Overall, it has been a rough year for information security in the world. We ended 2010 with WikiLeaks, and it continued into 2011, fed by the disclosure to WikiLeaks of classified government material and confidential, internal-use-only corporate information. This trend of intolerance of the system calmed through much of the summer only to resurrect itself in the form of the anti-establishment “Occupy” movement later in the year. While the Occupy movement is not itself a cyber-security worry, it does highlight that people have a considerable dissatisfaction with the status quo and are looking for change – and unmoderated change is usually not exactly good for the efficiency and security dynamics of any organization.
We’ve heard more about Stuxnet, and seen new viruses – I just picked off a copy of a Trojan Dropper last night, reading security news stories (an executable stored in Explorer temp files – cool). We’ve seen Apple systems exposed to attack. We’ve seen corrupt applets running on Android – I’m not quite ready to say I have seen Android hacks or viruses in the wild. I have seen rampant loss of control over the permissions requested by Android widgets on install (Google Maps, you really need access to my private phone information, read and write access to my contact information, along with the ability to make phone calls and record audio? Really? Update fail.) We’ve seen zero day vulnerabilities in widely used applications and services. We have seen literally millions of healthcare records breached. We have seen huge companies get breached, resulting in days and weeks of outages, and probably billions of dollars spent in recovery and rebuild. We found that an unauthorized user can access sensitive functions on an iPhone by using Siri. Should we be surprised that web-enabled printers can be attacked remotely? We have had drone hacks, ATM scammers, phone hacking and nude photos galore (so to speak). And that is just the tip of the iceberg. Sometimes it seems like the sky is falling.
A friend of mine asked me a couple of weeks ago, “So, with all these things going on, how do you do everything that you need to be safe?” That is a hard question. Everything?
A complete list of everything an organization should do to make itself safe would literally fill books. So, instead, if you want to take the right steps toward being secure, and being compliant where appropriate, what are the 10 things that should be at the top of everyone’s wish list for the holidays?
1. I wish for a complete BIA (Business Impact Analysis). You have to know what you have before you know how to protect it. I won’t dwell on this other than to say that if you answer these four questions, you are working on your BIA:
a. What is your most critical data?
b. What systems, databases, and applications support that data?
c. What regulatory requirements am I required to
d. What would the impact on your organization be if that data, or its supporting systems, were lost or compromised (and released to the public)?
2. I wish for a complete Risk Assessment. It has probably been many years since I read a security standard that did not prominently include language to the effect that “the organization must do a Risk Assessment”. Your BIA will drive this directly, because it will help identify the relative criticality and sensitivity of your data. Where the BIA helps identify the relative criticality of your systems and data, your Risk Assessment helps identify known risks and potential exposures of that data. Doing a Risk Assessment assumes that you actually track the results. If you identify a risk to part of your environment, you should be taking mitigating actions, and tracking what actions you have taken. And, for that matter, even where you have not yet done anything, you should be identifying an action plan for how you intend to close any known risks in your environment. Most compliance assessments understand that it is hard to fix everything immediately and will give you credit for identifying a flaw, as long as you have a plan to fix that flaw.
3. I wish for new storage criteria. If you don’t need it, don’t store it. This can be hard because you want to make sure you have the data you need to run your business and service your customers. But if you are evaluating your data anyway, why take on compliance obligations for data you might not need? Do you need to store that credit card data? If you do, you are subject to PCI requirements. If you don’t need to store the data, then there is a lot of work that you may be able to avoid. Depending on your exact business and industry, you may be able to eliminate compliance data from your environment entirely. Part of your BIA and Risk Assessment should be to evaluate, “do I really need that data to run my business?”
4. I wish to segregate systems by data sensitivity. If you can isolate systems, you can potentially have better control over the environment in which the data resides. Would you rather do a PCI or HIPAA audit of your entire environment, with all 730 servers, or would you rather segregate your required systems into a PCI network with three servers and a HIPAA network with four? I am not sure about your math, but I would much rather do compliance on those seven servers than on all 730 of my corporate systems. But, that does mean you have to plan what you are doing, and you may have to apply re-architecture effort to make it work. This may very well be impossible in a highly diverse environment, but you should at least be considering it and making a conscious decision whether or not to do it.
5. I wish for better encryption. Encryption goes a long way towards protecting your sensitive information. Many compliance standards require encryption, and others recommend it. The point is that it can transform your entire environment. HITECH considers unencrypted healthcare data to be “unsecured” PHI. HITECH draws such a distinction here that if your data is encrypted and lost (as long as you have confidence that you have taken reasonable steps to protect the encryption key), this is not considered a breach and does not need to be reported. Look at the reported losses on the DHS website and tell me this is not significant. Sensitive data should be encrypted wherever it sits in your environment, on any portable devices or media, and any time it moves around. And, you don’t have to make this overcomplicated: even hard drive encryption and database encryption can go a long way towards protecting your cool data.
6. I wish for better controls for high-level data. Enforce need-to-know with your users, and limit administrative access to administrative personnel who genuinely need it. You should be checking your group access rights and group memberships to help ensure that your information access is appropriate, and should be monitoring and tracking user access to help you more easily resolve any incidents.
7. I wish for better user education. Saying that training is important just sounds lame. But, it is. Important, not lame. Make sure your compliance people understand the appropriate compliance standards well enough that they can be genuinely productive. Make sure your technology and security staff are trained in the technology you are using. Make sure your security staff understand security concepts, threats, risks and vulnerabilities. Make sure your staff understand the value of your organizational and client data, along with appropriate steps to protect it. Make sure your staff understand how to recognize and avoid social engineering attacks. Basically, make your best use of a solid security awareness program.
8. I wish for control over my environment. Implement configuration management and control. Standardize your environment to the extent possible and lock systems and settings down through configuration control. Controlling change helps you field standardized systems. It also helps you simplify troubleshooting and problem isolation, and helps in failure and incident recovery. Actively manage system patches. Actively manage known faults. Actively manage known vulnerabilities in your systems (and map those back to your BIA and Risk Assessment to prioritize fixes). Actually having confidence in what your environment looks like goes a long way towards managing your risk, and it also enables your active monitoring.
9. I wish to have a clearer eye on all of my systems. Don’t just take everything that you have done for granted. Monitor your internal environment. Monitor internal access. Monitor unauthorized access attempts. Monitor access to critical and sensitive data. Monitor for aberrant behavior on internal systems. Monitor for traffic where there was no traffic, and monitor for unauthorized changes to controlled systems. If you are watching for all the little indicators, you can improve the chances that you can catch something happening. Sometimes this just puts you in a better position to recover when something goes wrong, but sometimes this helps you catch, and stop, something before it goes wrong. Always a good thing.
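As an added illustration of the monitoring list above, and of checking controlled systems against the configuration baseline from wish 8, here is a small Python checker that is not part of the original post. The log format, the group policy for the sensitive store, the known-flow list and the baseline file content are all constructed assumptions for the example.

```python
import hashlib
from collections import Counter

# All data below is constructed for this example, not taken from any real system.
LOG_LINES = [
    "2011-12-20T01:02:03 auth user=jdoe src=10.0.0.5 result=FAIL",
    "2011-12-20T01:02:09 auth user=jdoe src=10.0.0.5 result=FAIL",
    "2011-12-20T01:02:15 auth user=root src=10.0.0.5 result=FAIL",
    "2011-12-20T01:02:40 auth user=asmith src=10.0.0.7 result=OK",
    "2011-12-20T01:03:10 data user=bsmith group=marketing store=phi_db action=read",
    "2011-12-20T01:04:00 data user=nurse1 group=clinical store=phi_db action=read",
    "2011-12-20T01:05:30 net src=10.0.0.7 dst=10.0.0.9 port=443",
    "2011-12-20T01:06:02 net src=10.0.0.5 dst=10.0.0.9 port=445",
]
# Which groups may touch which sensitive store (your BIA tells you this).
ALLOWED_GROUPS = {"phi_db": {"clinical"}}
# Flows that normally exist; anything else is "traffic where there was no traffic".
KNOWN_FLOWS = {("10.0.0.7", "10.0.0.9", "443")}
# Configuration baseline: hash of each controlled file's approved content (constructed).
BASELINE = {"/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest()}
CURRENT_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}

def parse(line):
    """Split 'timestamp kind key=value ...' into a dict."""
    ts, kind, *fields = line.split()
    return {"ts": ts, "kind": kind, **dict(f.split("=", 1) for f in fields)}

def failed_access_bursts(lines, threshold=3):
    """Source addresses with at least `threshold` failed logins (unauthorized access attempts)."""
    fails = Counter(e["src"] for e in map(parse, lines)
                    if e["kind"] == "auth" and e["result"] == "FAIL")
    return {src: n for src, n in fails.items() if n >= threshold}

def out_of_group_data_access(lines, allowed=ALLOWED_GROUPS):
    """Reads of a sensitive store by a group with no need-to-know."""
    return [(e["user"], e["store"]) for e in map(parse, lines)
            if e["kind"] == "data" and e["group"] not in allowed.get(e["store"], set())]

def unexpected_flows(lines, known=KNOWN_FLOWS):
    """Network flows that are not in the known-traffic list."""
    return [(e["src"], e["dst"], e["port"]) for e in map(parse, lines)
            if e["kind"] == "net" and (e["src"], e["dst"], e["port"]) not in known]

def drifted_files(current=CURRENT_FILES, baseline=BASELINE):
    """Controlled files whose content no longer matches the configuration baseline."""
    return [path for path, content in current.items()
            if hashlib.sha256(content).hexdigest() != baseline.get(path)]
```

Each function returns the indicators it found, so the four checks can be run on a schedule and their results fed into whatever tracking you already keep for your Risk Assessment.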
10. I wish peace on Earth and good will towards all mankind. No, that is not necessarily security relevant, but if I had to choose, I would probably pick this one first.