IT Manager's Handbook: Getting Your New Job Done
Authors: Bill Holtsnider, Brian D. Jaffe
If you manage the person in charge of security, or you are that person, a very close examination of the various elements of your system is required. You have to be able to tell quickly and often what is ordinary and what is even slightly out of the ordinary. See the section “Types of Threats” on page 224 later in this chapter for more information on this.
8.2 Managing Security
There are five actions that can serve as your guide to manage IT security:
• Action 1: Evaluate your environment's needs, exposures, and defenses.
• Action 2: Get upper level management buy-in.
• Action 3: Mitigate the risks.
• Action 4: Work with users to make everyone more secure.
• Action 5: Remember that security is an ongoing process.
Action 1: Evaluate Your Environment's Needs, Exposures, and Defenses
The first step in most security problems is to determine how much exposure and vulnerability you have.
Perform a Security Audit
In the world of computer security, determining your exposure and vulnerability is done by performing a computer security audit. An audit like this can range from having your network administrator regularly review logs, current levels of security patches, firewall settings, and policies to bringing in third-party security auditing companies and outside consultants. The latter is often the preferred method, because it eliminates any conflict of interest and built-in bias that could be associated with assessing your own environment. Most companies of any size will use outside firms to assess their security as a means of validation that the controls, policies, and technologies are working as the company had hoped and planned.
The magnitude of your commitment to a security audit depends on two things:
• How big your company is
• Which industry and which specific business your company is in
Naturally, a security audit for a garage-based start-up is going to take less time and money than one for a corporation with 25,000 employees. But the first point may not be less important than the second: In these days of intellectual property awareness, it isn't hard to imagine how valuable Google cofounders Larry Page and Sergey Brin's work was back when they were grad students just out of Stanford. And while no company wants to lose data, most would agree that losing sales figures for a small furniture company isn't as disastrous as data lost by some of the private companies doing war time security contracting for the government.
Regardless of size or industry, the first step you should take is to perform an audit. The goal of your audit should be to clearly determine the level of risk you are facing now and any potential exposures you can identify that you will face in the future.
Risk Analysis and Risk Management
Risk analysis is the process of identifying the security risks throughout your system and the potential loss for every threat that is identified. Risk management is the steps you take to address the risks identified as a result of your analysis. Most of this chapter is concerned with risk management; however, the next section discusses risk analysis.
Risk Analysis
There are two types of risk analysis: quantitative and qualitative. As their names imply, each approaches the same data in a different way.
• Quantitative. This method assigns numerical values both to the damage each threat would cause and to the cost of preventing it. Formulae include calculating the probability of a threat occurring and the likely loss should one occur. Despite the supposed mathematical rigor of this technique, subjective evaluations creep in.
• Qualitative. This method generates an analysis of the risks facing an organization and is based on experience, judgment, and intuition. While subjective by definition, efforts are made to make these analyses as objective as possible.
Regardless of which method you choose (or, if you have sufficient time and money, you choose both), know that there are many companies poised to help you conduct your analysis. As with every component of this chapter, individual companies have arisen that are devoted to even the smallest corner of the computer security world. The goal of a risk analysis is to provide a clear cost/benefit comparison. The cost of securing an item is compared with the risk of losing it.
Risk analysis is performed throughout corporate America, not only in the computer industry. It's a formal requirement of HIPAA, for example. (HIPAA is the Health Insurance Portability and Accountability Act of 1996—see more information regarding HIPAA on page 228.) The final security rule of HIPAA requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” In addition, the rule states that the “required risk analysis is also a tool to allow flexibility for entities in meeting the requirements of this final rule…”
Three Common Weaknesses I Find after I Do a Security Assessment
When doing a security assessment, there are three major components that companies always suffer from:
#1 Weakness: Weak Internal Controls on People
Companies need stringent controls on their employees. That does not necessarily mean watching their every move, tracking their every keyboard stroke, or monitoring every website they go to—although it can mean that, depending on the organization.
What “internal controls on people” really means is careful authentication to control who/what/when and which particular people can access which information. Eighty percent of security breaches occur because of improperly screened people and poor internal controls.
#2 Weakness: Mis-Configured (and Occasionally Mal-Configured) Devices
Most hardware devices, servers, routers, and desktops now come with security controls installed by default. However, these devices are often not configured properly, not patched properly, and not documented properly. Security is a 24/7/365 concern, not an “install-the-device-and-forget-about-it” type of activity.
#3 Weakness: Outside “Fingerprints”
As a computer security consultant, I am amazed that corporations don't take advantage of the large number of intrusion detection and intrusion prevention tools that are now available. Hackers are clearly studying these things; why aren't you using them?
—Mark Willoughby
Security Author and Consultant
Risk Analysis Tools
There are many risk analysis tool options, but here are links to two free methods from well-known sources (Carnegie Mellon and Microsoft):
• The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method. It's a complete, free, and thorough method. The method was developed by CERT at Carnegie Mellon University (www.cert.org/octave/methodintro.html) and is federally funded.
• Microsoft's Security Assessment Tool at www.securityguidance.com.
Risk Management
Once you've identified the risks using risk analysis, strategies for managing those risks can be defined. Common strategies for managing risk include:
• Mitigate the risk by implementing controls, procedures, technology solutions, etc.
• Transfer the risk, perhaps by sharing the risk with partners better able to deal with it.
• Accept the risk by recognizing that it exists, people are aware of it, and it is being watched.
Even if no immediate steps to deal with risk are taken after the risk analysis is done, just being aware of the risk can be a form of risk management as that knowledge is likely to influence future decisions.
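The cost/benefit comparison described under Risk Analysis and the mitigate-or-accept decision from the strategies above, worked through as an added example (not from the handbook): the expected yearly loss from a threat is the likely loss per occurrence times the yearly probability of occurrence, and a control is worth buying when the loss it avoids exceeds its own cost. The threat names, dollar figures and control costs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One row of a constructed risk register (all figures are made up)."""
    name: str
    loss_per_event: float     # likely loss each time the threat occurs
    events_per_year: float    # probability of occurrence per year (may be < 1)
    control_cost: float       # yearly cost of the proposed control
    residual_fraction: float  # share of the loss that remains after the control


def expected_annual_loss(loss_per_event: float, events_per_year: float) -> float:
    """Likely loss per occurrence times the yearly probability of occurrence."""
    return loss_per_event * events_per_year


def net_benefit(t: Threat) -> float:
    """Yearly loss the control avoids, minus what the control itself costs."""
    before = expected_annual_loss(t.loss_per_event, t.events_per_year)
    after = before * t.residual_fraction
    return (before - after) - t.control_cost


def recommend(t: Threat) -> str:
    """Mitigate when the control pays for itself; otherwise accept and watch it."""
    return "mitigate" if net_benefit(t) > 0 else "accept"


# Constructed register for a small company; every number is illustrative.
REGISTER = [
    Threat("laptop theft (unencrypted disk)", 25_000, 2.0, 6_000, 0.10),
    Threat("web server defacement", 8_000, 0.5, 12_000, 0.20),
    Threat("ex-employee account misuse", 60_000, 0.25, 3_000, 0.05),
]


def risk_report(threats=REGISTER) -> list[tuple[str, float, float, str]]:
    """(name, expected annual loss, net benefit of the control, recommendation)."""
    return [(t.name, expected_annual_loss(t.loss_per_event, t.events_per_year),
             net_benefit(t), recommend(t)) for t in threats]


if __name__ == "__main__":
    for name, ale, benefit, action in risk_report():
        print(f"{name:32} ALE ${ale:>9,.0f}  net ${benefit:>9,.0f}  -> {action}")
```

The defacement control is rejected not because the risk is unreal but because it costs more per year than the loss it prevents, which is exactly the case the "accept" strategy covers.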
Hire White Hats (to Manage the Threat of Black Hats)
In general, a hacker is someone who is interested in finding and exploiting security flaws of IT systems and networks. The industry has stolen a paradigm from old cowboy movies to identify the good guys and the bad guys as white-hat and black-hat hackers. Black-hat hackers are those you generally think of with the term “hacker”—they're interested in security flaws in order to take advantage and abuse them—usually for profit, but oftentimes just to see what trouble they can cause. However, white-hat hackers are interested in security flaws as a way of identifying how security can be improved and how systems can be better protected. White-hat hackers are sometimes called “ethical hackers.” In 2011, the hacker group LulzSec claimed that its activities included hacking into the CIA, PBS, AT&T, and the Brazilian government's websites. The group said that its motivation, in part, is because these sorts of public attacks push websites to improve their security (www.cnn.com/2011/TECH/web/06/26/tech.lulzsec.hackers/).
Both white- and black-hat hackers have exceptional technical skills and are experts in operating systems, networks, etc. Many black-hat hackers become white-hat hackers when they realize that their skills should be put to use for good instead of evil. Sometimes, jail time or a fine helps them see the light.
Action 2: Get Upper Level Management Buy-In
Security is an issue that impacts every level and every facet of the organization. CEOs can have their core company data compromised and security guards can have their keys stolen and their offices broken into. Classically, a top-down approach works better: The security policies and procedures are better aligned with the company's overall direction. A bottom-up approach, where IT initiates the direction, will generally not be as successful. Many organizations identify an individual to function as the Chief Security Officer (CSO). Depending on the company and the industry, this role may exist within IT or may exist as part of the company's executive team. This individual may tackle issues related to physical security, computer security, IT policies, privacy, investigations, among others.
See the section “Action 4: Work with Users to Make Everyone More Secure” on page 212 later in this chapter for ideas on how to get all employees in an organization to actively participate in making security a part of all corporate activity.
Action 3: Mitigate the Risks
Using the risk analysis process, you've identified certain exposures and vulnerabilities in the environment. Now you have to weigh those risks against the cost of mitigating them, along with navigating the trade-offs of security and privacy.
Some of the different technology solutions for reducing risks are discussed later in this chapter in the section “Security Solutions and Technologies” on page 214.
However, many things can be addressed with simple solutions or procedural changes. For example:
• User education can go a long way: simple steps such as advising them on effective passwords or reminding them to log off when leaving for the night can be very useful. Defining company policies about security practice, safeguards, and guidelines provides additional emphasis.
• Policies to track security-related requests: asking users to submit written requests via e-mail, for example, for changes in security privileges (instead of a phone call to the network manager) is an effective tool.
• Carefully tracking all changes to the environment with a change request (CR) system.
• Periodic review of IDs and privileges, and disabling those that are no longer needed, should be a regular process.
• Being diligent about applying security patches and following vendor and industry best practices.
• Very prompt disabling of access when an employee leaves the company should become a standard practice in your department; ex-employees are a known source of security breaches. Many companies now cut off access the moment the employee is informed of their change in status. (See the section “User Terminations” on page 216 for more detail.) In some organizations, employee accounts will be disabled automatically as soon as the employee's status changes in the payroll system.
Many of these items can be automated so that the manual processes, confirmations, and such can be minimized.
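An added example (not from the handbook) of the automation the paragraph above mentions: a reconciliation that compares an account export against the payroll roster and flags accounts whose owner is no longer active in payroll, plus IDs that have gone unused past a cutoff, covering both the periodic review of IDs and the prompt disabling of leavers. Both data sets, their CSV column names and the 90-day cutoff are constructed assumptions.

```python
"""Flag accounts to disable by reconciling an account export with payroll.
Inputs are constructed CSV text in a hypothetical layout; a real run would
read the directory and payroll exports instead."""
import csv
import io
from datetime import date

# Constructed payroll export: employee id and the status payroll records.
PAYROLL_CSV = """employee_id,status
E100,active
E101,terminated
E102,active
"""

# Constructed account export: login, owning employee id, last logon date.
ACCOUNTS_CSV = """login,employee_id,last_logon
jdoe,E100,2011-06-20
rsmith,E101,2011-06-25
svc_backup,,2011-06-28
mlee,E102,2011-01-05
ghost,E999,2010-11-02
"""

STALE_DAYS = 90  # assumption: 90 days without a logon counts as no longer needed


def accounts_to_disable(payroll_csv: str, accounts_csv: str, today_iso: str) -> dict[str, str]:
    """Map each login that should be disabled to the reason it was flagged."""
    today = date.fromisoformat(today_iso)
    active = {r["employee_id"] for r in csv.DictReader(io.StringIO(payroll_csv))
              if r["status"] == "active"}
    flagged = {}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        owner = acct["employee_id"]
        if not owner:
            continue  # service account with no person behind it: review separately
        if owner not in active:  # terminated, or unknown to payroll altogether
            flagged[acct["login"]] = f"owner {owner} not active in payroll"
            continue
        idle = (today - date.fromisoformat(acct["last_logon"])).days
        if idle > STALE_DAYS:
            flagged[acct["login"]] = f"no logon for {idle} days"
    return flagged


if __name__ == "__main__":
    for login, reason in accounts_to_disable(PAYROLL_CSV, ACCOUNTS_CSV, "2011-07-01").items():
        print(f"disable {login}: {reason}")
```

Accounts with no payroll owner at all (here the orphan login "ghost") fall out of the same check, which is how the review catches IDs nobody remembers creating.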
Action 4: Work with Users to Make Everyone More Secure
If they aren't aware of it yet (and many aren't), you must convince every person in your organization—for-profit or nonprofit—that computer and information security is everyone's job. It's a cliché to you—a computer system is only as secure as its weakest link—but to many other people, that statement counts as wisdom. You must take this message “to the masses.”