
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
October 5, 2001


Keeping pace with IT

Not that long ago, the ‘ART’ of IT security was the domain of a specialist group of ‘techies’ who suffered while trying to portray the virtues of computer and communications security to an uninterested audience of managers. Concepts like ‘Bulletin Board’ and ‘Packet Switching’ were deemed too irksome to interest all but the most inquisitive of bosses. To many, the subject was too complicated and distant – not to say irrelevant.
How the situation has changed. In recent years, the exponential development and application of IT has revolutionised the ways in which most organisations work. IT now forms part of daily life for many of us, and is the ‘virtual backbone’ of a host of blue chip concerns.
IT is all around us, and has thus become somewhat easier to understand. It has also become streamlined and, in turn, much more simplified. Web sites have replaced the aforementioned Bulletin Boards, while the now-instant and seamless transmission of e-mail seems light years away from the dark ages of Packet Switching protocol.
That said, with this new-found understanding and interaction comes a raft of threats and vulnerabilities. The only way that effective security can now be implemented within IT systems, communications and the Web is by using specifically-designed IT risk management techniques that are broad enough to cope with the pace of change. There are various types of risk management methods and packages out there. Ideally, your chosen product should be structured to:

  • assess the nature of an asset’s vulnerability to the five major threats (i.e. destruction, modification, disclosure, denial and fraud);
  • estimate the single loss – or impact – of the threat occurring;
  • estimate the annualised loss expectancy;
  • devise effective controls or safeguards;
  • establish a cost/benefit analysis that will show the specific savings from a selected countermeasure – and select the most cost-effective alternatives.

By using a structured risk management approach it should be possible to give your senior management sufficient information to make sensible decisions, based on a quantitative evaluation of each risk against the cost of its countermeasure. In essence, whatever the chosen methodology, it must be able to answer some basic questions. How good is IT security now, and how good does it need to be? What are the threats to the company’s assets, and how frequently will each of those threats be realised? In addition, what steps might be taken to reduce the impact and frequency of a given threat occurring?
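The single loss expectancy, annualised loss expectancy and cost/benefit steps listed above reduce to a small amount of arithmetic. The following is an added worked example, not code from the article or from any product it describes: the asset value, exposure factors, annual rates of occurrence and countermeasure costs are constructed figures, and the three candidate controls are illustrative names only.

```python
"""Quantitative risk evaluation along the lines the article lists:
SLE, ALE and a cost/benefit comparison of candidate countermeasures.
Added illustration; the figures below are constructed, not from the article."""
from dataclasses import dataclass
from typing import Optional

# The five major threat categories named in the article.
THREAT_TYPES = ("destruction", "modification", "disclosure", "denial", "fraud")


@dataclass(frozen=True)
class Threat:
    kind: str               # one of THREAT_TYPES
    asset_value: float      # value of the asset at risk, in money units
    exposure_factor: float  # fraction of the asset lost per occurrence, 0..1
    aro: float              # annualised rate of occurrence (events per year)

    def __post_init__(self):
        if self.kind not in THREAT_TYPES:
            raise ValueError(f"unknown threat type: {self.kind}")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie in [0, 1]")

    def sle(self) -> float:
        """Single loss expectancy: the impact of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: SLE times yearly frequency."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float       # purchase and operating cost spread per year
    exposure_factor: float   # residual exposure factor once it is in place
    aro: float               # residual annual rate of occurrence


def residual_ale(threat: Threat, cm: Countermeasure) -> float:
    """ALE that remains after the countermeasure is applied."""
    return threat.asset_value * cm.exposure_factor * cm.aro


def net_annual_benefit(threat: Threat, cm: Countermeasure) -> float:
    """Savings from the control: ALE reduction minus its annual cost."""
    return threat.ale() - residual_ale(threat, cm) - cm.annual_cost


def select_countermeasure(threat: Threat, options) -> Optional[Countermeasure]:
    """Return the most cost-effective option, or None if none pays for itself."""
    if not options:
        return None
    best = max(options, key=lambda cm: net_annual_benefit(threat, cm))
    return best if net_annual_benefit(threat, best) > 0 else None


# Constructed scenario: disclosure of a customer database valued at 500,000.
CUSTOMER_DB_DISCLOSURE = Threat("disclosure", 500_000, exposure_factor=0.4, aro=0.2)

# Constructed candidate controls with assumed residual risk and yearly cost.
OPTIONS = [
    Countermeasure("encrypt database at rest", 15_000, exposure_factor=0.05, aro=0.2),
    Countermeasure("activity logging and review", 8_000, exposure_factor=0.4, aro=0.05),
    Countermeasure("full outsourced monitoring", 50_000, exposure_factor=0.0, aro=0.2),
]

if __name__ == "__main__":
    t = CUSTOMER_DB_DISCLOSURE
    print(f"SLE={t.sle():,.0f}  ALE={t.ale():,.0f}")
    for cm in OPTIONS:
        print(f"{cm.name:32s} net benefit/yr = {net_annual_benefit(t, cm):>10,.0f}")
    chosen = select_countermeasure(t, OPTIONS)
    print("selected:", chosen.name if chosen else "none justified")
```

With these constructed figures the SLE is 200,000 and the ALE 40,000 a year; encryption nets 20,000, logging nets 22,000, and the expensive third option loses money, so the selection routine returns the logging control. The point the arithmetic makes is the one the article is driving at: a control that removes all of the risk is not automatically the right choice if it costs more than the loss it prevents.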

Many end users are guilty of ignoring the evaluation of risk weighed against perceived countermeasures – the end result being that minimal security measures have been applied across IT systems and within the working environment in general.

The threat assessment
What might a typical threat and vulnerability assessment highlight for you, the security manager? Let’s start with the structure and staffing of your company’s IT department…
The basic requirement includes the need for an operations manual, end user guides, security manuals, disaster recovery plans, back-up procedures and so on. Inappropriate security measures may result in unlawful system penetration or an absence of any accountability.
At the end of the day, both of these factors may result in the disclosure of confidential information. That could lead to public embarrassment or – worse still – a loss of revenue. Your bosses will not want that.
And what of the defined and documented security policy? Obviously, the absence of any IT security policy will mean that security on a given system will be, at best, ad hoc or cosmetic. Decisions on countermeasures are then not measured against any reference model to ensure that they conform with established security policy.
Equally, an IT security policy that is not harmonised with the business strategy will result in countermeasures being applied without any defined financial benefit, and without any certainty over their appropriateness.
The policy must be recognised as an essential tool, and should be used as such. The impact of not doing so extends to illegal access without detection. Trojan Horse programs may be implanted that could well corrupt your live and back-up databases. Meantime, the manipulation of information could be accomplished for personal profit. Last – but not least – information that’s seen as being confidential might be revealed to outsiders.
Countermeasures against any such vulnerability would include:

  • the production of a modular security manual derived from policy alongside the introduction of a continual training programme for all your security and safety personnel;
  • IT staff being trained in system security concepts as part of their regular and ongoing career development;
  • appointing and training departmentally-responsible people who will then be able to organise local security and support the IT manager at all times;
  • security training for IT professionals and end users alike on a regular basis.

Disaster recovery and insurance
Your IT security disaster recovery plan should be produced for the IT department and then integrated within the organisation’s business continuity plan. The growth of a company, key personnel dependency and any failure to test the plan as it refers to IT alone would mean that any actual recovery will necessarily be protracted, expensive and difficult.
For their part, insurance levels must reflect the scale and function of a company’s IT process, and its ability to ‘deliver the goods’ in a disaster. Cover for consequential loss following a disaster needs to be in place, as does key personnel cover in respect of IT. The recovery process must be described through a disaster recovery plan, and the increased cost of working accurately assessed once it’s in place. Costs incurred as a consequence of any disruption should also be calculated, not only accurately but with the utmost care.
It’s worth noting at this point that the IT function is one where – because of its method of operation – staff in the department are privy to information that may be either confidential or sensitive. The level of trust conferred on IT personnel cannot be justified by references to previous employers, or the statement that subcontracting organisations have verified backgrounds. Clearance of any IT staff should be to the very highest level.

Software, logs and encryption
The prime threshold of security on any IT system is password-controlled access. Illegal access or access with malicious intent towards certain data files could result in fraud or damage that might itself be financially harmful.
With this in mind, end users should always deploy intrusion detection software. Such software ought to report to the IT or network manager the moment a breach of policy (or any activity that doesn’t conform to user profiles) is detected on the system.
The absence of any activity logs and poor password practice place an impossible dependence on trust. As end users become more and more aware that there’s an absence of accountability, it becomes very possible to attack data with little or no possibility of detection. So what’s the solution? User activity logs should be implemented – and, what’s more, staff should be made fully aware of their overriding purpose by the security team.
Confidentiality in most IT systems is achieved through the encryption of transmissions and data files within databases. If it’s the case that no encryption algorithm is being used, communications may be eavesdropped, and the data held within the data files may be illegally browsed. Thus a cryptographic algorithm must be determined for use – following a detailed risk management study to include all data of maximum sensitivity within the database and on external communications (including the Internet).
One element you must not forget is the authentication algorithm. A satisfactory authentication mechanism to identify individuals to the system – or confirm that files or programs have not been tampered with – is most definitely needed. The potential impact here includes losses through undetected system attacks, as well as alterations to files and programs if communication messages are not verified as originating at the correct source, or as complete or unaltered in transmission. Importantly, any programs and/or files on your company’s system must be verified as correct and absolutely free from intrusive activity.
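The two jobs the paragraph above assigns to an authentication mechanism, confirming that files and programs have not been tampered with and confirming that a message is complete and from the expected source, can both be done with a keyed message authentication code. The following is an added example, not code from the article; it uses HMAC-SHA256 from the Python standard library, and the key, file names, file contents and message are all constructed for the illustration.

```python
"""Keyed integrity and origin checks for files and messages, as an added
illustration of the 'authentication algorithm' the article calls for.
Uses HMAC-SHA256 from the standard library; the key and data are constructed."""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def keyed_digest(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over data. Unlike a plain hash, it cannot be recomputed
    by someone who alters the file but does not hold the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Baseline: name -> keyed digest, taken when the software is released."""
    return {name: keyed_digest(key, content) for name, content in files.items()}


def verify_manifest(files: dict, manifest: dict, key: bytes) -> dict:
    """Compare current file contents with the baseline.
    Returns name -> 'ok' | 'modified' | 'missing' | 'unexpected'."""
    findings = {}
    for name, expected in manifest.items():
        if name not in files:
            findings[name] = "missing"
        elif hmac.compare_digest(keyed_digest(key, files[name]), expected):
            findings[name] = "ok"
        else:
            findings[name] = "modified"
    for name in files:
        if name not in manifest:
            findings[name] = "unexpected"   # released outside the baseline
    return findings


def seal_message(key: bytes, sender: str, payload: bytes) -> bytes:
    """Sender side: sender id | payload, followed by a tag over both."""
    body = sender.encode() + b"|" + payload
    return body + keyed_digest(key, body)


def open_message(key: bytes, sealed: bytes):
    """Receiver side: returns (sender, payload), or None if the tag does not
    verify, i.e. the message was altered in transit or not from a key holder."""
    if len(sealed) <= TAG_LEN:
        return None
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(keyed_digest(key, body), tag):
        return None
    sender, _, payload = body.partition(b"|")
    return sender.decode(), payload


# Constructed sample data; a real deployment keeps the key out of reach of
# anyone who is able to alter the files it protects.
KEY = b"constructed-demo-key-not-for-real-use"
RELEASED = {
    "payroll.exe": b"\x4d\x5a program bytes",
    "ledger.dat": b"2001-10-05,1000.00",
}

if __name__ == "__main__":
    manifest = build_manifest(RELEASED, KEY)
    # Simulate a changed ledger, a deleted program and an extra file.
    tampered = {"ledger.dat": b"2001-10-05,9999.00", "rogue.exe": b"!"}
    print(verify_manifest(tampered, manifest, KEY))
    sealed = seal_message(KEY, "accounts", b"post invoice 4711")
    print(open_message(KEY, sealed))
    print(open_message(KEY, sealed[:-1] + bytes([sealed[-1] ^ 0x01])))
```

Two design points matter here. An unkeyed checksum manifest would not do: whoever can rewrite a program can recompute its plain hash, so the baseline must use a key the verifier holds and the file owners do not. And because sender and receiver share one key, the scheme proves origin and integrity but not non-repudiation; where a message must later be attributable to one party alone, a digital signature is the tool, which this example does not show.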

Drives, laptops and notebooks
‘A’ and ‘D’ drives exist on many PCs, of course, allowing users to introduce uncontrolled or copy-restricted data. Users could introduce Trojan Horses or similar code without detection for later manipulation. Also, restricted data files might be copied and removed for subsequent analysis and use.
IT security managers should give due consideration to blocking off drives capable of copying down or writing programs to the system, and the appropriateness of so-called ‘dumb terminals’. A good rule of thumb to follow is to release all new software through the IT manager’s console, at the same time as introducing software that will enable you to audit user activity and highlight any unusual or illegal accesses.
If used to link up the IT system, laptops and notebook computers can effectively destroy security measures which you may have implemented. They undoubtedly present an additional gateway for malicious attack.
Security managers must, therefore, make it a prime objective to determine a policy for laptop and notebook use within their overall IT security framework. This should clearly state who may have the machines, what type of work they may do on them, what access they have to the database, and the rules for copying data off it (together with the input of data to the database).
It almost goes without saying that password structure, lifetime and reuse should be related to the sensitivity of the data they protect. Ultimately, full individual accountability should be implicit in the use of passwords.

Devising IT and Internet policies
Internet access opens a way into the system for the outsider, who may conceal a Java or ActiveX program within another item of information or a separate program.
Similarly, e-mail that is received from unknown sources may have concealed macro viruses within it or a series of attachments.
Disruptions because of rogue programs or legal actions due to staff activity while on the Internet are real threats, as are the dangers of parallel updates and creeping corruption created in the database by way of laptops and remote sites. The security manager’s countermeasure program should include the implementation of a fully-integrated Internet policy backed up by staff training.
Databases need to be classified and a value placed upon them as assets. Restrict access in databases to information that is relevant to the user, and implement an activity log that can be software-monitored and will highlight any unusual or illegal activity. Consider, too, a secondary ‘highly secure’ network and the implementation of sanitised software as a prelude to data warehousing and mining.
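The monitoring the article asks for twice, intrusion detection software that reports activity not conforming to user profiles (under ‘Software, logs and encryption’) and a software-monitored activity log over classified databases (the paragraph above), comes down to comparing each logged event with what the user’s profile and the asset classification permit. The following is an added example, not code from the article or from any product; the user profiles, the database classifications, the working-hours and bulk-extraction rules and the log lines are all constructed for the illustration.

```python
"""Added illustration: checking an activity log against user profiles and
database classifications. Profiles, classifications and log lines are all
constructed for the example; a real product would draw them from the
directory, the asset register and the database audit trail."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple

# Constructed asset classification: each database carries a sensitivity label.
DATABASES = {"customers": "confidential", "payroll": "restricted", "catalogue": "internal"}
CLEARANCE_RANK = {"internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Profile:
    user: str
    clearance: str               # highest classification the user may see
    databases: FrozenSet[str]    # databases relevant to the user's job
    hours: Tuple[time, time]     # normal working hours (start, end)
    actions: FrozenSet[str]      # permitted operations


PROFILES: Dict[str, Profile] = {
    "alice": Profile("alice", "confidential", frozenset({"customers", "catalogue"}),
                     (time(8), time(18)), frozenset({"read", "write"})),
    "bob": Profile("bob", "internal", frozenset({"catalogue"}),
                   (time(8), time(18)), frozenset({"read"})),
}

# Constructed log: timestamp user action database rows_touched
LOG = """\
2001-10-05T09:12:01 alice read customers 40
2001-10-05T09:15:44 bob read catalogue 12
2001-10-05T09:20:10 bob read payroll 3
2001-10-05T23:41:09 alice write customers 1
2001-10-05T10:02:30 alice read customers 50000
2001-10-05T11:00:00 mallory read catalogue 1
2001-10-05T12:00:00 bob write catalogue 2
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, action, database, rows)."""
    ts, user, action, db, rows = line.split()
    return datetime.fromisoformat(ts), user, action, db, int(rows)


def check_event(ts: datetime, user: str, action: str, db: str, rows: int,
                profiles: Dict[str, Profile] = PROFILES,
                bulk_threshold: int = 10_000) -> List[str]:
    """Return every way this event deviates from the user's profile
    (an empty list means it conforms)."""
    profile = profiles.get(user)
    if profile is None:
        return ["unknown user"]
    if db not in DATABASES:
        return ["unknown database"]
    findings = []
    if db not in profile.databases:
        findings.append("database outside user profile")
    if CLEARANCE_RANK[DATABASES[db]] > CLEARANCE_RANK[profile.clearance]:
        findings.append("classification above user clearance")
    if action not in profile.actions:
        findings.append("action not permitted")
    start, end = profile.hours
    if not start <= ts.time() < end:
        findings.append("outside normal working hours")
    if rows >= bulk_threshold:
        findings.append("bulk extraction")
    return findings


def scan_log(text: str, profiles: Dict[str, Profile] = PROFILES) -> List[Tuple[str, List[str]]]:
    """Return (line, findings) for each event that should be reported to the
    IT or network manager."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, db, rows = parse_line(line)
        findings = check_event(ts, user, action, db, rows, profiles)
        if findings:
            alerts.append((line, findings))
    return alerts


if __name__ == "__main__":
    for line, findings in scan_log(LOG):
        print(f"ALERT {line}  ->  {', '.join(findings)}")
```

On the constructed log, five of the seven events are reported: a user reading a database above his clearance and outside his job profile, an out-of-hours write, a bulk read, an account that has no profile at all, and a write by a read-only user. The two ordinary reads pass silently, which is what makes such a log usable: the report is about deviations from a documented profile, not about volume, and the profiles themselves are the security policy written down in a form software can check.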
Any disruption caused by the company’s IT centre being destroyed would inevitably make recovery both difficult and expensive. After all, any copies removed from secure control invite opportunities for attack. It follows that there’s a need for implementing a secure and structured back-up policy with file copies stored securely off site.
A modular security manual for your team is a good idea. Based on your IT security policy, it will inform and guide all system users and tell them what is required of them in particular. Similarly, the company’s IT staff will need a document informing them precisely what the company expects of the IT system(s) in respect of security. Its absence means that thresholds are low, presenting a perfect opportunity for the professional or ‘chance’ attacker.
Remember, too, that defined and documented procedures, controls and policies will increase security thresholds and reduce the levels of vulnerability.

IT and security awareness
System users who do not have an awareness of security issues will not be in the habit of taking spontaneous action to protect their company’s assets, nor will they be fully up-to-speed with the likely effects that their actions might have in compromising security.
A function dedicated to the implementation and updating of security measures should be an objective of the IT department. It’s a sensitive area, though, so there is a need to ensure continuous, uninterrupted and accurate information processing. Ideally, there ought to be a trained systems security officer (perhaps ancillary to other functions) in place, a defined security reporting structure and the provision of software to support that function.
In addition, local departmental personnel should be appointed and trained to support the systems security officers.
Inevitably, computer disks may be lost or removed. With this in mind, you should locate your IT library in a secure area away from the processing function. A localised fire could destroy live versions of software programs, not to mention their back-ups.
Further, security software itself needs protection. This type of software can be used for protection, but in the wrong hands may also be deployed for intrusion purposes. Therefore, a single, dedicated individual within the IT section must be given full responsibility for the library catalogue, as well as the issuing and returning of disks.
What about IT security training? In essence, security must be initiated as a top down function. Part of that function must be the continuing professional education of IT staff – without whom it is nigh on impossible to maintain a secure edge.
As a golden rule, all IT staff should attend an IT security seminar within their first year of employment, and keep on training thereafter.
