Fit best practice with your security software

Security best practice is just as important as having the right software, writes Chris Green.

Chris Green, Computing 23 Sep 2003

Companies are increasingly considering their security as world events cast doubt on their ability to deal with natural disaster, human error or malicious attack.

Spending on security has reached record levels, and continues to climb as businesses seek to reassure shareholders and comply with standards and changing legal requirements.

However, being secure is about more than simply buying firewalls, antivirus software and login technology.

"Good IT security is about good management. It's more important to maintain patches and to document systems and procedures than it is to install expensive new security devices," says Bart Vansevenant, director of European security strategies at security service provider Ubizen.

"Secure environments are typically well-documented, with a procedure for regularly patching systems, good monitoring and control of servers, and where good security is part of a culture."

It is the process of managing a security policy that is paramount: without an actively maintained and enforced policy, the vast majority of your investment in security technology will have been wasted.

The policy is the defining part of any security process. It outlines exactly what needs to be done and identifies what is most important to the organisation, and it embodies some of the most vital messages that it wants to communicate.

Policies define the culture of the organisation and are crucial to the organisation's compliance with the many laws and regulations to which the business is subject.

Best practice policy
Most organisations have at least some documented policies, perhaps covering a limited range of issues key to the business. While some areas - especially human resources - normally have well-established procedures, there are a number of key areas which are often under-developed.

These often relate to IT, where the fast-changing world of software and hardware technology makes it difficult to keep on top of the latest technologies and issues while, at the same time, serving the users and the business.

But where do you start? For most organisations a security policy needs to be based on business need.

"To formulate an adequate security policy, it is vital that the organisation understands exactly what needs protecting, and from whom," says Gary Clarke, vice president of sales and marketing at Rainbow Technologies.

"Evaluating who within the organisation needs access to certain types of information is key to developing an adequate security strategy. Who should be granted access, for how long and under what circumstances?

"By answering such questions a company can tailor a security policy to its own specific needs, and, once the policy has been recognised and understood across the company, the relevant technology can be implemented to safeguard sensitive information."

For those organisations which do not have the expertise or time to write policies in-house, pro forma policies are available via the internet, often for free or for a nominal fee.

The problem is that such a policy is up-to-date only on the date of purchase; it is the buyer's responsibility to keep it current. Another disadvantage of these policies is that they can often be difficult to tailor to your own needs.

"Protecting information and ensuring compliance with standards of good practice is an increasingly important part of good business management," says Jason Creasey, senior project manager at the Information Security Forum. "Organisations need a clear definition of what constitutes good practice in information security."

The Information Security Forum publishes a standard of good practice, one of the most concise available for free.

"The standard provides a framework that has been created through the work and experience of our member organisations," says Creasey.

"It can be used to help an organisation to assess its security situation and performance, along with enhancing awareness, checking compliance with industry standards and regulations and maintaining business integrity."

A more practical option is to bring in an outside consultant to assist with policy drafting - or at least to review what has been produced in-house. This gives all concerned additional peace of mind and may be a more efficient use of management time.

The burden of updating a policy can also be shifted to the third party, allowing the IT department to concentrate on the task of implementation.

Wireless security best practice
Wireless local area network (Lan) technology is already common in many organisations, and has proved itself useful as a means of quickly, easily and cheaply extending the reach of the corporate Lan, providing mobility and roaming, and improving productivity by increasing access to network resources.

However, wireless networks are also one of the biggest potential crisis points for IT security, posing the risk of leaving the network wide open to the outside world, and so putting systems and data at risk.

Companies looking to deploy wireless Lans, or which already have them, must ensure that policy and administration take into account the potential risks of a wireless Lan, and that these are addressed rather than simply being documented.

Angelo Lamme, international wireless and security manager for 3Com, lists the following considerations for maintaining security and aiding administration of a wireless network:

  • Put the access point in the right place. Start with the basics: within your network configuration, ensure wireless access points are connected to the network outside your firewall.
  • Use Mac addresses to control access: using Mac address-based access control lists will allow only registered devices to access the network. While it can be 'spoofed', Mac address filtering provides a good obstacle for unauthorised users.
  • Manage your wireless network ID: all wireless Lans come with a default service set identifier (SSID) or network name. Change it immediately to something random and complex (using letters and numbers). If your organisation can handle the administrative work, regularly change the SSID.
  • Turn on encryption: Wired equivalent privacy (Wep) is the standard 802.11b wireless security encryption protocol. Enable it, and then immediately change the Wep key from the default. Wep is widely regarded as being as robust as a chocolate fireguard, but it is an obstacle, and it's there - so use it, but don't rely on it.
  • Integrate wireless and wired policies: wireless security is not a separate network infrastructure that requires different procedures and protocols. Develop a security policy that combines both wired and wireless security to ensure that loopholes do not occur for users of one technology over the other.
  • Don't allow departments to sprout a rogue network: Wireless Lan set-up is now simple enough for non-technical staff to install their own wireless routers or access points in their office departments, with little thought for security. Regularly scan the network with intrusion detection tools to root out rogue networks that provide a potential hacker entry point. Create a policy that restricts wireless Lans from being established without formal systems administration approval and deployment.

Best practice through education

The traditional approach to policy deployment is to issue a new employee with a staff handbook, with a clause in the contract obliging them to read the information. The reality, however, is that few people will take the trouble to read a policy handbook carefully, and the handbooks themselves are rarely updated.

Baltimore Technologies principal consultant Ian White says companies must pay more attention to education and communicating the point of their policy to staff, rather than just expecting it to be adhered to.

"One of the most cost-effective security measures that a company can implement is to raise the level of security awareness in staff and customers through the use of a small number of targeted security messages," he says.

Even a modest increase in the general level of security awareness is likely to result in more instances of unusual behaviour being noticed and may deter potential attackers.

Lack of understanding about policies is evident not only on the shop floor, but also in the boardroom. IT departments continue to battle to explain that a policy applies to all.

"The chief executive can unwittingly pose the greatest security threat," says Clarke. "While having unlimited access to all data and systems, it is also probable that he or she is least likely to appreciate the need for security controls.

"Consider the case of the chief executive who finds it difficult to remember new passwords. They inevitably will at best select a weak password, or in the worst case scenario will write down the new password on a Post-It note where it might be found and used by an unauthorised person."

This is a problem for IT departments, which sometimes find themselves placed in an unacceptable position where their authority and responsibility to the business is compromised by senior management.

So as well as laying down the reasons why operational policy is in place, it's also important that a policy details the business and productivity argument.

This, in turn, will make it easier to argue the case with the board on budget, let alone compliance.

"A chief executive's focus is not security, it's ensuring that they get the best for their stakeholders," says Clarke.

"This means that expensive deployments to ensure the security of the company could well be curtailed by the board, because they see the security measures they have in place as adequate because no damage has been done and new deployments are overkill.

"Only when a virus shuts down the network for a few days will they ask why security was not good enough."

While the consequences of not being able to demonstrate the required level of compliance are sometimes purely financial, it would be unwise to underestimate the hidden costs of lost management time and negative publicity that can stem from compliance failure.

Similarly, while penalties for compliance failures have traditionally fallen on the business itself, there is an increasing number of situations in which those judging a failure look behind the corporate veil towards the individuals with stewardship of the organisation. The creation of well-drafted policies and their effective deployment can have a significant impact on minimising the occurrence of compliance breaches.

Making passwords work
In their simplest form, passwords are a string of characters chosen by a user to substantiate their identity, authority, access rights and so on, to the computer system that they wish to use. They remain central to all computer systems.

But choosing an 'impossible to guess' password is just the start. Management of the password will determine its effectiveness. The following best practice guidelines should be observed:

  • User passwords must never (ever) be written down. The moment a password is committed to paper or to a document, its discovery invalidates the other security measures. An attacker who finds such a note has an easy target, and the note may well hold not only one password but those for other systems and services too.
  • Passwords of key role holders - such as system and network administrators - should be copied and held under dual control in a fire-resistant secure location, to enable access to the system by an authorised person in an emergency.
  • Passwords must be changed at regular intervals, and should be chosen privately by the individual users. Although often issued initially by the IT department, the password must be changed immediately to maintain confidentiality.
  • Password changes must be forced if necessary by implementing an expiry period, after which a user's password will not be accepted and the next attempt to log on by that user will result in a security flash to the system console.
  • No sensible system would allow a 'user' to remain online for up to two weeks trying all possible combinations. A lockout must be activated after a set number of failed attempts or a fixed amount of time.

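The expiry and lockout rules from the last two guidelines, worked through as a small account state machine. This is an added example, not code from the article; the failure threshold, counting window and expiry period are assumed policy values, and a list stands in for the system console.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Optional
# Assumed policy values (not from the article): tune them to your own policy.
MAX_FAILED_ATTEMPTS = 5                    # lock after this many failures...
FAILURE_WINDOW = dt.timedelta(minutes=15)  # ...counted within this window
PASSWORD_MAX_AGE = dt.timedelta(days=90)   # expiry period

console_log = []  # stands in for the "security flash to the system console"

@dataclass
class Account:
    username: str
    password_set_at: dt.datetime
    must_change: bool = False  # True for an initial password issued by IT
    failed_attempts: int = 0
    first_failure_at: Optional[dt.datetime] = None
    locked: bool = False

def attempt_login(acct: Account, password_ok: bool, now: dt.datetime) -> str:
    """Apply the expiry and lockout rules; return ok/denied/expired/locked."""
    if acct.locked:
        return "locked"
    # Failures outside the window no longer count towards lockout.
    if acct.first_failure_at and now - acct.first_failure_at > FAILURE_WINDOW:
        acct.failed_attempts, acct.first_failure_at = 0, None
    if not password_ok:
        acct.failed_attempts += 1
        acct.first_failure_at = acct.first_failure_at or now
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            console_log.append(f"LOCKOUT {acct.username}: {acct.failed_attempts} failed attempts")
            return "locked"
        return "denied"
    acct.failed_attempts, acct.first_failure_at = 0, None
    # Right password, but expired or never changed from the one IT issued.
    if acct.must_change or now - acct.password_set_at > PASSWORD_MAX_AGE:
        console_log.append(f"EXPIRED {acct.username}: password change required")
        return "expired"
    return "ok"

def run_demo():
    """Constructed scenario: a guessing run, a stale password, an issued one."""
    now = dt.datetime(2003, 9, 23, 9, 0)
    alice = Account("alice", now - dt.timedelta(days=10))
    guesses = [attempt_login(alice, False, now) for _ in range(MAX_FAILED_ATTEMPTS)]
    after_lock = attempt_login(alice, True, now)  # correct password, still locked
    bob = Account("bob", now - dt.timedelta(days=100))
    carol = Account("carol", now, must_change=True)
    return {"guesses": guesses, "after_lock": after_lock,
            "bob": attempt_login(bob, True, now), "carol": attempt_login(carol, True, now)}
```
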
Dealing with viruses

One of the biggest problems with antivirus technology is that, unlike many other security technologies, you cannot reliably use multiple antivirus applications on a single machine.

The invasive and probing techniques used in the process of looking for and removing viruses from a system often resemble the activities of viruses themselves, so running multiple antivirus applications on the same machine will usually result in one antivirus client mistaking another for a virus and vice versa.

The answer is often to use different brands of antivirus spread across the IT infrastructure, ensuring that there is antivirus coverage on file servers, application servers, mail gateways, desktops, laptops and so on, but using a different brand on each tier to limit the exposure resulting from a failure in any one make of antivirus.

But all this remains useless unless the applications are kept up-to-date. So prevalent are viruses that major antivirus vendors find themselves issuing def file updates (a def file is a database of known viruses and behavioural information to assist in heuristic scanning) on a daily basis.

Mechanisms need to be put in place to ensure that the applications on all platforms are kept up-to-date.

Most vendors have enterprise management tools that can automate the distribution of def files, application updates and patches at login and in the background, as well as allowing centralised management of all users of a given antivirus application.

Further reading:
A set of resources for network and application security can be found here.

Papers on policy management best practice can be found here.

A template for security best practice devised by the US Department of Energy can be found here.

The Information Security Forum's Standard for Information Security is available here.
