It is vital to educate staff on good security practice,
to establish clear and workable policies, and to ensure effective
access control to corporate information. Ron Condon
reports on how to do it.
Companies spend fortunes trying to keep out hackers and viruses,
but the fact remains that most security breaches come from within
the organisation.
Users may be incompetent, nosey or malicious, but if they work
for the company, they will have legitimate access to the network.
And unless fine-grained role-based access controls have been
applied, then they are likely to have greater privileges than they
need to get their job done.
IT staff get even greater privileges. Systems and database
administrators, in particular, often have free rein to go snooping
in any part of the system, all in the name of efficiency.
So how do you stop them poking their noses into the payroll
file, or checking to see how the secret merger talks are going? Or
in the case of outsourced public sector systems, opening medical or
police files? The first step should always be to have a policy that
tells staff clearly what they can and cannot do with their
computers during work hours. Without that basic starting point, you
have no chance of enforcing good behaviour or reprimanding staff
who misbehave.
“You have to educate staff in the proper use of technology,”
said Andrew Brown, technical manager at internet security firm
Sonicwall. “For that you need a written acceptable usage policy. It
does not have to be a long or expensive exercise. You can either
engage someone who knows what to do or even just Google ‘acceptable
usage policy’ on the internet.”
But many companies fail even to get this far, said Richard
Starnes, former director of incident response at Cable &
Wireless. “Companies have tunnel vision and tend to deploy
technology for problems that are not technology problems,” he
said.
He advocated regular security awareness training, and said a
well trained and alert workforce can often spot anomalies and
problems on a network before any number of security devices. “They
need to know who and where to report these things to – so incident
and response training is also essential. It creates huge dividends
in the long term.”
A usage policy and good awareness training will go a long way to
achieving good working practice, but of course they cannot
guarantee it. Companies also need to have proper mechanisms in
place to log what happens and to spot people doing things they
should not. Trust is not enough.
David Taylor, vice-president of strategic services at encryption
firm Protegrity, said, “Of course, you have to trust people, but
how much? Even if you trust people, can you ensure the trust is
justified? I am not talking about video monitors, but simple
controls to see if people are attaching spreadsheets to e-mail
messages, or transferring files with sensitive information in
them.”
Logging and access controls are not difficult or expensive to
implement. And when you log the transactions, you need to look at
the logs and analyse the data.
The purpose of this is to prevent bad behaviour rather than
detect it. “You tell people you are doing it,” said Taylor. “The
aim is not to catch people in a lie, but to modify their behaviour
gently. Tell people they have a responsibility, get them to sign
the policy, then test them. Very few organisations do this. But if
things go wrong, it is the corporation that will be sued because it
has all the money.”
This can add up to a lot of work. Logging what everyone does and
then going through the logs would be an impossible task for most
companies without some level of automation or exception
reporting.
Basic tools like Active Directory can be used to determine who
gets access to which files, but most organisations do not apply
this to any degree, mainly because of the administrative overhead
in assigning detailed access rights.
One way around it is to automate the process of establishing
what is normal behaviour and then to throw up an alert every time
behaviour patterns change.
This technology is still in its early days, but Secerno and
Tier-3 are two companies trying to tackle the problem. In both
cases, the system takes a large chunk of network traffic – or
database traffic in Secerno’s case – analyses it and builds up its
own set of rules for acceptable usage.
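The baseline-then-exception approach described above, as an added example that is not code from the article or from either vendor it names: a short training window of audit records establishes, per user, which files are normal and how many accesses per day are normal, and the monitoring window is then reported against that baseline. The log format, users, paths and the sigma threshold are all constructed for illustration.

```python
"""Exception reporting over constructed file-access audit records ("<day> <user> <path>").
Added example; no real product's rule format is implied."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

TRAINING_LOG = """\
d1 bob /finance/ledger.xls
d1 bob /finance/invoices.csv
d2 bob /finance/ledger.xls
d1 carol /hr/handbook.pdf
d2 carol /hr/handbook.pdf
"""

MONITOR_LOG = """\
d3 bob /finance/ledger.xls
d3 bob /hr/payroll.xls
d3 carol /hr/handbook.pdf
d3 carol /hr/handbook.pdf
d3 carol /hr/handbook.pdf
d3 carol /hr/handbook.pdf
"""

def parse(log):
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def build_baseline(records):
    """Per user: the paths seen in training, plus mean and stdev of accesses per day."""
    paths, per_day = defaultdict(set), defaultdict(Counter)
    for day, user, path in records:
        paths[user].add(path)
        per_day[user][day] += 1
    return {u: (paths[u], mean(per_day[u].values()), pstdev(per_day[u].values()))
            for u in paths}

def exceptions(baseline, records, sigma=2.0):
    """Flag paths never seen in training, and daily volume above mean + sigma*stdev."""
    alerts, daily = [], defaultdict(Counter)
    for day, user, path in records:
        daily[user][day] += 1
        if path not in baseline.get(user, (set(),))[0]:
            alerts.append((user, day, "new-path", path))
    for user, days in daily.items():
        _, mu, sd = baseline.get(user, (set(), 0.0, 0.0))
        for day, n in days.items():
            if n > mu + sigma * max(sd, 1.0):  # stdev floor of 1 avoids alerting on tiny wobbles
                alerts.append((user, day, "volume", n))
    return alerts
```

Bob is flagged for touching a payroll file outside his baseline; Carol is flagged for four accesses in a day against a norm of one.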
But it is a mistake to throw technology alone at any problem,
especially if you have not laid down the foundations of good
security management.
Many companies still struggle to manage basic user provisioning,
with the result that accounts fail to get shut down when people
leave the organisation, or staff are granted more privileges than
they need.
Privilege creep can happen very easily, said Starnes. “Bob in
accounts receivable moves to accounts payable, but IT does not
revoke the privileges he had in his old job. So we have a security
problem because Bob can do things he should not, and we lose the
separation of duties.”
He said responsibility for assigning duties should be pushed
down to the level of the immediate supervisor. “Put responsibility
for privacy where it belongs. It is more efficient because you do
not have to wait for IT to get around to it. The same goes for when
an employee leaves or gets a promotion or is made redundant.”
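The privilege-creep and separation-of-duties problem Starnes describes can be audited mechanically from a role register, as in this added example (not code from the article): a list of role pairs one person must never hold together, a map of which roles each department is expected to grant, and a check that reports both conflicts and roles left over from a previous job. Role names, departments and user records are constructed for illustration.

```python
"""Audit a role register for separation-of-duties conflicts and stale (privilege-creep) roles.
Added example; the conflict list, department map and users are constructed."""
from dataclasses import dataclass, field

# Role pairs one person must never hold at once (the article's receivable/payable case).
SOD_CONFLICTS = {
    frozenset({"accounts_receivable", "accounts_payable"}),
    frozenset({"vendor_create", "payment_approve"}),
}

# Roles each department is expected to grant; anything else a member holds is suspect.
DEPARTMENT_ROLES = {
    "receivables": {"accounts_receivable", "ledger_read"},
    "payables": {"accounts_payable", "ledger_read"},
}

@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)

def sod_violations(user):
    """Conflicting role pairs this user currently holds together."""
    return {pair for pair in SOD_CONFLICTS if pair <= user.roles}

def stale_roles(user):
    """Roles held but not expected for the user's current department (left over from an old job)."""
    return user.roles - DEPARTMENT_ROLES.get(user.department, set())

def audit(users):
    """One finding per user with either kind of problem; clean users are omitted."""
    findings = {}
    for u in users:
        conflicts, stale = sod_violations(u), stale_roles(u)
        if conflicts or stale:
            findings[u.name] = {"sod": conflicts, "stale": stale}
    return findings

# Constructed register: Bob moved from receivables to payables but kept his old role.
USERS = [
    User("bob", "payables", {"accounts_receivable", "accounts_payable", "ledger_read"}),
    User("alice", "receivables", {"accounts_receivable", "ledger_read"}),
]

if __name__ == "__main__":
    for name, f in audit(USERS).items():
        print(name, "SoD:", [sorted(p) for p in f["sod"]], "stale:", sorted(f["stale"]))
```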
But identity and access management is only part of the problem,
according to Antony Rawlings, a consultant at risk management
specialist Xantus. Identity management needs to be accompanied by a
proper data classification exercise.
“Data classification is vital to get any control over who sees
what files. With Active Directory, for example, it is possible to
ensure that only one set of users gets sight of confidential
files,” he said.
Data classification need not be too onerous or even too
detailed. It can start with a broad-brush approach, but it requires
IT security and the business to work together to grade different
applications or files, and to decide what is critical and what
should be freely available.
Having done that, the process of protecting the most valuable or
mission critical information becomes a lot easier, and job roles
can be mapped against data security levels. It also means that
efforts can be focused where they are most needed.
The failure to tackle this is already hitting some big
organisations that need to comply with new corporate governance
regulations. “Companies affected by Sarbanes-Oxley have trouble
writing up policies in relation to the section 404 controls because
they do not understand what is critical and what is not,” said
Perry.
“The owners of the businesses and applications do not do a very
good job of expressing what should be regarded as important. And
that builds up problems over time.”
Even if we have all those controls in place, there is still a
chance that a curious or malicious employee will want to look at
files he should not see, or siphon off information to sell to a
rival organisation. With proper logging and the right forensic
tools, companies can get a clear picture of what is happening.
Tim Leehealey, vice-president of corporate development and
marketing at digital investigations software supplier Guidance
Software, cites the example of a large semiconductor company whose
two chief designers resigned on the same day. Using forensic tools
to trawl through the two men’s logs, the company discovered they
had been copying design data which they planned to use in a new
venture of their own in China.
“You could not have prevented them from having access to the
designs – they were the designers – but the investigation saved the
company £53m,” he said.
Preventing such events happening in the first place is trickier.
Disabling USB ports or tightly restricting access privileges are
technically easy, but often politically difficult to achieve, and
they may stop people doing their jobs.
The answer for many is to encrypt complete hard discs, files or
even parts of files to prevent the wrong eyes seeing information.
But encryption has often proved clunky to implement and created a
heavy system overhead.
David Tomlinson, managing director at software supplier Data
Encryption Systems, advised selective encryption of information on
PCs, rather than blanket encryption of the whole disc. “Gartner
advised encrypting the hard drive, but I think that is wrong. If I
need to get my PC fixed by the IT department, they would need to
have the disc decrypted first. If I just keep sensitive data in an
encrypted folder, I do not have to decrypt anything.”
In the end, however, selecting and training the best people –
and rewarding them to be good team members – is the best way to be
secure.
Brian Shorten, IS risk manager at Cancer Research, offered the
following advice, “When you are recruiting people, do the simple
things. Look for gaps in CVs, check on qualifications. Make sure
people bring some identifier, such as a passport or driving
licence, so you can ensure they are who they say they are.”
Failing that, you can get someone checked out by a vetting
agency for less than £20. It could be money well spent.
Have your say
What is your biggest security headache? Are there any easy
answers? Let us know at
computer.weekly@rbi.co.uk