The starting line for effective data security is at
board level, writes John Kavanagh in this review of
current thinking and technology.
End-users' poor management and awareness of IT security mean
that information security threats are everywhere. Many will reveal
their passwords to complete strangers, as researchers for the
Infosecurity exhibition and conference discovered when accosting
commuters at London's Waterloo Station as part of their annual
study.
Effective management must start at the top, with a security policy,
says Jason Creasey, head of projects at user body the Information
Security Forum. Of its 270 members, nearly one-third are in the UK,
including all the big banks, British Airways, Ford, ICI and Tesco.
"Achieving an effective and consistent standard of good practice
throughout the organisation requires clear direction from the
board," Creasey says. "Top management must establish direction and
demonstrate commitment.
"They must be highly committed to treating information security as
a critical business issue, assuming ultimate responsibility,
ensuring that controls are proportionate to risk, and assigning
overall responsibility to a top-level director."
Correy Voo, head of business technology solutions at BT, says,
"Developing policy and then managing it are far more important than
technology selection. We have seen many organisations rush out and
spend a fortune on so-called compliance technology. This can lock
them into lengthy and costly relationships that, in many cases, are
unnecessary."
Voo, Creasey and others say classifying data and users is a vital
first step towards allocating access privileges and putting
security in place.
"Business information assets are seldom valued formally and are
usually protected in a haphazard way," says Luke Silcock, an IT
management consultant at PA Consulting Group and co-author of
Beating IT Risks.
"Most organisations have no classification system for their
information. Documents can be marked confidential but people may
not know why or who else can access them. And who decides?
"All information assets must be risk-assessed against the CIA
mantra: confidentiality, accessible only by those who have the
right; integrity or accuracy; and availability." Such
classification helps with making decisions about what security and
other measures are needed for particular data sets or documents.
"If an asset has not been valued, why protect it?" asks
Silcock.
Confidentiality measures that Silcock recommends include passwords,
which not only provide a unique identity for access but also
control the ability to edit and delete information; security
devices such as smartcards; physical access restrictions; and
restricting certain data to particular computers, with limited and
controlled access paths.
A series of unsuccessful log-in attempts with an invalid
combination of user name and password should lock out the user.
Sessions with no activity for a set time should be automatically
logged out. Passwords should never be sent as plain-text e-mails.
There should be no automatic "remember my password" facility.
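The log-in controls described above (lock-out after repeated invalid user name and password combinations, automatic log-out of idle sessions, and no stored or "remembered" password) as a worked example in Python. This is an added illustration, not code from the article or any of the suppliers it mentions; the policy values, the account names and the fake clock are constructed assumptions, and the lock-out is deliberately temporary so that repeated wrong guesses cannot permanently deny a genuine user access.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Policy values: constructed for this example, tune them to your own risk assessment.
MAX_FAILED_ATTEMPTS = 5         # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60       # temporary lock; a permanent lock would invite denial of service
IDLE_TIMEOUT_SECONDS = 10 * 60  # log an inactive session out after this long
PBKDF2_ROUNDS = 200_000


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def make_account(username: str, password: str) -> Account:
    """Store only a salted PBKDF2 hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Account(username, salt, digest)


class AuthService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}   # session id -> (username, time of last activity)
        self.clock = clock   # injectable so the time-based rules can be tested without waiting

    def login(self, username: str, password: str):
        """Return (status, session_id); status is 'ok', 'locked' or 'invalid'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid", None  # same answer as a wrong password: do not reveal valid names
        if now < acct.locked_until:
            return "locked", None   # refuse even a correct password while the lock is in force
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                return "locked", None
            return "invalid", None
        acct.failed_attempts = 0    # a successful log-in resets the counter
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, now)
        return "ok", sid

    def touch(self, session_id: str) -> bool:
        """Call on every request: True if the session is live, False if it has been logged out."""
        now = self.clock()
        entry = self.sessions.get(session_id)
        if entry is None:
            return False
        username, last_active = entry
        if now - last_active > IDLE_TIMEOUT_SECONDS:
            del self.sessions[session_id]  # automatic log-out after the idle period
            return False
        self.sessions[session_id] = (username, now)
        return True


class FakeClock:
    """Constructed clock so the demonstration runs instantly and deterministically."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    svc = AuthService([make_account("alice", "correct horse battery staple")], clock)
    results = [svc.login("alice", "wrong")[0] for _ in range(MAX_FAILED_ATTEMPTS)]
    locked = svc.login("alice", "correct horse battery staple")[0]  # right password, still locked
    clock.advance(LOCKOUT_SECONDS + 1)
    status, sid = svc.login("alice", "correct horse battery staple")
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    expired = svc.touch(sid)  # idle session has been logged out
    return results, locked, status, expired


if __name__ == "__main__":
    print(demo())
```

The lock-out counter is only reset by a successful log-in or by the lock expiring, and the service gives the same "invalid" answer for an unknown user name as for a wrong password, so the log-in form cannot be used to discover which accounts exist.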
Integrity can be maintained by using fault-tolerant systems, imaged
discs, system access logging and monitoring - "a basic
requirement", Silcock says - audit trails, back-ups, intrusion
detection, and preparing an appropriate response to incidents,
including safeguarding forensic evidence.
Availability can be improved by duplication of computers, networks,
power supplies and locations. Single points of failure need to be
identified.
Balance is needed in all of this, the experts say. Information
might be totally secure but if it is not readily available to
authorised users who need it, it is worthless. And users frustrated
by security might try to circumvent it, putting the information -
and potentially the organisation - at risk.
"There is not too much to worry about as long as you have been
applying a bit of common sense to your IT security," says Calum
MacLeod, senior consultant at security specialist Cyber-Ark. As a
minimum he says businesses need file access and version control so
that only authorised users can delete or change documents; controls
to prevent unauthorised copying; and monitoring and auditing
facilities to ensure all activities are logged.
"Ultimately, it seems that most compliance requirements for IT
hinge on effective access control and being able to demonstrate
that appropriate precautions have been taken," MacLeod says.
But what counts as effective access control in these days of lax
user attitudes towards passwords? "Passwords are easy and
convenient to use, but that convenience creates a risk," says Andy
Kellett, security specialist at IT industry research firm Butler
Group. "There is a steadily growing acceptance that we have to move
away from passwords as the sole means of protection. It is not a
case of abandoning passwords, but in the past year security
suppliers have been pushing their clients hard to look at
multi-factor authentication. They see the password as being as much
of a problem as the security it is supposed to be protecting.
"Passwords are problematic and time-consuming in management,
support, updates, cancelling rights when users leave, changing
users' rights if they move departments, allocating and cancelling
passwords for temporary staff, and so on.
"Single sign-on systems help to automate password management and
help users who have to remember passwords for different systems and
files. But they arguably make things less secure: one password now
gives access to everything."
Dual authentication - combining a password with a smartcard or
other token - increases security but creates new problems. Kellett
says, "You have to manage the token too. How do you get it securely
to the user? What happens if they lose or break it?" Biometrics is
probably the way forward here, he says, with fingerprint reading
via small plug-in devices emerging as the preferred method, for the
time being.
Some passwords need special attention, says MacLeod. "There is a
set of passwords that are critical, highly sensitive and at the
heart of the enterprise, yet their security and management are
often overlooked: these are system administration passwords. Every
day systems and security administrators log in to critical systems
for maintenance, repair and to apply new security patches."
Silcock agrees. "Super-users can pretty much do what they want.
Systems administrators with the task of granting others access have
a position of responsibility and trust. It is important that checks
and balances are placed on these roles."
This is made even more urgent by the fact that these passwords are
often passed around, partly out of necessity, if a device only
allows a single defined user to log on, and partly for convenience.
"In both in-house and outsourced IT teams it is, unfortunately, all
too common to hear someone say, 'Must go. Can you finish rebuilding
the server? The root password is X'," Silcock says.
Even so, end-users with restricted access remain a bigger threat
than IT specialists with all-areas passwords. A particular risk is
users' ignorance of the fact that changes to Microsoft Word
documents can be tracked, says IT market research firm Vanson
Bourne, which recently surveyed users for document security
specialist Workshare. It found little awareness of the tracking
facility: a concern heightened by the finding that 70% of staff do
not create documents from scratch but work on existing ones or from
company templates. There were also mixed views about whether
responsibility for document security should lie with IT or with
users.
"Most documents are rarely the work of one person, so there has to
be a process, rather than an individual, to ensure that document
integrity is maintained," Vanson Bourne says.
Another worrying finding is that 78% of users print documents to
work on them. "This compounds the complexity of maintaining
document integrity," it says. "From the perspective of
accountability and auditing, this creates gaps in the document
trail."
Information also leaves the system when it is backed up and this
area, which is supposed to give a sense of security, has its own
drawbacks, says MacLeod.
"What happens to back-up data? Does it become open to unauthorised
access?" he asks. This is a question echoed by others. For example,
how secure are back-up tape racks stored along a corridor; and what
happens to tapes handed over to courier companies for transport to
a back-up site?
MacLeod says, "In the early days of IT the unreliability of
hardware meant rigorous copying of data and frequent use of
back-ups. Reliability has dramatically improved, and we are less
likely to use the restoration facility. As a result, restores and
recoveries often do not work satisfactorily."
Clearly here, as in other areas of information security, the
emphasis comes back not to technology but to people and, in
particular, to management.
Will your security pass the test?
- Are sensitive documents managed according to a classification
scheme that staff understand and follow?
- Do you limit access to a need-to-know basis?
- Are staff found guilty of serious security policy breaches
dismissed?
- Do you test back-ups?
- Do you monitor systems for attacks and respond
effectively?
- Is your security spending allocated rationally and in line with
the value of the information and the potential exploitation by
others?
Six yes answers mean you are doing the right things. If you have
answered no to two or three questions, there is significant room
for improvement.
Source: Beating IT Risks, by Luke Silcock and Ernie
Jordan
Case study: Clearing house digitises paper-based
password management
It might be surprising to hear that until recently the
organisation running the UK's automated payments clearing service
kept its 800-plus passwords on paper.
Voca, formerly Bacs, handled £11bn a day in direct debits and
credits last year, using people, paper and safes to manage the
passwords. About 15 staff held the keys to safes that protected the
passwords, and they checked and signed forms to allow people access
to them. This practice is quite common among financial
institutions.
"In 2004 Voca processed over 4.5bn items and it became clear
that we had outgrown our paper-based password management system,"
says Keith Reeve, Voca's manager of certification authority and
access control. "With our number of passwords it was essential and
timely to introduce a digital password management system that was
reliable, simple to use and trustworthy."
Voca used IT consultancy Nexillis to find a package, and it
suggested supplier Cyber-Ark.
"In a few weeks we have experienced time, cost and convenience
benefits," Reeve says. "Staff have quickly embraced it as a
convenient and safe alternative to the rather outdated process we
were relying on. There are no more forms to be filled in or
journeys down to the safes."
Reeve said Voca needed "unequivocal resilience, auditing and,
most important of all, high levels of security", and has got these
with a system that protects passwords during transmission and in
store with several layers of security and auditing.