Raj Patel has a professional background of Information Security roles in major blue-chip companies including Aviva. In this article he asks what businesses have learned from high profile breaches over the last few years
Businesses are evolving to address their security needs and adopt best practice. A good thing too, as it is often the basics that get forgotten. Many breaches originate inside the perimeter, whether through a malicious insider or through an account an outsider has compromised, so an organisation that focuses only on perimeter security may be missing internal risk areas. The joiners, movers and leavers process should ensure that permissions are revoked when staff leave or change role, and that staff hold only the privileges their current job requires. Moving between roles is the case most often missed: access from the old role accumulates on top of the new one unless it is explicitly removed.
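A concrete check for the leavers and movers cases, as an added example that is not from the article: the script reconciles a constructed HR roster against constructed directory accounts and flags leaver accounts that are still enabled, leavers still in groups, movers who kept entitlements from their old role, and accounts with no HR owner. The role-to-group mapping is an assumed entitlement model; in practice the roster and accounts would come from the HR system and a directory export.

```python
"""Reconcile an HR roster against directory accounts to catch JML failures.

Added example, not code from the article. The roster, the account list and
the role-to-group entitlement model are constructed sample data; in practice
they would come from the HR system and a directory export.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed entitlement model: each role is permitted exactly these groups.
ROLE_GROUPS = {
    "finance-analyst": {"finance-read", "erp-users"},
    "finance-manager": {"finance-read", "finance-approve", "erp-users"},
    "helpdesk": {"helpdesk", "workstation-admins"},
}


@dataclass
class Employee:
    emp_id: str
    status: str          # "active" or "left"
    role: str            # current role, after any move


@dataclass
class Account:
    username: str
    emp_id: Optional[str]    # None when the account is not linked to a person
    enabled: bool
    groups: Set[str] = field(default_factory=set)


Finding = Tuple[str, str, str]   # (kind, username, detail)


def reconcile(roster: List[Employee], accounts: List[Account]) -> List[Finding]:
    """Return one finding per account that the JML process has left in a bad state."""
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id) if acct.emp_id else None
        if emp is None:
            # No owner in HR: either a leaver whose record was purged or an
            # unowned account; either way nobody is accountable for it.
            findings.append(("orphan", acct.username, "no matching HR record"))
            continue
        if emp.status == "left":
            if acct.enabled:
                findings.append(("leaver-enabled", acct.username,
                                 f"{emp.emp_id} has left but the account is still enabled"))
            if acct.groups:
                findings.append(("leaver-groups", acct.username,
                                 f"still a member of {sorted(acct.groups)}"))
            continue
        # Mover / privilege-creep check: anything beyond the current role's groups.
        excess = acct.groups - ROLE_GROUPS.get(emp.role, set())
        if excess:
            findings.append(("excess-privilege", acct.username,
                             f"role {emp.role} does not permit {sorted(excess)}"))
    return findings


# Constructed sample data.
SAMPLE_ROSTER = [
    Employee("E100", "active", "finance-analyst"),
    Employee("E101", "left", "finance-manager"),
    Employee("E102", "active", "helpdesk"),        # moved here from finance-analyst
]
SAMPLE_ACCOUNTS = [
    Account("asmith", "E100", True, {"finance-read", "erp-users"}),
    Account("bjones", "E101", True, {"finance-approve", "erp-users"}),
    Account("cwu", "E102", True, {"helpdesk", "workstation-admins", "finance-read"}),
    Account("dlee", "E999", True, {"erp-users"}),  # E999 is not on the roster
]


def sample_findings() -> List[Finding]:
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for kind, user, detail in sample_findings():
        print(f"{kind:18} {user:8} {detail}")
```

Run on a schedule, each finding becomes a ticket for the account owner. An orphan is not always a mistake (service accounts have no employee), but every account should still have a named owner, so the finding is worth raising until one is recorded.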
Keeping critical IT systems secure should be a top priority, so a vulnerability management programme that regularly scans for issues and fixes them should be in place. The programme should also cover non-critical systems, and scans can run monthly, quarterly, twice-yearly or on any combination of those cycles, with the most exposed systems scanned most often.
An unpatched non-critical system is a common foothold: attackers compromise it first and then pivot from it to more critical systems. The programme should cover firmware, operating system and application updates. Application updates might, for example, be applied twice-yearly or annually depending on the effort and risk involved, while operating system and firmware updates can be applied more frequently, in line with vendor recommendations; a fix for a flaw that is being actively exploited should not wait for the scheduled window. Ideally, updates are first tested in a dedicated test or staging environment; failing that, a phased rollout is the next best thing.
Addressing ‘human loopholes’ in organisational security
The real weakness in security is the human element. Organisational changes can lead staff to change their behaviour to the detriment of the company, for example by stealing confidential information or committing fraud after a downsizing announcement. Employees need to understand why processes are done in a certain way in order to appreciate the security risks, so education is key to communicating corporate policy to every member of staff. Good security awareness campaigns help employees feel engaged and encourage them to report security issues without feeling uncomfortable about doing so. They should combine orientation for new starters, regular emails, posters, random checks and policy reminders.
“An individual’s security-risk status may have changed since you admitted them into your organisation”
Good information security is a process, not a 'perform once and forget' activity. Threats and risks change for many reasons, and a security function should likewise be able to deal with changing attack vectors.
If your organisation is required to provide evidence of good security practice, for example for PCI DSS compliance, then senior management should capitalise on this as an opportunity for security awareness and to embed good security practice in employees. Organisations that are not required to provide evidence can still take a number of approaches to put themselves in the strongest possible position to minimise the likelihood of being compromised (refer to the comprehensive NIST publication "Generally Accepted Principles and Practices for Securing Information Technology Systems", NIST Special Publication 800-14).
The security industry has come a long way, and so too have its tools and processes, in part thanks to the breaches suffered by well-known companies. Good security requires investment in tools, technology and staff who are able to carry out security activities. Will your organisation be the next headline-grabbing news story? How much reputational damage would a breach cost your organisation? Would you be able to carry on as a business if your organisation suffered a breach?
Access management tools and employee re-vetting as corporate security safeguards
Three factors worth considering when assessing the security of an organisation are the use of access management tools, the use of their logging features, and the periodic re-evaluation of 'vetted' employees.
Access management tools can help track the use of highly privileged user accounts, which should be restricted to those who need them to do their job. Privileged accounts pose more of a risk to your organisation because a holder can breach personal data, complete unauthorised transactions, cause denial-of-service (DoS) conditions by making a machine or network resource unavailable to its intended users, and alter audit trails. Highly privileged accounts are often shared between IT professionals because some systems make it almost impossible to delegate a subset of privileges to individual accounts; a shared account also destroys accountability, since its actions cannot be attributed to one person.
It is also recommended to use the logging features of the tools already deployed in your organisation; logs are a great aid for investigative purposes should an incident arise. By collecting and analysing logs you can understand what transpires within your network. Each log entry contains pieces of information that can be invaluable, especially if you know how to read and analyse them, and with proper analysis of this data you can identify intrusion attempts and misconfigured equipment. Logs are only useful if they are retained long enough to cover an investigation and if clocks across systems are synchronised, so that events on different machines can be correlated.
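To make the point about analysing logs concrete, here is an added example (not from the article) that runs detection logic over constructed OpenSSH authentication log lines. It flags a burst of failed logins from one address, a successful login from that same address afterwards, and a privileged account accepted from more than one address, which is the shared-credential problem described in the previous paragraph. The PRIVILEGED set, FAIL_THRESHOLD and the sample log lines are assumptions; the addresses are from documentation ranges.

```python
"""Detect brute-force attempts and shared privileged logins in sshd auth logs.

Added example, not code from the article. The log lines are constructed and
use documentation IP ranges; PRIVILEGED and FAIL_THRESHOLD are assumed
site-specific settings.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

PRIVILEGED = {"root", "admin"}   # accounts whose use should be attributable to one person
FAIL_THRESHOLD = 5               # failed logins from one source before it is flagged

# Matches OpenSSH "Accepted"/"Failed" lines; other sshd/pam lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

Finding = Tuple[str, str, str]   # (kind, subject, detail)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines: Iterable[str]) -> List[Finding]:
    events = [ev for ev in map(parse_line, lines) if ev]
    fails_by_ip: Counter = Counter()
    accepted_from: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            fails_by_ip[ev["ip"]] += 1
        else:
            accepted_from[ev["user"]].add(ev["ip"])

    findings: List[Finding] = []
    # 1. Password guessing: many failures from one source address.
    for ip, n in fails_by_ip.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("brute-force", ip, f"{n} failed logins"))
    # 2. A success from a source that had already crossed the failure threshold
    #    is the most urgent signal: the guessing may have worked.
    for ev in events:
        if ev["result"] == "Accepted" and fails_by_ip[ev["ip"]] >= FAIL_THRESHOLD:
            findings.append(("success-after-brute", ev["user"],
                             f"accepted from {ev['ip']} after {fails_by_ip[ev['ip']]} failures"))
    # 3. A privileged account used from several addresses suggests shared
    #    credentials, which breaks the audit trail.
    for user, ips in accepted_from.items():
        if user in PRIVILEGED and len(ips) > 1:
            findings.append(("shared-privileged", user,
                             f"accepted from {len(ips)} addresses: {sorted(ips)}"))
    return findings


# Constructed sample log; one unrelated pam line is included to show it is skipped.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw1 sshd[4101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:15:03 gw1 sshd[4103]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar  3 10:15:05 gw1 sshd[4105]: Failed password for root from 203.0.113.5 port 40126 ssh2
Mar  3 10:15:07 gw1 sshd[4107]: Failed password for root from 203.0.113.5 port 40128 ssh2
Mar  3 10:15:09 gw1 sshd[4109]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:15:11 gw1 sshd[4111]: Failed password for invalid user oracle from 203.0.113.5 port 40132 ssh2
Mar  3 10:15:12 gw1 sshd[4111]: pam_unix(sshd:auth): authentication failure; logname= uid=0
Mar  3 10:15:20 gw1 sshd[4120]: Accepted password for root from 203.0.113.5 port 40140 ssh2
Mar  3 10:31:44 gw1 sshd[4200]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:35:02 gw1 sshd[4210]: Accepted password for admin from 192.0.2.9 port 52000 ssh2
Mar  3 10:40:10 gw1 sshd[4220]: Accepted publickey for jdoe from 192.0.2.10 port 52100 ssh2
"""


def sample_findings() -> List[Finding]:
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, subject, detail in sample_findings():
        print(f"{kind:20} {subject:14} {detail}")
```

The three checks are deliberately simple so that the counting is easy to verify by hand; a real deployment would add a time window to the failure count and feed the findings into whatever alerting the organisation already runs, but the shape of the work, parse, aggregate, compare against a policy, is the same.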
Finally, consider that an individual's security-risk status may have changed since you admitted them into your organisation. Vetting employees when they start is good, but consider re-vetting them every couple of years or so. People's circumstances change, and that can affect their behaviour. Just because an employee was cleared for employment initially does not mean they will pose no risk to the business at some point in the future. Ongoing screening of existing employees is therefore an essential part of a rolling security audit.