With the continued onslaught of breaches and state-sponsored espionage, I felt it was important to map out base practices and well as some of the best practices in Information Security. In the age of LulzSec, Advanced Persistent Threats (APTs), and everyday data losses and breaches, it’s more important than ever to be proactive about security. I consulted with several top security engineers that I have worked with in the past to construct these practices. Much of this material was first published in April last year in Information Week , and I have updated it further here. Unfortunately, this area should be a top priority for IT leaders to protect their firms, customers and information. If it’s not at your firm, you need to change that. Best, Jim.
It is no longer teenagers with nothing better to do or the occasional disgruntled IT employee doing the hacking, there are well-organized, well-funded entities from across the globe attacking your companies systems on a continual basis. And it is not just credit card fraud or the Nigerian prince email scam, it is your customer’s personal information or your company’s intellectual property that is being spirited away. The pace and sophistication of attacks by hackers and others who expose confidential data and emails has increased dramatically over the past 5 years to an overwhelming pace. The ‘epidemic‘ includes denial of service attacks on major banks and anti-spam services. Last year, a group calling itself LulzSec Reborn hacked a military dating website releasing the usernames and passwords of more than 170,000 of the site’s subscribers.
Headlines are splashed across front pages and business journals where banks, energy companies, and government web sites have been attacked. As I called out six months ago, the pace, scale and intensity of attacks had increased dramatically in the past year and was likely to continue to grow. Given one of the most important responsibilities of a CIO and senior IT leaders is to protect the data and services of the firm or entity, security must be a bedrock capability and focus. And while I have seen a significant uptick in awareness and investment in security over the past 5 years, there is much more to be done at many firms to reach proper protection. Further, as IT leaders, we must understand IT is in deadly arms race that requires urgent and comprehensive action.
Starting in fall 2012 and continuing are DD0S attacks against US financial institutions. These generally have been conducted by Muslim hacker groups purportedly in retaliation for the Innocence of Muslims film. But the Wall Street Journal outlined that the groups behind the attacks are sponsored by the Iranian government – ‘the attacks bore “signatures” that allowed U.S. investigators to trace them to the Iranian government’. This is another expansion of the ‘advanced persistent threats’ or APTs that now dominate hacker activity. APTs are well-organized, highly capable entities funded by either governments or broad fraud activities that enables them to carry out hacking activities at unprecedented scale and sophistication. As this wave of attacks migrates from large financial institutions like JP Morgan Chase and Wells Fargo to mid-sized firms, IT departments should be rechecking their defenses against DD0S as well as other hazards. (If you do not already have explicit protection against DDoS, I recommend leveraging a carrier network-based DDoS service as well as having a third party validate your external defenses against penetration.) While the stakes currently appear to be a loss of access to your websites, any weaknesses found by the attackers will invariably be subsequently exploited for fraud and potential data destruction. This is exactly the path of the attacks against energy companies including Saudi Aramco that recently preceded the financial institutions attack wave. And no less than Leon Panetta spoke about the attacks and consequences.
Beyond the DDoS incidents there are the for-profit attacks by nation states and entities seeking intellectual property, and fraud by organized crime outfits. The 2013 report on Chinese state espionage against US companies is sobering. Consider further the blatant industrial espionage conducted against Nortel and more recently, AMSC, or the fraud attack against Global Payments. These are cautionary stories of how companies suffer real losses and impacts due to cyber attacks.
One of a CIO’s most critical responsibilities is to protect his or her company’s information assets. And this includes your customers’ personal information (in fact, consumer protection regulation requires you to ensure it is protected or there are significant penalties for loss of such data). Protection often focuses on preventing others from entering company systems and networks. With today’s pervasive and sophisticated threats you must apply more advanced techniques in addition to traditional security practices. The following information security recommendations can help you ensure you have the right measures in place. They are listed in two sections: fundamental measures and advanced best practices.
Fundamental Measures: These measures should be viewed as both basic but also absolutely necessary. There are still far too many exploits and breaches that occur due to a failure to implement one of these basic items like patching. Make sure your shop has all of these in place and executed with rigor. Otherwise, it is like leaving your back door to your house unlocked.
1. Establish a thoughtful password policy. Sure, this is pretty basic, but it’s worth revisiting. Definitely require that users change their passwords regularly, AND set a reasonable frequency–any less than three months and users will write their passwords down, compromising security — so three to six months is best. As for password complexity, require at least six or seven characters (the preference today is eight), with one capital letter and one number or other special character.
2. Publicize best security and confidentiality practices. Do a bit of marketing to raise user awareness and improve security and confidentiality practices. Your company’s employees are your front-line. No security tool can be everywhere. Remind your employees that security threats can follow them home from work or to work from home. Help your employees take part of your company’s security practices — there is a good post on this at How To Make Information Security Everyone’s Problem.
3. Install and update robust antivirus software on your network and client devices. This is an absolute must-do. Enough said, but keep it up-to-date and make it comprehensive (all devices).
4. Review access regularly. Also, ensure that all access is provided on a “need-to-know” or “need-to- do” basis. This is an integral part of any Sarbanes-Oxley review, and it’s a good security practice as well. Educate your users at the same time you ask them to do the review. This will reduce the possibility of a single employee being able to commit fraud resulting from retained access from a previous position.
