This is “Taking Action”, section 13.4 from the book Getting the Most Out of Information Systems (v. 2.0). For details on it (including licensing), click here.
For more information on the source of this book, or why it is available for free, please see the project's home page. You can browse or download additional books there. To download a .zip file containing this book to use offline, simply click here.
The weakest link in security is often a careless user, so don’t make yourself an easy mark. Once you get a sense of threats, you understand the kinds of precautions you need to take. Security considerations then become more common sense than high tech. Here’s a brief list of major issues to consider:
Developing organizational security is a daunting task. You’re in an arms race with adversaries that are tenacious and constantly on the lookout for new exploits. Fortunately, no firm is starting from scratch—others have gone before you and many have worked together to create published best practices.
There are several frameworks, but perhaps the best known of these efforts comes from the International Organization for Standards (ISO), and is broadly referred to as ISO27k or the ISO 27000 series. According to ISO.org, this evolving set of standards provides “a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.”
Firms may also face compliance requirements—legal or professionally binding steps that must be taken. Failure to do so could result in fine, sanction, and other punitive measures. At the federal level, examples include HIPAA (the Health Insurance Portability and Accountability Act), which regulates health data; the Graham-Leach-Bliley Act, which regulates financial data; and the Children’s Online Privacy Protection Act, which regulates data collection on minors. U.S. government agencies must also comply with FISMA (the Federal Information Security Management Act), and there are several initiatives at the other government levels. By 2009, some level of state data breach laws had been passed by over thirty states, while multinationals face a growing number of statues throughout the world. Your legal team and trade associations can help you understand your domestic and international obligations. Fortunately, there are often frameworks and guidelines to assist in compliance. For example, the ISO standards include subsets targeted at the telecommunications and health care industries, and major credit card firms have created the PCI (payment card industry) standards. And there are skilled consulting professionals who can help bring firms up to speed in these areas, and help expand their organizational radar as new issues develop.
Here is a word of warning on frameworks and standards: compliance does not equal security. Outsourcing portions security efforts without a complete, organizational commitment to being secure can also be dangerous. Some organizations simply approach compliance as a necessary evil: a sort of checklist that can reduce the likelihood of a lawsuit or other punitive measure.M. Davis, “What Will It Take?” InformationWeek, November 23, 2009. While you want to make sure you’re doing everything in your power not to get sued, this isn’t the goal. The goal is taking all appropriate measures to ensure that your firm is secure for your customers, employees, shareholders, and others. Frameworks help shape your thinking and expose things you should do, but security doesn’t stop there—this is a constant, evolving process that needs to pervade the organization from the CEO suite and board, down to front line workers and potentially out to customers and partners. And be aware of the security issues associated with any mergers and acquisitions. Bringing in new firms, employees, technologies, and procedures means reassessing the security environment for all players involved.
On inauguration day 2009, credit card processor Heartland announced that it had experienced what was one of the largest security breaches in history. The Princeton, New Jersey, based firm was, at the time, the nation’s fifth largest payments processor. Its business was responsible for handling the transfer of funds and information between retailers and cardholders’ financial institutions. That means infiltrating Heartland was like breaking into Fort Knox.
It’s been estimated that as many as 100 million cards issued by more than 650 financial services companies may have been compromised during the Heartland breach. Said the firm’s CEO, this was “the worst thing that can happen to a payments company and it happened to us.”R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009. Wall Street noticed. The firm’s stock tanked—within a month, its market capitalization had plummeted over 75 percent, dropping over half a billion dollars in value.T. Claburn, “Payment Card Industry Gets Encryption Religion,” InformationWeek, November 13, 2009.
The Heartland case provides a cautionary warning against thinking that security ends with compliance. Heartland had in fact passed multiple audits, including one conducted the month before the infiltration began. Still, at least thirteen pieces of malware were uncovered on the firm’s servers. Compliance does not equal security. Heartland was complaint, but a firm can be compliant and not be secure. Compliance is not the goal, security is.
Since the breach, the firm’s executives have championed industry efforts to expand security practices, including encrypting card information at the point it is swiped and keeping it secure through settlement. Such “cradle-to-grave” encryption can help create an environment where even compromised networking equipment or intercepting relay systems wouldn’t be able to grab codes.T. Claburn, “Payment Card Industry Gets Encryption Religion,” InformationWeek, November 13, 2009; R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009. Recognize that security is a continual process, it is never done, and firms need to pursue security with tenacity and commitment.
