IT Manager's Handbook: Getting Your New Job Done (50 page)

Hasselman C, (2011).
Value Driven Enterprise Architecture
. CreateSpace.

High PA, (2009).
World Class IT: Why Businesses Succeed When IT Triumphs
. Wiley Press/Jossey-Bass.

Meyers M, (2009).
CompTIA Network + Guide to Managing and Troubleshooting Networks
. McGraw-Hill.

Shane SA, (2008).
Technology Strategy for Managers and Entrepreneurs
. Prentice Hall.

Turban E, Volonino L, (2011).
Information Technology for Management: Improving Strategic and Operational Performance
. Wiley.

Chapter 8

Security and Compliance

If you don't like their rules, whose would you use?

Charlie Brown

Chapter table of contents

8.1
How We Got Here

8.2
Managing Security

8.3
Security Solutions and Technologies

8.4
Types of Threats

8.5
Compliance and IT

8.6
The Rules

8.7
How to Comply with the Rules

8.8
Hidden Benefits of Compliance

8.9
Methodologies and Frameworks

8.10
It's Not Just Regulatory Compliance

8.11
Further References

(In)security is everywhere. Security is a critical component of an IT Manager's life. Almost every decision he makes will have to be evaluated at some point for its security implications. Hiring a new programmer? How much access should that person have? Installing a new server? Who is allowed to access it? Making sure that authorized people have the access they need (and
only
the access they need), along with making sure unauthorized people are blocked from access, has become one of the many security-related themes of IT.

If confidential e-mails about unannounced merger or acquisition plans are posted on the Internet, a lot of yelling happens. But security problems do not just cause embarrassing situations. If a database with credit card and bank account information is hacked, or a laptop with employee information is lost, then there are various laws and regulations you have to deal with (particularly related to notification). You don't want your CEO furiously knocking at your door, but you
really
don't want law enforcement coming to see you.

And don't ignore the costs of exposures. In 2011, the Ponemon Institute released the results of its sixth annual survey, which showed that the average organization cost of a data breach was $7.2 million, or $214 per compromised record. The study also found that negligence was the most common cause of a security breach (41%), and another 31percent caused by malicious or criminal attacks (source
www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher
).

It seems like major security breaches are a daily occurrence: Sony, RSA, Honda, the U.S. Defense Department, and so on; losses from the events number well into the billions. The costs to repair these lapses in manpower alone are staggering, let alone the price of damaged reputations, data loss, business intelligence, national security issues, etc.

The topic of computer security has grown so large and complex that a single chapter can't begin to do justice to the topic. Security concerns are now so widespread that it's essentially an industry within an industry, with its own training classes, trade journals, certifications, job definitions, books, webinars, and so on devoted to addressing the issue.

As a result, the primary goal of this chapter is to provide you with a framework to think about security, to outline the issues, and to point you to places where you can get more information.

8.1 How We Got Here

It is well understood in the technology community that in the 1980s, but especially in the 1990s, the push was to connect everything and everybody. One of the original goals of Java was to create an operating system so basic it would allow, famously, your toaster to talk to your computer.

Well, with handhelds, social networking, wireless, and countless ways to exchange and share data, it's safe to say that almost all that connectivity has been achieved. But it has come at a giant price. Little or no thought was given back then to the consequences of allowing all those computers to connect to each other. International and domestic groups of hackers with less-than-ideal motives have joined communities, entered networks, and caused serious computer havoc all over the planet. The main challenge was once how to share things electronically. The main challenge now is how to keep everything safe—how to keep your data, your networks, and your company secure.

Get Perspective

First, don't be overwhelmed. Read this chapter to determine which issues you should start examining. Not every threat will affect you; if yours is a virtual company, for example, you may have a different set of security priorities and concerns than someone managing a traditional office setting.

The volume of threats, vulnerabilities, and risks is enormous. Even scarier is what we don't know. If you start thinking of all the ways your environment can be breached, you'll feel inundated and feel paralyzed. You need to take comfort in the fact that you're taking the right steps to best protect your environment. Remember, security protection is an ongoing and iterative process; you can never say, “Okay, it's done.”

Second, read the section later in this chapter on
“Risk Analysis and Risk Management”
on
page 210
carefully. If it hasn't been done already, perform a risk analysis. Finally, read the section on
“The Rules”
on
page 227
in this chapter to help you understand what is expected in your industry, or required by different regulations. Lastly, read the sections,
“How to Comply with the Rules”
and
“Methodologies and Frameworks”
on
page 234
for ideas on ways to ensure best practices for compliance.

Computer Security Themes

Within the discussions of security, several themes appear again and again:

•
Security versus privacy versus convenience

•
Intention matters

•
CIA (confidentiality, integrity, and availability)

•
Look very closely—it may not be what it appears to be

Security versus Privacy versus Convenience

In security, the trade-off between privacy and security is a choice made all the time. Radio Frequency Identification (RFID) tags, for example, are an excellent example of this duality.
RFID
tags are small chips embedded in thousands—soon millions—of products.