5. Put in place laptop bootup hard drive encryption. This encryption will make it very difficult to expose confidential company information via lost or stolen laptops, which is still a big problem (numerous recent incidents where customer confidential data is lost continue to occur). Meanwhile, educate employees to avoid leaving laptops in their vehicles or other insecure places.
6. Require secure access for “superuser” administrators. Given their system privileges, any compromise to their access can open up your systems completely. Ensure that they don’t use generic user IDs, that their generic passwords are changed to a robust strength, and that all their commands are logged (and subsequently reviewed by another engineering team and management). Implement two-factor authentication for any remote superuser ID access.
7. Maintain up-to-date patching. Another absolute must-do. Enough said.
8. Encrypt critical data. Any customer or other confidential information transmitted from your organization should be encrypted. The same precautions apply to any login transactions that transmit credentials across public networks.
9. Perform regular penetration testing. Have a reputable firm test your perimeter defenses regularly.
10. Implement a DDoS network-based service. Work with your carriers to implement the ability to shed false requests and enable you to thwart a DDoS attack.
A Thoughtful Set of Advanced Best Practices: With the pace of change of technology and the rise of additional threats from APTs and state-sponsored espionage, your company’s security posture must adopt the latest techniques and maintain constant vigilance. Some advise that with the sophistication of some attackers such as the Russian Business Network, you should assume your network will be hacked or penetrated at some point (if not already). In response you need to move to partition and segment your systems and network to reduce any one threat from compromising a broad array of systems. Further, you must be able to identify compromises in real-time and prevent data from leaving your network. These measures plus others are part of the current best practices that I highly recommend.
a. Provide two-factor authentication for customers. Some of your customers’ personal devices are likely to be compromised, so requiring two-factor authentication for access to accounts prevents easy exploitation of their accounts and transactions with you.
b. Notify customers of key changes. Ensure you notify customers when certain key transactions have occurred on their accounts (for example, changes in payment destination, email address, physical address, etc.).
c. Secure all staff mobile devices. Equip all employee or contractor mobile devices that access your company’s network with passcodes, encryption, and wipe clean. You can do this with a good Mobile Device Management facility. Also secure other data mechanisms such as requiring employee USD flash memory devices to be encrypted.
d. Further strengthen access controls. Permit certain commands or functions (e.g., superuser) to be executed only from specific network segments (not remotely). Permit contractor network access via a partitioned secure network or secured client device with two factor authentication.
e. Secure your sites from inadvertent outside channels. Implement your own secured wireless network, one that can detect unauthorized access, at all corporate sites. Regularly scan for rogue network devices, such as DSL modems set up by employees, that let outgoing traffic bypass your controls.
f. Monitor and be able to act in real time. For many medium and all large firms, make the investment in a real time monitoring capability – either yours or a third party. You can leverage your current production operations structure to provide this key coverage. Time is of the essence when a threat is detected and finding out three weeks after you and your customers have been compromised is not easy to repair. This security capability can then be used to implement many of the practices in this section on a continual and real time basis.
g. Prevent data from leaving. Continuously monitor for transmission of customer and confidential corporate data, with the automated ability to shut down illicit flows using tools such as NetWitness. Establish permissions whereby sensitive data can be accessed only from certain IP ranges and sent only to another limited set. Continuously monitor traffic destinations in conjunction with a top-tier carrier in order to identify traffic going to fraudulent sites or unfriendly nations.
h. Ensure you can see the bad guys inside. Too much encryption can enable the bad guys to go unseen. On secured internal networks, minimize encryption to enable detection of unauthorized activity as well as diagnosis and resolution of production and performance problems.
i. Keep your eyes and ears open. Continually monitor underground forums (“Dark Web”) for mentions of your company’s name and/or your customers’ data for sale. Leverage a security monitoring service to ensure you are getting key potential alerts. Help your marketing and PR teams by monitoring social networks and other media for corporate mentions, providing a twice-daily report to summarize activity.
j. Raise the bar on suppliers. Audit and assess how your company’s suppliers handle critical corporate data. Far too many data losses have been the result of gaps at suppliers. You and your company are still responsible for the customers’ data, and it will be difficult to get adequate recompense from some contract terms after the fact and you will still bear the reputational losses. Don’t hesitate to prune suppliers with inadequate security practices. And be careful about having a fully open door between their networks and yours.
k. Put in place critical transaction process checks. Ensure that crucial transactions (i.e., large transfers) require two personnel to execute, and that regular reporting and management review of such transactions occurs.
l. Consider moving to a ‘segmented’ network. Conventional network and security models established an overall secure perimeter around the company. This defense, once breached, enables critical data to be easily accessed and exploited. Given the sophistication of today’s threats, consider segmenting your company’s network into physical and logical segments by criticality of data and function or ‘enclaves’. Thus, when one enclave is breached, other defense and enclaves can be maintained (not unlike a medieval walled city’s defenses). This requires much more thought and planning then the conventional ‘Tootsie Pop’ model of defense, but is far more robust.
Best, Jim D.
In some ways you can view it as no longer a matter of if you get hacked, but when. Information Week has a special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, where they take a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)