Security is as much about people, process, and policy, as it is about technology.
From a people perspective, the security function requires multiple levels of expertise. Operations employees are involved in the day-to-day monitoring of existing systems. A group’s R&D function is involved in understanding emerging threats and reviewing, selecting, and implementing updated security techniques. A team must also work on broader governance issues. These efforts should include representatives from specialized security and broader technology and infrastructure functions. It should also include representatives from general counsel, audit, public relations, and human resources. What this means is that even if you’re a nontechnical staffer, you may be brought in to help a firm deal with security issues.
Processes and policies will include education and awareness—this is also everyone’s business. As the Vice President of Product Development at security firm Symantec puts it, “We do products really well, but the next step is education. We can’t keep the Internet safe with antivirus software alone.”D. Goldman, “Cybercrime: A Secret Underground Economy,” CNNMoney, September 17, 2009. Companies should approach information security as a part of their “collective corporate responsibility…regardless of whether regulation requires them to do so.”Knowledge@Wharton, “Information Security: Why Cybercriminals Are Smiling,” August 19, 2009.
For a lesson in how important education is, look no further than the head of the CIA. Former U.S. Director of Intelligence John Deutch engaged in shockingly loose behavior with digital secrets, including keeping a daily journal of classified information—some 1,000+ pages—on memory cards he’d transport in his shirt pocket. He also downloaded and stored Pentagon information, including details of covert operations, at home on computers that his family used for routine Internet access.N. Lewis, “Investigation Of Ex-Chief Of the C.I.A. Is Broadened,” New York Times, September 17, 2000.
Employees need to know a firm’s policies, be regularly trained, and understand that they will face strict penalties if they fail to meet their obligations. Policies without eyes (audit) and teeth (enforcement) won’t be taken seriously. Audits include real-time monitoring of usage (e.g., who’s accessing what, from where, how, and why; sound the alarm if an anomaly is detected), announced audits, and surprise spot checks. This function might also stage white hat demonstration attacks—attempts to hunt for and expose weaknesses, hopefully before hackers find them. Frameworks offer guidelines on auditing, but a recent survey found most organizations don’t document enforcement procedures in their information security policies, that more than one-third do not audit or monitor user compliance with security policies, and that only 48 percent annually measure and review the effectiveness of security policies.A. Matwyshyn, Harboring Data: Information Security, Law, and The Corporation (Palo Alto, CA: Stanford University Press, 2009).
A firm’s technology development and deployment processes must also integrate with the security team to ensure that from the start, applications, databases, and other systems are implemented with security in mind. The team will have specialized skills and monitor the latest threats and are able to advise on precautions necessary to be sure systems aren’t compromised during installation, development, testing, and deployment.
A worldwide study by PricewaterhouseCoopers and Chief Security Officer magazine revealed that most firms don’t even know what they need to protect. Only 33 percent of executives responded that their organizations kept accurate inventory of the locations and jurisdictions where data was stored, and only 24 percent kept inventory of all third parties using their customer data.A. Matwyshyn, Harboring Data: Information Security, Law, and The Corporation (Palo Alto, CA: Stanford University Press, 2009). What this means is that most firms don’t even have an accurate read on where their valuables are kept, let alone how to protect them.
So information security should start with an inventory-style auditing and risk assessment. Technologies map back to specific business risks. What do we need to protect? What are we afraid might happen? And how do we protect it? Security is an economic problem, involving attack likelihood, costs, and prevention benefits. These are complex trade-offs that must consider losses from theft or resources, systems damage, data loss, disclosure of proprietary information, recovery, downtime, stock price declines, legal fees, government and compliance penalties, and intangibles such as damaged firm reputation, loss of customer and partner confidence, industry damage, promotion of adversary, and encouragement of future attacks.
While many firms skimp on security, firms also don’t want to misspend, targeting exploits that aren’t likely, while underinvesting in easily prevented methods to thwart common infiltration techniques. Hacker conventions like DefCon can show some really wild exploits. But it’s up to the firm to assess how vulnerable it is to these various risks. The local donut shop has far different needs than a military installation, law enforcement agency, financial institution, or firm housing other high-value electronic assets. A skilled risk assessment team will consider these vulnerabilities and what sort of countermeasure investments should take place.
Economic decisions usually drive hacker behavior, too. While in some cases attacks are based on vendetta or personal reasons, in most cases exploit economics largely boils down to
Adversary ROI = Asset value to adversary – Adversary cost.An adversary’s costs include not only the resources, knowledge, and technology required for the exploit, but also the risk of getting caught. Make things tough to get at, and lobbying for legislation that imposes severe penalties on crooks can help raise adversary costs and lower your likelihood of becoming a victim.
