Information security: Lead from the top

The starting line for effective data security is at board level, writes John Kavanagh in this review of current thinking and...

The starting line for effective data security is at board level, writes John Kavanagh in this review of current thinking and technology.

End-users' poor management and awareness of IT security mean that information security threats are everywhere. Many will reveal their passwords to complete strangers, as researchers for the Infosecurity exhibition and conference discovered when accosting commuters at London's Waterloo Station as part of their annual study.

Effective management must start at the top, with a security policy, says Jason Creasey, head of projects at user body the Information Security Forum. Of its 270 members, nearly one-third are in the UK, including all the big banks, British Airways, Ford, ICI and Tesco. "Achieving an effective and consistent standard of good practice throughout the organisation requires clear direction from the board," Creasey says. "Top management must establish direction and demonstrate commitment.

"They must be highly committed to treating information security as a critical business issue, assuming ultimate responsibility, ensuring that controls are proportionate to risk, and assigning overall responsibility to a top-level director.

Correy Voo, head of business technology solutions at BT, says, "Developing policy and then managing it are far more important than technology selection. We have seen many organisations rush out and spend a fortune on so-called compliance technology. This can lock them into lengthy and costly relationships that, in many cases, are unnecessary."

Voo, Creasey and others say classifying data and users is a vital first step towards allocating access privileges and putting security in place.

"Business information assets are seldom valued formally and are usually protected in a haphazard way," says Luke Silcock, an IT management consultant at PA Consulting Group and co-author of Beating IT Risks.

"Most organisations have no classification system for their information. Documents can be marked confidential but people may not know why or who else can access them. And who decides?

"All information assets must be risk-assessed against the CIA mantra: confidentiality, accessible only by those who have the right; integrity or accuracy; and availability." Such classification helps with making decisions about what security and other measures are needed for particular data sets or documents. "If an asset has not been valued, why protect it?" asks Silcock.

Confidentiality measures that Silcock recommends include passwords, which not only provide a unique identity for access but also control the ability to edit and delete information; security devices such as smartcards; physical access restrictions; and restricting certain data to particular computers, with limited and controlled access paths.

A series of unsuccessful log-in attempts with an invalid combination of user name and password should lock out the user. Sessions with no activity for a set time should be automatically logged out. Passwords should never be sent as plain-text e-mails. There should be no automatic "remember my password" facility.

Integrity can be maintained by using fault-tolerant systems, imaged discs, system access logging and monitoring - "a basic requirement", Silcock says - audit trails, back-ups, intrusion detection, and preparing an appropriate response to incidents, including safeguarding forensic evidence.

Availability can be improved by duplication of computers, networks, power supplies and locations. Single points of failure need to be identified.

Balance is needed in all of this, the experts say. Information might be totally secure but if it is not readily available to authorised users who need it, it is worthless. And users frustrated by security might try to circumvent it, putting the information - and potentially the organisation - at risk.

"There is not too much to worry about as long as you have been applying a bit of common sense to your IT security," says Calum MacLeod, senior consultant at security specialist Cyber-Ark. As a minimum he says businesses need file access and version control so that only authorised users can delete or change documents; controls to prevent unauthorised copying; and monitoring and auditing facilities to ensure all activities are logged.

"Ultimately, it seems that most compliance requirements for IT hinge on effective access control and being able to demonstrate that appropriate precautions have been taken," Macleod says.

But what counts as effective access control in these days of lax user attitudes towards passwords? "Passwords are easy and convenient to use, but that convenience creates a risk," says Andy Kellett, security specialist at IT industry research firm Butler Group. "There is a steadily growing acceptance that we have to move away from passwords as the sole means of protection. It is not a case of abandoning passwords, but in the past year security suppliers have been pushing their clients hard to look at multi-factor authentication. They see the password as being as much of a problem as the security it is supposed to be protecting.

"Passwords are problematic and time-consuming in management, support, updates, cancelling rights when users leave, changing users' rights if they move departments, allocating and cancelling passwords for temporary staff, and so on.

"Single sign-on systems help to automate password management and help users who have to remember passwords for different systems and files. But they arguably make things less secure: one password now gives access to everything."

