It is vital to educate staff on good security practice, to establish clear and workable policies, and to ensure effective access control to corporate information. We look at how to do it.
Companies spend fortunes trying to keep out hackers and viruses, but the fact remains that most security breaches come from within the organisation.
Users may be incompetent, nosey or malicious, but if they work for the company, they will have legitimate access to the network. And unless fine-grained role-based access controls have been applied, then they are likely to have greater access privileges than they need to get their job done.
IT staff get even greater privileges. Systems and database administrators, in particular, often have free rein to go snooping in any part of the system, all in the name of efficiency.
So how do you stop them poking their noses into the payroll file, or checking to see how the secret merger talks are going? Or in the case of outsourced public sector systems, opening medical or police files?
The first step should always be to have a policy that tells staff clearly what they can and cannot do with their computers during work hours. Without that basic starting point, you have no chance of enforcing good behaviour or reprimanding staff who misbehave.
“You have to educate staff in the proper use of technology,” said Andrew Brown, technical manager at internet security firm Sonicwall. “For that you need a written acceptable usage policy. It does not have to be a long or expensive exercise. You can either engage someone who knows what to do or even just Google ‘acceptable usage policy’ on the internet.”
But many companies fail even to get this far, said Richard Starnes, former director of incident response at Cable & Wireless. “Companies have tunnel vision and tend to deploy technology for problems that are not technology problems,” he said.
He advocated regular security awareness training, and said a well-trained and alert workforce can often spot anomalies and problems on a network before any number of security devices. “They need to know who and where to report these things to – so incident and response training is also essential. It creates huge dividends in the long term.”
A usage policy and good awareness training will go a long way to achieving good working practice, but of course they cannot guarantee it. Companies also need to have proper mechanisms in place to log what happens and to spot people doing things they should not. Trust is not enough.
David Taylor, vice-president of strategic services at encryption firm Protegrity, said: “Of course, you have to trust people, but how much? Even if you trust people, can you ensure the trust is justified? I am not talking about video monitors, but simple controls to see if people are attaching spreadsheets to e-mail messages, or transferring files with sensitive information in them.”
Basic logging and access controls are neither difficult nor expensive to implement. But a log that nobody reads is no control at all: once the transactions are recorded, someone has to review the logs and analyse the data, and that is where most of the effort goes.
The purpose of this is to prevent bad behaviour rather than detect it. “You tell people you are doing it,” said Taylor. “The aim is not to catch people in a lie, but to modify their behaviour gently. Tell people they have a responsibility, get them to sign the policy, then test them. Very few organisations do this. But if things go wrong, it is the corporation that will be sued because it has all the money.”
This can add up to a lot of work. Logging what everyone does and then going through the logs would be an impossible task for most companies without some level of automation or exception reporting.
Basic tools such as Microsoft Active Directory can be used to determine who gets access to which files, but most organisations do not apply this to any degree, mainly because of the administrative overhead in assigning detailed access rights.
One way around it is to automate the process of establishing what is normal behaviour and then to throw up an alert every time behaviour patterns change.
This technology is still in its early days, but Secerno and Tier-3 are two companies trying to tackle the problem. In both cases, the system takes a large chunk of network traffic – or database traffic in Secerno’s case – analyses it and builds up its own set of rules for acceptable usage. The obvious caveat is that a baseline learned from traffic that already contains misuse will treat that misuse as normal, so the learning window needs to be chosen and reviewed with some care.
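The baseline-and-alert approach described above, reduced to its essentials, is shown here as an added example that is not code from the original article or from either vendor. It learns, per user, the areas of the file server they normally touch, the hours they normally work and their normal daily volume from a training window of access-log lines, then flags later events that depart from that baseline. The log format (`timestamp user action path`), the user names, the paths and the thresholds are all assumptions constructed for illustration.

```python
"""Baseline-and-deviation detection over file-access logs (added example).

Learns each user's normal areas, hours and daily volume from a training
window, then flags events that depart from it. The log format, users and
paths are constructed for illustration, not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    path: str


@dataclass
class Baseline:
    areas: set = field(default_factory=set)   # top-level areas the user touched
    first_hour: int = 24                      # earliest hour of day seen
    last_hour: int = -1                       # latest hour of day seen
    daily_counts: list = field(default_factory=list)


@dataclass
class Alert:
    user: str
    reason: str
    detail: str


def parse(log: str) -> list:
    """Parse lines of the form 'ISO-timestamp user action path'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), user, action, path))
    return events


def area(path: str) -> str:
    """'/finance/ar/invoice.xlsx' -> '/finance/ar' (first two components)."""
    return "/".join(path.split("/")[:3])


def build_baseline(events: list) -> dict:
    """Summarise the training window into one Baseline per user."""
    per_day = defaultdict(lambda: defaultdict(int))   # user -> date -> count
    base = defaultdict(Baseline)
    for e in events:
        b = base[e.user]
        b.areas.add(area(e.path))
        b.first_hour = min(b.first_hour, e.ts.hour)
        b.last_hour = max(b.last_hour, e.ts.hour)
        per_day[e.user][e.ts.date()] += 1
    for user, days in per_day.items():
        base[user].daily_counts = list(days.values())
    return dict(base)


def detect(baseline: dict, events: list, volume_factor: float = 3.0) -> list:
    """Return one Alert per departure from the learned baseline.

    A volume alert fires once per user and day, when that day's count exceeds
    volume_factor times the user's mean daily count in the training window.
    """
    alerts = []
    day_count = defaultdict(int)
    volume_flagged = set()
    for e in events:
        b = baseline.get(e.user)
        if b is None:                      # nobody trained a baseline for this user
            alerts.append(Alert(e.user, "unknown-user", e.path))
            continue
        a = area(e.path)
        if a not in b.areas:               # an area this user has never touched
            alerts.append(Alert(e.user, "new-area", a))
        if not b.first_hour <= e.ts.hour <= b.last_hour:
            alerts.append(Alert(e.user, "out-of-hours", e.ts.isoformat()))
        key = (e.user, e.ts.date())
        day_count[key] += 1
        if key not in volume_flagged and day_count[key] > volume_factor * mean(b.daily_counts):
            volume_flagged.add(key)
            alerts.append(Alert(e.user, "volume", f"{day_count[key]} accesses on {e.ts.date()}"))
    return alerts


# Constructed training window: three days of routine activity (bob: 2 per day).
TRAINING_LOG = """\
2024-03-01T08:55:10 bob READ /finance/ar/invoice-1001.xlsx
2024-03-01T16:02:51 bob WRITE /finance/ar/aging-report.xlsx
2024-03-02T09:10:22 bob READ /finance/ar/invoice-1002.xlsx
2024-03-02T14:20:05 bob READ /finance/ar/invoice-1003.xlsx
2024-03-03T10:05:47 bob READ /finance/ar/invoice-1004.xlsx
2024-03-03T15:30:00 bob WRITE /finance/ar/aging-report.xlsx
2024-03-01T09:15:00 alice READ /hr/payroll/march.xlsx
2024-03-02T09:20:00 alice WRITE /hr/payroll/march.xlsx
"""

# Constructed later activity containing one of each kind of departure.
NEW_LOG = "\n".join(
    ["2024-03-04T09:01:00 bob READ /finance/ar/invoice-1005.xlsx",
     "2024-03-04T13:22:10 bob READ /hr/payroll/march.xlsx",          # new area
     "2024-03-04T22:10:00 bob READ /finance/ar/invoice-1006.xlsx",   # out of hours
     "2024-03-04T10:00:00 carol READ /finance/ar/invoice-1007.xlsx"] # no baseline
    + [f"2024-03-05T09:0{i}:00 bob READ /finance/ar/invoice-{1100 + i}.xlsx"
       for i in range(7)]                                            # 7 > 3 x mean(2)
)


def run_example() -> list:
    return detect(build_baseline(parse(TRAINING_LOG)), parse(NEW_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert.user:6} {alert.reason:13} {alert.detail}")
```

The four alerts the constructed data produces are a new area, an out-of-hours access, a user with no baseline and a volume spike. Each is a prompt for a human to look, not a verdict: the same signals fire legitimately when someone changes job or works late on a deadline, which is why the article's point about the policy, and telling people they are being logged, matters as much as the detection.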
But it is a mistake to throw technology alone at any problem, especially if you have not laid down the foundations of good security management.
Many companies still struggle to manage basic user provisioning, with the result that accounts fail to get shut down when people leave the organisation, or staff are granted more privileges than they need.
Privilege creep can happen very easily, said Starnes. “Bob in accounts receivable moves to accounts payable, but IT does not revoke the privileges he had in his old job. So we have a security problem because Bob can do things he should not, and we lose the separation of duties.”
He said responsibility for assigning duties should be pushed down to the level of the immediate supervisor. “Put responsibility for privacy where it belongs. It is more efficient because you do not have to wait for IT to get around to it. The same goes for when an employee leaves or gets a promotion or is made redundant.”
But identity and access management is only part of the problem, according to Antony Rawlings, a consultant at risk management specialist Xantus. Identity management needs to be accompanied by a proper data classification exercise.
“Data classification is vital to get any control over who sees what files. With Active Directory, for example, it is possible to ensure that only one set of users gets sight of confidential files,” he said.
Data classification need not be too onerous or even too detailed. It can start with a broad-brush approach, but it requires IT security and the business to work together to grade different applications or files, and to decide what is critical and what should be freely available.
Having done that, the process of protecting the most valuable or mission critical information becomes a lot easier, and job roles can be mapped against data security levels. It also means that efforts can be focused where they are most needed.
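The three failures described above – accounts that survive a leaver, privileges that accumulate when someone changes job, and access that exceeds what a role's data classification allows – can all be found with the same entitlement review. The following is an added example, not code from the article or from Xantus, of how such a review can be run over directory data once roles have been mapped to groups and shares to classification levels. The roles, group names, shares, clearance levels and accounts are all constructed for illustration.

```python
"""Entitlement review for privilege creep, separation of duties and
data classification (added example).

Checks each account's group memberships against what its current role
should hold, against pairs of duties that must stay separate, and against
the classification of the shares those groups unlock. Roles, groups,
shares and accounts are constructed for illustration.
"""
from dataclasses import dataclass

CLASSIFICATION = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# Job role -> groups the role needs (everyone also holds g-everyone).
ROLE_GROUPS = {
    "accounts-receivable": {"g-finance-ar"},
    "accounts-payable": {"g-finance-ap"},
    "hr-admin": {"g-hr-payroll"},
    "helpdesk": {"g-helpdesk"},
}
# Highest classification each role is cleared to see.
ROLE_CLEARANCE = {
    "accounts-receivable": "CONFIDENTIAL",
    "accounts-payable": "CONFIDENTIAL",
    "hr-admin": "SECRET",
    "helpdesk": "INTERNAL",
}
# Groups that, held together, defeat separation of duties.
TOXIC_PAIRS = [frozenset({"g-finance-ar", "g-finance-ap"})]
# Share -> (classification, groups granted access).
SHARES = {
    "/public/intranet": ("PUBLIC", {"g-everyone"}),
    "/finance/ar": ("CONFIDENTIAL", {"g-finance-ar"}),
    "/finance/ap": ("CONFIDENTIAL", {"g-finance-ap"}),
    "/hr/payroll": ("SECRET", {"g-hr-payroll"}),
}


@dataclass
class Account:
    name: str
    role: str
    groups: set
    employed: bool = True   # False once HR records the person as a leaver
    enabled: bool = True    # directory account can still log on


@dataclass
class Finding:
    account: str
    kind: str
    detail: str


def review(accounts: list) -> list:
    """Return one Finding per control failure, in account order."""
    findings = []
    for acct in accounts:
        # Leaver whose account was never disabled.
        if not acct.employed and acct.enabled:
            findings.append(Finding(acct.name, "orphan-account", "leaver still enabled"))
        # Groups beyond what the current role needs (privilege creep).
        expected = ROLE_GROUPS[acct.role] | {"g-everyone"}
        for g in sorted(acct.groups - expected):
            findings.append(Finding(acct.name, "privilege-creep", g))
        # Toxic combinations, regardless of how they were acquired.
        for pair in TOXIC_PAIRS:
            if pair <= acct.groups:
                findings.append(Finding(acct.name, "separation-of-duties", "+".join(sorted(pair))))
        # Shares classified above the role's clearance that the groups unlock.
        clearance = CLASSIFICATION[ROLE_CLEARANCE[acct.role]]
        for share, (level, granted) in SHARES.items():
            if acct.groups & granted and CLASSIFICATION[level] > clearance:
                findings.append(Finding(acct.name, "over-classification", f"{share} is {level}"))
    return findings


# Constructed accounts.
ACCOUNTS = [
    # Moved from AR to AP; the old group was never revoked.
    Account("bob", "accounts-payable", {"g-everyone", "g-finance-ar", "g-finance-ap"}),
    Account("alice", "hr-admin", {"g-everyone", "g-hr-payroll"}),
    # Helpdesk staff granted the payroll share "to fix a problem".
    Account("dave", "helpdesk", {"g-everyone", "g-helpdesk", "g-hr-payroll"}),
    # Left the company; account still enabled.
    Account("eve", "accounts-receivable", {"g-everyone", "g-finance-ar"}, employed=False),
]


def run_example() -> list:
    return review(ACCOUNTS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.account:6} {f.kind:21} {f.detail}")
```

Bob is the article's own example: one stale group gives both a privilege-creep finding and a separation-of-duties finding. Dave's case shows why classification has to accompany identity management: his extra group is not a conflict of duties, but it unlocks a SECRET share from an INTERNAL role, and only the classification mapping makes that visible. The review is only as good as the role-to-group and share-to-classification tables, which is the exercise the business and IT security have to do together.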
The failure to tackle this is already hitting some big organisations that need to comply with new corporate governance regulations. “Companies affected by Sarbanes-Oxley have trouble writing up policies in relation to the section 404 controls because they do not understand what is critical and what is not,” said Perry.
“The owners of the businesses and applications do not do a very good job of expressing what should be regarded as important. And that builds up problems over time.”
Even if we have all those controls in place, there is still a chance that a curious or malicious employee will want to look at files he should not see, or siphon off information to sell to a rival organisation. With proper logging and the right forensic tools, companies can get a clear picture of what is happening.
Tim Leehealey, vice-president of corporate development and marketing at digital investigations software supplier Guidance Software, cites the example of a large semiconductor company whose two chief designers resigned on the same day. Using forensic tools to trawl through the two men’s logs, the company discovered they had been copying design data which they planned to use in a new venture of their own in China.
“You could not have prevented them from having access to the designs – they were the designers – but the investigation saved the company £53m,” he said.
Preventing such events happening in the first place is trickier. Disabling USB ports or tightly restricting access privileges are technically easy, but often politically difficult to achieve, and they may stop people doing their jobs.
The answer for many is to encrypt complete hard discs, files or even parts of files to prevent the wrong eyes seeing information. But encryption has often proved clunky to implement and created a heavy system overhead.
David Tomlinson, managing director at software supplier Data Encryption Systems, advised selective encryption of information on PCs, rather than blanket encryption of the whole disc. “Gartner advised encrypting the hard drive, but I think that is wrong. If I need to get my PC fixed by the IT department, they would need to have the disc decrypted first. If I just keep sensitive data in an encrypted folder, I do not have to decrypt anything.”
In the end, however, selecting and training the best people – and rewarding them to be good team members – is the best way to be secure.
Brian Shorten, IS risk manager at Cancer Research, offered the following advice: “When you are recruiting people, do the simple things. Look for gaps in CVs, check on qualifications. Make sure people bring some identifier, such as a passport or driving licence, so you can ensure they are who they say they are.”
Failing that, you can get someone checked out by a vetting agency for less than £20. It could be money well spent.