
Effective Strategies to Manage People and Processes to Leverage Current Investment in Security


We should all be well aware of the numerous risk management and information security concerns that plague the industry. What many people do not know is that many of these can be addressed without adding infrastructure and, in many cases, without additional cost.
I will state that again: contrary to common belief, many of the current security concerns can be solved without spending money.
Part of this comes from using effective economic incentives. There are always better incentives and simple ways to motivate staff, and these allow more secure systems to be built without adding cost. The other part comes from using your existing IT infrastructure more effectively. Most systems already ship with numerous controls that have never been considered (and in many instances go unnoticed). Using these correctly reduces cost and increases security within your organisation.
Next, we have to understand that a focus on compliance alone can actually lead to less secure systems. Compliance, security and governance are related, but only to the extent that they focus on the same structures and controls. Better governance does lead to lower risk, but stricter compliance with an arbitrary set of standards does not make a system more secure. The reasons for this are economic.
Spending on compliance draws on the same funds that are used to provide security. At times the two overlap, but as we spend more and more on compliance, we spend less on securing the systems that lie outside the compliance regime. Many compliance regimes, for example, do not cover routers and switches; these are left in an insecure state, which in turn makes the other sections of the network insecure.

Monitor risk and compliance

Continuous monitoring is essential. That is simple to state, but few seem to understand why. An attentive administrator watching logs and system alerts still misses most of what transpires, but they do begin to learn the patterns produced by the normal state of those systems. This means they come to recognise what looks out of place.
Automation is an aid, but it does not replace people; it allows them to do more. To achieve this, we need to build systems that are designed to be secure rather than simply to satisfy a checklist. A checklist exists to help us remember what we have to do, nothing more.

Security and Compliance

The existing audit industry provides compliance services under the guise of security. These services add little if any security, yet consumers purchase them, and demand for them is demonstrably very inelastic among large organisations. There are several reasons for this. First, many compliance regimes are mandated by government or by commercial groups (e.g. PCI-DSS). Next, negligence rules and the governance functions of companies require boards and senior management to take action to protect the value of the company. Unfortunately, this often means using compliance reports from audit companies in place of a real effort to ensure that data is protected.
Fig. 1. Misaligned incentives and a lack of accuracy delivered to the auditor (%)
The consequence of these misaligned incentives is obvious: misinformation. Figure 1 displays the audit results where the employee has both incentives and knowledge, and where they have neither.
Right now, very few organisations know that controls such as NAP (Network Access Protection) and NAC (network access control), health certificates and the ability to create secure domains even exist. They have not implemented effective monitoring and alerting, let alone good system management. For the most part we are stuck with complex filtering and protocol control as the sole means of securing a network, and without application-level controls that approach leads inevitably to failure.

Patching is aligned to Audit

Patching is a test for compliance. Auditors assert that this compliance test aligns with good security practice. A correctly patched system is less likely to experience issues and will be more secure; this is agreed. The questions are what "correctly patched" means and whether the patches have actually been applied correctly. Audits generally test for the application of patches, but this is usually limited to checking that the operating system (e.g. Windows 2003 Server) has all required patches applied. Application patches are another matter.
Fig. 2. Patching, just enough to be compliant, too little to be secure.
Tests of the patching processes for Windows servers, clients, applications, routers, switches and firewalls are displayed as boxplots in Figure 2. The patch interval is the time between the vendor releasing the patch and the patch being installed on the system. In a few instances this result is statistically censored because no patching occurred at all: the system was installed and left running without any updates being applied. In these cases the interval is measured from the release of the patch that should have been applied to the installation date of the device, which gives only a lower bound on the true interval. This situation was most common in network equipment (several routers and switches had never been patched or updated) and in selected examples of user application software.
We can say that while some systems are well configured and patched, others are terrible. It all depends on what is audited and whether employees know about the audit. As systems become more compliant, more is taken from security.
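The interval calculation behind Figure 2, including the censoring rule for devices that were never patched, is easy to get wrong when it is done by hand in a spreadsheet. The following is an added example (not code from the original post or its study) that computes the per-device patch interval and the boxplot quartiles per device class. The inventory records are constructed sample data; the `PatchRecord` fields, the flooring of a censored interval at zero when a device pre-dates the patch, and the Tukey-hinge quartiles are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class PatchRecord:
    """One (device, patch) observation. Field layout is an assumption for this example."""
    host: str
    kind: str                  # device class, e.g. "server", "client", "router", "firewall"
    released: date             # date the vendor released the patch
    installed_on: date         # date the device itself was installed/commissioned
    applied: Optional[date]    # date the patch was applied; None if it never was


def patch_interval(r: PatchRecord) -> Tuple[int, bool]:
    """Return (interval_days, censored).

    Uncensored: days from vendor release to the patch being applied.
    Censored (never patched): days from vendor release to the device's
    installation date, i.e. a lower bound on how long it has been exposed.
    A device installed before the patch existed is floored at 0 (assumption).
    """
    if r.applied is not None:
        return (r.applied - r.released).days, False
    return max((r.installed_on - r.released).days, 0), True


def quartiles(values: List[int]) -> Tuple[float, float, float]:
    """Tukey hinges (q1, median, q3): medians of the lower and upper halves."""
    s = sorted(values)
    n = len(s)
    mid = n // 2
    lower = s[:mid]
    upper = s[mid + 1:] if n % 2 else s[mid:]
    q1 = median(lower) if lower else float(s[0])
    q3 = median(upper) if upper else float(s[-1])
    return float(q1), float(median(s)), float(q3)


def summarise(records: List[PatchRecord]) -> Dict[str, Dict[str, float]]:
    """Boxplot-style summary per device class plus an 'all' row.

    The 'censored' count tells you how many boxes are built on lower bounds
    rather than real patch dates; a class with many censored points is one
    where the boxplot understates the exposure.
    """
    by_kind: Dict[str, List[int]] = {}
    censored: Dict[str, int] = {}
    all_days: List[int] = []
    for r in records:
        days, cens = patch_interval(r)
        by_kind.setdefault(r.kind, []).append(days)
        censored[r.kind] = censored.get(r.kind, 0) + int(cens)
        all_days.append(days)
    out: Dict[str, Dict[str, float]] = {}
    for kind, days_list in by_kind.items():
        q1, med, q3 = quartiles(days_list)
        out[kind] = {"n": len(days_list), "censored": censored[kind],
                     "min": min(days_list), "q1": q1, "median": med,
                     "q3": q3, "max": max(days_list)}
    q1, med, q3 = quartiles(all_days)
    out["all"] = {"n": len(all_days), "censored": sum(censored.values()),
                  "min": min(all_days), "q1": q1, "median": med,
                  "q3": q3, "max": max(all_days)}
    return out


# Constructed sample inventory (not real data). Two routers were never patched:
# rtr01 was installed after the patch shipped (censored lower bound of 106 days),
# rtr02 was installed before it shipped (floored to 0, still censored).
SAMPLE = [
    PatchRecord("srv01", "server",   date(2010, 3, 9), date(2009, 6, 1), date(2010, 3, 20)),
    PatchRecord("srv02", "server",   date(2010, 3, 9), date(2009, 6, 1), date(2010, 4, 15)),
    PatchRecord("ws01",  "client",   date(2010, 3, 9), date(2009, 9, 1), date(2010, 3, 12)),
    PatchRecord("ws02",  "client",   date(2010, 3, 9), date(2009, 9, 1), date(2010, 5, 2)),
    PatchRecord("rtr01", "router",   date(2009, 11, 1), date(2010, 2, 15), None),
    PatchRecord("rtr02", "router",   date(2009, 11, 1), date(2009, 8, 1), None),
    PatchRecord("fw01",  "firewall", date(2010, 1, 5), date(2009, 1, 1), date(2010, 1, 20)),
]

if __name__ == "__main__":
    for kind, row in summarise(SAMPLE).items():
        print(f"{kind:9s} n={row['n']} censored={row['censored']} "
              f"q1={row['q1']:.0f} median={row['median']:.0f} q3={row['q3']:.0f}")
```

When reading the output, treat any class whose `censored` count is a large share of `n` the way the text treats the routers and switches: the box is a floor on the real exposure window, not a measurement of it.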

Controls

Controls are the mechanisms through which we reach our goals, but what are controls? A control is useless if it is not effective, so we need to ensure that every control is effective and can be justified in cost terms. Checking this is one of the main purposes of an audit. That said, the breadth of the controls is what separates aiming for compliance from actually seeking to create a secure system.
Controls are the countermeasures for vulnerabilities. There are four types:
1. Deterrent controls reduce the likelihood of a deliberate attack.
2. Preventative controls protect against the exploitation of vulnerabilities, making an attack unsuccessful or reducing its impact.
3. Corrective controls reduce the effect of an attack after it has occurred.
4. Detective controls discover attacks and trigger preventative or corrective controls.

Policies are themselves controls. 

Every policy in the organisation should relate to a business or organisational objective. This point is overlooked far too often by information security teams.
What you need to ask is:
· Who sets policy, and how?
· Who checks the policy? Is it being enforced?
Some of the other questions to ask include:
· What practices are actually employed?
· How does our organisation ensure that the practices in effect are the ones intended?
· Policies and practices should match; how is this checked?
This of course only captures a point in time, but whenever a practice does not match the policy there is an issue. We also need a process that details how such issues get resolved.

Identify and classify risk.

Relative computer security can be measured using six factors (Avcock, 2006):
1. What is the importance of the information or resource being protected?
2. What is the potential impact if the security is breached?
3. Who is the attacker likely to be?
4. What skills and resources are available to an attacker?
5. What constraints are imposed by legitimate usage?
6. What resources are available to implement security?
Any effective risk analysis is a process consisting of numerous stages. Whether we are determining what the threat is, what a vulnerability means for our systems, or what the probability of an event is, we need to be familiar with each of these questions. Once we are, we can conduct a Business Impact Analysis to determine how a particular event would affect the organisation's business. These individual components are then merged to deliver the overall risk rating for the organisation.

To conclude

There are NO absolutes. I will state this again: there are NO absolutes in information security and risk! Because security is always a risk exercise and an economic function, we cannot measure any absolute level of security. The best we can hope to achieve is to measure the state of a system against the state of a comparable system. This applies even across time: our systems today are at a different security level from those of next month, even if nothing else changes.
No comparison of security levels can be made other than as a relative measure, and this is where we have to focus. We can no longer seek to create a perfectly secure system; that state does not exist and cannot be achieved. As in any related economic system, a perfect state of security is one that is infinitely expensive: small gains start to require exponentially greater investment.
What we need to remember is that security requires us to spend an optimal amount, the point at which the last dollar spent on security is expected to return a dollar in reduced losses.


Pro Teknologi was created on 22 February 2017. This blog is my hope of sharing something useful with others, in the form of tips about blogging, the Internet, computers, and other interesting information.