Dual authentication - combining a password with a smartcard or other token - increases security but creates new problems. Kellett says, "You have to manage the token too. How do you get it securely to the user? What happens if they lose or break it?" Biometrics is probably the way forward here, he says, with fingerprint reading via small plug-in devices emerging as the preferred method, for the time being.

Some passwords need special attention, says Macleod. "There is a set of passwords that are critical, highly sensitive and at the heart of the enterprise, yet their security and management are often overlooked: these are system administration passwords. Every day systems and security administrators log in to critical systems for maintenance, repair and to apply new security patches."

Silcock agrees. "Super-users can pretty much do what they want. Systems administrators with the task of granting others access have a position of responsibility and trust. It is important that checks and balances are placed on these roles."

This is made even more urgent by the fact that these passwords are often passed around, partly out of necessity, if a device only allows a single defined user to log on, and partly for convenience. "In both in-house and outsourced IT teams it is, unfortunately, all too common to hear someone say, 'Must go. Can you finish rebuilding the server? The root password is X'," Silcock says.

Even so, end-users with restricted access remain a bigger threat than IT specialists with all-areas passwords. A particular risk is users' ignorance of the fact that changes to Microsoft Word documents can be tracked, says IT market research firm Vanson Bourne, which recently surveyed users for document security specialist Workshare. It found little awareness of the tracking facility: a concern heightened by the finding that 70% of staff do not create documents from scratch but work on existing ones or from company templates. There were also mixed views about whether responsibility for document security should lie with IT or with users.

"Most documents are rarely the work of one person, so there has to be a process, rather than an individual, to ensure that document integrity is maintained," Vanson Bourne says.

Another worrying finding is that 78% of users print documents to work on them. "This compounds the complexity of maintaining document integrity," it says. "From the perspective of accountability and auditing, this creates gaps in the document trail."

Information also leaves the system when it is backed up and this area, which is supposed to give a sense of security, has its own drawbacks, says Macleod.

"What happens to back-up data. Does it become open to unauthorised access?" he asks. This is a question echoed by others. For example, how secure are back-up tape racks stored along a corridor; and what happens to tapes handed over to courier companies for transport to a back-up site?

Macleod says, "In the early days of IT the unreliability of hardware meant rigorous copying of data and frequent use of back-ups. Reliability has dramatically improved, and we are less likely to use the restoration facility. As a result, restores and recoveries often do not work satisfactorily."

Clearly here, as in other areas of information security, the emphasis comes back not to technology but to people and, in particular, to management.


Case study: Clearing house digitises paper-based password management

It might be surprising to hear that until recently the organisation running the UK’s automated payments clearing service kept its 800-plus passwords on paper.

Voca, formerly Bacs, handled £11bn a day in direct debits and credits last year, using people, paper and safes to manage the passwords. About 15 staff held the keys to safes that protected the passwords, and they checked and signed forms to allow people access to them. This practice is quite common among financial institutions.

"In 2004 Voca processed over 4.5bn items and it became clear that we had outgrown our paper-based password management system,” says Keith Reeve, Voca’s manager of certification authority and access control. “With our number of passwords it was essential and timely to introduce a digital password management system that was reliable, simple to use and trustworthy.”
Voca used IT consultancy Nexillis to find a package, and it suggested supplier Cyber-Ark.

”In a few weeks we have experienced time, cost and convenience benefits,” Reeve says. ”Staff have quickly embraced it as a convenient and safe alternative to the rather outdated process we were relying on. There are no more forms to be filled in or journeys down to the safes.”

Reeve said Voca needed “unequivocal resilience, auditing and, most important of all, high levels of security”, and has got these with a system that protects passwords during transmission and in store with several layers of security and auditing.


Will your security pass the test?

  • Are sensitive documents managed according to a classification scheme that staff understand and follow?
  • Do you limit access to a need-to-know basis?
  • Are staff found guilty of serious security policy breaches dismissed?
  • Do you test back-ups?
  • Do you monitor systems for attacks and respond effectively?
  • Is your security spending allocated rationally and in line with the value of the information and the potential exploitation by others?

Six yes answers mean you are doing the right things. If you have answered no to two or three questions, there is significant room for improvement.

Source: Beating IT Risks, by Luke Silcock and Ernie Jordan

Read more on IT risk management