An information security blueprint, part 2
Symantec's Francis deSouza on the practicals of holistic information security in today's organization
A look back at recent data breaches including the Hydraq attacks exposes an alarming trend that only a handful of security experts anticipated. As predicted by some as early as 2005, Internet attackers are no longer driven by fame but by fortune and are using increasingly sophisticated techniques. These attacks are not just hunting for confidential information such as credit card or Social Security numbers, they can actually target specific employees at multinational companies and government agencies they know have access to design documents, source code and other forms of intellectual property and classified information.
As discussed in part one of this two-part Information Security Blueprint series, threats are likely to become even more complex and effective over time, so organizations should work to reduce their vulnerability by implementing a security blueprint that is comprehensive, proactive, enforceable and manageable. Among the most important components is a strategy that addresses the four most common security weaknesses today's cyber attackers target: poorly enforced IT policies, poorly protected information, poorly managed systems and poorly protected infrastructure.
Enforcing IT Policies
Data breaches may be caused either by cybercriminals outside the company or by malicious or well-meaning insiders operating within the company. Virtually all data breaches, however, involve missing, broken, or unenforced IT policies. Whether cybercriminals and malicious insiders exploit them or well-meaning insiders simply follow them, inappropriate IT policies are a common factor in data breaches. By prioritizing risks and defining policies that span every location, organizations can enforce those policies through built-in automation and workflow, and not only identify threats but remediate incidents as they occur or anticipate them before they happen.
Cybercriminals rely on two factors as they consider target organizations from which to extract information. The first is that from an information security perspective, most companies are hard on the outside but soft on the inside. Malicious attackers look for companies that do not have appropriate IT policies either developed or enforced around who should have access to what infrastructure or what information. What that means is that once the criminals are inside the safety of the corporate network, they have free rein across that network to figure out what valuable data exists and where it is located.
The second factor upon which cybercriminals rely is "data spillage"--information unknowingly moves from its appropriately protected data storage container into another container that is inadequately protected. For example, a company might know that its employee records exist on the employee record database or that patient information is in a patient database. Yet, they do not know where else that information is stored. For many companies, data exists in multiple places, including file shares, laptops, test and development servers, USB drives, and other secondary locations. Unless this information is identified, it will remain vulnerable.
In the case of one healthcare company, cybercriminals realized that the corporate data they were seeking was actually well-protected, but the employee desktops were not. In response, attackers installed screen saving software on all the employee desktops. Then, as employees logged on to their personal bank accounts, that information was captured and sent to the cybercriminals. Attackers, in turn, were rewarded with valuable data that they could use for financial gain.
Achieving strong, cost-effective IT compliance requires a firm grasp of the applicable regulations, frameworks and best practices. Security experts recommend that organizations leverage automated, integrated compliance tools rather than one-off solutions for each compliance mandate. Organizations can automate the often-repeated, time-consuming processes typically associated with IT policies, including creating, defining, and distributing policies; tracking exceptions; managing standards and entitlements; remediating deviations; and performing procedural and technical assessments. Automated, integrated tools provide a way to perform these critical yet often costly processes more efficiently and cost-effectively.
Protecting Information
External attackers are not the only threats to information. Insiders--either malicious or well-meaning--may be one of the most under-appreciated security risks to today's organizations. Confidential personal information such as employee personnel data, medical patient records, credit card numbers and Social Security numbers all command top dollar on the black market. Companies' and government agencies' intellectual property, too, is increasingly at risk of being stolen or lost.
Therefore, organizations must understand where information is, how it is being used and who is using it, and then implement enforceable data protection policies enterprise-wide. By taking an information-centric approach to protection, organizations can establish a critical building block of an effective security blueprint.
Knowing who has access to confidential data, how it is being used, and where it is going requires visibility into activity on the corporate network, including email, instant messaging, web mail, and FTP. It also requires monitoring endpoints--whether on or off the corporate network--for any confidential information that is downloaded to local drives, copied to USB or other removable devices, burned to a CD or DVD, copied or pasted, printed or faxed, transferred over email or instant messaging, and more.
Because many organizations must demonstrate compliance with external regulations, it is crucial that sensitive information is handled in a way that meets these requirements as well. For example, merchants subject to the Payment Card Industry Data Security Standard (PCI DSS) must know where cardholder data is--whether in storage repositories or on employee laptops--and ensure that this data is protected. They must also be able to generate reports that show exactly which systems have been scanned, what was found on these systems, and how sensitive information has been secured.
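The discovery and reporting described in the "data spillage" paragraph and the PCI paragraph above, as an added example that is not part of the original article or of any Symantec product: a small Python scanner walks a secondary location such as a file share or test server, looks for Social Security numbers and payment card numbers (card candidates are confirmed with the Luhn checksum so that ticket numbers and similar digit runs are not reported), and produces the kind of report the text calls for: which location was scanned, how many files, and what was found where. The directory, its file contents and the detection patterns are constructed for the example.

```python
"""
Added example (not from the original article): find confidential data that has
spilled into a secondary location and report what was found.  The sample
directory, its files and the regexes are constructed for the example.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# SSN: three-two-four digits; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the digit strings of card candidates that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_text(text: str) -> dict:
    """Classify one document; returns {kind: count} for each kind of data found."""
    found = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        found["ssn"] = len(ssns)
    cards = find_card_numbers(text)
    if cards:
        found["card"] = len(cards)
    return found


@dataclass
class Finding:
    path: str   # relative to the scanned root
    kind: str   # "ssn" or "card"
    count: int


def scan_tree(root: str, max_bytes: int = 1_000_000):
    """Walk a location (file share, laptop, test server) and collect findings.
    Returns (files_scanned, [Finding, ...]).  Unreadable files are skipped."""
    scanned, findings = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            scanned += 1
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            text = data.decode("utf-8", errors="ignore")
            for kind, count in scan_text(text).items():
                findings.append(Finding(os.path.relpath(path, root), kind, count))
    return scanned, findings


def report(root: str, scanned: int, findings) -> str:
    """The audit-style summary the text describes: what was scanned, what was found."""
    lines = [f"location: {root}",
             f"files scanned: {scanned}",
             f"files with findings: {len({f.path for f in findings})}"]
    for f in sorted(findings, key=lambda f: (f.path, f.kind)):
        lines.append(f"  {f.path}: {f.count} {f.kind}")
    return "\n".join(lines)


def demo():
    """Build a constructed 'file share' containing spilled data and scan it."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "test-exports"))
    samples = {  # constructed contents; the card number is a well-known test value
        "test-exports/patients_copy.csv": "id,name,ssn\n1,A. Smith,123-45-6789\n2,B. Jones,078-05-1120\n",
        "notes.txt": "card on file 4111 1111 1111 1111, old number 4111-1111-1111-1112\n",
        "readme.txt": "nothing sensitive here, ticket 2009-12-3456\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    scanned, findings = scan_tree(root)
    return scanned, findings, report(root, scanned, findings)


if __name__ == "__main__":
    print(demo()[2])
```

The second card number in notes.txt fails the Luhn check and the ticket number is too short to be a card, so neither is reported; the readme is counted as scanned but produces no finding. Real deployments add document-type parsers, content fingerprints of known databases, and the context analysis the text mentions, but the shape of the report is the same.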
To ease administration, it is important to be able to define and enforce all policies for preventing data loss in a centralized location from which incident remediation and reporting can also be addressed. In addition, both content and context should be analyzed on an enterprise scale; this increases accuracy which, in turn, minimizes incident remediation activities and costs.
Managing Systems
Savvy cybercriminals are also sizing up organizations with poorly managed systems, taking advantage of the inefficiencies of these infrastructures to access valuable data. To guard against this threat, organizations should take a closer look at their own systems management practices and processes to be sure their information assets remain protected.
A well-publicized data breach that occurred in 2009 sheds light on the relationship between systems management and system security. After copying a large amount of confidential information onto her laptop, a hospital employee left the laptop on her office desk, and then closed and locked the door behind her as she left her office. Later that evening, someone broke into the office and stole the laptop--along with the hundreds of protected health information (PHI) records it contained.
Without an accurate inventory it is difficult to know which systems require patches and which are up to date, so manual patching processes usually result in gaps and errors. What's more, poor patch deployment processes can hamper the productivity of end users, while also forcing IT to devote more time to responding to incidents than to proactively managing day-to-day procedures.
With a comprehensive systems management strategy that includes standardization, workflow and automation, security software and tools do the heavy lifting. From patch management to regulatory audits, these systems management capabilities help organizations manage the lifecycle of all of their IT assets. A comprehensive systems management strategy also makes it easier for organizations to implement secure operating environments, by helping them define the baseline configurations they want to roll out across their infrastructure and by verifying that every piece of that infrastructure complies with critical policies.
To guard against the risk of information exposure, organizations must protect both their infrastructure, from endpoints to servers and gateways, and their information, wherever it is and however it is being used. In addition, organizations need to replace broken business processes with IT policies that are proactive and enforced. Finally, organizations must manage their systems by implementing secure operating environments, patching systems quickly, and automating processes to streamline efficiency both before and after a security event.
Protecting the Infrastructure
Protecting endpoints requires more than antivirus and antispyware. Endpoint protection also requires firewall, intrusion prevention, and device and application control as well as tools that automatically analyze application behaviors and network communications to detect and block suspicious activities. Endpoint protection also requires administrative capabilities that enable IT to deny specific device and application activities that are considered high risk. Endpoint protection must also provide network access control to make sure endpoints remain in compliance with IT policy when they connect to the corporate network.
To protect messaging server environments against spam and viruses, organizations should scan inbound and outbound email and instant messages for compliance with regulatory and governance requirements. To ensure the most up-to-date protection, spam signatures need to be updated automatically and virus protection must include next-generation capabilities such as reputation-based filtering.
With the proliferation of Web-based attacks, a secure infrastructure must also include protection against Web 2.0 threats. Traditional URL filtering alone is insufficient. Organizations must also be protected against spyware, active and dormant botnets, and viruses, and block malicious websites, active content, application file downloads, so-called "phone home" traffic, and attacks on-the-fly.
IT should have visibility into systems so they can understand if they are under attack. The most effective protection strategies leverage real-time security information management tools that collect, correlate, and store event, vulnerability, and compliance logs and then document response and remediation. These tools collect the diverse data that is generated by an organization's existing security devices and applications in real time. The most advanced tools also combine this data with external intelligence on malicious activities occurring globally, then analyze this data and rank incidents according to their priority.
Organizations that want to take action before an event occurs can also leverage early warning systems that keep them apprised of vulnerabilities that have not yet been exploited. It's critical for companies to have this holistic view across their IT infrastructure to be able to capture the logs across all the different elements of their IT infrastructure, correlate these logs, understand what threats are happening right now, and get a view into whether or not they are under attack.
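The collection, correlation, external-intelligence enrichment and ranking that the two paragraphs above attribute to security information management tools, as an added example in Python that is not part of the original article or of any product it refers to. Events from three sources (a VPN gateway, a database host and a firewall) are parsed into a common record, two correlation rules are applied (repeated authentication failures followed by a success from the same source, and one source denied to many destinations on one port), and each resulting incident is scored against a threat-intelligence list and an asset criticality table so that the most urgent one surfaces first. The log lines, the intelligence list, the criticality table and the scoring weights are all constructed for the example; a production system would take them from its collectors and feeds.

```python
"""
Added example (not from the original article): a minimal collect-correlate-rank
pass over constructed log lines.  Everything below, including the threat
intelligence and the scoring weights, is made up for the example.
"""
import re
from collections import defaultdict

# Constructed events, already normalised to "timestamp host program: message".
SAMPLE_LOGS = """\
2009-12-01T02:14:03 vpn1 sshd: Failed password for admin from 203.0.113.7
2009-12-01T02:14:05 vpn1 sshd: Failed password for admin from 203.0.113.7
2009-12-01T02:14:06 vpn1 sshd: Failed password for root from 203.0.113.7
2009-12-01T02:14:08 vpn1 sshd: Failed password for admin from 203.0.113.7
2009-12-01T02:14:09 vpn1 sshd: Failed password for admin from 203.0.113.7
2009-12-01T02:14:11 vpn1 sshd: Accepted password for admin from 203.0.113.7
2009-12-01T02:20:40 fw1 firewall: DENY src=198.51.100.9 dst=10.0.0.5 dport=445
2009-12-01T02:21:02 fw1 firewall: DENY src=198.51.100.9 dst=10.0.0.6 dport=445
2009-12-01T02:21:30 fw1 firewall: DENY src=198.51.100.9 dst=10.0.0.7 dport=445
2009-12-01T03:05:12 db2 sshd: Failed password for backup from 10.0.0.21
2009-12-01T03:05:14 db2 sshd: Accepted password for backup from 10.0.0.21
"""

# Constructed "external intelligence": sources reported as malicious elsewhere.
THREAT_INTEL = {"203.0.113.7"}
# Constructed asset view: how much an incident on this host matters (1 low .. 5 high).
ASSET_CRITICALITY = {"vpn1": 3, "db2": 5, "fw1": 1}

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
DENY_RE = re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+)")


def parse(line: str):
    """Turn one raw line into a dict with a 'kind'; None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    ev = {"ts": ts, "host": host, "prog": prog, "msg": msg, "kind": "other"}
    if a := AUTH_RE.search(msg):
        ev.update(kind="auth", outcome=a.group(1).lower(), user=a.group(2), src=a.group(3))
    elif d := DENY_RE.search(msg):
        ev.update(kind="deny", src=d.group(1), dst=d.group(2), dport=int(d.group(3)))
    return ev


def correlate(events, fail_threshold=4, sweep_threshold=3):
    """Apply two rules across sources; events must be in time order."""
    incidents = []
    # Rule 1: >= fail_threshold failures then a success, same host and source.
    auth = defaultdict(list)
    for e in events:
        if e["kind"] == "auth":
            auth[(e["host"], e["src"])].append(e)
    for (host, src), evs in auth.items():
        fails = 0
        for e in evs:
            if e["outcome"] == "failed":
                fails += 1
            else:
                if fails >= fail_threshold:
                    incidents.append({"rule": "bruteforce_success", "host": host,
                                      "src": src, "severity": 8, "evidence": fails + 1})
                fails = 0          # a success (or a single typo) resets the window
    # Rule 2: one source denied to >= sweep_threshold distinct hosts on one port.
    sweeps = defaultdict(set)
    for e in events:
        if e["kind"] == "deny":
            sweeps[(e["host"], e["src"], e["dport"])].add(e["dst"])
    for (host, src, dport), dsts in sweeps.items():
        if len(dsts) >= sweep_threshold:
            incidents.append({"rule": "port_sweep", "host": host, "src": src,
                              "severity": 4, "evidence": len(dsts), "dport": dport})
    return incidents


def prioritize(incidents):
    """Rank: rule severity + criticality of the reporting asset + intel bonus."""
    for inc in incidents:
        score = inc["severity"] + ASSET_CRITICALITY.get(inc["host"], 1)
        if inc["src"] in THREAT_INTEL:
            score += 5
        inc["priority"] = score
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


def run(log_text: str = SAMPLE_LOGS):
    """Collect, correlate and rank; returns incidents, highest priority first."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])     # ISO timestamps sort lexically
    return prioritize(correlate(events))


if __name__ == "__main__":
    for inc in run():
        print(inc["priority"], inc["rule"], inc["host"], inc["src"], inc["evidence"])
```

On the sample data the single failed login on db2 stays below the threshold and produces nothing, the brute force on vpn1 is ranked first because its source also appears in the intelligence list, and the SMB sweep is reported but ranked lower; that ordering, rather than the volume of raw events, is what the analyst is meant to act on.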
Francis deSouza is senior vice president of the Enterprise Security Group at Symantec Corp.