It is often in the aftermath of a security breach that senior management realises its IT infrastructure isn't entirely under control, and could be out of control. The causes behind a breach highlight a yawning gap in the organisation's information systems security and control.
If this is the case, management will want a plan to put the organisation's IT system on a secure footing as quickly as possible.
An organisation may also need to get security under control quickly after an acquisition: the security processes and ethos of the acquired company may be well below those of the acquiring company.
So where is the best place to start when the security of an IT system needs a complete overhaul and upgrade? The first action to take is to prohibit any changes to the system outside of a properly authorised maintenance window when all changes can be logged and recorded. To make this effective, senior management must endorse a policy of zero tolerance for unauthorised changes, make everyone aware of the disciplinary consequences for not following this protocol and ensure employees understand that the company is actively monitoring systems for such changes.
Why is policy implementation such an important step to regaining control? It will immediately reduce the number of system problems and amount of downtime due to incorrectly implemented changes, whether authorised or not. By reducing the number of changes, administrators will have fewer problems to distract them and will be able to determine the causes of any problems far more easily, as any system changes will have been fully documented. Formal change management, supported by documented policy, is a key step to integrating security into daily IT operational processes and greatly reduces the amount of unplanned work.
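One way to monitor for changes made outside an authorised maintenance window is sketched below. It is an added example, not part of the original article, and it assumes change events come from a file-integrity or audit tool and approved windows from a change register; the field names, ticket ids, hosts and users are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: approved maintenance windows from a change register.
# Field names and ticket ids are hypothetical.
WINDOWS = [
    {"ticket": "CHG-0001", "host": "web01",
     "start": "2011-02-05T22:00:00+00:00", "end": "2011-02-06T02:00:00+00:00"},
    {"ticket": "CHG-0002", "host": "db01",
     "start": "2011-02-12T22:00:00+00:00", "end": "2011-02-13T01:00:00+00:00"},
]

# Constructed sample data: change events as a file-integrity or audit tool might report them.
EVENTS = [
    {"time": "2011-02-05T23:15:00+00:00", "host": "web01", "path": "/etc/httpd/conf/httpd.conf", "user": "alice"},
    {"time": "2011-02-05T23:20:00+00:00", "host": "db01", "path": "/etc/my.cnf", "user": "bob"},
    {"time": "2011-02-09T14:02:00+00:00", "host": "web01", "path": "/etc/ssh/sshd_config", "user": "carol"},
    {"time": "2011-02-13T01:00:00+00:00", "host": "db01", "path": "/etc/my.cnf", "user": "bob"},
]


def _ts(value):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value}")
    return parsed.astimezone(timezone.utc)


def classify_changes(events, windows):
    """Attach the authorising ticket to each event, or None if unauthorised."""
    spans = [(w["host"], _ts(w["start"]), _ts(w["end"]), w["ticket"]) for w in windows]
    results = []
    for event in events:
        when = _ts(event["time"])
        ticket = next((t for host, start, end, t in spans
                       if host == event["host"] and start <= when <= end), None)
        results.append({**event, "ticket": ticket})
    return results


def unauthorised(events, windows):
    """Return only the events that no approved window covers."""
    return [e for e in classify_changes(events, windows) if e["ticket"] is None]


if __name__ == "__main__":
    for e in unauthorised(EVENTS, WINDOWS):
        print(f"UNAUTHORISED {e['time']} {e['host']} {e['path']} by {e['user']}")
```

A window authorises changes only on the host it was approved for, so the second event is flagged even though another server's window was open at that moment.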
Once the system is no longer subject to ad hoc and uncontrolled changes, create an inventory of information assets. This can be a drawn-out task, but, for this exercise, a detailed inventory (including information such as purchase dates and insurance values) isn't necessary; such information can be gathered and collated once you're back in control. For now, list all business-critical assets and services, their location and purpose, and how they are configured. Although this list can be used to identify assets that require the greatest level of protection, the immediate purpose is to identify those that currently require the most attention: the fragile assets.
These assets are termed 'fragile' as they require the most maintenance: They regularly cause problems whenever changes are made and are costly to put right. Changes to these assets should be avoided at all costs, either until the issues that make them fragile are resolved -- many issues are due to a poor understanding of how assets are configured -- or they can be replaced.
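Once changes are being logged, the change records themselves can point to the fragile assets. The following is an added example, not part of the original article: the asset names, record fields and the thresholds (at least two recorded changes, half or more of them causing a problem) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample change records; asset names and field names are hypothetical.
# 'incident' marks a change that caused a problem, 'repair_hours' the unplanned work to fix it.
CHANGES = [
    {"asset": "erp-db", "incident": True, "repair_hours": 6.0},
    {"asset": "erp-db", "incident": True, "repair_hours": 4.0},
    {"asset": "erp-db", "incident": False, "repair_hours": 0.0},
    {"asset": "mail-gw", "incident": False, "repair_hours": 0.0},
    {"asset": "mail-gw", "incident": False, "repair_hours": 0.0},
    {"asset": "mail-gw", "incident": True, "repair_hours": 1.0},
    {"asset": "mail-gw", "incident": False, "repair_hours": 0.0},
    {"asset": "legacy-app", "incident": True, "repair_hours": 9.0},
]


def fragility_report(changes, min_changes=2, fragile_rate=0.5):
    """Summarise change outcomes per asset and flag the fragile ones.

    An asset is 'fragile' when its share of problem-causing changes reaches
    fragile_rate (an assumed threshold). Assets with fewer than min_changes
    records are marked 'insufficient data' rather than judged on one change.
    """
    per_asset = defaultdict(list)
    for record in changes:
        per_asset[record["asset"]].append(record)

    report = []
    for asset, records in per_asset.items():
        failed = [r for r in records if r["incident"]]
        unplanned = sum(r["repair_hours"] for r in failed)
        rate = len(failed) / len(records)
        if len(records) < min_changes:
            status = "insufficient data"
        elif rate >= fragile_rate:
            status = "fragile"
        else:
            status = "stable"
        report.append({"asset": asset, "changes": len(records),
                       "failure_rate": round(rate, 2), "unplanned_hours": unplanned,
                       "mean_repair_hours": unplanned / len(failed) if failed else 0.0,
                       "status": status})
    # Assets that generate the most unplanned repair work come first.
    report.sort(key=lambda r: r["unplanned_hours"], reverse=True)
    return report
```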
Next, continue to ensure security is built into the system. Access is usually an area that needs to be controlled more effectively, generally by reducing permissions to more appropriate levels. Other important areas to focus on include security incident handling procedures and data breach policy, software configurations and patching. One target should be to reduce the number of unique configurations administrators need to support. Having hardened, correctly configured builds of critical servers greatly reduces recovery times in the event of problems. Introducing internal audits to ensure documented procedures are followed is an effective way of embedding security into day-to-day work.
So far, we've looked at closing the gaps that exist in control and resolution processes. Now, the next step is to introduce a continuous round of improvements to bring your security controls across the board up to scratch. Monitoring the success and effectiveness of changes and introducing a lessons-learned exercise after any unplanned events helps to raise the overall effectiveness of system management processes.
The required level of security and the preventive, detective and corrective controls needed to achieve it will be very much dependent on your business and industry, but what are the main factors behind good, efficient security?
Back in 2000, the IT Process Institute looked at what distinguished a high performing and secure IT operation from a poor one. Taking into account technical, management, performance, monitoring and audit practices for both operations and security, the measures used included:
- Mean time to repair system flaws.
- Mean time between failures.
- The early integration of security requirements into the operation's life cycle.
- The lowest amount of unexpected work created by a change.
- The highest server-to-system administrator ratios.
The performance gap between high and low performers showed that high performers focused their efforts on these areas and had measures that were typically 5 to 8 times more effective than the medium and low performers. They were far more likely to detect breaches and detect them faster by using automated controls. Those security breaches that did occur were far less likely to result in loss events.
Needless to say, top performers allocate more budget to security as a percentage of total IT operational expense, three times in fact. But this extra spend delivers extra value: High performers complete more projects, manage more applications and IT services, and implement more changes with fewer problems, resulting in far less unplanned work. I'm a great believer in learning from those who are doing it better. So why not take advantage of the lessons others have already learned to get your IT security under control?
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.
This was first published in February 2011