You can imagine the logic as the board members debate the topic. "Um, we have a security problem. Someone could break into our computer system and wreck our business." Then the wise leaders make a decision: it's a computer issue, so therefore it belongs with IT to resolve.
Well, here's news for you: the IT aspect is only part of the solution. It's important to have firewalls and antivirus solutions in place but they will get you nowhere if you haven't established a set of policies and procedures and -- most importantly -- enforced them. Someone should tell that to the police, who recently faced an embarrassing situation when it was revealed that a good number were sharing pornography. That's not very PC, and no amount of technology will fix the problem if you don't establish a set of user policies and enforce them. May the enforcer be with you.
If you want to know about security, there is no better person to talk to than someone who is immersed in it both as an auditor and as a solutions provider. Kaon SecurITy's Tony Krzyzewski is one such person, and he has seen it all. In particular, as he performs his audits he sees that security's biggest challenge is a lack of policies and procedures. "What New Zealand seems to have been doing is throwing point solutions at the problem rather than getting to the underlying issues. What are we trying to protect? How do we ensure our staff know what we are supposed to be doing? That sort of thing. Very few companies I visit have documented policies and procedures in place."
So who should handle security? Putting the CIO or IT manager in charge is about as logical as putting an aircraft engineer in charge of flying a plane. It doesn't make a lot of sense, and the result, according to Krzyzewski, is that the person charged with the responsibility is likely to run a mile to escape it. Where security does work, he says, is when it is handled by a consensus under the CEO's guiding hand. If you get your security wrong, it's a liability. If you get it right, it's an asset. Security leadership must start from the top of the organization.
If you do get it right, by the way, the worst thing you can do is become complacent. Krzyzewski recalls with a smile how one firm showed a distinct lack of interest in his suggestion that it should have a security review. "We don't have any security issues," Krzyzewski was told. "We've never had a virus." Now, that's naïve and just asking for trouble.
"Security has got to cover everything," says Krzyzewski. "The first question you have to ask is: 'What are we trying to protect?' Typically you might be trying to protect your assets, your physical property, your intellectual property, your customer services and related data, your information content, your regulatory compliance in relation to archiving of information, information protected under the Privacy Act ..."
Once you have answered the question you are then in a position to develop a set of policies that match your business requirements. Out of those policies will emerge a set of appropriate technological and operational responses.
When Krzyzewski enters a firm to perform an audit the first thing he does is look at the company's computing environment. Most businesses will, of course, have standard systems -- typically, from Microsoft. That's fine, but the first thing the owner should do is ensure it is locked down properly and that the password system is as bulletproof as possible. Krzyzewski doesn't recall seeing one site in three years with adequate passwords. Put that on the "To Do" list -- educate staff on password creation and handling.
Next, if you are connecting to the internet make sure your business has an adequate firewall. There should be no compromises here. "Just this morning I visited an organization that had built a new network in April. It was connected to a Telecom Jetstream router but there was no firewall. The business hadn't got around to that yet. Well, the bad news is that the bad guys are likely to get into that business faster than it gets around to installing its firewall."
Having locked down your policies and procedures and installed a firewall, you need to make sure your mail protection is implemented. In some cases this might mean installing an antivirus system or, preferably, a mail firewall at the periphery of the network. You will also need to look at archiving of email because of its significance to the business. "Again we see a lot of weakness here," says Krzyzewski. "There's a lot of potential for loss of corporate information."
Krzyzewski believes mail archiving is an area that will take off before long. Policies and procedures relating to archiving need to be put in place and the information on the systems should be protected. He is amazed that so many organizations have failed to take action. Many operate on trust, saying they expect staff not to download certain items. Unfortunately that's not the way human nature works. Curiosity wins out, and all too often a business faces unexpected public embarrassment. Just think about the police on this one.
A decent internet management system will also protect against malware and prevent staff from downloading hostile applications as well.
The big one
Probably the biggest single culprit when it comes to security breaches is the notebook computer. While larger organizations might have the necessary firewalls and protection systems in place, many forget about the much-travelled notebook. All it takes is for one person to go out into the field, download hostile material and introduce it into the network when they return. The damage is done. The answer to the problem, once again, is to set up a personal firewall on each notebook, install an antivirus system and introduce appropriate policies and processes on data handling. If business-sensitive data is held on the laptop, it should be encrypted.
"Laptop theft levels in New Zealand are still pretty high," says Krzyzewski. "A report out of Australia said an average laptop theft in the corporate sector cost A$22,000 (US$16,737) per incident. There's an attitude that it's only a laptop and, well, they're cheap to replace. But consider the consequences if the information on the laptop gets out and how you can close down that leak."
Indeed, those leaks can have serious consequences. At the time we spoke, Krzyzewski was dealing with an organization trying to handle a potentially serious situation relating to information stored on a notebook computer.
Just as likely to cause damage are the growing number of outside links within business. "You've got to consider the implications when a vendor comes along and says it has an operating system or router that can give you the ability to enter and exit your network remotely. If you can make a connection out to the world, the world can make a connection back to you if you don't do it properly."
Krzyzewski recommends the use of a two-factor authentication system, which -- as he describes it -- requires something you have and something you know. A typical system might employ a keyfob passcode generator, combined with a username and a personal PIN. After the user has logged on to the network, care must be taken to ensure that he or she has access only to information appropriate to their level of authority.
"We tend not to think users are going to be bad," says Krzyzewski. "It's a New Zealand trait. When it comes to security, though, the internet-borne attacks will be the ones that are annoying and take a lot of time to fix. But attacks from within are the ones that end up on the front page of Computerworld and the TV news. And they can cost big dollars." Krzyzewski refers to a book written in 1990, Network Security: the Threat from Within, that refers to the 80/20 rule. What it means is that 80% of security problems lie within the organization. The book was written 15 years ago and nothing has changed since. Typically, most internal threats relate to having inappropriate security controls. It's important not to give users elevated privileges.
"I audited a site earlier this year where, as a result of someone ticking an incorrect box, something like 45 users had full domain and administration rights. It was a simple mistake and it was picked up in the audit. Luckily it was the good guy that picked it up rather than the bad guy."
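The mistake described above, users picking up domain-admin rights through a wrongly ticked box, is usually found by expanding nested group membership and comparing the result against an approved list. The following is an added example written for this page, not Kaon's tooling; the CSV export format, the group names and the approved list are all constructed assumptions.

```python
"""Audit who effectively holds domain-admin rights, following nested group
membership, and compare the result against an approved list.

The export format (group,member,type with type 'user' or 'group') is an
assumption for this example; real directory exports look different.
"""
from __future__ import annotations

import csv
from io import StringIO

# Constructed sample export. One wrongly ticked box has placed the
# "All Staff" group inside "Helpdesk", which itself sits in Domain Admins.
SAMPLE_EXPORT = """group,member,type
Domain Admins,alice,user
Domain Admins,Helpdesk,group
Helpdesk,bob,user
Helpdesk,All Staff,group
All Staff,carol,user
All Staff,dave,user
All Staff,erin,user
Sales,frank,user
"""

APPROVED_ADMINS = {"alice", "bob"}        # constructed approved list
PRIVILEGED_GROUPS = ("Domain Admins",)    # groups whose membership is audited


def parse_export(text: str) -> dict[str, list[tuple[str, str]]]:
    """Return {group: [(member, 'user'|'group'), ...]} from the CSV export."""
    members: dict[str, list[tuple[str, str]]] = {}
    for row in csv.DictReader(StringIO(text)):
        members.setdefault(row["group"], []).append((row["member"], row["type"]))
    return members


def effective_members(members: dict, group: str) -> dict[str, list[str]]:
    """Expand nested groups and return {user: [group chain that grants it]}."""
    found: dict[str, list[str]] = {}
    seen: set[str] = set()
    stack = [(group, [group])]
    while stack:
        current, path = stack.pop()
        if current in seen:            # guards against circular nesting
            continue
        seen.add(current)
        for member, kind in members.get(current, []):
            if kind == "group":
                stack.append((member, path + [member]))
            elif member not in found:
                found[member] = path
    return found


def audit(text: str, approved: set[str] = APPROVED_ADMINS) -> dict[str, str]:
    """Return {user: 'Group -> Nested -> ...'} for every unapproved admin."""
    members = parse_export(text)
    findings: dict[str, str] = {}
    for grp in PRIVILEGED_GROUPS:
        for user, path in effective_members(members, grp).items():
            if user not in approved:
                findings[user] = " -> ".join(path)
    return findings
```

Running `audit(SAMPLE_EXPORT)` reports carol, dave and erin as unapproved administrators and shows the group chain that granted the right, which is the evidence needed to undo the change rather than just count it.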
Of course, it's understandable that business and staff want to use the latest technologies such as PDAs and smart phones. The problem begins when they start using them without considering the implications. Having policies in place right at the start enables a business to set ground rules on how the technologies will be used. The security chief might, for instance, insist that all new products undergo a security review. That will help the security team develop a set of procedures and policies to ensure the organization isn't compromised.
Don't be lulled into thinking that thin clients will necessarily make life easier when it comes to security. Having dumb and diskless desktops will obviously help, but Krzyzewski still sees clients linking thin clients out into the world without due consideration of authentication and network transport issues. Some don't even bother with remote access controls or firewalls.
Outsourcing is another hornet's nest. Krzyzewski sees CIOs deciding on outsourcers without considering their security status. Naïve as it might seem, there's a tendency to trust blindly that the outsourcer knows what it is doing. The IT chief might say, "We don't know what we are doing, so we are going to outsource to this other company. It has a good name and must know what it is doing ..."
The problem is that the outsourcer frequently does not know what it is doing. That makes it essential once again to establish a set of policies and procedures with your partner. It's important that you have the right to review their technologies and systems. Get the outsourcer to sign a document to establish control of what flows in and out of your business. Establish staff rights and access controls -- and don't forget to set a limit on the outsourcer's access to your data.
"We see holes drilled right through a company's protection mechanisms so the outsourcer can come in remotely," says Krzyzewski. While that situation might be handy for the outsourcer, it neglects the fact that the security opening is in a business that will be bonded to other networks it is servicing.
To make matters worse, Krzyzewski constantly encounters firms where password controls could scarcely prohibit a gnat intending to find its way in. "At every single site I audit I find users who have never changed their default password," he says. "Or they simply recycle their passwords. On average, I will have found 30% of user IDs within just two minutes. These users are usually given automatic remote access rights through Citrix or Microsoft Terminal Server, whatever. Now, because we have a weak password system and a weak remote access system, we've left the front door wide open for people to get in."
Then there is the failure to update and patch operating systems. "Without a single exception, every site I review has missing patches," says Krzyzewski. He recalls visiting a site a few months ago where the IT manager assumed the facilities management company was maintaining the patches. It wasn't. No patches had been applied for three years.
"When I went through the review process I was told the company had so many servers it didn't have time to do all the patches. We put processes in place to ensure they were done. It's important to review security with your facilities manager. It's common to assume that things are happening and have no review process."
Yet another area of potential disaster is the firewall itself. IT people often establish test connections for a particular project and then forget to remove them. It's a situation that Krzyzewski sees frequently. The attitude within IT can be a little too relaxed.
"Why do you have this remote service enabled?" he asks IT.
"Well, we put it in a year ago when we were doing this and that..."
"So why is it still on?"
"Oh yes, I suppose we should shut it down..."
Many IT leaders appear to assume that firewalls protect only against inbound intruders. Krzyzewski frequently sees IT teams putting in firewalls without enabling protection on outbound connections. This omission means that if hackers get into an organization they have a free flow of information to the outside world. Even after 10 years in the networking and security business, Krzyzewski says he still finds that many installers fail to add much depth to their security. He refers to a case where a New Zealand business had a firewall installed, only to find -- too late -- that it had not been properly implemented. The business suffered a serious attack.
"Mail is a typical area where we will basically open a port to an internal server, which will then get attacked. It's like saying, 'Let's put in a firewall and open the front door.'"
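The three firewall failings above (forgotten test connections, no outbound filtering, and a mail port opened straight through to an internal server) can all be caught by reviewing the saved ruleset rather than trusting that it was done. The script below is an added example for this page, not Kaon's or any vendor's tool; it reads iptables-save text, and the sample ruleset, the stale-word list and the address 192.0.2.10 are constructed.

```python
"""Check a saved firewall ruleset for the omissions discussed above: no
egress filtering, forgotten 'temporary' rules, and a port forwarded straight
to an internal server. Input is iptables-save text; the sample is constructed
for this example (192.0.2.10 is a documentation address, not a real host)."""
import re
import shlex

SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 192.0.2.10:25
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -m comment --comment "temp RDP for migration project" -j ACCEPT
COMMIT
"""

# Words that, in a rule's comment, suggest it was meant to be short-lived.
STALE_WORDS = re.compile(r"\b(temp|temporary|test|testing|project|todo)\b", re.I)


def _opt(tokens, flag, default=""):
    # Value following an option flag in a tokenised rule, or the default.
    return tokens[tokens.index(flag) + 1] if flag in tokens else default


def parse_ruleset(text):
    """Return ({(table, chain): policy}, [rule dicts]) from iptables-save text."""
    policies, rules, table = {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):             # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):           # chain header carrying the default policy
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A"):
            tokens = shlex.split(line)       # keeps a quoted comment as one token
            rules.append({"table": table, "chain": tokens[1], "tokens": tokens,
                          "dport": _opt(tokens, "--dport", "?"),
                          "comment": _opt(tokens, "--comment")})
    return policies, rules


def audit_ruleset(text):
    """Return a list of human-readable findings for the ruleset."""
    policies, rules = parse_ruleset(text)
    findings = []
    # 1. OUTPUT accepts by default and carries no rules: nothing limits egress.
    if policies.get(("filter", "OUTPUT")) == "ACCEPT" and not any(
            r["table"] == "filter" and r["chain"] == "OUTPUT" for r in rules):
        findings.append("no egress filtering: filter OUTPUT policy ACCEPT with no rules")
    for r in rules:
        # 2. The rule's own comment says it was only meant to be temporary.
        if STALE_WORDS.search(r["comment"]):
            findings.append(f"possibly stale rule in {r['chain']} (dport {r['dport']}): {r['comment']!r}")
        # 3. A port is DNATed straight to an internal host.
        if r["table"] == "nat" and "DNAT" in r["tokens"]:
            findings.append(f"{r['chain']} forwards port {r['dport']} directly to "
                            f"{_opt(r['tokens'], '--to-destination')}")
    return findings
```

On the sample it returns three findings, one per omission; on a real export the comment check only works if the team has been tagging temporary rules with `-m comment`, which is itself a procedure worth writing down.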
Web servers prompt another frustrated reaction from Krzyzewski. Organizations setting up web servers often fail to do any basic lockdowns, he says. "You go to sites that have been attacked or tagged over the past year and the list goes on and on." Almost without exception, the fault lies with inadequate implementations. Krzyzewski often sees complex websites where no consideration at all has been given to security. The end-user assumes the developer is doing a good job and the site later gets tagged (defaced) or worse. It's a situation Krzyzewski encounters frequently.
It's not just the small businesses that are getting attacked. Attackers fear neither big nor small organizations. Krzyzewski sees at least one site a year that has been savagely attacked -- to the point where its profitability has taken a major dive. In most cases, though, the business has suffered severe embarrassment, perhaps a loss of face or a damaged image in the marketplace. In one recent case a business came close to facing an embarrassing situation in the Employment Court because of its failure to control its security. Don't think it can't happen to you.
It's too easy to think that security vendors are just trying to scare you. Krzyzewski makes you face reality as he leans across his desk and reads off the security breaches at eight sites his business monitors. His monitor lists 3217 attempts to breach the systems during the past 24 hours. The flavor of the month is automated probes, looking for unprotected Microsoft machines hooked into the internet. These are opportunist probes, hunting for vulnerable machines they can take over. Where they succeed, the compromised machines become zombies that can be used as agents of attack against other systems. You don't want to be part of the problem.
In fact, if a hacker has, say, 300,000 zombies at his service he can launch a very serious attack on an unsuspecting business. Krzyzewski's own business suffered a recent attack but managed to defend itself successfully via its mail firewall. "Someone decided they didn't like us and tried to flood us with more than a quarter of a million emails," he says. "We had bandwidth management systems in place and we could dampen the attack down. But we know of other organizations where they have had to take their mail offline for days."
With many New Zealand businesses tending to under-invest in security technology, Krzyzewski and the numerous security vendors have a major education issue on their hands. Krzyzewski believes that investment in security is like an insurance policy -- you don't know you need it until you actually need it. He puts the issue into another context: "How many organizations wouldn't insure their buildings and plant? Education is what's required at this time."
One of the challenges for a security specialist is knowing when to stop. Krzyzewski has a pragmatic approach -- he believes that security levels should be appropriate to the business. If security enforcement is so strict it doesn't allow a business to fully perform its functions, it is self-defeating. What you allow in some businesses, then, you will not permit in others.
"You might have a policy that says the internet shall be used only for business purposes. But if the business says it doesn't want that, you might adjust the policy to say that the internet shall be used predominantly for business purposes but some user browsing is permitted. Then you put in technical controls to limit the user's access to those browser sites. You might give them half an hour a day for internet banking and TradeMe."
Krzyzewski smiles as he recalls what he describes as a classic case of an organization failing to control internet usage. "We got called in because the company wanted to know why its internet bills were so high. We put in a scanner and found, within a day, that the heaviest user was spyware and the most accessed site was TradeMe. It's addictive."
Be careful of blocking too much and don't forget that activity in the workplace is a social environment as well as a place of business. Too much blocking can create unnecessary antagonism among staff. It's best to have a system that allows staff to access, say, TradeMe during their lunchtime but not at other times. Or perhaps you might allow half an hour a day of discretionary browsing. At least that way you can count the cost of a user's browsing activities.
Remember, too, that internet usage is part of the culture of younger people. Computers are an essential part of their lifestyle, like cars are to someone of an earlier generation. If you are a parent you will no doubt have seen by now that your kids are big users of instant messaging. When they finally enter the workplace, instant messaging will be something they will expect as a basic right. It's a tough one because giving them that right is tantamount to craziness, says Krzyzewski.
As a security chief you will have to confront some tough issues. You will have to weigh what people see as their right against the potential for damage to the company. If you are too relaxed in your approach you will have people downloading software to their desktops. Krzyzewski has even seen people handling private bulk email from the workplace. And we all know about the police and their sharing of porn. On that topic, it pays to make your users understand that your role is not that of a censor: it's about company policy and allowing what is appropriate in the workplace. It's the user's right to watch porn at home if they want to.
If you, as the security chief, have to take action against someone, do it with education rather than a big stick initially. Tell your user that you have monitored him going to certain locations. Bring it to his attention that visits to these sites are inappropriate and refer him to the policies and procedures relating to that. Make your policies and procedures accessible via the web so the user can find them at the click of a mouse. If the user misbehaves again, you have already tagged him and now you can issue a disciplinary warning. This approach typically complies with employment contract regulation.
There's no question that computing plays a big role in security. But let's not forget that it all starts with your assessment of what you need to secure and your formulation of processes and procedures to enforce your rulings. If you have a large business you might want to appoint a chief security officer, as so many US businesses have done. If your business is smaller, perhaps you should consider setting up a team to do the planning. Whatever you do, you can't underestimate how important security might be to your business. In some cases a security disaster could also spell disaster for your business.
The VOIP conundrum
Businesses are starting to merge their voice and data networks into a single structure using voice over IP (VOIP).
"What happens if the network is compromised?" asks Kaon's Tony Krzyzewski. "What happens if a virus goes rampant on your data network and causes your links to fail? You've now lost your voice services as well."
What are the implications of taking VOIP out into the field? You could be creating another opportunity for information to flow uncontrolled back into the network.
What if the person you think you are talking to isn't that person?
"We are already seeing the development of SIP (session initiation protocol) firewalls for security of VOIP," says Krzyzewski.
"We are seeing organizations putting in VOIP without thinking of the security implications. There is a core acronym within security -- CIA. That stands for confidentiality, integrity and availability. We've been using CIA for years."
Krzyzewski reminds security chiefs that users will reluctantly put up with a network outage but when the telephone system breaks down there is hell to pay.
Beware of Skype
Kaon's Tony Krzyzewski has just finished creating a set of policies for users of Skype, the voice system that works over the internet. Right now he is urging business against Skype, at least until its security issues are worked out. Too little is known about the organization that runs it, he says. Also, the Skype agreement specifically states it may download software onto your computer.
Not only that, but Skype may use your computer for routing if you have good bandwidth.
But, hey, it's cheap.