The need for information security is indisputable, and the increased commitment to it in recent years has been impressive. All too often, however, the decision to commit more resources to security in an organization is in reaction to either an event or fear, the latter of which can stem from a news article, strange traffic on the network or a nagging feeling. This reactivity can lead to poor outcomes when trying to increase an organization’s security.
“Security vendors take advantage of this fear to sell their products,” says Lou Rabon, Cal Net Technology Group’s information security practice manager. “Many of these products are effective at solving specific problems, but those products, examined one at a time, may not completely fill your needs.”
He says if you do not have an idea of what your criteria and desired future look like, you’re more likely to walk away with something more expensive and riddled with features you don’t really need.
Smart Business spoke with Rabon about information security strategies to keep your data and systems protected.
How can organizations best secure their information?
The easiest and most effective way is to make a commitment to an information security strategy or framework. It’s obvious from reading the news that security incidents are happening as frequently as car accidents. Any organization that has not yet implemented a security program has just been lucky that its proprietary or confidential information has not walked out the door. Unfortunately, in many cases it already has. A 2012 study by Trustwave found that attackers had an average of 173.5 days within the victim’s environment before detection occurred.
What is involved in creating an information security strategy?
The global standard for information security is the ISO27000 series of standards, which specifically sets up an information security management system (ISMS) framework and a number of the implementation elements. An ISMS framework is a list of policies and procedures that define an organization’s information security strategy. This can be considered the map that charts an organization’s course through the murky waters of information risk. It allows security decisions to be made against a set of established business practices and procedures, which means less waste and a much higher level of security.
An appropriate first step towards implementing an information security strategy or framework would be to conduct a security review at a high level with a trusted third party. This strategy is valid for organizations that are just starting to review their approach to security, as well as those that have an existing strategy but have not reviewed it within the last year.
How might a real-life scenario unfold without a security strategy?
Let’s say a CIO reads that a new attack vector consists of a phishing attack that spoofs a LinkedIn invitation email using the lure of a high-paying job to entice potential victims to click a link to malware.
Without a security strategy and depending on the size of the organization, the CIO would either call in the company’s security lead, infrastructure manager or third-party managed services provider to discuss the situation with them. Without an overarching strategy and no mandate to refer to, a number of point products then are considered to plug the hole. Taking for granted the organization is already using a mail filtering program, it’s decided that the easiest way to solve the problem is to either block LinkedIn completely or to implement an additional malware detection device that would detect and possibly block these attacks were someone to click on the link.
However, blocking LinkedIn is wrong for a number of reasons, namely:
- There is an organizationwide business need for that website.
- Blocking it will not block the attack vector or the attack since it is email based.
- Even if blocking LinkedIn proved to be effective for this attack, it would not address the myriad other attack vectors that could be used in the future. This is the equivalent of playing Whac-A-Mole with one’s network.
Adding an IPS/IDS solution is a good idea, but without a strategy, there are a number of factors to consider, such as the part of the network it would protect, if the device will block potential attacks or just provide an alert, the person who will respond to IPS incidents and a way to deal with false positives. Failure to address these issues can lead to a very expensive paperweight sitting in the data center.
How would the same threat be managed with a security strategy?
The CIO calls the team together to address the LinkedIn threat. They first review their strategy and policies, and then they note:
- Users do not have administrative access to their machines, which will prevent most malware from being installed without user knowledge.
- An intrusion prevention and detection device was on the strategic roadmap, and therefore, the time frame is accelerated to implement this solution.
- An incident handling team has been defined and a third party is responsible for dealing with alerts, so the internal and external teams coordinate to ensure they have heightened awareness of this alert.
- Their security framework defines that security awareness sessions are conducted quarterly for all staff; therefore, the staff has already been educated about clicking links from untrusted sources and is less likely to fall victim to this attack.
This proactive approach saves much time, money and consternation. Committing to a security framework makes it easy to make decisions around information security and ignore the hype with which we’re constantly bombarded. Committing proactively rather than reactively to security will avoid information-related emergencies and aid in getting a good night’s sleep.
Lou Rabon is information security practice manager for Cal Net Technology Group. Reach him at (818) 721-4414 or [email protected].
Insights Technology is brought to you by Cal Net Technology Group
