Mark Kelly, CIO/VP of IT and Services, Curvature
For any “computer nerd” (read: IT professional), how can you ever pass up an opportunity to immerse yourself in the creative and innovative world of security circumvention? After all, protecting your organization’s network and data is of utmost importance, especially if you want to avoid being in tomorrow’s headlines as the victim of the latest data breach. So I still relish the opportunity I had to attend a recent BlackHat USA conference course on active defense, offensive countermeasures and cyber deception.
What I learned continues to resonate—from reviewing case studies of hacking successes, discovering new methods by which outsiders can gain access to enterprise data, and hearing about new techniques by which attackers can be tracked. We individually walked a knife’s edge of ethical challenges as we practiced counterattacking the attackers. Anyone responsible for network operations—regardless of whether you’re in a security role—should attend a course like this as it makes you think twice about established security theories as well as wonder about the possibilities of isolating data on networked systems.
When I got back to the office, I focused on many activities that could be done immediately to protect our enterprise data from the organization’s largest threat: internal users. While it’s not nearly as exciting as mounting a multi-pronged cyber defense, following these three steps on a regular basis will reinforce security policies and procedures while enabling you to better meet the changing needs of your organization.
Step 1: Categorize Your Data in Order of Importance to the Business
It’s important to realize that not all the data on your network has the same value. It just doesn’t. By classifying your data, you can focus on a smaller universe of mission-critical corporate information assets that necessitate a higher degree of protection.
The act of categorizing data is like eating your lunch; no one else can do it for you. To start, classify your data based on its sensitivity (i.e., what’s the risk to the organization if it is disclosed or corrupted?). Your customer data, while important, probably doesn’t represent the largest risk if disclosed. In most B2B markets, your competition knows who your customers are. Intellectual property, however, is a perfect example of sensitive data, so take commensurate care to safeguard it properly.
Set up a standard set of classification levels, for example sensitive, confidential, private and proprietary, and write down what belongs in each so that two people classify the same record the same way. Once data is classified, it is much clearer how each class should be managed, transferred and stored. Make sure your most critical data is encrypted, not only when it is stored but also when it is moved. Encryption is not free: the systems, the key management and the operational overhead all cost money, so quantifying the value of your critical data will help you justify the investment in protecting it. A data classification framework also sets the stage for the access control review that follows.
Step 2: Establish Proper Access Controls
Establishing effective access controls goes hand in hand with data classification, so make sure you have clear policies that limit access to critical data. This sounds like a riddle, but the correct access policy lies somewhere between “everyone needs access to all the data” and “no one needs access to any data.” Don’t over-complicate the process: audit who has access to what data and restrict each set to the smallest group possible. The simplest route to this determination is usually the most effective.
Start by taking away access from everyone except the data steward. Then grant access only to those with a defined business need. The most important activity is to make the evaluation repeatable and to record each approval, which gives you an audit trail of who had access to what data at any point in time.
System administrators and data stewards should carry a heavier logging burden than standard users. Require them to do administrative work from separate privileged accounts, distinct from the accounts they use day to day, so that every privileged action leaves a large, attributable footprint in the system logs. For the data deemed most valuable, encryption can be applied with keys that the administrators themselves do not hold, so the people who run the systems cannot read the data on them. In general, though, standard segregation of duties with checks and balances will meet security requirements while ensuring that users don’t abuse their positions. Finally, keep in mind that who needs access changes frequently, so audit and update the access lists accordingly.
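The review described in Step 2 (deny by default, steward excepted, grant only on a recorded approval, repeat the review on a schedule) is mechanical enough to script. The following is an added example, not the author’s or Curvature’s tooling: it reconciles an exported access list against the recorded approvals and emits the decisions as an audit log. The resource and account names, the input format, the 90-day re-approval window and the review date are all assumptions made for illustration.

```python
"""Deny-by-default access review: reconcile who HAS access with who is APPROVED.

Added example, not the article author's tooling. Resource names, accounts,
the 90-day re-approval window and the review date are assumed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

REAPPROVAL_DAYS = 90  # assumed policy: every grant is re-reviewed quarterly
TODAY = date(2024, 6, 1)  # fixed review date so the example is reproducible


@dataclass(frozen=True)
class Approval:
    principal: str      # account that was granted access
    resource: str       # share, database, repository, ...
    need: str           # recorded business justification
    approved_by: str    # data steward who signed off
    approved_on: date   # when it was signed off


# Constructed sample data: what an ACL export from a file server might look like.
CURRENT_ACCESS = {
    "fs01:/engineering/designs": {"alice", "bob", "carol", "svc-backup", "dave"},
    "fs01:/finance/pricing": {"erin", "bob", "frank"},
}
# The steward of each resource keeps access without a separate approval record.
STEWARDS = {
    "fs01:/engineering/designs": "alice",
    "fs01:/finance/pricing": "erin",
}
# Constructed approval register (the "recorded approvals" the article calls for).
APPROVALS = [
    Approval("bob", "fs01:/engineering/designs", "mechanical lead", "alice", date(2024, 1, 15)),
    Approval("carol", "fs01:/engineering/designs", "CAD reviewer", "alice", date(2024, 5, 2)),
    Approval("svc-backup", "fs01:/engineering/designs", "nightly backup", "alice", date(2024, 5, 2)),
    Approval("frank", "fs01:/finance/pricing", "deal desk", "erin", date(2024, 5, 2)),
    Approval("grace", "fs01:/finance/pricing", "pricing analyst", "erin", date(2024, 5, 2)),
]


def review_access(current, approvals, stewards, today):
    """Return, per resource, the actions the reviewer must take.

    revoke        - has access, is not the steward, and no approval exists
    grant_pending - approved but not yet provisioned (or the approval is obsolete)
    reapprove     - approval older than REAPPROVAL_DAYS; steward must re-confirm
    """
    approved: dict[str, dict[str, Approval]] = {}
    for a in approvals:
        approved.setdefault(a.resource, {})[a.principal] = a

    report = {}
    for resource, holders in current.items():
        steward = stewards[resource]
        ok = approved.get(resource, {})
        revoke = sorted(p for p in holders if p != steward and p not in ok)
        missing = sorted(p for p in ok if p not in holders)
        stale = sorted(
            p for p, a in ok.items()
            if p in holders and (today - a.approved_on).days > REAPPROVAL_DAYS
        )
        report[resource] = {"revoke": revoke, "grant_pending": missing, "reapprove": stale}
    return report


def audit_record(report, reviewer, today):
    """One JSON line per resource: the audit trail of what was found and decided."""
    return [
        json.dumps({"date": today.isoformat(), "reviewer": reviewer,
                    "resource": resource, **actions}, sort_keys=True)
        for resource, actions in sorted(report.items())
    ]


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(CURRENT_ACCESS, APPROVALS, STEWARDS, TODAY)


if __name__ == "__main__":
    for line in audit_record(run_review(), "reviewer@example", TODAY):
        print(line)
```

On the sample data the review flags dave for revocation on the engineering share (access but no approval), bob for revocation on the finance share (he was approved only for engineering), grace as approved but not yet provisioned, and bob’s engineering grant for re-approval because it is older than the 90-day window. Appending the JSON lines to a write-once log each time the script runs gives the point-in-time audit trail the text asks for.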
Step 3: Make Security Education a Priority
While a network’s user base is its largest risk, it can also be its biggest security asset. In most cases, the risks presented by users stem not from malice but from ignorance. Companies that have a training program should build security know-how into it. No matter which department owns the education program, IT must be actively involved. Training is key to the feedback loop, as it’s critical to have an active dialog with all users.
User training should be given every six months at a minimum. There will always be enough security lapses in the media, or perhaps even within your organization, to provide pertinent content for training sessions. Ideally, all communication on this subject is proactive. But when there is an active threat, the most effective communication is face to face. Because in-person communication is nearly impossible to arrange in today’s business world, it is rarely used, and that rarity is exactly what makes it command attention when you do use it. Have a PA function on your phone system? Try that! Just don’t send an email, which will likely get lost or go unread. Remember: an educated user base provides the largest return of any security program.
System maintenance should be the responsibility of IT, not of users. Users, even remote ones, can be kept from accessing network resources until critical updates have been applied to their systems. This topic bleeds into IT asset management, which is another foundational step in any security program but is vast enough to warrant its own article, so more on that next time.
Never stop preaching that security is everybody’s job. The most effective way of garnering support is to make an articulate business case, then clearly communicate everyone’s role with regard to network security. This can be very empowering: when users understand that network security depends on the resilience of a group effort, most of them respond positively. Also be sure to solicit the support of executive management and business line owners, as they should clearly understand and value the ROI of mitigating risks. It may be a tough road to travel at times, but following these three steps will put you on a path to making great strides in taking your security efforts to the next level.