With the latest breaches in the news, I felt it was important to map out base practices as well as some of the best practices in Information Security. In the age of LulzSec, industrial espionage, and everyday breaches, it’s more important than ever to be proactive about security. I consulted with several top security engineers that I have worked with in the past to construct these practices. Much of this post was first published in early April in Information Week and I have updated it further. Given today’s threat landscape, this area should be a top priority for IT leaders to protect their firms, customers and information. If it’s not at your firm, you need to change that. Best, Jim.
PS. Here is a good reference on the biggest data breaches the past 15 years to help you get the investment required to properly implement IT Security.
Mark Twain observed 150 years ago: “A lie can travel halfway round the world while the truth is putting on its shoes.” With the advent of social media, these days that lie has likely made it all the way around the world and back while the truth is still in bed.
And today it is not just false information that travels; it is confidential information, your customers’ information, or your company’s intellectual property that is spirited away. The pace and sophistication of attacks by hackers and others who expose confidential data and emails has increased dramatically. For their latest exploit, a group calling itself LulzSec Reborn recently hacked a military dating website, releasing the usernames and passwords of more than 170,000 of the site’s subscribers.
Then there are the for-profit attacks by nation states and companies seeking intellectual property, and fraud by organized crime outfits. Consider the blatant industrial espionage conducted against Nortel and, more recently, AMSC, or the recent fraud attack against Global Payments. These are sobering stories of how companies falter or fail in part due to such espionage.
One of a CIO’s most critical responsibilities is to protect his or her company’s information assets. Such protection often focuses on preventing others from entering company systems and networks, but it must also identify and prevent data from leaving. The following recommendations can help you do this. They are listed in two sections: conventional measures that focus on system access, and best practices given the profiles of today’s attacks.
Conventional Measures:
Establish a thoughtful password policy. Sure, this is pretty basic, but it’s worth revisiting. Definitely require that users change their passwords regularly, but set a reasonable frequency–any less than three months and users will write their passwords down, compromising security. As for password complexity, require at least six or seven characters, with one capital letter and one number or other special character.
Publicize best security and confidentiality practices. Do a bit of marketing to raise user awareness and improve security and confidentiality practices. No security tool can be everywhere. Remind your employees that security threats can follow them home from work or to work from home. Help your employees take part in your company’s security practices — there is a good post on this at How To Make Information Security Everyone’s Problem.
Install and update robust antivirus software on your network and client devices. Enough said, but keep it up to date and make it comprehensive (all devices).
Review access regularly. Also, ensure that all access is provided on a “need-to-know” or “need-to-do” basis. This is an integral part of any Sarbanes-Oxley review, and it’s a good security practice as well. Educate your users at the same time you ask them to do the review. This will reduce the possibility of a single employee being able to commit fraud resulting from retained access from a previous position.
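The access review described above can be partly automated. The following Python script is an added example (not from the post or from any product it mentions): it compares what each user actually holds against what their current role needs, flags leftover entitlements from earlier positions, and flags separation-of-duties pairs that would let one person commit fraud alone. The roles, entitlements and user listing are constructed for illustration.

```python
# Access review on a "need-to-do" basis. All data below is constructed for
# illustration and does not describe any real system.

# Each role maps to the entitlements it legitimately needs.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"ap_create_invoice", "ap_view_invoice"},
    "accounts_receivable": {"ar_post_payment", "ar_view_ledger"},
    "treasury": {"wire_approve", "ar_view_ledger"},
}

# Holding both halves of a pair lets a single employee create an obligation
# and then pay it out, so the review flags it even if each half is justified.
TOXIC_COMBINATIONS = [
    ("ap_create_invoice", "wire_approve"),
]

# Constructed export from an identity system. Bob moved from accounts payable
# to treasury and kept an entitlement from his old position.
ACCESS_LISTING = [
    {"user": "alice", "role": "treasury",
     "entitlements": {"wire_approve", "ar_view_ledger"}},
    {"user": "bob", "role": "treasury",
     "entitlements": {"wire_approve", "ar_view_ledger", "ap_create_invoice"}},
    {"user": "carol", "role": "accounts_receivable",
     "entitlements": {"ar_post_payment"}},
]


def review_access(listing, role_entitlements=ROLE_ENTITLEMENTS,
                  toxic_combinations=TOXIC_COMBINATIONS):
    """Return user -> findings for every user whose access is not fully
    justified by their current role or who holds a toxic combination."""
    findings = {}
    for entry in listing:
        allowed = role_entitlements.get(entry["role"], set())
        held = set(entry["entitlements"])
        # Anything beyond the role's needs is a candidate for revocation;
        # an unknown role leaves everything unjustified (allowed is empty).
        excess = sorted(held - allowed)
        toxic = [pair for pair in toxic_combinations if set(pair) <= held]
        if excess or toxic:
            findings[entry["user"]] = {"excess": excess, "toxic": toxic}
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCESS_LISTING).items():
        print(f"{user}: revoke {finding['excess']}; toxic pairs {finding['toxic']}")
```

Run against the constructed listing, only bob is reported: one excess entitlement to revoke and one toxic pair. Sending each manager their own slice of this output is the educational step the post recommends alongside the review.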
Put in place laptop bootup hard drive encryption. This encryption will make it very difficult to expose confidential company information via lost or stolen laptops, which is still a big problem. Meanwhile, educate employees to avoid leaving laptops in their vehicles or other insecure places.
Require secure access for “superuser” administrators. Given their system privileges, any compromise to their access can open up your systems completely. Ensure that they don’t use generic user IDs, that their generic passwords are changed to a robust strength, and that all their commands are logged (and subsequently reviewed by another engineering team and management). Implement two-factor authentication for any remote superuser ID access.
Maintain up-to-date patching. Enough said.
Encrypt critical data only. Any customer or other confidential information transmitted from your organization should be encrypted. The same precautions apply to any login transactions that transmit credentials across public networks.
Perform regular penetration testing. Have a reputable firm test your perimeter defenses regularly.
A Thoughtful Set of Additional Current Best Practices: With the pace of change of technology and the rise of additional threats from hackers and state-sponsored espionage, your company’s security posture must adopt the latest best techniques and be updated regularly. Here are the current best practices that I would highly recommend.
Provide two-factor authentication for customers. Some of your customers’ personal devices are likely to be compromised, so requiring two-factor authentication for access to accounts prevents easy exploitation. Also, notify customers when certain transactions have occurred on their accounts (for example, changes in payment destination, email address, physical address, etc.).
Secure all mobile devices. Equip all mobile devices with passcodes, encryption, and remote-wipe capability. Encrypt your USB flash memory devices. On secured internal networks, minimize encryption to enable detection of unauthorized activity as well as diagnosis and resolution of production and performance problems.
Further strengthen access controls. Permit certain commands or functions (e.g., superuser) to be executed only from specific network segments (not remotely). Permit contractor network access via a partitioned secure network or secured client device.
Secure your sites from inadvertent outside channels. Implement your own secured wireless network, one that can detect unauthorized access, at all corporate sites. Regularly scan for rogue network devices, such as DSL modems set up by employees, that let outgoing traffic bypass your controls.
Prevent data from leaving. Continuously monitor for transmission of customer and confidential corporate data, with the automated ability to shut down illicit flows using tools such as NetWitness. Establish permissions whereby sensitive data can be accessed only from certain IP ranges and sent only to another limited set. Continuously monitor traffic destinations in conjunction with a top-tier carrier in order to identify traffic going to fraudulent sites or unfriendly nations.
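The two previous items share one idea: certain actions are permitted only from certain network segments, and sensitive data may only travel to a limited set of destinations. The Python below is an added example, not from the post or from NetWitness or any other tool it names. It encodes such a policy as a default-deny rule table and checks flow records against it, using only the standard ipaddress module. The segment ranges, action names and flow records are constructed for illustration.

```python
import ipaddress

# Constructed policy: privileged commands are accepted only from the admin
# segment, and sensitive data may be read only from internal ranges and sent
# only to two approved partner ranges. Any other combination is denied.
POLICY = {
    "superuser_command": {
        "allowed_sources": ["10.10.0.0/24"],   # admin jump segment, never remote
    },
    "sensitive_data_access": {
        "allowed_sources": ["10.0.0.0/8", "192.168.10.0/24"],
    },
    "sensitive_data_egress": {
        "allowed_sources": ["10.0.0.0/8"],
        "allowed_destinations": ["203.0.113.0/24", "198.51.100.16/28"],
    },
}


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def is_permitted(action, source_ip, dest_ip=None, policy=POLICY):
    """Default-deny check: an action is allowed only if a rule exists for it
    and every constraint in that rule (source range, destination range) holds."""
    rule = policy.get(action)
    if rule is None:
        return False
    if "allowed_sources" in rule and not _in_any(source_ip, rule["allowed_sources"]):
        return False
    if "allowed_destinations" in rule:
        if dest_ip is None or not _in_any(dest_ip, rule["allowed_destinations"]):
            return False
    return True


# Constructed flow records as (action, source, destination) tuples, e.g. from
# a proxy or session log. The last two should be blocked and alerted on.
SAMPLE_FLOWS = [
    ("superuser_command", "10.10.0.7", None),
    ("sensitive_data_egress", "10.20.1.4", "203.0.113.40"),
    ("superuser_command", "198.51.100.200", None),         # root command from outside
    ("sensitive_data_egress", "10.20.1.4", "192.0.2.77"),  # data leaving to unapproved host
]


def find_violations(flows, policy=POLICY):
    """Return every flow the policy does not permit."""
    return [flow for flow in flows if not is_permitted(flow[0], flow[1], flow[2], policy)]


if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print("BLOCK", flow)
```

The same rule table can drive both enforcement (reject the session) and the continuous monitoring the post describes (log and alert on every violation), which keeps the two from drifting apart.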
Keep your eyes and ears open. Continually monitor underground forums (“Dark Web”) for mentions of your company’s name and/or your customers’ data for sale. Help your marketing and PR teams by monitoring social networks and other media for corporate mentions, providing a twice-daily report to summarize activity.
Raise the bar on suppliers. Audit and assess how your company’s suppliers handle critical corporate data. Don’t hesitate to prune suppliers with inadequate security practices. Be careful about having a fully open door between their networks and yours.
Put in place critical transaction process checks. Ensure that crucial transactions (i.e., large transfers) require two personnel to execute, and that regular reporting and management review of such transactions occurs.
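The two-person rule for large transfers is simple to state but easy to implement loosely (for example, letting the requester count as an approver). The Python below is an added example, not from the post, of the control done strictly: transfers at or above a threshold need two distinct approvers, the requester can never approve, the same person cannot approve twice, and execution writes an audit entry for the management review the post calls for. The threshold and the transfer data are constructed for illustration.

```python
from dataclasses import dataclass, field

LARGE_TRANSFER_THRESHOLD = 10_000   # constructed threshold; tune to your business


class ApprovalError(ValueError):
    """Raised when an approval or execution would violate the control."""


@dataclass
class Transfer:
    transfer_id: str
    requested_by: str
    amount: int
    approvals: set = field(default_factory=set)
    executed: bool = False

    def required_approvals(self):
        # Large transfers need two distinct approvers; smaller ones need one.
        return 2 if self.amount >= LARGE_TRANSFER_THRESHOLD else 1

    def approve(self, approver):
        if self.executed:
            raise ApprovalError("transfer already executed")
        if approver == self.requested_by:
            raise ApprovalError("requester may not approve their own transfer")
        if approver in self.approvals:
            raise ApprovalError("the same person may not approve twice")
        self.approvals.add(approver)

    def execute(self, audit_log):
        """Execute only once the required number of distinct approvals is
        present, and record who approved for later management review."""
        needed = self.required_approvals()
        if len(self.approvals) < needed:
            raise ApprovalError(f"{needed} approvals required, have {len(self.approvals)}")
        self.executed = True
        audit_log.append({
            "transfer_id": self.transfer_id,
            "amount": self.amount,
            "requested_by": self.requested_by,
            "approved_by": sorted(self.approvals),
        })


def approval_rejected(transfer, approver):
    """True if the control rejects this approval attempt."""
    try:
        transfer.approve(approver)
    except ApprovalError:
        return True
    return False


def execution_rejected(transfer, audit_log):
    """True if the control refuses to execute the transfer as it stands."""
    try:
        transfer.execute(audit_log)
    except ApprovalError:
        return True
    return False


if __name__ == "__main__":
    log = []
    wire = Transfer("T-1001", requested_by="alice", amount=250_000)
    print("self-approval rejected:", approval_rejected(wire, "alice"))
    wire.approve("bob")
    print("execution with one approver rejected:", execution_rejected(wire, log))
    print("duplicate approver rejected:", approval_rejected(wire, "bob"))
    wire.approve("carol")
    wire.execute(log)
    print(log)
```

Keeping the audit entry in the same code path as execution means the reporting the post asks for cannot be skipped by a later shortcut; a transfer either leaves a record or does not execute.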
Best, Jim D.
In some ways you can view it as no longer a matter of if you get hacked, but when. Information Week has a special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, where they take a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)
Jim, Another excellent and timely post. With the recent advent of spear phishing, do you have any suggestions for educating those with high level access as to how to prevent being targeted and mitigating hackers that wish to target individual administrators?
JJ,
You are right, spear phishing has grown to become a new threat in large part because people want to please those who they think are important in their lives (e.g. a senior manager at the company where they work). And because they immediately jump to respond, they ignore major warning signs that might otherwise cause them to not respond to such targeted requests.
Again, the key defense is education of your staff and team as to such attacks. And then of course, if you have been penetrated, having two factor authentication and strong detection defenses means the damage should be limited and you should recognize the attack. But it is not certain. This attack tactic and social engineering attacks are why you must go to two factor for all key entry and transactions.
If anyone has additional suggestions, please do chime in here.
Best, Jim
I actually have to strongly disagree about the password policy.
Even at three months the policy laid out basically ensures that at least 50% of employees will have their password written down somewhere – usually on a sticky note near their desk or in their wallet. It also ensures that they will pick an easy to remember variant with the required characters, usually using 1 for their number and ! or <3 or 🙂 (etc, etc). Ask your sysadmins for a printout sample of the employee passwords sometime. You'd be surprised how easy most of them are to guess.
Oh, and sysadmin passwords? Those all go in a text file. Usually on the desktop. Or in a folder labeled something obvious, like "Keys". If you're lucky, the password file will be encrypted, usually with something snarky like "rewritetheAPI" or "ihateMYSQL". If I were to write a sysadmin password cracker, I would start with all the cursewords and epithets, followed by names of software and company vps.
Also, hackers now know the 'secure' password system. They also know most people are likely to simply capitalize the first letter, and then use a punctuation symbol or an emoticon at the end with a number sequence. There are a couple of other patterns – 733t5p34k, for example (substituting numbers for similar looking letters) – and using important dates, but all of these are easy to automatically guess. I just put these additional functions into my cracker and voila.
Here's what I would do:
– Have an easy to use keychain system for sysadmins (there are many great commercial products available), with TWO FACTOR authentication (preferably a little usb key or one of those neat RSA fobs). Talk to your sysadmins honestly about their password policy. Ask them to open their wallets and hand over any index cards with passwords scrawled over them ;). Then ask them how to realistically manage the 30+ passwords they're supposed to memorize.
– For the rest of the employees, encourage people to USE RANDOM, SELF AUTHORED SENTENCES. Yes, sentences. It is exponentially harder to guess:
"I went shopping at noon and bought 15 eggs."
Than it is to guess:
"Sammy57"
It's also MUCH easier for a person to remember a sentence, and easier to come up with a new password. It's also much much much harder to crack. As an added bonus, any grammatical mistakes generate extra entropy!
See also this highly relevant comic: Password Strength
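The post's password policy (seven or more characters, one capital, one number or special character) and the comment's two sample passwords can be compared directly. The Python below is an added example, not from the post or the commenter: it checks the composition rules, then estimates the guessing work under two attacker models, character-by-character brute force and a word-based attack that guesses whole dictionary words and digit runs. The 20,000-word vocabulary and the 33-character punctuation alphabet are assumed parameters.

```python
import math
import re

# Composition rules from the post's password policy.
MIN_LENGTH = 7


def meets_policy(password):
    has_upper = any(c.isupper() for c in password)
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in password)
    return len(password) >= MIN_LENGTH and has_upper and has_digit_or_special


def brute_force_bits(password):
    """Work for an attacker who tries every string over the character classes
    present: len * log2(alphabet). This is the optimistic (upper) estimate."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33   # assumed: printable ASCII punctuation plus space
    return len(password) * math.log2(alphabet)


def word_attack_bits(password, vocabulary_size=20_000):
    """Work for an attacker who guesses whole words and digit runs rather than
    characters. Assumed vocabulary of 20,000 common words and names; each
    digit run costs log2(10) per digit. Much tighter for sentences."""
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+|[0-9]+", password):
        if token.isdigit():
            bits += len(token) * math.log2(10)
        else:
            bits += math.log2(vocabulary_size)
    return bits


def estimated_bits(password):
    """Conservative strength: the cheaper of the two attack models."""
    return min(brute_force_bits(password), word_attack_bits(password))


if __name__ == "__main__":
    for candidate in ["Sammy57", "I went shopping at noon and bought 15 eggs."]:
        print(f"{candidate!r}: policy={meets_policy(candidate)}, "
              f"brute={brute_force_bits(candidate):.1f} bits, "
              f"words={word_attack_bits(candidate):.1f} bits, "
              f"estimate={estimated_bits(candidate):.1f} bits")
```

Both samples satisfy the composition rules, which is the point: the rules cannot tell them apart, while the word-based estimate puts the sentence roughly 100 bits ahead of "Sammy57". A policy that measures estimated guessing work (length, in practice) rather than character classes rewards the sentences the comment recommends.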
Susan,
Good comments on passwords and the difficulty of getting your staff to actually use strong passwords. If I recall correctly the team that cracked Syrian dictator Assad’s password found that he used ‘123456’. I like the idea of using sentences as passwords — they are easier to remember but harder to crack. In fact Google had a public ad campaign recommending such an approach. In fact perhaps a good one to use would be ‘Tryandguessthisone,stupidhackers!’
Unfortunately, between poorly chosen passwords and leaving corporate laptops in our cars, we leave the door wide open for hackers to do serious damage. Thanks for your insight!
Best, Jim