SME IT Security : The basics
- Posted by tid_support
- On 21 February 2017
- byod, encryption, monitoring, security, shared responsibility model
Securing your business
In this article, the second in our series, we look beyond the fundamentals of security in your business and cover the basics of corporate information security and digital asset protection. We cover 4 additional subjects and continue developing our insight into keeping business information as secure as is practically possible. The first three topics, backups, perimeter security and device security, were briefly discussed in the first article, IT Security Essentials : The Fundamentals. That article can be found here.
It is appropriate for the SME with up to 1000 computers. The same principles apply to organizations of any size, but larger corporations will have a slightly different composition of resources, issues and options available to them.
This article will discuss people, systems, knowledge and process.
People
We will categorize people interacting with our business information into 6 primary groups. Each group has a particular impact on the security of our assets, secrets, information and systems in our business. Regardless of the size of the organization, every organization operating today will have these to consider in their planning and operations.
Management
Management and owners often require access to many, if not all, sets of information in the business. Or at least, they think that they do. It is seldom true that every member of the management team needs access to every possible piece of information. HR management has little need to access technical specifications, financial reports, marketing strategies or sales plans. Likewise, finance management seldom accesses personnel records.
Every access point to company intellectual property represents a potential threat or risk to the business. Securing information and controlling access to it on a need-to-know basis is a good practice that reduces exposure and simplifies security processes.
Employees
Progressive organizations refer to employees as the greatest asset a business has. If that is the case, they also happen to be the greatest liability the business has. Employees are often trusted with, and required to work with, sensitive information. Restricting their access to only the information they need to complete their deliverables is the first and simplest step. Controlling what they are able to do with that information is the next and equally important step. Is there a need to be emailing company documents to external parties? Or even to internal parties? Would emailing a link to the document not be a better alternative for internal communication and workflow?
Should employees be able to install software on their work computers? Uncontrolled and unmanaged software installations carry potential risks ranging from unlicensed software (piracy), to virus infections, to ransomware and even to the reduction of operating capacity on user devices and computers.
How sure are you that your trusted employees are not copying sensitive information onto removable devices and distributing that information to your competitors? Employee computers need to be correctly secured and fit for purpose. Their applications need to be monitored and re-assessed periodically and their ability to inflict harm needs to be minimized.
Ex-employees
Ex-employees represent at least 2 very different threats to the business: the risk of the ex-employee accessing systems and information remotely after leaving the employer, and the risk of colleagues who remain behind gaining access to unauthorized information by using the ex-employee's computer accounts after they have left.
When employees leave the organization, their accounts need to be disabled initially and deleted eventually. This goes for network logon accounts, application accounts and cloud services accounts. Many businesses tend to leave accounts active, and they remain that way for many years after the employees have left the business.
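The two checks the ex-employee section calls for, as an added example that is not part of the original article: an offboarding audit that flags accounts still enabled after a leaver's departure, accounts past the retention period that should be deleted, and any logins on a leaver's account after they left. The HR records, account inventory, audit events and 90-day retention period are all constructed assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample data (not from the article): leaver records from HR and
# the accounts each person holds across network, application and cloud systems.
LEAVERS = {
    "jdoe":   {"left": date(2016, 3, 1)},
    "asmith": {"left": date(2017, 1, 15)},
}
ACCOUNTS = [
    # (username, system, account type, enabled?)
    ("jdoe",   "AD domain",  "network",     True),
    ("jdoe",   "ERP",        "application", False),
    ("jdoe",   "Office 365", "cloud",       True),
    ("asmith", "AD domain",  "network",     False),
    ("asmith", "CRM (SaaS)", "cloud",       True),
    ("bjones", "AD domain",  "network",     True),   # still employed
]
# Constructed authentication events: (timestamp, username, system, source)
AUTH_EVENTS = [
    ("2016-06-12 08:03:11", "jdoe",   "Office 365", "10.0.0.23"),
    ("2017-02-10 17:44:02", "asmith", "CRM (SaaS)", "41.0.0.5"),
    ("2017-02-10 09:00:00", "bjones", "AD domain",  "10.0.0.40"),
]
DELETE_AFTER = timedelta(days=90)   # assumed retention before deletion
AS_OF = date(2017, 2, 21)           # assumed audit date

def audit_leavers(leavers, accounts, events, today):
    """Return accounts to disable, accounts to delete, and post-departure logins."""
    findings = {"disable": [], "delete": [], "post_leave_logins": []}
    for user, system, kind, enabled in accounts:
        if user not in leavers:
            continue
        left = leavers[user]["left"]
        if enabled:                         # should have been disabled on departure
            findings["disable"].append((user, system, kind))
        if today - left > DELETE_AFTER:     # disabled long enough: remove entirely
            findings["delete"].append((user, system, kind))
    for ts, user, system, src in events:
        if user in leavers:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date()
            if when > leavers[user]["left"]:  # someone used a leaver's account
                findings["post_leave_logins"].append((user, system, ts, src))
    return findings

def run_sample_audit():
    return audit_leavers(LEAVERS, ACCOUNTS, AUTH_EVENTS, AS_OF)

if __name__ == "__main__":
    for category, items in run_sample_audit().items():
        print(category, items)
```

A post-departure login does not prove misuse, but every such event deserves a ticket: either the account was never disabled or someone inside is reusing it.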
Visitors
Visitors including family members, clients, suppliers and service providers may be able to access the information stored on the business network by means of Wi-Fi or other means such as kiosks, payment and self-service terminals.
We classify visitors differently from other non-employees because they are expected and needed in our business environment. This does not mean that they pose no risk themselves, or that the provisions made for them do not leave the business exposed to other parties trying to exploit weaknesses in the arrangements made for the bona fide visitor.
Visitors may need internet access during their meeting, or may need connectivity in order to complete their assignment or transaction. Secure access is possible for visitors without giving them access to the network resources or the information stored on company devices. Isolated Wi-Fi networks give them the access they require while retaining the security and confidentiality of the information stored in secured folders on the network devices.
Preventing the removal of cabled devices from the physical cabling reduces the threat of someone connecting their own device to the wired network. Unplugging a printer, accidentally or intentionally, and plugging the network cable into a visitor's laptop is a very simple way of bypassing most of the other security controls and gaining access to all business-sensitive information.
Neighbours
Neighbours present a different set of threats from visitors. Neighbours are also expected, but they are not expected to access the resources of the business. Neighbours are also not expected to be direct threats, although they may be, but their unsecured systems may offer a means for another party to gain unauthorized access to the business information.
Securing wireless devices with complex passwords, requiring periodic unique password changes and controlling availability by means of MAC address filtering will reduce the risk to your business. Opportunistic neighbours may even attempt to make use of your business's Wi-Fi in order to access internet sites and download things at the expense of your performance or available capacity.
Scoundrels
Scoundrels are those that seek to exploit your business intentionally. Hackers, thieves, competitors and ex-employees make up the bulk of this category. These will exploit any and every weakness in your environment. Hackers are able to direct attacks against your business from anywhere in the world with little effort. Some will scan wireless networks while driving through neighbourhoods and launch their attacks from the streets. Thieves may stake your business out over a long period of time and even trawl your dumpsters for information that will give them insights into your weaknesses. Competitors face the same issues as you face, and will probably know where you are underinvested in terms of securing your systems because they are weak in the same areas too. Ex-employees may have spent a long time in your employ and will have detailed knowledge of your environment. They may even have left ‘back-doors’ before leaving in order to access your information at a later time.
The common message here is ‘Trust no-one’. Secure your information and systems. Assume nothing and cover as many of the bases as possible.
Systems
Systems refer to the applications and services that businesses use to simplify, automate, realize efficiencies and improve accuracy. These range from websites to self-service portals; from manufacturing to accounting; and from off-site storage to cloud-based communications. Systems have the ability to deliver competitive advantage but also to expose the business to risks in an ever-increasing manner.
Cloud Services and Applications
Just how secure are your favourite cloud services? How do you know? How could you be sure? 24 November 2014 saw Sony Pictures hacked, with 47,000 social security numbers stolen from the corporation's systems. If one of the world’s largest entertainment firms could be hacked, how secure is your business information stored at your cloud services?
There are at least 2 security aspects to any service or application. The first is the obvious ability of the application to protect the information it holds against programmatic attack. The second is less obvious and deals with the ethics of those managing the application or service. How can you be sure that your information is not being sold to other parties, either by the technical staff of the cloud service provider or by its marketing department? Have you read all the terms and conditions of the service? Did you understand them? Or did you simply click ‘I accept’?
Your information and the information of the businesses and people you are doing business with, is less secure than you think it is and it is more valuable to criminals than you think it is.
Well behaved apps
Changing your password frequently will help keep your information secure. Having different passwords for different systems will add extra security. Not repeating passwords and using complex passwords all improve security. All of these things reduce convenience. The question you need to ask yourself is whether you value convenience more than the security of the information you are entrusted with.
Well behaved apps will insist that you take security seriously. They will force users to change their passwords periodically, they will ensure that the passwords are not reused and that they meet complexity requirements. Unfortunately they are also the services and apps that will most likely have the highest customer churn rate because of the inherent lack of convenience for the user.
Another characteristic of well-behaved applications and services is that they conform to best practices and sensible architectures. Use of the application does not trigger false positives in the organization's security framework. The most appropriate and up-to-date technology, protocols and techniques keep well-behaved apps off the radar and, in doing so, avoid consuming the available resources and capacity in the business.
Poorly behaved apps
Poorly behaved applications behave in the opposite manner. They trigger alerts and cause a diversion of resources to deal with the false alarms. Over time these alerts are ignored or turned off, and therein lies the own goal. Hackers employ the same tactics through targeted attacks. Seemingly inexplicable events cause alerts to be triggered and the unsuspecting technology custodian eventually disables the alerts out of sheer frustration. Once this is done, the criminals are free to bombard the environment using brute force until they gain access to the information within.
The services intended to add security and resilience to the business information systems are often responsible for these compromises. While unintentional, poorly designed and poorly behaved applications lead to vulnerabilities. Some cloud backup services register as questionable on security subscription services, resulting in the real-time threat management and intrusion prevention capabilities of security appliances being scaled down or even turned off completely in favour of a successful backup operation to the cloud. This is a classic Trojan app scenario. Once the security is relaxed to allow a seemingly important application to run without warnings, the rest of the environment is also exposed. The moral of the story is to change the Trojan app instead of reducing the security effectiveness.
Personal and private devices at work
Employees bringing their personal devices to work introduces a whole new set of considerations. Start with information: think about how these devices can be used to move business information from the network to another location and whether that should be allowed. Think about the type of control you have over these devices (or don’t have), and what these devices could do to your environment if they were compromised prior to arriving at your workplace. These devices may introduce a range of threats to your environment, which makes their desirability in the workplace something to reconsider. If they do need to be present, implement policies that will govern their usage while in the workplace. What can they connect to? What can they be used for? What can be done to ensure that they do not access the environment if they are compromised by viruses or ransomware?
There are answers to all these questions, and the answers will vary from business to business, environment to environment and by device type.
Knowledge
Security is one area in your business where you really don’t want the wrong people involved. Unless you are able to engage with the appropriate knowledge level, you are going to find that you are wasting your money and exposing your business at the same time. Security is really not the thing you want to talk to the kid at the corner shop about. You need to have experience and current knowledge in your camp.
While the difference between a hacker and a virus may seem irrelevant to you, the impact of the one over the other is potentially significant, and mitigating the risks posed by each requires a different approach. Having the best intrusion prevention systems in place, with the most advanced sandboxing technology to back them up, will really not count for a whole lot while your organization has not applied complex password policies and users use their usernames as passwords. A holistic approach is required when it comes to security.
Last year's knowledge is not going to help you much either. Current knowledge, with an appreciation of current trends and the moving threat landscape, is crucial. You need to keep up to date and continue making that investment week in and week out.
You need to consider a range of issues, from keeping threats from entering your business environment, to keeping your intellectual property from leaving it, and how you are going to deal with both in a practical manner. Never entertain the notion that your business is too small to be of interest to threats. Your business with fewer than 1000 users is a sweet target. You aren’t investing the kinds of money that enterprises with 20,000+ people are investing, and you are downplaying the electronic risks that face your business. These are the ideal targets of criminals.
You need to know how to protect the information stored on your systems. The customer information that lives on your network, is not your information. It belongs to those customers. You need to ensure that that information does not fall into the wrong hands. You need to demonstrate that you have taken care and precautions as far as their information is concerned. How will you do that? Can you show that all relevant information is inaccessible to outside parties as well as to internal parties who do not have need to see the information? Is your information encrypted, even on laptops and mobile devices? Will your backup restore? Who else can see your information? How do you protect information on mobile devices?
Cloud security, roles and responsibilities are developing. Who is responsible for what is a topic that you will want to be on top of. Large Cloud Service Providers will take security seriously, but not as seriously as you should. Smaller service providers may lack the resources to implement the appropriate security levels and features in their systems, while you assume that your information is safe. Look up the developing Cloud Shared Responsibility Model for more information. Microsoft as well as a number of industry leaders in Cloud Services are developing this model to assist businesses in securing their critical information. There are currently 7 areas of responsibility defined and modeled in the Microsoft shared responsibilities model with similar responsibility areas in other services such as Amazon and Google.
Application security considerations are crucial, as are integration security needs. SSL, encryption and development language security considerations play big roles in securing the information held by the business. It is possible that APIs for system development met single-tenant functional and security requirements, but in a multi-tenant environment these may expose sensitive information to unauthorized parties. Executable code and scripts could be inserted into web forms, compromising system integrity and returning data which was not meant to be returned, e.g. ID numbers, telephone numbers, addresses, names, and so on, or compromising system availability to users.
Invest in your knowledge. Invest in securing your information. Invest in your reputation. Invest in your customers’ confidence.
Process
All the knowledge in the world will do little for any business without the appropriate processes to implement, monitor, respond and re-assess. Consistently thorough methodologies will ensure consistently effective implementations.
Monitoring your environment is critical. Without the ongoing monitoring of systems, you will be none the wiser when your security measures are compromised. Monitoring can be done by means of a manual process, by means of automation or by a combination of the two.
Manual processes are typically more expensive, are error prone and require the people performing those processes to be present at work. Provision must be made for when those people are absent from work, be it planned or unplanned. Measures need to be taken to ensure that the repetitive nature of the tasks does not exceed the boredom threshold of those tasked with the job, and then verification that the monitoring is actually taking place is necessary too.
Automated monitoring is the preferred approach as it is normally considerably more cost effective and accurate than manual monitoring processes. Automated monitoring comes with the added advantage that automated alerts can be triggered to notify systems and people of developing issues, sometimes before there is a complete failure. System generated logs help improve quality in decision making by providing a rich and complete trail of relevant details leading up to an event.
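The automated alerting described above, and the "alerts get turned off, then brute force walks in" failure mode from the poorly behaved apps section, as an added example that is not part of the original article. It watches constructed sshd-style auth log lines for repeated failures from one source, and instead of silencing a known noisy source (an assumed backup appliance with a stale credential) it lowers that source's severity so monitoring stays on; a successful login from a source that already tripped the threshold is escalated. Log lines, threshold, window and the noisy-source list are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log-style lines (not from the article); year assumed to be 2017.
SAMPLE_LOG = """\
Feb 21 09:00:01 fs01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Feb 21 09:00:02 fs01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Feb 21 09:00:04 fs01 sshd[2205]: Failed password for root from 203.0.113.9 port 51024 ssh2
Feb 21 09:00:05 fs01 sshd[2207]: Failed password for bob from 203.0.113.9 port 51025 ssh2
Feb 21 09:00:07 fs01 sshd[2209]: Failed password for bob from 203.0.113.9 port 51026 ssh2
Feb 21 09:00:09 fs01 sshd[2211]: Accepted password for bob from 203.0.113.9 port 51027 ssh2
Feb 21 09:15:00 fs01 sshd[2301]: Failed password for backup from 10.0.0.50 port 40001 ssh2
Feb 21 09:15:01 fs01 sshd[2302]: Failed password for backup from 10.0.0.50 port 40002 ssh2
Feb 21 09:15:02 fs01 sshd[2303]: Failed password for backup from 10.0.0.50 port 40003 ssh2
Feb 21 09:15:03 fs01 sshd[2304]: Failed password for backup from 10.0.0.50 port 40004 ssh2
Feb 21 09:15:04 fs01 sshd[2305]: Failed password for backup from 10.0.0.50 port 40005 ssh2
Feb 21 10:30:00 fs01 sshd[2401]: Failed password for alice from 10.0.0.12 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
THRESHOLD = 5                    # failures from one source ...
WINDOW = timedelta(minutes=5)    # ... within this window trips an alert
# Assumed known-noisy source: it is downgraded, not silenced, so the rule keeps
# running for everyone else (the fix belongs in the app, not in the monitoring).
KNOWN_NOISY = {"10.0.0.50": "backup appliance with stale credential"}

def monitor(log_text, year=2017):
    """Return a list of (severity, source, message) alerts for the log text."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()                 # sources that already exceeded the threshold
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated line; a real monitor would count these
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src, user, result = m["src"], m["user"], m["result"]
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                sev = "low" if src in KNOWN_NOISY else "high"
                alerts.append((sev, src, f"{len(q)} failed logins within {WINDOW}"))
        elif src in flagged:        # success right after a burst of failures
            alerts.append(("critical", src, f"successful login as {user} after failures"))
    return alerts

if __name__ == "__main__":
    for sev, src, msg in monitor(SAMPLE_LOG):
        print(f"[{sev}] {src}: {msg}")
```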
Consider physical processes too. Consider how you will ensure that visitor devices do not infect your network, or how their devices will not be used to gain access to sensitive information. Likewise, consider the impact of environments you may be visiting on the devices you are carrying with you. When you access a Wi-Fi hotspot and you complete the hotspot ‘signup’ process, do you know what is being done on your computer? Can you be sure that malicious code is not being downloaded to your device when accessing these services?
Conclusion
Your business is not too small to be of interest to a cyber-criminal. Unless your devices have never been connected to any other device, they have been exposed to risk. Risk is a reality of our society and will always be with us, but we are able to manage that risk by being aware of the types of threats to our business information. This document is at best a superficial primer, and it is designed to make you think about security in your small business. For most risks there are pragmatic countermeasures, but without understanding and acknowledging the risk, you will be vulnerable in ignorance. Covering these aspects, as well as those in the Essential Security document, will provide your business with a sound security management framework. Of all of these points, knowledge and process will be the key ones to take care of: knowledge because things are changing all the time, and process to help keep the knowledge applied.
Download a PDF version of this document here.
Download a PDF version of the preceding article covering Perimeter security, device security and backups here.
Mornay Durant – February 2017