light switch away
0

#3 User is offline   tommmmmm 

  • Private First Class
  • Group: Members
  • Posts: 29
  • Joined: 03-September 04

Posted 07 September 2004 - 08:48 AM

7 habits....

I think it's good to know even the psyche of your potential opponent.
Any information is always appreciated.
0

#4 User is offline   s3ntinel 

  • Private First Class
  • Group: Members
  • Posts: 47
  • Joined: 03-September 04

Posted 10 September 2004 - 06:20 AM

manu, on Jul 18 2004, 07:41 AM, said:

Make sure your firewalls and anti-virus systems are up to date. Enterprises need to ensure that firewalls on the underlying operating systems are secure and that "edge-protection devices" such as anti-virus software, intrusion detection boxes and upstream routers from the ISP are up to date.

Is this really enough?

How many people feel that just having the technology there will stop everything? The one thing that wasn't mentioned in the rest of your post is that it is only when you understand the limitations of the technology used that you can fully utilise it to provide a beneficial addition to your security process. A fully patched firewall can still allow BHO attacks over port 80 or an IDS can still miss an attack if it's not looking in the correct subnet.

How many people feel that AV software is the 'catch all' for malicious code and believe the hype? From personal experience, there is no AV vendor out there at the moment that can detect the majority of trojan/spyware/exploit code in the wild.

The industry as a whole is playing catch up; with use of technology to enforce security and the vendors and support companies still absolving themselves of all blame.

The blaming of users is, to an extent, valid, but if hardware vendors don't ensure that the latest patches are deployed prior to shipment and ISPs don't ensure that users are properly advised when taking out an internet connection with them, then who should? It shouldn't be the organisations, but until the industry shoulders its moral obligation, then surely if we educate the end user in terms of what threats face them at home and focus them on security on their own PCs, there is a greater likelihood that they will be more responsible, both at home and in work, and then the vulnerable footprint reduces.

It's not only the psyche of the potential opponent that needs to be understood, but also that of the potential victim.
0

#5 User is offline   p0rnflake 

  • Private First Class
  • Group: Members
  • Posts: 47
  • Joined: 13-October 05

Posted 24 October 2005 - 06:45 AM

I believe most system administrators have second thoughts about encrypting their data as it adds another link to the chain of things that might break. Personally I prefer keeping the physical data storage in a safe ™ place, and putting the extra effort into securing the network-based access to it.
0

#6 User is offline   khilari 

  • Private First Class
  • Group: Members
  • Posts: 80
  • Joined: 07-October 05

Posted 24 October 2005 - 09:54 AM

One thing I strongly agree on is to have external auditors. I have seen companies with internal audit departments which lack the motivation to find holes through complex means. An external auditor is more often equipped and trained with the right set of tools.
0

#7 User is offline   aelphaeis_mangarae 

  • Members
  • Group: Members
  • Posts: 936
  • Joined: 22-January 04

Posted 24 October 2005 - 09:14 PM

Quote

From personal experience, there is no AV vendor out there at the moment that can detect the majority of trojan/spyware/exploit code in the wild.


Most importantly, an attacker is NOT going to use a trojan/virus that is detected by anti-virus software.

I would say the chances are that if a virus manages to get inside a company's network, an attacker has put a bit of effort into getting it there.

And he isn't going to use any public trojan or anything.
:: Black Hat Forums ::
http://blackhat-forums.com
0

#8 User is offline   as0l0 

  • Sergeant
  • Group: Members
  • Posts: 248
  • Joined: 14-September 03

Posted 24 October 2005 - 10:36 PM

With regards to the post above, it's not possible to protect from every type of attack, especially very intelligent attackers.

With regards to the "is this really enough" poster (s3ntinel?), similar point: when you have thousands or hundreds of thousands of machines to secure, your best defence is basic defence. Patches, passwords, AV, firewall. This will stop most things, but not everything. It's important to consider the difficulty in securing so many machines, especially since those machines go to places you can't control.

Anyway, I agree with everything in the article except for the point about a backup plan. Having a backup plan doesn't increase your security, only your availability.
0
