PLUGGING THE GAPS

Knowing how to implement security solutions means first gaining an understanding of the risks and vulnerabilities your organisation faces.

It might seem, sometimes, as though taking practical steps towards enhancing security is all about products and software – anti-virus scanners, firewalls, patches and so on. Indeed, there are at least 30 sub-categories of IT product that fall under the heading of ‘security’ today, and the range is growing and changing all the time. Just keeping track of what’s available and coming soon is enough to keep a security team busy.

However, creating a secure environment involves adopting the right approach before you get into the details of how to implement it. So where should organisations begin if they want to go back to the drawing board and re-think their security approach to ensure it is as watertight as possible?

“Organisations vary enormously in their state of maturity when it comes to security,” comments Chris Knowles, head of security at Computacenter. “Some try each new solution as it comes out; others sit and wait until they’re more ‘proven’. But the best way to start is by taking an overall view of where you stand with security today, what your main vulnerabilities and risks are, and then determining a set of policies which address these. The actual solutions can be worked out last.”

A matter of education

Security means more than installing patches, implementing anti-virus updates and monitoring network activity. Effective security depends on processes and on people. While flawed technology might create many security vulnerabilities, there is nothing like human error to create real havoc.

For example, are staff fully aware of the company’s ‘acceptable use’ policy concerning web and email use? Do they understand which data is confidential, why, and what this means in practice? Have confidentiality clauses and data protection issues been adequately communicated to all staff, and on a regular enough basis? Do they know what they are and are not allowed to do with data, and what their obligations are with regard to backing up data and keeping it safe? Are they aware of their own personal liabilities if data gets into the wrong hands as a direct result of their own actions?

Training is critical. “The single, quickest gain you can achieve in security comes from having a well-defined policy, which everyone understands and adheres to,” urges Computacenter’s Chris Knowles. “To achieve the best results, you need to include the human resources department and senior executives in the process. There are pieces of software that can help make sure that everyone is complying with the policy. These can be set up to remind employees once a month about the company’s Acceptable Use policy (governing Internet and email use, for example). Users could be asked to answer five questions to show they’ve understood the content. This could be made a pre-requisite to accessing the Internet.”

This information can then be logged with your human resources department, too, so that the company has proof of employees’ knowledge and understanding of the company security policy, or to identify specific training needs.

E-learning solutions should take a similar approach, requiring the proactive involvement and proof of understanding of those being trained. Computacenter’s training division specialises in developing customised e-learning programmes which ensure that employees are trained in all the right areas, to meet companies’ business needs as well as regulatory compliance requirements – and that, again, this can be proven.

George Anderson, Computacenter’s IT security business development manager, adds: “Begin by recognising what your assets are, and why you’re protecting them – this might be for regulatory compliance reasons and/or for competitive reasons, for example. You need to think of each type of data in terms of its needs for confidentiality, integrity and availability. This information should then be used to determine your security policies. Once these are in place, you can start thinking about how you’re going to ensure that those policies are adhered to.”

Anderson emphasises the importance of taking a holistic, company-wide view of security. This is the best way of ensuring that nothing has been missed, and reduces the cost of ownership of security. Too many organisations have fragmented security solutions, many of which have been put in place reactively, which make the overall business of security management difficult and expensive. Often, each system has its own standalone console for activity monitoring and management, which adds to the complexity.
“We would seek to work with the company to integrate these disparate solutions to produce a single, consolidated view of the infrastructure, which could be combined with trouble ticketing and workflow event management,” Anderson says. “Then, if there is a security event, it will be able to allocate security problems to appropriate experts in the security or network administration teams, enabling speedier resolution. The workflow element would also enable the handling of the incident to be tracked for progress to ensure it is properly resolved.”

Some best practices
  1. Seek the right expertise to understand the security threats you face and your legal responsibilities (if you don’t already know these).
  2. Integrate security into everyday business practice, through a clear security policy, and by communicating this effectively to all staff.
  3. Invest appropriately in security controls, and/or in insurance.
  4. Ensure that key security defences (such as operating system patches and disaster recovery plans) are robust and current.

Broader picture

The need for the broader picture becomes even more important now that remote and mobile data access is being provided by many companies. IT assets now include smartphones, PDAs, email systems and instant messaging and it’s important to consider whether your organisation has a suitable infrastructure to manage all this.
This means considering end-point security as well as that concentrated at a network or server level. While centralisation of IT resources and tools makes sense in almost every other scenario, when it comes to securing data, it is essential that no end device can become a weak link in the chain.

“There is a growing interest in end-point security,” says Anderson. “Organisations have begun to realise its importance now that the network edge has become so blurred and have recognised the danger of ‘walk-ins’, where a contractor, supplier or unprotected machine used on the Internet at home can potentially compromise the network.”
Policies and solutions that encompass the mobile and remote access element need to consider not just who is accessing the corporate network and ‘seeing’ the data, but also what is happening to that data. If it is being downloaded or copied locally onto individual devices, that data is more vulnerable than ever. It could be lost, stolen or passed on, possibly without the end user even realising that this is a problem. If the data concerned is confidential customer or patient information, or is financial, strategic or other highly sensitive competitive data, this could present a real risk for the organisation.

Appropriate security solutions may include authentication/access control measures on the mobile device; encryption of the data stored on it (so that a lost or stolen device yields nothing readable without the key); and virus/worm protection in the form of web and email filtering. Or, if it is practical with the types of users who need remote access at your organisation, you may want to opt for a Citrix thin-client type model, where remote staff can access all the information they need without downloading it to the device.

Key to successful patching
The key to successful patch management is to treat the process strategically rather than reactively. This is the thinking behind Computacenter’s patch management service, which takes a holistic approach to the wider discipline of data security management, ensuring that patching is carried out systematically, yet efficiently and minimising both the cost and the disruption to the business.

Intelligent solutions

At the network and server level, there is a move towards deploying security solutions that are more flexible and intelligent in their ability to detect and respond to security threats wherever these might occur on the network.
Because of the speed at which hackers and virus writers can identify and exploit security holes in software, causing untold damage before patches and anti-virus updates have become available, security systems need to be able to detect ‘strange’ activities as well as being able to spot recognised attacks.

Over the past few years, attacks such as Nimda, Code Red, SQL Slammer and MS Blaster have infected computers worldwide by exploiting vulnerabilities in widely deployed software. In each of those cases a vendor patch was available before the worm appeared, so the damage fell mainly on systems that had not yet applied it. More recently, hackers have turned to peer-to-peer and instant messaging applications as a means of unleashing their attacks. As these attacks become more dynamic and malicious in nature, organisations need to be one step ahead of the hackers, rather than two paces behind.

This is the premise behind Intrusion Prevention Systems (IPSs), which are now growing in popularity. “In the last 12-18 months, intrusion prevention has become reasonably mature, so organisations are beginning to look at enterprise-strength solutions,” says Gavin Fulton, security practice technology leader within Computacenter Client Services, the company’s professional services division.
Intrusion prevention systems and services use deep packet inspection technology to enable them to investigate network traffic more thoroughly, as a defence against both internal and external attacks. This is achieved by examining information all the way up to the application layer.

“Before, someone would have had to know about SQL Slammer and develop a signature for these packets, which an intrusion detection system could then recognise,” Fulton explains. “With an IPS, you can still use signatures to identify known threats, but the big benefit is that all protocol anomalies are detected. The technology sits between the edge switch and your core network switch and, when it sees a bad packet, it doesn’t transmit it – so it can’t spread across your infrastructure. This can also be used to provide central anti-virus protection where it isn’t practical to have local anti-virus software on individuals’ machines.”

If organisations don’t want to implement a full network IPS, they can deploy a host IPS solution, where a piece of software sits between the operating system and the user software. It is given a list of the normal activities users will typically undertake and if a user breaks that pattern, their actions can be stopped.
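To make the two detection modes Fulton describes concrete, here is an added Python sketch of an inline filter; it is illustration only, not Computacenter's or any IPS vendor's code. Known attacks are caught by byte-pattern signatures, and a never-seen-before variant is still dropped because its payload breaks the rules of the protocol on that port. The signature patterns, the port and length limits, and the sample packets are all assumptions constructed for the example.

```python
"""Toy inline IPS: signature matching for known attacks plus protocol-anomaly
checks for unknown ones.  Added illustration only; the rules, limits and
packets below are constructed for the example, not real vendor signatures."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes


# --- Mode 1: signatures for known threats ---------------------------------
# A signature exists only after someone has analysed the attack.  Both
# patterns here are made up for the example.
SIGNATURES = {
    "example-worm-A": re.compile(rb"^\x04\x01{6}"),              # constructed
    "example-cmd-shell": re.compile(rb"/cmd\.exe\?/c\+", re.I),  # constructed
}

# --- Mode 2: what the protocol allows -------------------------------------
# These limits are assumptions for the example; a real IPS ships decoders
# written against the protocol specification.
MAX_UDP_1434_LEN = 64      # assumed ceiling for a legitimate request
MAX_URI_LEN = 2048         # assumed ceiling for a request URI
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def match_signature(pkt: Packet) -> Optional[str]:
    """Return the name of the first signature found in the payload, if any."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return name
    return None


def protocol_anomaly(pkt: Packet) -> Optional[str]:
    """Return a description of a protocol violation, or None if well-formed."""
    if pkt.proto == "udp" and pkt.dst_port == 1434:
        if len(pkt.payload) > MAX_UDP_1434_LEN:
            return "oversized payload to udp/1434"
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        request_line = pkt.payload.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if (len(parts) != 3 or parts[0] not in HTTP_METHODS
                or not parts[2].startswith(b"HTTP/1.")):
            return "malformed HTTP request line"
        if len(parts[1]) > MAX_URI_LEN:
            return "HTTP URI exceeds length limit"
    return None


def inspect(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Decide 'forward' or 'drop'; signatures first, then anomaly checks."""
    sig = match_signature(pkt)
    if sig is not None:
        return "drop", f"signature:{sig}"
    anomaly = protocol_anomaly(pkt)
    if anomaly is not None:
        return "drop", f"anomaly:{anomaly}"
    return "forward", None


def run_inline(packets: List[Packet]) -> Tuple[List[Packet], List[Tuple[str, Optional[str]]]]:
    """Simulate the device between edge and core switch: dropped packets
    never reach the core.  Returns (forwarded packets, verdict log)."""
    forwarded, log = [], []
    for pkt in packets:
        verdict, reason = inspect(pkt)
        log.append((verdict, reason))
        if verdict == "forward":
            forwarded.append(pkt)
    return forwarded, log


# Constructed traffic sample: one benign request, two known attacks, and two
# never-seen-before variants that only the protocol checks catch.
SAMPLE = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("tcp", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("udp", 1434, b"\x04" + b"\x01" * 375),
    Packet("udp", 1434, b"\x04" + b"\x41" * 300),                 # no signature, oversized
    Packet("tcp", 80, b"FOO " + b"A" * 100 + b" HTTP/1.1\r\n\r\n"),  # unknown method
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE, run_inline(SAMPLE)[1]):
        print(f"{pkt.proto}/{pkt.dst_port:<5} {verdict:<8} {reason or ''}")
```

The order of the checks matters: signatures are cheap and name the threat, so they run first; the protocol checks are the safety net for the window between a new exploit appearing and a signature being written for it, which is the gap Fulton's SQL Slammer remark points at. The same allow-list idea, applied to process behaviour rather than packets, is what the host IPS described above does.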

Calling in Interpol

It is perhaps not surprising that Interpol is an organisation with a profound interest in security. Its website offers a comprehensive checklist for companies worried they might have holes in their IT security. Significantly, this puts an emphasis on policy rather than specific technology use. It also breaks down the list into areas of responsibility.

For example, areas that the company management needs to consider include the security policy – whether you have one, how it is approved and validated and whether it is supported by an actual security plan. It also asks pertinent questions about how the policy is communicated and whether it is backed up by a training plan.

There are also questions for the organisation as a whole, which cover areas such as responsibility for security, contingency planning, incident handling and training. When it comes to dealing with actual hardware and software, the checklist highlights issues such as ensuring that the solutions integrate properly into your environment, policies for using the systems, testing their effectiveness and reliability, and so on.

For any company reviewing its security situation, this checklist would be a useful place to start. However, you may find you have more work to do than you thought.

Constant vigilance

Successful security at all levels, however, relies on vigilance – in monitoring and resolving attacks, and in refreshing the protection itself. “There is no point having security policies in place, if monitoring is not happening. And if you don’t keep on top of security updates, you will be undermining everything you’ve put in place,” Fulton warns.
Take security patches. Ineffective patch management is one of the biggest bugbears of security administrators, because it can be relentless, time-consuming and disruptive. What’s more, because they are designed as quick fixes, some patches can cause almost as many problems as they solve. This has contributed to their neglect by some organisations.
The cost of not being patched could be the loss of business, while the cost of being up-to-date can be significant in terms of people cost and application availability. According to some analysts, the operational cost to an enterprise of manually implementing patches can run to somewhere between £150-£200 per server, and that doesn’t include any costs associated with resolving problems caused by a worm or virus. Faced with these kinds of challenges, organisations need technology solutions to enable them to patch, reliably, efficiently and cost-effectively.

In an ideal world, organisations would allocate one day a month as ‘Patch Day’, making the cost of patching measurable and predictable. Yet, buying the time to do this means adequate protection needs to be provided to cover the infrastructure between the monthly updates, and a process needs to be in place to allow some ad hoc patching for some vulnerabilities. This is why patch management needs to be considered as part of a much wider, more strategic approach to security.

External expertise

Done properly, security management is no small job. It needs dedicated resources, it needs ongoing budget allocation, and it needs people’s time and attention. Yet there is also a vast array of external expertise that can be drawn on for any organisation that feels data security is taking too much time and energy away from the company’s core business.
Managed security services are a popular alternative for some organisations, especially those that already outsource network management or desktop services to a third party.
The advantage of outsourcing is not only that someone else can be tasked with the day-to-day administration of your security systems, but that they are also tracking the latest technologies, the latest viruses and other threats – in short, being vigilant on your behalf, so you don’t have to be. Such services can be worth their weight in gold to already over-stretched IT teams.