Technical solutions often involve industrial strength variants of the previously discussed issues individuals can employ, so your awareness is already high. Additionally, an organization’s approach will often leverage multiple layers of protection and incorporate a wide variety of protective measures.
Patch. Firms must be especially vigilant to pay attention to security bulletins and install software updates that plug existing holes, (often referred to as patches). Firms that don’t plug known problems will be vulnerable to trivial and automated attacks. Unfortunately, many firms aren’t updating all components of their systems with consistent attention. With operating systems automating security update installations, hackers have moved on to application targets. But a major study recently found that organizations took at least twice as long to patch application vulnerabilities as they take to patch operating system holes.S. Wildstrom, “Massive Study of Net Vulnerabilities: They’re Not Where You Think They Are,” BusinessWeek, September 14, 2009. And remember, software isn’t limited to conventional PCs and servers. Embedded systems abound, and connected, yet unpatched devices are vulnerable. Malware has infected everything from unprotected ATM machinesP. Lilly, “Hackers Targeting Windows XP-Based ATM Machines,” Maximum PC, June 4, 2009. to restaurant point-of-sale systemsR. McMillan, “Restaurants Sue Vendors after Point-of-Sale Hack,” CIO, December 1, 2009. to fighter plane navigation systems.C. Matyszczyk, “French Planes Grounded by Windows Worm,” CNET, February 8, 2009.
As an example of unpatched vulnerabilities, consider the DNS cache poisoning exploit described earlier in this chapter. The discovery of this weakness was one of the biggest security stories the year it was discovered, and security experts saw this as a major threat. Teams of programmers worldwide raced to provide fixes for the most widely used versions of DNS software. Yet several months after patches were available, roughly one quarter of all DNS servers were still unpatched and exposed.IBM, X-Force Threat Report: 2008 Year in Review, January 2009.
To be fair, not all firms delay patches out of negligence. Some organizations have legitimate concerns about testing whether the patch will break their system or whether the new technology contains a change that will cause problems down the road.For example, the DNS security patch mentioned was incompatible with the firewall software deployed at some firms. And there have been cases where patches themselves have caused problems. Finally, many software updates require that systems be taken down. Firms may have uptime requirements that make immediate patching difficult. But ultimately, unpatched systems are an open door for infiltration.
Lock down hardware. Firms range widely in the security regimes used to govern purchase through disposal system use. While some large firms such as Kraft are allowing employees to select their own hardware (Mac or PC, desktop or notebook, iPhone or BlackBerry),N. Wingfield, “It’s a Free Country…So Why Can’t I Pick the Technology I Use in the Office?” Wall Street Journal, November 15, 2009. others issue standard systems that prevent all unapproved software installation and force file saving to hardened, backed-up, scanned, and monitored servers. Firms in especially sensitive industries such as financial services may regularly reimage the hard drive of end-user PCs, completely replacing all the bits on a user’s hard drive with a pristine, current version—effectively wiping out malware that might have previously sneaked onto a user’s PC. Other lock-down methods might disable the boot capability of removable media (a common method for spreading viruses via inserted discs or USBs), prevent Wi-Fi use or require VPN encryption before allowing any network transmissions, and more. The cloud helps here, too. (See Chapter 10 "Software in Flux: Partly Cloudy and Sometimes Free".) Employers can also require workers to run all of their corporate applications inside a remote desktop where the actual executing hardware and software is elsewhere (likely hosted as a virtual machine session on the organization’s servers), and the user is simply served an image of what is executing remotely. This seals the virtual PC off in a way that can be thoroughly monitored, updated, backed up, and locked down by the firm.
In the case of Kraft, executives worried that the firm’s previously restrictive technology policies prevented employees from staying in step with trends. Employees opting into the system must sign an agreement promising they’ll follow mandated security procedures. Still, financial services firms, law offices, health care providers, and others may need to maintain stricter control, for legal and industry compliance reasons.
Lock down the network. Network monitoring is a critical part of security, and a host of technical tools can help.