These tags allow for the electronic identification of people, animals, and objects. A sweater you buy at the department store can carry an RFID tag, for example. With RFID tags, your entire shopping cart could be scanned in an instant at the checkout without having to remove every item to be scanned individually. This is already being done in supermarkets in Europe (
news.cnet.com/Tesco-to-track-milk-deliveries-by-RFID/2100-1033_3-6079022.html?tag=lia;rcol
).

However, as you go through your day, RFID scanners at other stores could also read those same tags. Perhaps these other stores do this to get a sense of whether you're a big spender or not, what your clothing sizes are, or what their competition is selling. The uses for RFID chips are multiplying at a dizzying rate.

Grocery store shopping lists are generally not held that close to the vest, but you might be surprised at what you value when it's taken away from you. During Super Bowl XXXV in Tampa, all attendees’ faces were surreptitiously photographed; those photos were then scanned and compared with images in a police database of criminals and criminal suspects. Many people found news of that action profoundly disturbing because it was done without permission or notification.

The aftermath of the World Trade Center attacks implemented a lot of debate about this topic, as many people felt that some of the United States’ actions and laws to help prevent a recurrence would sacrifice civil liberties and personal privacy.

The trade-off between security and convenience will only become more onerous. The long lines at security gates at airports are an excellent metaphor for modern life; you can no longer just walk up to the gate and board your plane. Nor can you just turn on your computer and start working. You need to enter a password (perhaps more than one) to a machine that may be locked to your desk. Now passwords are often six and 10 digits long and have to be changed frequently. If you require “complex” passwords (e.g., mixing upper- and lowercase, use of special characters, etc.) and those passwords can't be reused, your auditors will probably be thrilled. Finding an acceptable balance between security and convenience is one of the greatest challenges in IT security.

However, you may find that users end up writing their passwords on Post-It notes attached to monitors in order to remember them. Users complain mightily about issues like this, but the more educated they are about the risks the company faces and their role in mitigating these risks, the less they will protest. This issue is discussed throughout this chapter; in particular, see the section
“Action 4: Work with Users to Make Everyone More Secure”
on
page 212.

Intention Matters

White and black hats, hacking, mis-configuration or mal-configuration, adware, spam, phishing,
spoofing
, and
spyware
are just some of the terms related to computer security, but one of the key points in any security discussion is what was the
intent
behind the event? The results can still be devastating regardless of intent, but knowing the original purpose can sometimes help solve the problem more quickly.

If your system has been breached by a malicious hacker, you need to take specific steps to address the problem. If your system is overwhelmed by
adware
, you also need to address the problem. In both cases, the entire system can come crashing down. But understanding that one event was the result of malicious intent, and the other may have been the result of innocent user activity can help determine the magnitude of the problem and how it's addressed so it does not recur.

CIA

The three basic tenets of information security are summarized with a classic acronym: CIA. It stands for confidentiality, integrity, and availability. Learning about information security means learning about “CIA.”

•
Confidentiality
refers to keeping secret information secret. Techniques for keeping things secret include cryptography, access control, and others. You may be protecting customer data or files for next week's presentation to the board. In either case, you want to keep confidential material from getting disclosed accidentally or intentionally. In many cases, confidentially isn't only a professional/ethical obligation, but also a regulatory requirement.

•
Integrity
in information security means that data aren't altered, either intentionally or accidentally, without proper process and authority.

•
Availability
means the systems are running and usable as they are supposed to be.

The CIA model, adopted from the military, has its strengths and weaknesses. It is a place to start thinking about security, but it isn't the final answer. The Web is full of discussions about the pluses and minuses of the CIA security model.

Look Very Closely: It May Not Be What It Appears

Computer security now is often a matter of determining that one innocent-looking item—an e-mail, a log entry, or a file change—is actually a sign of something radically different.

•
Phishing is e-mail with a well-disguised intent. If they haven't been already, you need to educate your users on how to behave when they receive those fake requests that look like legitimate queries for information from legitimate sources (like banks and financial websites), but aren't.

•
See the sidebar called
Some Security Stories
on
page 225
later in this chapter for the story of how research into a $.75 accounting discrepancy led to the dismantling of an international hacking ring.

•
Trojan horses
and viruses are applications that appear to be something you want, but in reality they're just disguised files for malicious programs. Programs like these may be used for various things like capturing passwords, looking for (or creating) vulnerabilities on your network, or grabbing data from your servers.

•
Social engineering
is a technique for gathering confidential or privileged information by simply asking for it. Hackers have discovered that people have a general tendency to trust others; hackers can get users to reveal items such as passwords, or to do something that's essentially against policy, by simply phoning the user and pretending to be from tech support, for example.