Simon Holloway looks into the shady world of information security and explores some ways to stay safe.
We live in a world now that whatever you read you are bound to come across the word ¡°security¡± in some form. This word covers a whole gamut of meanings so let¡¯s go back to basics for a simple definition: Security is about freedom from doubt, anxiety, fear, risk or danger; safety. It also has associated with this meaning the context of confidence in that freedom.
Now if we then added the little word of IT in front, we have one of the bains of the IT manager, as Nigel Stanley, Bloor Research¡¯s practice leader for security explains: ¡°IT security comprehensively covers the whole remit of protecting and defending business or organisational systems and data from unwelcome attacks or intrusions.
This large area includes protection from the outer edges of the security domain such as handheld devices through to network perimeter, inside threats and local defenses. It looks at the ever growing threats, many of them new and innovative. It includes use of firewalls, data loss prevention, data encryption, antimalware, database protection, identity management, intrusion detection/prevention, content management/ filtering and security policies and standards.¡±
But why should you be concerned? Business Link in its guide to IT Security states: ¡°The security of business IT systems has never been so important. Businesses rely more and more on IT to support their activities, and this makes them increasingly vulnerable to threats from hackers, viruses and even their own staff. Having the correct information at the right time can make the difference between success and failure for your business.
Effective security can help you control and secure information from malicious changes and deletions or from unauthorised disclosure.¡± The manufacturing sector has harnessed the power of IT to underpin improvements in productivity, process efficiency and higher quality supply chains. Like every other industry, the sector also has to cope with a sharp increase in flexible working arrangements and growing security challenges. Ravi Pandey, senior vice president and UK head of NIIT Technologies, explains: ¡°IT managers are alarmed about the increasing use of social networks and social media by employees while at work.
Research has shown that employees using applications on social networks while at work is the largest single security concern for IT managers and when staff members download unapproved applications, this can lead to the infections of systems via viruses. With many organisations outsourcing their IT, it is essential all due diligence is carried out.¡± Dave Mount, Technical Director, UK & Ireland of NetIQ, says: ¡°Enforcing security policy is a challenge for enterprises. IT process automation can step in and ensure that there is a consistently applied and controlled procedure for managing access to critical data and applications. It is this capability to sustain the highest levels of security without deviation that underpins the role of ITPA in network security. This not only delivers a secure environment but also ensures an organisation complies with prevalent information governance requirements.¡± Real prevention starts from having in place robust identify management systems that are consistently applied and controlled.
Understanding the Standards
The key standard for IT security in the UK is BS ISO/IEC 27001, the main objective of which is to help establish and maintain an effective information management system. The standard covers all of the main security issues from a manager¡¯s viewpoint and goes into significant depth in explaining good practice. The standard is divided into ten main sections each of which is key to maintaining security.
These are:
¡ñ Security Policy ¨C explains what an information security policy is, what it should cover and why your business should have one.
¡ñ Organisational Security ¨C explains how information security should be managed in a business.
¡ñ Asset Classification and Control ¨C assets include the information itself, computers, software and even services.
These could all be valuable and need to be managed and accounted for.
¡ñ Personnel Security ¨C personnel issues such as training, responsibilities, vetting procedures, and how staff respond to security incidents.
¡ñ Physical and Environmental Security ¨C physical aspects of security including protection of equipment and information from physical harm, keeping key locations secure as well as physical control of access to information and equipment.
¡ñ Communications and Operations Management ¨C appropriate management and secure operation of information processing facilities during day-to-day activities. This specifically includes computer networks.
¡ñ Access Control ¨C control of access to information and systems on the basis of business and security needs.
Access control is concerned with controlling who can do what with your information resources.
¡ñ System Development and Maintenance ¨C some businesses develop their own software. This part of the standard deals with the issues that are associated with the design and maintenance of systems so that they are secure and maintain information integrity.
¡ñ Business Continuity Management ¨C addresses the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor local issues.
¡ñ Compliance ¨C concerns business compliance with relevant national and international laws.
What should I be aware of that is new for this year?
