Effective IT Security
How to identify emerging vulnerabilities.
March 3, 2011
by Brian Thomas, CISA, CISSP
As technology gets more sophisticated, so do IT attack schemes. Given the difficult economic times and budget cutbacks we've faced for the past several years, many of us have to protect against more threats with fewer resources. That is a daunting challenge because just one successful IT attack can be costly.
In July 2010, the Ponemon Institute, a Michigan-based research center dedicated to information management and security, released its First Annual Cost of Cyber Crime Study. The study found that a typical cyber attack goes undetected for 14 days, with average daily losses of $17,696.
Other recent studies offer similar findings regarding financial costs. What are more difficult to quantify are the other costs that follow such attacks. What is the cost of reputational damage? How much confidence and trust is lost among customers, regulators, shareholders and other stakeholders?
None of us can totally guarantee IT security. There are concerns, though, that we can address in making security efforts more efficient and effective, even as we face limitations in available resources. Those concerns include:
Strong Authentication Measures
Authentication policies define the requirements your organization places on its users to validate their identity. The standard protocol is single-factor authentication, i.e. the requirement of a user ID and a password. A two-factor authentication system requires a standard login and password combination (one factor), plus another factor that verifies that the person using that login and password is indeed the authorized user.
That second factor may be a token, such as a PIN stored on a USB drive that the individual keeps, or it could be a feature unique to the individual, such as a thumbprint. A two-factor authentication system is considered a strong authentication system and should be considered when the information being protected is particularly sensitive or for users whose identity may be more questionable (remote users, for example).
In a one-factor authentication system, it is even more important that your password policies require combinations of upper- and lower-case letters, as well as numbers and special symbols. Individuals should be required to regularly update login and password combinations, too.
Establishing and regularly maintaining group membership directories enables your company to define the common security requirements (including authentication requirements) for different individuals in your company, based on work-related needs and access requirements.
What settings are used for your company's workstations, laptops, mobile devices, applications and files? While the proper settings for such items will reduce individual options, those settings will also reduce vulnerabilities. Web browser security settings may limit user functionality and/or limit what may be viewed or downloaded. Such settings, though, also provide protection against web-based threats. The proper balance must be defined.
What happens if an employee forgets to log out of a crucial application or file before leaving for lunch? How much information would be exposed? Automatic log-off settings close any open applications or files after brief periods of inactivity.
In addition, automated activity logs will record all events that occur within one of your company's IT systems. Those logs provide documentation for any unusual or unauthorized activities.
Centrally managing, enforcing and monitoring such settings offers an additional, efficient measure of IT system protection.
Bank Wire Transfer Systems
How easily could someone transfer funds from one of your accounts without anyone noticing? Not all bank-utilized wire transfer systems are well designed from a security perspective and may require additional measures on your part. Evaluate your wire transfer systems to ensure that unauthorized wire transfers cannot occur without the knowledge of designated individuals within your organization.
Workstations, smart phones, laptops, tablets and other mobile devices are considered endpoints, locations where someone can access your IT systems and data.
Security configurations for those various endpoints should conform to industry best practices to reduce the risk. For example, laptops containing vast amounts of nonpublic information are often lost or stolen. Requiring whole-disk encryption for laptop hard drives represents a best practice and will reduce the risk of the information falling into the wrong hands. Implementing and enforcing that and other endpoint security practices provides another critical layer of IT security.
IT Response Times
Security Information and Event Management (SIEM) systems can immediately identify and report unusual IT activities, such as someone attempting to send a massive database file containing nonpublic information as an email attachment.
Various other tools identify entries in voluminous IT activity logs that may indicate network intrusion attempts or other incidents requiring investigation. Such automated functions enhance response time and reduce the damage your company suffers whenever any improper actions occur.
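As an added illustration (not part of the original article) of the kind of rule such a system applies to the scenario above: a small Python check over constructed mail-gateway log lines that flags outbound messages carrying a large database-style attachment. The log format, company domain, extension list and size threshold are all assumptions.

```python
# Constructed sample mail-gateway log, one message per line (hypothetical format):
#   timestamp|sender|recipient|attachment name|attachment size in bytes
SAMPLE_LOG = """\
2011-03-03T09:12:01|alice@corp.example|bob@corp.example|budget.xlsx|24576
2011-03-03T09:14:37|carol@corp.example|partner@vendor.example|customers.mdb|734003200
2011-03-03T09:15:02|dave@corp.example|dave@mailbox.example|report.pdf|1048576
2011-03-03T09:16:44|erin@corp.example|erin@mailbox.example|clients_full.sql.zip|52428800
"""

INTERNAL_DOMAIN = "corp.example"                        # assumed company domain
DB_EXTENSIONS = {".mdb", ".accdb", ".sql", ".bak", ".sqlite", ".dmp"}  # assumed
SIZE_THRESHOLD = 25 * 1024 * 1024                       # assumed 25 MiB policy limit


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, sender, recipient, attachment, size = line.strip().split("|")
    return {"ts": ts, "sender": sender, "recipient": recipient,
            "attachment": attachment, "bytes": int(size)}


def is_external(address):
    """True when the address is outside the company domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def looks_like_database(filename):
    """Match database-style extensions anywhere in the suffix chain,
    so 'clients.sql.zip' is caught but 'report.bakery.pdf' is not."""
    parts = filename.lower().split(".")
    return any("." + p in DB_EXTENSIONS for p in parts[1:])


def flag_events(log_text):
    """Return the messages matching the rule: external recipient,
    database-style attachment, and size at or above the threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if (is_external(event["recipient"])
                and looks_like_database(event["attachment"])
                and event["bytes"] >= SIZE_THRESHOLD):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in flag_events(SAMPLE_LOG):
        print(f"ALERT {alert['ts']}: {alert['sender']} -> {alert['recipient']} "
              f"sent {alert['attachment']} ({alert['bytes']} bytes)")
```

On the sample log the rule raises two alerts (the .mdb file and the zipped .sql export to outside addresses) and ignores the internal spreadsheet and the external PDF.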
Existing Compliance Activities
Your company may already face various IT security requirements related to the Payment Card Industry (PCI) standards, the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley or other compliance measures. What processes exist for evaluating and mitigating related risks? How can you adapt and extend what is already being done to cover your entire organization in a consistent, efficient manner?
Ongoing Security Efforts
Technology continually evolves and new threats continually emerge. Complacency is a risk as well. Regularly updating your threat assessment and evaluating security helps identify any emerging vulnerabilities. Developing metrics enables you to measure current effectiveness or needs for improvement, too.
Taking a holistic approach assures that all crucial concerns and vulnerabilities receive attention. That holistic approach also needs to include making individual employees aware of the need for controls and precautions and what they can do to sustain and enhance IT department efforts.
Brian J. Thomas, CISA, CISSP, is the partner who offers IT management consulting services through Advisory Services at Weaver, ranked the largest regional independent certified public accounting firm in the southwest with offices throughout Texas. He can be contacted at 713-800-1050.