VP of Product Development, Three Pillars, Inc.
Since Sept. 11, companies have started to think, "If that could happen, what else should I be worried about?" That is exactly the right mentality for business continuity planning. Risk management 101 dictates that you ask: What are the risks? What is the likelihood that each will occur? What are the costs to protect myself? What are the repercussions if I don't?
The issue goes beyond terrorist attacks to include any form of business interruption. How much of an IT interruption could your business withstand? Could you afford to be down for a week? If yours is like most businesses, the answer is "probably not."
The short answer is to secure your network as best you can. In reality, the types of attacks that your network faces from cyberterrorism are no different from the types of malicious activity companies have been facing on the Internet for years - only the intent is different. If you take steps to protect yourself from one, you are protecting yourself from the other as well.
There are two sides to the protection equation: technical and operational.
Operational security is given the least attention, so let's start there. Most of the responsibility for good operational security doesn't fall within the parameters of the IT department. Rather, elements of the job are spread throughout the organization and thus require companywide buy-in, including the need to:
Secure passwords. Password security means that users keep their passwords private, and don't share them with anyone. There should never be a situation where a user has to share a password. If another user needs access to a system, there should be a process for that person to gain access under his or her own credentials. A strong operational password policy should cover all of the basics, even the obvious details such as not putting passwords on sticky notes under the keyboard, not using passwords based on easily guessed words (like a pet's or a child's name), and not sharing passwords with anyone over the telephone.
Use caution when sharing information. Most companies train their employees to be helpful and courteous to customers and partners. Unfortunately, someone with malicious intent can easily exploit this helpful attitude. So employees should also be trained to be cautious and not volunteer too much information. If someone begins to ask questions that are outside expected parameters, it should raise a red flag. And anything that raises a flag should be documented and brought to a supervisor's attention.
Control content. Send documents or internal email to the smallest possible distribution list. Use passwords on sensitive documents that are sent via email in case they are shared outside the organization, accidentally or not. Shred paper documents instead of throwing them away; dumpster diving for confidential information is one of the most successful ways for intruders to find what they want to know, and secure disposal is the only way to safeguard against it. Treat every email, letter, document or communication as if it includes personal information about you when considering its distribution and/or disposal.
Be careful whom you hire. Any employee who will have access to critical information or systems should be thoroughly checked out, including references, former employment, education, criminal record and drug screening. Be on the lookout for signs of dishonesty, such as someone who claims to have a degree that they don't, because dishonesty in one area might point to dishonesty in another. