
Dealing with the dissemination of security threats

We're all familiar with the statistics surrounding internal threats; that they're more common and dangerous than those that come from outside.

Saturday, January 01 - 2005 at 09:11 UAE local time (GMT+4)
According to the statistics collected by CSI / FBI, financial fraud and theft of proprietary information lead to greater financial loss than computer viruses or hacking attacks.

Nevertheless, many organisations still place more emphasis on the 'wolf at the door' than those in sheep's clothing.

Much has been made of the threat of the external hacker and, while this is a real problem, insiders are responsible for the majority of security breaches.

As well as malice, mistakes made by employees are also an important reason for loss of vital services. For example, the most common reason for application downtime is unauthorised changes, often made by well-intentioned administrators. Whatever the cause, the effect can be a loss of revenue or even worse a loss of reputation.

This guide aims to explore the changing nature and scope of these threats, and suggest how to spot and counter them.

Threat: Mis-managing Identities

Issue:
Managing users' identities and access rights is one of the biggest challenges an organisation faces.

This process, which involves adding users to systems and applications when they join, maintaining their access rights as they change role and removing them when they leave, is referred to as 'user provisioning'.

Problem is, as they change roles, rights need changing too - and when they leave those rights need deleting quickly and effectively. A common problem is that over time users acquire new access rights that are never removed.

This is usually to avoid employees getting frustrated at not being able to do their job properly due to a lack of access to critical work systems. A more extreme problem is that the door may be left open to them and others when they leave the organisation.

CA research has found that any one user will be defined in a minimum of 17 places in your IT infrastructure. However, when that person leaves, it can take between two and four months to remove all the user rights - and even then, on average, six will be left on the system. The risk of abuse that this poses is all too clear.

Solutions:

• Ensure that you have a process in place to provision users quickly and efficiently when they join your organisation based on their job function or role. This can include making sure they have the right IT resources and access, as well as ensuring they have a desk, phone, car etc. A full inventory should also be taken so that effective asset management can be undertaken.


• Make sure you have an accurate record of the user accesses and rights that each individual has, so these can be audited and changed or removed quickly and easily when a user changes role or leaves.


• Assign access rights according to the job function or 'role'. This is to ensure that access rights are consistent across the organisation and that when a user changes job function it is easy to see which rights can be removed as well as those that need to be added.


• Invest in software that can manage user rights for you, avoiding the need for manual records and activities. As well as removing the capacity for human error, this will also free up your IT staff for more critical IT activities by allowing non-IT (e.g. HR) staff to provision users to resources.
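The four points above amount to one model: rights are derived from roles, a role change is a diff between the old and the new entitlement set, and leaving means every right goes and an audit confirms it. The following is an added illustration of that model in Python; it is not code from the article or from any CA product, and the roles, systems and user names are constructed for the example.

```python
"""Role-based provisioning and de-provisioning (constructed illustration)."""
from dataclasses import dataclass, field

# Role -> entitlements, each entitlement a (system, right) pair.
# Roles and systems are constructed sample data.
ROLE_ENTITLEMENTS = {
    "hr_clerk":   {("hr_db", "read"), ("payroll", "read"), ("email", "mailbox")},
    "hr_manager": {("hr_db", "read"), ("hr_db", "write"), ("payroll", "approve"),
                   ("email", "mailbox")},
    "developer":  {("git", "push"), ("build", "run"), ("email", "mailbox")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Rights actually present on the target systems. This is the record the
    # audit compares against; it drifts whenever rights are granted ad hoc.
    granted: set = field(default_factory=set)


def expected_rights(roles):
    """Union of everything the given roles entitle a user to."""
    rights = set()
    for role in roles:
        rights |= ROLE_ENTITLEMENTS[role]
    return rights


def role_change(user, new_roles):
    """Diff current rights against the new role set.
    Returns (to_add, to_remove) so both halves of a move are explicit."""
    target = expected_rights(new_roles)
    return target - user.granted, user.granted - target


def apply_role_change(user, new_roles):
    """Apply the diff and record the new roles."""
    to_add, to_remove = role_change(user, new_roles)
    user.roles = set(new_roles)
    user.granted = (user.granted | to_add) - to_remove
    return to_add, to_remove


def privilege_creep(user):
    """Rights present on systems that no current role justifies."""
    return user.granted - expected_rights(user.roles)


def offboard(user):
    """Leaver: every right must go; the emptied record is the evidence."""
    removed = set(user.granted)
    user.roles, user.granted = set(), set()
    return removed


def lingering_rights(directory, leavers):
    """Post-offboarding audit: (user, system, right) still present for anyone
    who has left. Any output at all is a finding."""
    return sorted((u, s, r) for u in leavers for (s, r) in directory[u].granted)


if __name__ == "__main__":
    rose = User("rose", {"hr_clerk"}, expected_rights({"hr_clerk"}))
    print("promotion adds/removes:", apply_role_change(rose, {"hr_manager"}))
    bob = User("bob", {"developer"},
               expected_rights({"developer"}) | {("hr_db", "read")})
    print("creep on bob:", privilege_creep(bob))
```

Running `privilege_creep` over the whole directory on a schedule is the cheap version of the audit the second bullet asks for; `lingering_rights` is the check that catches the "six rights left on the system" case the research describes, provided `granted` is reconciled from the systems themselves rather than from the HR record.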

Threat: Inappropriate Access

Issue:
Under EU privacy legislation organisations are required to ensure that certain kinds of data are kept private and used only for the purposes for which they were initially collected. However, for the data to be useful, employees, partners and customers require appropriate access to it.

However, the scale of the Internet now means that access spans disparate platforms and operating systems, inevitably exposing businesses to the risks of inappropriate access.

Without appropriate access management, misuse can and will occur. For example, a disgruntled member of staff could access the HR records and find out about a colleague's salary package, or a careless employee could accidentally delete critical files, make incorrect financial data transactions, or be given authorisation to change documents they should only be viewing.

The administrator account is a particular problem because you need to let some people inside the organisation have access to it to manage the systems and deal with problems like lost passwords.

However, these very people can also misuse the administrator account, for example to read confidential data like salaries or customer lists. It's also worth noting Vanson Bourne research, which stated that 79% of companies have 49% of employees accessing remotely - so access by dial-up and VPN needs to be managed carefully.

In addition, over half (56%) acknowledge that other people in the company can get access to documents the respondent creates, but few (12%) admit to inadvertently coming across data on the system that they shouldn't see.

Worryingly, this figure increases to 20% in the largest companies (with more than 2000 PC users), and especially within the commercially sensitive finance department.

Solutions:

• Ensure only those who need to access systems and applications can do so, and then only at the times and from the locations that they are authorised to access from. For example, if Rose in HR only needs access to the HR database 9-5, Monday to Friday, then you need to ensure that she (or her login rights) can't be used at 10pm on Saturday night.


• Make sure your IT admin staff only access the areas they need to administer. So, for example, make sure that the password administrator only has access to the password database, and not the audit log.


• Strictly control super-user access - no one individual should need access to everything in the organisation. It is important to separate administrators to ensure each can only access resources relevant and critical to their role.


• Invest in software that can manage access rights of users, freeing up your IT time for IT-critical activities.
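The first three points describe rules that a policy engine can evaluate mechanically: access scoped to days, hours and source networks (the "Rose, 9-5, Monday to Friday" case), administrators scoped to only their own resource, and default deny for anything no rule covers. The following is an added example of such an evaluator in Python; it is not code from the article or from any product, and the users, resources and networks are constructed.

```python
"""Time-, day- and location-scoped access checks (constructed example)."""
import ipaddress
from datetime import datetime

# Allowed-access rules per user. Days use datetime.weekday() (0 = Monday),
# hours are a half-open [start, end) range, sources are CIDR networks.
# Every name, network and rule here is constructed for the illustration.
POLICY = {
    "rose": [
        {"resource": "hr_db", "days": {0, 1, 2, 3, 4}, "hours": (9, 17),
         "sources": ["10.1.0.0/16"]},
    ],
    # The password administrator and the audit administrator are separate
    # identities with separate resources: neither rule covers the other's.
    "pwd_admin": [
        {"resource": "password_db", "days": set(range(7)), "hours": (0, 24),
         "sources": ["10.1.5.0/24"]},
    ],
    "audit_admin": [
        {"resource": "audit_log", "days": set(range(7)), "hours": (0, 24),
         "sources": ["10.1.5.0/24"]},
    ],
}


def evaluate(user, resource, when, src_ip):
    """Return (allowed, reason). Default deny: with no matching rule there is
    no access, and the reason is what the access log should record."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    ip = ipaddress.ip_address(src_ip)
    rules = [r for r in POLICY.get(user, []) if r["resource"] == resource]
    if not rules:
        return False, "no rule grants %s access to %s" % (user, resource)
    reason = "denied"
    for rule in rules:
        if when.weekday() not in rule["days"]:
            reason = "outside permitted days"
            continue
        start, end = rule["hours"]
        if not start <= when.hour < end:
            reason = "outside permitted hours"
            continue
        if not any(ip in ipaddress.ip_network(n) for n in rule["sources"]):
            reason = "source %s not in permitted networks" % src_ip
            continue
        return True, "permitted by rule"
    return False, reason


def flag_denials(events):
    """Evaluate a batch of (user, resource, iso_timestamp, ip) events and
    return only the denials with reasons: the rows monitoring should surface."""
    out = []
    for user, resource, ts, ip in events:
        allowed, reason = evaluate(user, resource, ts, ip)
        if not allowed:
            out.append((user, resource, ts, reason))
    return out
```

A denied attempt is at least as interesting as a permitted one: Rose's login being used at 10pm on a Saturday is exactly the event the fourth bullet's software should raise, so `flag_denials` keeps the reason rather than a bare yes/no.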

Threat: Mis-managing Passwords

Issue:
In today's IT environment users have access to multiple logins, systems and applications. A typical organisation can have over 50 different security databases each with their own passwords. The result is multiple passwords for users to remember.

When users have to remember so many passwords, they often choose a simple word or number that is easy to commit to memory. Therefore, they generally choose things they perceive as personal to them, such as the names of pets, or date of birth. This kind of password is very easy to crack and software is readily available on the Internet that can do this.

So organisations often require the use of cryptic passwords (sometimes generated automatically) and changed frequently. However, this creates security holes because users need to find a way to remember all these cryptic passwords typically by writing them down where they could be seen by others.

Additionally, users often forget their passwords, putting the IT helpdesk under strain by spending time re-setting passwords instead of looking after the critical IT resources.

Another serious problem is sharing passwords - often, senior executives give their password to secretarial or administrative staff - then these staff share the password to permit breaks. Before long this password has become common knowledge and could be used to access very sensitive information.

The Vanson Bourne survey confirms these issues, stating that, generally, passwords were found to be unique to the user i.e. pet name etc, and almost all (92%) record their password 'in my head'. All also call the IT helpdesk directly if they forget their password. Encouragingly, 73% claim to change their password every 1-3 months - but this is still too infrequent for comfort.

In addition, over half of users (54%) have to memorise more than one password, with half of those having to use at least three passwords to gain access to their systems. The finance department is the worst offender, with only just over a quarter (27%) having a single password. Added to this, only 37% were aware that an incident response procedure exists in the event of hacking or password abuse.

The result? A complicated, ill-educated mess which is difficult to track.

Solutions:

• Educate users on the need for secure passwords, how to create them and how to remember them or securely store them.


• Ensure that a password-abuse process is in place, and promote it effectively so that everybody is aware. This way, there's a far greater chance that stolen passwords can be reported and changed quickly.


• Create a password quality policy and implement software that enforces this policy.


• Encourage or force users to change their password frequently - at least once a month.


• Avoid using password synchronisation methods - these create two risks. Firstly, the password quality will be set by the lowest common denominator. Secondly, if a hacker can crack a user's password on the weakest system he can get access to all the systems.


• Reduce the number of passwords that users have to remember by implementing a single sign on solution.

Single sign-on means that users only have to remember one secure password and, once authorised through transparent secondary authorisation tools (e.g. digital certificates, e-tokens and biometrics), the access is secure.
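The "password quality policy" bullet above, together with the issue section's point that users pick pet names and birth dates, can be turned into an enforceable check. The following is an added example of a password policy checker in Python; it is not code from the article or from any product, the limits are assumed policy values, and the dictionary of common passwords is a constructed stand-in for a real word list.

```python
"""Password quality policy enforcement (constructed example)."""
import re

# Assumed policy values for the illustration.
MIN_LENGTH = 12
MIN_CLASSES = 3            # of: lower, upper, digit, symbol
MAX_AGE_DAYS = 30          # the article's "at least once a month"
# Small constructed stand-in for a real dictionary of well-known passwords.
COMMON = {"password", "letmein", "welcome", "qwerty", "123456", "secret"}


def char_classes(pw):
    """How many of lower/upper/digit/symbol the password uses."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def check_password(pw, personal_terms=(), previous=(), age_days=0):
    """Return the list of policy violations; an empty list means compliant.
    personal_terms: pet names, birth years etc. the user has on record (here
    a hypothetical HR feed); previous: earlier password values to forbid reuse;
    age_days: how long the current password has been in use."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if char_classes(pw) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    lowered = pw.lower()
    # Anything personal of three or more characters counts, wherever it sits.
    if any(t.lower() in lowered for t in personal_terms if len(t) >= 3):
        problems.append("contains personal information")
    # 'Welcome123!' style: strip trailing digits and symbols before the
    # dictionary check so the decoration does not hide the dictionary word.
    base = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON or base in COMMON:
        problems.append("common password")
    if pw in previous:
        problems.append("reused")
    if age_days > MAX_AGE_DAYS:
        problems.append("older than %d days" % MAX_AGE_DAYS)
    return problems


if __name__ == "__main__":
    print(check_password("Fluffy1977", personal_terms=["Fluffy", "1977"]))
    print(check_password("Tr0ub4dor&Correct!"))
```

The length and class rules are the part most products enforce; the personal-term and trailing-decoration checks are what actually catch the "pet name plus year" habit the survey describes, and they only work if the checker is given the same personal data a social engineer could find.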

Threat: Desktop Anti-virus Tools

Issue:
Anti-virus tools are a standard part of an organisation's security infrastructure nowadays. However, they can pose a risk if anti-virus software allows local desktop control rather than centrally enforced policies.

Why? Well firstly, desktop anti-virus allows the user to switch off the virus protection, as is sometimes requested during the installation of other programs, and then forget to switch it on again. It also means users can alter the configuration settings, breaching your security policy, and creating dangerous gaps in the virus defence.

The second problem is ensuring that anti-virus signatures are always up to date. Unless there is an automatic update facility you cannot rely on protection against emerging virus threats. During a recent virus outbreak two divisions in the same organisation had different anti-virus signature update policies. One division implemented an automatic update policy and never noticed the outbreak. Another division implemented a weekly update and suffered severe loss of service due to the same virus.

Solutions:

• Desktop anti-virus protection must operate automatically and must not rely on initiation by the user, as users are fallible and forgetful.


• For desktop machines connected to your corporate network choose an anti-virus solution that allows you to enforce policies centrally and to perform signature updates automatically as soon as they become available.


• If you choose desktop anti-virus as added protection for free-standing machines, then you should ensure it is tamper-proof or password protected so that only authorised staff can make changes to it.


• Use 'Push' technology that rolls out new anti-virus updates to the desktop as soon as they become available to maximise protection.


• Reinforce virus protection for the desktop with scheduled full virus checks (rather than the intelligent on-access virus check), which can be performed automatically at times of low traffic.


• Educate your users on email attachments from unknown or unexpected sources - the golden rule is: if the users aren't expecting it, then they shouldn't open it.


• Don't rely on just one anti-virus engine - two engines will ensure that if one misses the virus, the other should catch it. You may also find that one anti-virus tool receives its updates more quickly than the other one.


• It's also worth checking if your ISP offers anti-virus screening as part of the service. Many do and, while it's not recommended as a standalone solution, it certainly builds in another line of defence.
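Central enforcement only helps if someone checks what the console reports: signature age against the update policy, whether on-access scanning is still switched on, and whether the settings are locked against local changes. The following is an added example of that compliance check in Python, modelled on the two-division outbreak described in the issue section; it is not code from the article or from any product, and the host inventory and policy threshold are constructed.

```python
"""Desktop anti-virus fleet compliance check (constructed example)."""
from datetime import datetime, timedelta

MAX_SIGNATURE_AGE = timedelta(hours=24)   # assumed policy: daily updates

# Constructed inventory in the shape a central console might export.
# Division A updates automatically; division B is on a weekly schedule.
HOSTS = [
    {"host": "a-01", "division": "A", "last_update": "2005-01-01T06:00",
     "realtime_on": True, "locked": True},
    {"host": "a-02", "division": "A", "last_update": "2005-01-01T06:00",
     "realtime_on": True, "locked": True},
    {"host": "b-01", "division": "B", "last_update": "2004-12-27T03:00",
     "realtime_on": True, "locked": True},
    # A user switched protection off to install something and never re-enabled it.
    {"host": "b-02", "division": "B", "last_update": "2004-12-27T03:00",
     "realtime_on": False, "locked": False},
]


def host_findings(host, now):
    """List of policy breaches for one host; empty means compliant."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    age = now - datetime.fromisoformat(host["last_update"])
    findings = []
    if age > MAX_SIGNATURE_AGE:
        findings.append("signatures %d days old" % age.days)
    if not host["realtime_on"]:
        findings.append("on-access scanning disabled")
    if not host["locked"]:
        findings.append("settings not locked against local changes")
    return findings


def fleet_report(hosts, now):
    """Per-division (total, non-compliant) counts, the view that shows which
    update policy is actually in force rather than which one was written."""
    report = {}
    for h in hosts:
        total, bad = report.get(h["division"], (0, 0))
        report[h["division"]] = (total + 1, bad + (1 if host_findings(h, now) else 0))
    return report


if __name__ == "__main__":
    for h in HOSTS:
        print(h["host"], host_findings(h, "2005-01-01T20:00"))
    print(fleet_report(HOSTS, "2005-01-01T20:00"))
```

With the sample data, division A is clean and every host in division B fails, one of them on all three counts; that is the report the weekly-update division would have wanted before the outbreak rather than after it.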

Threat: Web Browsing and Web-Based Email

Issue:
Surfing the Web and using Web-based email can seem innocent activities to the user, but both activities can disrupt normal business activity - and not only through a lack of user productivity. Viruses and malicious code can be hidden in Web sites and downloads of unsigned ActiveX and executables can contain harmful hidden payloads.

Other downloads, such as MP3s and images, clog up network bandwidth and drive space, causing restricted use for legitimate business activities or even server crashes.

In addition, as gateway anti-virus tools cannot detect Web-based email activity, users can receive emails with dubious content or damaging attachments that run on the local desktop and server. Users can also attach confidential documents and send these via Web email accounts completely undetected, exposing the company to risk and compromising competitive advantage.

Solutions:

• Have an acceptable usage policy in place to ensure employees know which Web sites are acceptable to visit and when. For example, you may decide that some users should only have Web access at lunchtimes and after work.


• Ensure employees are aware that Web sites and email received via Web-based email can contain viruses that harm the desktop and can spread internally to other users.


• Use software to perform virus checks, prevent large Web downloads, block ActiveX, MP3s and executables, and restrict viewing of certain URLs, including Web-based email URLs, as appropriate to your business.

Threat: Instant Messaging and Chatrooms

Issue:
Instant Messaging (IM) can be a useful tool for employees to stay in touch with each other and continue business where email is not possible or sufficiently 'real time'. However, IM tools are typically used for personal reasons, and a large part of the day can be taken up with this type of chat, leading to a reduction in employee productivity.

IM has the same security concerns as Web-based email - users can potentially send and receive sensitive corporate data. There are also viruses that are specifically aimed at IM systems (e.g. Choke virus). Anti-virus tools at the gateway do not detect IM, so infected files can seep onto the desktop and then into the network.

Chatrooms are another gateway for viruses, as they bypass the gateway anti-virus solution. Like Web-based email, they also provide the means for confidential data to be transferred.

Solutions:

• Decide whether your users can use IM as a legitimate business tool or not, and then ensure you have a policy in place - and then communicate and enforce it.


• Put secure desktop anti-virus in place (see desktop antivirus solutions).


• Use software to manage access to IM URLs.
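The last bullet of the Web section and the last bullet of this one describe the same gateway control: a decision on each request from the destination host, the file type and the size. The following is an added example of that decision logic in Python, covering both the Web-based email and IM cases; it is not code from the article or from any product, and the blocked domains, types and size ceiling are constructed policy values.

```python
"""Gateway URL and download policy decision (constructed example)."""
from urllib.parse import urlsplit

# Constructed policy: destination categories by domain suffix, file types
# stopped at the gateway, and a download size ceiling.
BLOCKED_SUFFIXES = {
    "webmail.example.net": "web-based email",
    "im.example.org": "instant messaging",
}
BLOCKED_EXTENSIONS = {".exe": "executable", ".ocx": "ActiveX control",
                      ".cab": "ActiveX package", ".mp3": "media download"}
BLOCKED_TYPES = {"application/x-msdownload": "executable",
                 "audio/mpeg": "media download"}
MAX_DOWNLOAD_BYTES = 20 * 1024 * 1024


def decide(url, content_type=None, content_length=None):
    """Return ("block" | "allow", reason) for one request.
    content_type / content_length are the response headers when available.
    Both the extension and the Content-Type are chosen by the remote side, so
    the gateway checks both and still relies on the virus scan behind it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    for suffix, category in BLOCKED_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return "block", category
    if content_type:
        media = content_type.split(";")[0].strip().lower()   # drop charset etc.
        if media in BLOCKED_TYPES:
            return "block", BLOCKED_TYPES[media]
    for ext, category in BLOCKED_EXTENSIONS.items():
        if path.endswith(ext):
            return "block", category
    if content_length is not None and content_length > MAX_DOWNLOAD_BYTES:
        return "block", "download exceeds size limit"
    return "allow", "no policy match"


def filter_log(requests):
    """Apply decide() to (url, content_type, content_length) tuples and
    return the blocked ones, which is what the proxy log should retain."""
    blocked = []
    for url, ctype, clen in requests:
        verdict, reason = decide(url, ctype, clen)
        if verdict == "block":
            blocked.append((url, reason))
    return blocked
```

Suffix matching rather than exact host matching is what stops `mail.webmail.example.net` slipping past a rule written for `webmail.example.net`; the same applies to IM services that spread across many subdomains.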

Threat: Update Patches on Servers

Issue:
With so many applications, servers and workstations, how can a company ensure it has the latest updates and most recent patches in place?

The demand on IT time for maintaining system patches and updates is huge - each supplier Web site must be checked on a daily basis for the most recent updates.

Even email pushes don't relieve the issue, as these updates still need to be installed across an increasingly diverse IT environment.

However, without this activity, how can you be sure your systems are secure? Without regular checks, systems become security loopholes and companies find themselves stuck in a continuous loop of checking Web sites and email pushes, as well as manually implementing patches and updates.

This activity uses up valuable IT resource that could be focused on other security areas, and becomes demoralising for the IT administrator handling this task.

Solutions:

• Use a generic site that can tell you all the vendor updates released in one go.


• Use proactive, not reactive, technology to tell you when and where a patch is needed.


• Make sure you have a patch policy in place and people know what they, as individuals, are responsible for.
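The second bullet, a proactive view of when and where a patch is needed, comes down to comparing an inventory of installed versions against a feed of vendor advisories and measuring how long each gap has been open against the patch policy. The following is an added example of that comparison in Python; it is not code from the article or from any product, and the products, versions, advisory dates and owners are constructed.

```python
"""Proactive missing-patch report (constructed example)."""
from datetime import date

MAX_PATCH_DAYS = 14   # assumed policy: a published fix is deployed within two weeks

# Constructed vendor advisory feed: product -> (first fixed version, advisory date).
ADVISORIES = {
    "webserver":  ("2.0.52", "2004-09-28"),
    "mailserver": ("8.13.1", "2004-07-21"),
}

# Constructed host inventory as a scanner or agent would report it.
INVENTORY = [
    {"host": "web-1",  "product": "webserver",  "version": "2.0.52"},
    {"host": "web-2",  "product": "webserver",  "version": "2.0.49"},
    {"host": "web-3",  "product": "webserver",  "version": "2.0.9"},
    {"host": "mail-1", "product": "mailserver", "version": "8.12.11"},
]


def parse_version(v):
    """Numeric tuple so that 2.0.52 > 2.0.9; a plain string compare gets this wrong."""
    return tuple(int(p) for p in v.split("."))


def missing_patches(inventory, advisories, today):
    """One finding per host below the fixed version:
    (host, product, installed, fixed, days_outstanding, overdue)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for item in inventory:
        adv = advisories.get(item["product"])
        if adv is None:
            continue                      # no advisory for this product
        fixed, published = adv
        if parse_version(item["version"]) >= parse_version(fixed):
            continue                      # already at or above the fix
        outstanding = (today - date.fromisoformat(published)).days
        findings.append((item["host"], item["product"], item["version"], fixed,
                         outstanding, outstanding > MAX_PATCH_DAYS))
    return findings


def owners_to_notify(findings, owners):
    """Map findings onto the person responsible for each product, the
    'who is responsible for what' part of the patch policy."""
    return sorted({owners[f[1]] for f in findings})


if __name__ == "__main__":
    for row in missing_patches(INVENTORY, ADVISORIES, "2005-01-01"):
        print(row)
```

The report is only as good as the two inputs: the inventory has to be collected from the hosts, not from a build sheet, and the advisory feed is the "generic site" of the first bullet in machine-readable form.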

Threat: People, Process, Planning

Issue:
Many organisations have a security policy in place and expect users to abide by it - and even to report incidents.

However, this is not foolproof - in the previously cited Vanson Bourne survey 30% of employees were ambivalent or hostile toward their company's computer security procedures (37% in smaller companies containing between 500-1,000 PCs).

One of the biggest threats is when an incident occurs and nobody knows what to do. Companies don't have a process in place, so nobody 'owns' the incident process. If appropriate action isn't taken when the incident occurs, it will have maximum impact, meaning investment in security is wasted and heads will roll.

It's interesting to note that organisations are starting to have to re-think their IT employee structure to avoid the traditional super-user structure - and hence the risk of delivering an 'access all areas' pass into the wrong hands. As mentioned earlier, no one individual should need access to everything in the organisation - if you have a super-user, ensure they can only access resources relevant and critical to their role.

One of the downfalls of security is allocating budget. Most organisations allocate a percentage of their IT budget to security - but how can they know if this is enough or too much? Organisations need to work out what security they need to protect their unique business and processes, and then allocate budget accordingly.

In essence, any security strategy must go beyond technology - it has to involve people and processes, otherwise technology on its own won't be able to combat the risks. After all, it's not technology you're trying to protect; it's knowledge and business processes. But there must be a balance - you're no good to anyone if your front door is permanently bolted.

Solutions:

• Make sure you know if you have a security policy in place. If you do have one, make sure employees are trained on the policy - don't just rely on an 'I Agree' click on a login screen.


• Incident response procedures should be put in place that define the plan of action for given incidents:

  • Identify who does what and when.

  • Identify what systems might be affected and plan recovery methods.

  • Any procedure must cover all function areas, not just IT, e.g. brand/PR, HR, customer relations, etc.


• Educate users on their responsibility to notify a nominated person of any abnormal activity, but don't rely solely on this. Ensure you have monitoring software in place, such as intrusion detection, to ensure you are always alert, and proactive rather than reactive.


• Look at your IT employee structure, the roles they have to undertake and their administrator rights - make sure they only have rights to resources that are needed to do their specific role.


• Make sure you calculate what you need to secure and allocate IT budget accordingly. Don't just rely on a ballpark figure of 1% of the IT budget - you will never know whether that 1% is enough.


• To see how good your security is, take a look at www.humanfirewall.org where you can benchmark how you're doing against peers in your industry.

The Seven Deadly Sins of Security
Finally, remember that there are many reasons why systems are breached, but some are more common than others - so move to block these and the risk is minimised. Most find their roots in the following areas:

1. Gullibility
Anything from people pretending to be someone else to gain information to be used e.g. via phone calls, to users sending out sensitive documents to other parties who may not be all that they seem.

2. Curiosity
Generally the case of people entering systems where they should not be, not necessarily out of malice, more like inquisitiveness.

3. Courtesy
For example, holding a door open for an unknown person at a swipe card entry point, therefore allowing them to bypass security; or giving your password to a third party without really questioning why they may want it.

4. Greed
A desire for intellectual or monetary gain from illegal entry to systems or pure theft.

5. Diffidence
Such as allowing people to look over your shoulder while you enter a password.

6. Thoughtlessness
Security should always be at the front of users' minds. If it's not, then there's a real risk of compromise.

7. Apathy
A failure to shred documents, a lack of caution where outsiders are concerned; in general, the 'it's not my responsibility' attitude.

Computer Associates


This Article was updated on Friday, June 15 - 2007