Corey Nachreiner, senior security analyst at WatchGuard, has put forward the following predictions for 2010:
¡ñ Social Networks: The #1 Malware Source ¨C Neilson Online says social networks have become more popular communication tools than email. Social networks by their very nature are gathering places, which tends to imply increased levels of trust. Lastly social networks leverage complex, Web 2.0 technologies that can suffer serious security vulnerabilities.
¡ñ Third-Party Programs Get Owned ¨C OS vendors have fixed most of the obvious flaws so the code in their popular client applications for web browsing and email is more secure, and the patch cycle is well established and often automatic. Nachreiner sees that hackers will target 3rd party applications such as Adobe Flash, Sun Java, and Adobe Reader.
¡ñ Smart Phones Get Hammered ¨CA smart phone is simply a mobile phone that has all kinds of extended PC-like services, such as web browsing, email, and sometimes even word processing. They increase your phone¡¯s attack surface. Now add to this scenario the number of smart phones in use. Nachreiner predicts that every popular smart phone will suffer at least one attack during 2010.
¡ñ Data Loss Prevention Makes Big Gains ¨CAs technologies that directly protect data ¨C things like local hard drive encryption and DLP (data loss prevention) solutions are adopted by SMBs.
¡ñ Windows 7 Suffers Critical Zero Day Vulnerability ¨C Windows 7 reversed some of Vista¡¯s security capabilities.
Nachreiner expects at least one critical, zero day Windows 7 exploit to surface in the next 12 months.
¡ñ Cloud Computing: Half Haven, Half Storm ¨C Nachreiner expects at least one major cloud service security breach, which will bring some of a number of the security issues I raised in the previous article on Cloud computing security issues to a head. On the other hand, cloud-based security solutions will thrive in 2010.
¡ñ Mac Threats Double ¨C In 2009, Apple fixed hundreds of vulnerabilities in its OS and supporting products and Apple users began to see increased examples of Mac malware Nachreiner believes that. Mac users should expect to see twice as many Mac threats in 2010.
¡ñ Poisoning The Information Well ¨C Nachreiner expects major SEO (search engine optimisation) poisoning attacks to surface in 2010, and he suggests you remain wary of your web search results.
This sounds like a big headache. So what how can you ensure your organisation is adequately and effectively protected?
Getting the ground rules in place
It is important to have an effective set of policies and procedures in place which are constantly kept up-to-date. They are crucial to implementing an effective information security strategy. They should be viewed as the glue that holds all aspects of information security together, without them each aspect of information security would be a collection of disparate parts. For policies to be effective, they must reflect the organisations¡¯ specific requirements. But the key is to identify what you are vulnerable to and concentrate on that.
Pandey explained that NIIT conducts a vulnerability assessment in order to highlight vulnerabilities that an attacker could exploit in an organisation¡¯s system. There are a number of consultancy companies who provide similar services.
So where can you go to to find guidelines to help you get started? Business Link has issued a number of useful introductory texts that provide some good basic advice. The Information Security Forum (ISF) is an independent, not-for-profit organisation that supplies authoritative opinion and guidance on all aspects of information security. It has produced a Standard of Good Practice and as a basic guide I have found this a useful starting point. This presents a comprehensive set of practical and measurable information security-specific controls. The main aspects covered are: ¡ñ Security Management (enterprise-wide) ¨C high-level direction for information security, arrangements for information security across the organisation, and establishing a secure environment.
¡ñ Critical Business Applications ¨C requirements for securing business applications, identifying information risks and determining the level of protection required to keep information risks within acceptable limits.
¡ñ Computer Installations ¨C the design and configuration of computer systems, management activities required to establish a secure computer installation and maintain service continuity.
¡ñ Networks ¨C network design and implementation, management activities required to run and manage secure networks, including local and wide area networks, and voice communication networks.
¡ñ Systems Development ¨C the application of information security during all stages of systems development, including design, build, testing and implementation.
¡ñ End User Environment ¨C local security management, protecting corporate and desktop applications, and securing portable computing devices.
Whatever size of organisation you are, your information is a critical resource that you have to protect. But not all information is equal in importance, so you do need to understand what information is critical to your business, and also what information you share with external sources, such as customers, suppliers and partners. You also need to set up some basic security levels, such as locked room for servers, user ids and passwords, security entry cards. Always remember that security needs to be actively managed in your organisation.