[ISN] Seven habits of highly secure companies

From: InfoSec News (isn@private)
Date: Wed Jun 30 2004 - 07:24:39 PDT

  • Next message: InfoSec News: "[ISN] Re: Stephen Northcutt needs your help"

    By Sheldon Gordon 
    Companies, like the humans who make them run, are creatures of habit.  
    Some of those habits can make information systems more secure, rather
    than less. There's no such thing as absolute security, of course. But
    the seven best practices of highly secure companies are a standard
    against which CEOs can measure their organizations.
    "If you can't afford the security, you can't afford the project," says
    Rosaleen Citron, CEO of Toronto-based security firm WhiteHat Inc.,
    citing a well-known axiom in the information security industry. On the
    other hand, "most businesses, big or small, can't afford to defend
    everything," says Mary Kirwan, an independent security expert in
    Toronto. Indeed, they would impede their productive business activity
    if they tried.
    An effective approach to information security involves making choices.  
    Companies must compromise, deciding what are the most important assets
    that need to be protected and then deploying a proportionate level of
    security around them.
    1. Assess and audit
    Have a risk assessment and a regular security audit performed by an
    outside pair of eyes. The risk assessment creates an inventory of
    assets and undertakes a detailed threat assessment. It assigns ratings
    to threats, and proposes a list of counter-measures. The security
    audit is designed to show whether those measures have been adequately
    implemented. How "regular" a security audit should be depends on the
    business and how much information is being exchanged with customers
    and suppliers.
    "We're seeing most companies have an audit three or four times a year
    if they have a lot of online interactions with their clients," says
    Victor Keong, a partner with Deloitte & Touche LLP in Toronto. Also,
    have a consultant rather than the internal I.T. staff perform the
    audits. "An independent set of eyes is necessary to probe and to test
    what was done inside," says Mary Kirwan, an independent security
    expert in Toronto. "It's a conflict issue. Think of the security audit
    as you would a financial audit."
    2. Update your security software
    Make sure your firewalls and anti-virus systems are up to date.  
    Enterprises need to ensure that firewalls on the underlying operating
    systems are secure and that "edge-protection devices" such as
    anti-virus software, intrusion detection boxes and upstream routers
    from the ISP are up to date.
    "Ninety per cent of companies have these devices in place," says
    Keong, "so why are they still vulnerable to viruses? It's because of
    remote users. Their anti-virus signatures are not updated like those
    in the office environment." Personal firewalls must be installed on
    laptops and other remote computers. Keong also recommends event
    correlation software that will enable the IT department, when logging
    security-related events, to better discern when a genuine attack is
    occurring and then take action.
    3. Put policy into place
    Have an IT policy that is written and enforceable and covers all the
    critical systems as well as employees of the enterprise. "The baseline
    of any security architecture has got to be policy," says Ray Gazaway,
    vice-president of professional security services, Internet Security
    Systems Inc. (ISS) in Atlanta.
    >From a legal perspective, the policy should prohibit pornography,
    conversing with competitors and circulating sexist, racist or
    defamatory e-mails. Beyond the strictly legal implications, however,
    the policy should incorporate a digital disaster recovery plan. It
    should address the basic issue of whom to call in the event of an
    emergency. The enterprise's IT department should be an integral part
    of writing the policy relating to IT issues, says Gazaway, "but it
    should be the HR group that really owns the policy.
    It should make sure that employees sign off that they've read it,
    understand it, and are aware of the consequences of violations."
    4. Backup plan
    Have a disaster recovery plan. Denial-of-service attacks have
    sensitized enterprises to the danger of being knocked offline. "If
    your livelihood is coming off e-commerce, you had better have that
    [Web site] backed up, just as you do your data," says Citron. "Back it
    up at least once a week so that you've always got the latest version."
    But digital disaster doesn't only take the form of deliberate attacks
    on IT assets, she cautions. The disaster recovery plan has to
    anticipate unintentional disruptions such as last August's power
    failure and the SARS crisis. "I've seen data centres burn down, and we
    go to the hot site, and away we go," says Citron. "But we'd never seen
    a situation where companies had to sequester work groups. Companies
    immediately had to layer security onto notebooks that hadn't been used
    before but now were needed to enable people to work from home."
    5. Train and authenticate
    Minimize the internal threat by properly training and authenticating
    employees. Enterprises should have not only a policy but also an
    awareness program informing employees not to open e-mail attachments
    from unknown sources and not to bring in disks from home. In addition,
    firms need to have rigorous authentication and access policies.
    "We're still seeing a lot of very poor password procedures in place,"  
    says Gazaway. Companies should make employees change their passwords
    at least monthly -- and explain why.
    Role-based access to systems is another important safeguard. "There
    needs to be a concerted effort in a corporation to say, 'This employee
    is only working in this particular role and should only have access to
    this particular group.' It's amazing how often we see new employees
    come to a corporation and get access to everything. There's no reason
    for a person working in a mailroom to have access to financial records
    or HR records. It's a question of who needs to have access and why.  
    And that needs to be reviewed on a regular basis."
    6. Encrypt your data
    The use of encryption technology has become widespread in enterprises
    for e-commerce transactions and wireless communications, but not for
    stored data.
    "Encryption of the data at rest is just as important as encryption of
    the data in transit," says Mark Fabro, chief security scientist with
    AMS Information Security Services Group in Fairfax, Va.
    Not only has stored data become more susceptible to exposure due to
    open networking requirements, says Fabro. In addition, stored data
    tends to be in an aggregated format that, when considered together
    with other data, can have a much more harmful impact if compromised
    than data in transit.
    "The overall asset value of what is being encrypted will dictate the
    level of encryption that needs to be deployed to secure the data,"  
    says Fabro.
    "If the information is valuable for one week and it would take a
    dedicated attacker only half a week to decrypt it, then that
    encryption is not the right one to use."
    7. Report to the CEO
    Appoint a chief information security officer (CISO) to be responsible
    for IT security. Ideally, the CISO shouldn't report directly to the
    chief information officer. A tangential relationship is necessary
    because the CISO's recommendations will be implemented through the
    activities of the CIO.
    "The direct reporting should be to the CEO, because it is the CISO who
    is ultimately going to be responsible for the crafting of information
    security policies," says Fabro. "And those policies will only be
    effective if they have top-level buy-in. It is not the CIO who is
    going to be pressing adherence to an information security policy. It
    is going to be the highest representation of the company." That should
    not be the board of directors, however, because employees may not
    fully grasp the importance of boards, Fabro says.
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Wed Jun 30 2004 - 09:50:38 PDT