Keeping security real

Insiders pose the biggest threat to corporate security. And trying to keep up with internal and external threats is nigh impossible. In this feature, Brainstorm gets to grips with realistic security management
1 September 2008

The security game can be likened to trying to hit a series of constantly moving targets, which are simultaneously changing in nature and severity on an hourly basis. Insiders, dumb end users, cyber-crime syndicates and our old friends the virus writers are all still out there causing havoc.

Further complicating matters is the drive to mobility, with users wanting to access corporate resources from whatever device is most convenient. Perimeter security is no longer sufficient, not when your perimeter is constantly on the move. What, you might ask, is your security department to do?

Beware the BDU

The industry's famous dumb end users have a new(ish) moniker: Brain-dead users, or BDU. These pose the greatest threat to corporate security, most frequently due to the aforementioned lack of brain activity.

Says NGS managing director Guy Golan: "Internal threats take three forms. The first is accidental and takes place through employees trying to do their jobs. For example, e-mailing a balance sheet (without encryption) to their personal e-mail account so they can work on it at home.

"The next is the malicious attack. There's more planning behind this one and the tools are more sophisticated. One example is an employee who does much more than they should because they have the authority. We call it the temptation factor. It's like being in a vault and knowing you can transfer money from the vault to anyone and never be caught.

20 questions

Karel Rode, principal consultant of CA's security practice, believes companies should start with the 20 questions of security management:

1. Is it cost-effective?

2. Is the IT security system based on a sound architecture?

3. Is it supported by policies, procedures, standards and guidelines?

4. Have all business units provided input?

5. Do security management policies support owner/shareholder mandates?

6. Are we following good governance practices?

7. Do we take account of industry mandates and legislation, local and international if applicable?

8. Does it include deployment and active rules implementation of gateway controls like firewalls, intrusion detection & prevention and anti-virus tools?

9. Should this also include the user community?

10. If we do include them, what are the roles attributed to users and the associated entitlements?

11. What credentials do we demand from the user community to access data?

12. What if the user is not within the organisation's trusted realm?

13. Can I trust the devices used to access the network?

14. Should I demand a stronger credential and what type of credential works for my business?

15. How do I maintain the software versions and ensure that software vulnerabilities are reduced to a level acceptable within my organisation's risk appetite?

16. Do I allow users to gain higher privileges such as admin or root?

17. How do I account for user actions in these modes?

18. Do I keep logs and system events in a secure and tamper-proof way so that forensic investigators can access them after the fact?

19. Can I apply some level of logic to these data sets to provide me with an early warning system?

20. Do I have the ability to tighten preventative controls based on input from such a system?

"The last one grows bigger daily," he says, "and involves privileged use accounts - power users/administrators/developers/programmers. These all have privileged usage rights and are impossible to trace because you cannot know, for example, which administrator was logged into the admin account at that time."
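Questions 17 to 19 above, and Golan's point about untraceable shared admin accounts, come down to two controls: every privileged action is recorded against the individual who obtained the privilege, and the record itself resists after-the-fact editing. The following is an added illustration, not code from the article or from any of the vendors quoted; the event records, the HMAC key and the field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample audit events (not from the article). "user" is the real
# login; "euid" is the identity the action ran under, so work done as the
# shared root/admin account still carries the individual's name.
EVENTS = [
    {"ts": "2008-09-01T08:02:10", "user": "alice", "euid": "alice", "action": "login"},
    {"ts": "2008-09-01T08:03:44", "user": "alice", "euid": "root", "action": "sudo -i"},
    {"ts": "2008-09-01T08:05:02", "user": "alice", "euid": "root", "action": "mysqldump customers"},
    {"ts": "2008-09-01T21:40:15", "user": "bob", "euid": "root", "action": "userdel audit"},
]
SEED = "0" * 64  # chain anchor for the first record

def build_log(events, key):
    """Append each event with an HMAC that also covers the previous record's MAC."""
    log, prev = [], SEED
    for ev in events:
        body = json.dumps(ev, sort_keys=True)
        mac = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        log.append({"event": dict(ev), "prev": prev, "mac": mac})
        prev = mac
    return log

def verify_chain(log, key):
    """Return the index of the first altered or reordered record, or -1 if intact."""
    prev = SEED
    for i, rec in enumerate(log):
        body = json.dumps(rec["event"], sort_keys=True)
        expect = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expect):
            return i
        prev = rec["mac"]
    return -1

def privileged_actions_by_user(log):
    """Map each real login to the commands it ran under the privileged identity."""
    out = {}
    for rec in log:
        ev = rec["event"]
        if ev["euid"] == "root" and ev["action"] != "sudo -i":
            out.setdefault(ev["user"], []).append(ev["action"])
    return out
```

Note that truncating the tail of the chain is not detected by this check alone: the latest MAC also has to be exported regularly to a system the administrators cannot write to, and the key must not live on the logged host.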

The Société Générale case is the most recent example of this threat being played out. As Golan notes: "Just because we haven't seen an example in South Africa, doesn't mean it can't happen."

The other problem with insiders is, of course, social engineering. Says Mike Hamilton, managing director of Channel Data: "Hackers and malware generators have evolved into social engineers who use techniques to illegally acquire passwords and other intellectual property belonging to an organisation. They are successful because they exploit flaws in human logic known as cognitive biases, which are distortions in the way humans perceive reality.

"One of the most dangerous traits is called projection bias - the tendency to unconsciously assume that others share the same or similar thoughts, beliefs, values or positions as we do. Phishing exploits this trait. Many people have been duped by techniques designed to fraudulently obtain banking or credit card details from them.

"Pretexting is another. It's the act of using an invented scenario (a pretext) to persuade someone to perform an action. This technique is often used to trick a business into disclosing customer information, banking records and other information," he says. "Whether you're talking internal or external, security is about human behaviour and the ignorant accomplice - people in organisations who trust outsiders, share information willingly and don't expect anyone to manipulate them or have a negative motive. You need to identify them, manage against them and take steps to change their behaviour without coming down in draconian style because of the malpractice of one or two, which may not have been intentional but based on ignorance."

Built-in vulnerabilities

Although poorly built software is perhaps the most well-known source of security vulnerabilities (thank you, Patch Tuesday), the threats inherent in it are seldom discussed or addressed. Software is built buggy. Everyone knows this and pretty much seems to accept it.

Says Hayden Pinnell, managing director of Gallium: "Security is not built in at the grassroots in application lifecycles. If you change an application, you need to reassess for vulnerabilities. This is particularly [problematic] in the SME space where a lot of the application development lifecycle is outsourced or off-shored to various organisations for development or quality assurance before being released to market. I don't think a lot of organisations place enough focus on the risk of taking an application to market where there are vulnerabilities or that place customer data at risk."

Says Synaq technical director David Jacobson: "Business executives and some so-called security experts believe that the implementation of one or two security products can address vulnerability issues. This is truly worrying, particularly as some security products themselves contain flaws that increase a network's vulnerability.

"A solution is to check out the software's vulnerability pedigree. Go online and look at the sites of the security bodies and investigate whether a product has had flaws in the past and how quickly these were fixed. Another solution is to use open source software (OSS), not because OSS is inherently more secure, but because you have access to the code and can pay a consultant or use one of your own developers to analyse the bugs and fix any problems."

A priority?

Gartner Africa lead analyst on governance, compliance and security Les Stevens asks whether or not security is really still a concern. "When last did we see a widespread attack? There's no doubt that the way attacks occur is very much more targeted [than in the past]. It's with a purpose in mind. In the past, massive worm attacks would create havoc. We've not seen a big attack for a while - and it's been a long time since there's been a high-risk worm in the wild that's pervasive. The fact that there hasn't been one for a long time doesn't sit easy on my mind," he adds.

"I'm waiting, holding my breath... there will be another. People are doing a lot and have spent a lot. Attacks are being targeted at individuals and companies to get information. The trend is that concern for security has dropped off CIOs' radars. It's not that much of an issue in their lives any more. They feel a lot of time and money has already been spent and responsibility has been given to the security team, in-house, outsourced or a mix. That doesn't mean there isn't funding. We're seeing security budget increases that are still exceeding typical increases in IT budgets, but that's dropping off this year. There's an expectation that security is under control."

That said, Stevens still doesn't see good enough security management. "The technology is there; it has been for a while and it works. We're seeing product and vendor consolidation. Big players are selling consolidated products that address a wide range of threats. But we're not seeing the management component. Where are the processes?" he asks.

"We've been talking about processes for years and we're still not seeing organisations with maturity of processes that report. The assurance information isn't great. Users in organisations are getting tired of hearing about it. Security teams need to see how they can keep the user community aware of threats and risks. This is where the weakness will be, especially with the economy the way it is. We think this is a time when social engineering is far more likely. We are also close to seeing the Protection of Personal Information Act coming into force, which will place a legal obligation on organisations to tighten up how they manage personal data. Now is a grace period for people to start selling off client lists, personal information and so on."

Needless to say, very few companies need to be completely on top of every new threat that arises. If you're the Pentagon, perhaps. Your average corporate? Not so much.

Meet in the middle

That said, there's no excuse for being on the other end of the security scale - unpatched PCs, no access control, default security settings on appliances, etcetera.

In between these two lies what Dimension Data security solutions and services general manager Samresh Ramjith calls "adequate security". Each organisation will have a different security requirement depending on what it does and how much critical data it has.

"It's a cost benefit thing," he says. "If you have that much to lose, then you should invest." And if you don't, then a mammoth system with every bell and whistle known to a security vendor is probably overkill.

Where to draw the line? By getting a handle on what you have and what needs protection at what level, and by closing the gaping barn doors before the horse bolts, corporates can protect themselves not only from security threats, but also from the tedious compliance requirements lurking out of sight, waiting to pounce on the unwary.

Protecting your infrastructure

By Mark Nicolett

The 2008 key issues for infrastructure protection define what Gartner believes the major security topics for the next 12 months will be.

Key findings:

* IT security organisations must focus most of their resources on developing new approaches to keeping the environment secure as threats and business processes change.

* Security organisations can maintain a forward focus only if they also focus on operationalising mature security functions.

* Due to increased user autonomy and use of consumer IT within the enterprise - and the growing use of service providers and outsourcing - enterprises need to find ways to ensure the security of IT infrastructures, operations and applications that are not under their direct control.

Recommendations:

* Implement network security to provide enterprise-wide protection against general threats and vulnerabilities.

* Expand message content inspection policies beyond e-mail to include web mail, instant messaging (IM), blog postings and chat rooms.

* Extend signature-based endpoint security to include behavioural analysis, controlled code execution, and logical and physical port firewalling.

* Reduce security costs by operationalising mature infrastructure protection technologies.

* Link vulnerability management and compliance projects to ensure compliance spending results in lower security operations costs and a more secure environment.

* Implement content monitoring and filtering/data loss prevention (CMF/DLP), encryption software and database monitoring security technologies as appropriate mechanisms for ensuring the protection of enterprise data.

* Expedite the adoption of application security disciplines - even if application development and maintenance are outsourced - and work to improve the ability to discover fraudulent use of applications by employees and customers.