Firms employ firewallsA system that acts as a control for network traffic, blocking unauthorized traffic while permitting acceptable use. to examine traffic as it enters and leaves the network, potentially blocking certain types of access, while permitting approved communication. Intrusion detection systemsA system that monitors network use for potential hacking attempts. Such a system may take preventative action to block, isolate, or identify attempted infiltration, and raise further alarms to warn security personnel. specifically look for unauthorized behavior, sounding the alarm and potentially taking action if something seems amiss. Some firms deploy honeypotsA seemingly tempting, but bogus target meant to draw hacking attempts. By monitoring infiltration attempts against a honeypot, organizations may gain insight into the identity of hackers and their techniques, and they can share this with partners and law enforcement.—bogus offerings meant to distract attackers. If attackers take honeypot bait, firms may gain an opportunity to recognize the hacker’s exploits, identify the IP address of intrusion, and take action to block further attacks and alert authorities.
Many firms also deploy blacklistsPrograms that deny the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions.—denying the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions. While blacklists block known bad guys, whitelistsHighly restrictive programs that permit communication only with approved entities and/or in an approved manner. are even more restrictive—permitting communication only with approved entities or in an approved manner.
These technologies can be applied to network technology, specific applications, screening for certain kinds of apps, malware signatures, and hunting for anomalous patterns. The latter is important, as recent malware has become polymorphic, meaning different versions are created and deployed in a way that their signature, a sort of electronic fingerprint often used to recognize malicious code, is slightly altered. This also helps with zero-day exploits, and in situations where whitelisted Web sites themselves become compromised.
Many technical solutions, ranging from network monitoring and response to e-mail screening, are migrating to “the cloud.” This can be a good thing—if network monitoring software immediately shares news of a certain type of attack, defenses might be pushed out to all clients of a firm (the more users, the “smarter” the system can potentially become—again we see the power of network effects in action).
Lock down partners. Insist partner firms are compliant, and audit them to ensure this is the case. This includes technology providers and contract firms, as well as value chain participants such as suppliers and distributors. Anyone who touches your network is a potential point of weakness. Many firms will build security expectations and commitments into performance guarantees known as service level agreements (SLAs).
Lock down systems. Audit for SQL injection and other application exploits. The security team must constantly scan exploits and then probe its systems to see if it’s susceptible, advising and enforcing action if problems are uncovered. This kind of auditing should occur with all of a firm’s partners.
Access controls can also compartmentalize data access on a need-to-know basis. Such tools can not only enforce access privileges, they can help create and monitor audit trails to help verify that systems are not being accessed by the unauthorized, or in suspicious ways.
Audit trails are used for deterring, identifying, and investigating these cases. Recording, monitoring, and auditing access allows firms to hunt for patterns of abuse. Logs can detail who, when, and from where assets are accessed. Giveaways of nefarious activity may include access from unfamiliar IP addresses, from nonstandard times, accesses that occur at higher than usual volumes, and so on. Automated alerts can put an account on hold or call in a response team for further observation of the anomaly.
Single-sign-on tools can help firms offer employees one very strong password that works across applications, is changed frequently (or managed via hardware cards or mobile phone log-in), and can be altered by password management staff.
Multiple administrators should jointly control key systems. Major configuration changes might require approval of multiple staffers, as well as the automatic notification of concerned personnel. And firms should employ a recovery mechanism to regain control in the event that key administrators are incapacitated or uncooperative. This balances security needs with an ability to respond in the event of a crisis. Such a system was not in place in the earlier described case of the rogue IT staffer who held the city of San Francisco’s networks hostage by refusing to give up vital passwords.
Have failure and recovery plans. While firms work to prevent infiltration attempts, they should also have provisions in place that plan for the worst. If a compromise has taken place, what needs to be done? Do stolen assets need to be devalued (e.g., accounts terminated, new accounts issued)? What should be done to notify customers and partners, educate them, and advise them through any necessary responses? Who should work with law enforcement and with the media? Do off-site backups or redundant systems need to be activated? Can systems be reliably restored without risking further damage?
Best practices are beginning to emerge. While postevent triage is beyond the scope of our introduction, the good news is that firms are now sharing data on breaches. Given the potential negative consequences of a breach, organizations once rarely admitted they’d been compromised. But now many are obligated to do so. And the broad awareness of infiltration both reduces organizational stigma in coming forward, and allows firms and technology providers to share knowledge on the techniques used by cybercrooks.
Information security is a complex, continually changing, and vitally important domain. The exploits covered in this chapter seem daunting, and new exploits constantly emerge. But your thinking on key issues should now be broader. Hopefully you’ve now embedded security thinking in your managerial DNA, and you are better prepared to be a savvy system user and a proactive participant working for your firm’s security. Stay safe!