The wired world of today makes it possible for a malicious
person to get into a company’s system in the middle of the night, when its
premises are locked: the electronic equivalent of an intruder is on the move.
Companies often make their computer networks vulnerable while
embracing a new technology aimed at improving productivity, mainly because
they fail to recognize the security needs associated with that technology,
assuming, perhaps, that the technology is complete in itself. For instance, by adding a
remote access e-mail gateway so that employees can read e-mail while away from
the office, companies may be unwittingly providing a side door into their
computer network, especially if strong authentication measures are not
implemented. Also, by adding a Web site and an FTP server so that customers can
instantly retrieve product information and software fixes from anywhere in the
world on a 24×7 basis, companies may actually be providing an electronic tunnel
to other, non-public corporate data. Similarly, by embracing electronic data
interchange (EDI) as a state-of-the-art vendor order and payment system, a
company could be allowing an impostor to access the company inventory or cheque
book.
However, too much security can be as counterproductive as too
little security: no modern organization can be self-destructive enough to shun
a technology in the name of security. And as companies come to rely on
internetworking to lower the costs of doing business–e-mail for
communications, Web sites for information publishing, FTP for software update
distribution, and EDI for supplier-vendor transactions–the productivity gains
become too compelling to ignore.
The security policy
A security policy is the answer
A security policy helps the organization adopt a new technology
without leaving holes to be exploited.
Enterprise security experts believe that risk management is
not about eliminating risk. Rather, it is about understanding the nature
of the risks involved in, say, the implementation of a new technology, and taking
informed decisions to counter those risks. Unfortunately, according
to a KPMG survey report on information security practices, 77% of Indian
organizations do not have a formal security policy document to assist them in
managing that risk.
According to Akhilesh Tuteja, manager, information risk
management services, KPMG, the absence of a formal security policy in an
organization indicates that its senior management has not recognized the need
for security. A well-formulated, comprehensive security policy document
equips the organization with the right tool to assess the criticality of its
information assets, determine the extent of security required and assign
appropriate access to internal and external agencies.
A network security policy is required to establish an
enterprise-wide program of how both internal and external users interact with a
company’s computer network, how the corporate computer architecture topology
is implemented, and where computer assets are located. The policy is essential
to weigh possible threats against personal productivity and corporate assets,
which need different levels of protection. Explaining the need for a security
policy among enterprises and organizations, the KPMG report says, "Formal
security policies and procedures raise awareness about security issues and
establish specific processes for preventing and dealing with security breaches.
A security policy provides a framework to implement information security and a
benchmark to assess the adequacy and level of implementation of security in an
organization at periodic intervals."
Says Tuteja, "The goal of developing an official
security policy is to define the organization’s expectations of proper
computer and network usage and to outline procedures to prevent and respond to
security mishaps." This also means that all security aspects must be
considered and agreed upon by the policy-making group in the organization. But
who creates the policy-making group and who are to be the participants?
Drivers–IT and HR managers
While most companies tend to believe that network
security is an IT issue and should be handled by the IT department alone,
experts feel otherwise. In fact, policy creation should be a joint effort by a
representative group of decision-makers, technical personnel, and day-to-day
users from different levels within the organization, with the IT and HR
departments acting as the prime drivers. While the IT department would act as a
facilitator in terms of technology, the HR department should encourage its
adoption among employees. The day-to-day users, in turn, give the
necessary feedback about the usability and effectiveness of a given technology
and point out its loopholes, if any.
Only an active and cohesive involvement of these
representative groups can bring out a sound security policy document. However,
the document should give the policy makers powers to enforce it.
Tuteja is of the view that the responsibility for creating a
mechanism to protect a company’s vital information and its network ultimately
lies with the board members, who are answerable to the company’s stakeholders.
If the company does not have proper security measures in place, its vital
business data can be an easy target for competitors. This may lead to a serious
loss of business, and consequently a drop in the company’s share price.
"While employees remember every other policy matter that directly affects
them, there is a level of detachment when it comes to the organization’s
security policies. Involvement from senior management is critical to ensure
buy-in to these policies by the employees," he says.
Policy framework
Developing a security policy first entails identifying the
organizational assets, recognizing the threats and assessing the risks. Then
comes evaluating and implementing the tools and technologies available to meet
the risks, and developing a usage policy. An auditing procedure, to review the
network and server usage on a periodical basis, should also form a part of the
framework. Equally important is the provision of a response mechanism, should
any violation or breakdown occur. Finally, the policy should be effectively
communicated to everyone who uses the computer network, and be reviewed on a
regular basis.
Assessing risks
Unfortunately, in India, while organizations have been trying
to cope with the security challenges that accompany the
introduction of new technologies and processes, not many of them are aware of
threats other than virus attacks or denial of service. The first step,
therefore, is to create a list of the hardware and software assets, as well as the
information, that need to be protected. It should also include the tools that are
to be used to guard them. This list should be easy to update and updated regularly, as
most organizations add and remove equipment all the time.
While there is a great deal of publicity about intruders on
computer networks, most surveys show that the actual loss caused by people
within the organization is significantly greater. Risk analysis involves
determining what you need to protect, what to protect it from and how to protect
it. It is the process of examining all your risks and ranking them by
level of severity. The process involves making cost-effective decisions on what
you want to protect. Possible risks to a network include unauthorized access,
unavailability of service, corruption of data or a slowdown due to a virus.
Disclosure of sensitive information to an unauthorized person or agency, or
theft, say of credit card information, are other major security issues.
Once the list has been assembled, a scheme for weighing the
risk against the importance of the resource should be developed. This allows the
policy makers to determine how much effort should be spent protecting a
particular resource.
Auditing and review
Policy makers can take advantage of the tools available at a
given point in time to detect a range of security breaches and the levels of
violation. Most operating systems, for instance, record numerous pieces of
information in log files. Examination of these log files on a regular basis
often forms the first line of defense against unauthorized usage
of the system.
Periodic reviews are imperative in view of the fast-changing
computing environment. Says Tuteja, "It is getting astoundingly easy to
break into network sites through available user-friendly point-and-click
packages. Security is a dynamic process. Only by assembling the core team or a
representative subset, reviewing how well things are working, keeping abreast of
the latest threats and security tools, and assessing the risk against new assets
and business practices can an organization stay secure and productive."
Usage framework
The security policy draft should include a formalized process
to communicate the security guidelines to all users. In addition, an awareness
campaign should be initiated to educate users about how computer and network
systems are expected to be used and how to protect themselves from unauthorized
users–a process which needs to be driven by the company’s HR department.
Dissemination of information regarding the policy and the reason for its
implementation will also help the organization absorb the new system comfortably
and dispel any apprehension among employees about breach of their privacy.
All users should be informed about what is considered the
proper usage of their user account or workstation. This can most easily be done
at the time users receive their accounts, by giving them a policy statement.
Proper policy statements typically dictate things like whether or not the
account or workstation may be used for personal activities like checkbook
balancing or letter writing, whether profit-making activities are allowed or
whether game playing is permitted.
Users should also be told how to detect unauthorized
access to their accounts. If the system prints the last login time when a user
logs in, he or she should be told to check that time and note whether or not it
agrees with the last time he or she actually logged in. Ideally, the security
policy should strike a balance between protection and productivity.
Response plan
There are a number of responses an organization may
choose from once a security violation has been recognized. Planning responses
for different scenarios well in advance, without the pressure of an actual event, is
good practice. Not only does an organization need to define actions based on
the type of violation, the policy should also contain a clearly defined series
of actions based on the kind of security breach of the enterprise-wide computer
network.
When a policy violation has been detected, the immediate
course of action should be predefined to ensure prompt and proper enforcement.
A detailed investigation may be performed later to determine how and why the
violation occurred, and further corrective action should then be taken. The type
and severity of the action taken would vary, depending on the type of violation.
There are two suggested courses of action in case of a
security violation. If the management fears that the site is sufficiently
vulnerable, it may choose a ‘protect and proceed’ strategy. This
approach has as its primary goal the protection and preservation of the
network facilities and the restoration of normalcy as quickly as possible. Attempts
will be made to actively interfere with the intruder’s processes, prevent
further access, and begin immediate damage assessment and recovery. This process
may involve shutting down the facilities temporarily, closing access to the
network, or other such drastic measures. The drawback is that unless the
intruder has been identified, he or she may come back into the site via a
different path or target another part of the network at some other point in
time.
The alternative approach is ‘pursue and prosecute’. This
approach is exactly opposite to the earlier one. The primary strategy here is to
allow intruders to continue their activities until the monitoring system
identifies the responsible persons or paths. In fact, law enforcement agencies
and prosecutors endorse this approach.
Prosecution is not the only possible outcome if intruders are
identified. If they are employees, the organization may choose to undertake
internal disciplinary action. Hence, the computer security policy also needs to
spell out the different courses of action for different sets of intruders.
Policy makers must consider this carefully before a problem occurs:
the strategy adopted might vary depending on the circumstances, or there may
be a global policy that mandates one approach in all circumstances. The pros and
cons must be examined thoroughly, and the users of the facilities must be made
aware of the policy so that they understand the implications of a violation.
Capturing lessons learned
Once the invaded system has been restored to a ‘safe’
mode, it is still possible that holes and even traps could be lurking in the
system. In the follow-up stage, the system should be monitored for items that
may have been missed during the clean-up stage.
A security log can be of great value during this phase. There
are two considerations here. One, keep logs of the procedures that have
been used to make the system secure. This would include command procedures, such as
shell scripts, that can be run on a periodic basis to recheck the security. Two,
keep logs of important system events. These can be referenced when trying to
determine the extent of damage from a given incident.
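The periodic log review described under "Auditing and review" and the recheck scripts mentioned here, as an added example that is not the article's or KPMG's own code: a small POSIX shell script that reads an sshd-style auth log and flags repeated failed logins per source address and successful logins in the small hours. The host name, user names, addresses and every log line are constructed for the illustration.

```shell
#!/bin/sh
# Periodic log-review script (added illustration; not the article's own code).
# Checks an sshd-style auth log for repeated failed logins per source address
# and for successful logins in the small hours. All log lines are constructed.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar 14 02:17:03 fileserver sshd[4120]: Failed password for invalid user admin from 192.0.2.45 port 51522 ssh2
Mar 14 02:17:07 fileserver sshd[4120]: Failed password for invalid user admin from 192.0.2.45 port 51522 ssh2
Mar 14 02:17:12 fileserver sshd[4120]: Failed password for invalid user admin from 192.0.2.45 port 51522 ssh2
Mar 14 02:19:40 fileserver sshd[4131]: Accepted password for rkumar from 192.0.2.45 port 51530 ssh2
Mar 14 09:02:11 fileserver sshd[4310]: Accepted publickey for rkumar from 10.0.0.12 port 40112 ssh2
Mar 14 09:45:02 fileserver sshd[4377]: Failed password for ssingh from 10.0.0.20 port 40200 ssh2
Mar 14 09:45:09 fileserver sshd[4377]: Accepted password for ssingh from 10.0.0.20 port 40200 ssh2
EOF

# Print "count source" for each source with at least $2 failed logins in $1.
failed_login_sources() {
    awk -v min="$2" '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (s in fails) if (fails[s] >= min) print fails[s], s }
    ' "$1" | sort -rn
}

# Print accepted logins whose hour is 00-05, when nobody should be working.
after_hours_logins() {
    awk '/Accepted/ { split($3, t, ":"); if (t[1] + 0 < 6) print }' "$1"
}

# Run both checks; return 1 when something needs a human to look at it.
review_log() {
    findings=0
    out="$(failed_login_sources "$1" 3)"
    if [ -n "$out" ]; then echo "Repeated failed logins:"; echo "$out"; findings=1; fi
    out="$(after_hours_logins "$1")"
    if [ -n "$out" ]; then echo "After-hours logins:"; echo "$out"; findings=1; fi
    return "$findings"
}

review_log "$SAMPLE_LOG" || echo "Review needed: follow the response plan."
```

Run from cron against the real auth log (replace SAMPLE_LOG with its path) and the non-zero exit status is the cue to start the predefined response rather than an ad hoc one.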
After an incident, it is prudent to write a report describing
the incident, the method of discovery, the correction procedure, the monitoring procedure
and a summary of lessons learned. This will aid a clear understanding of the
problem. Remember that it is difficult to learn from an incident if you don’t
understand its source.
SHUBHENDU PARTH
in New Delhi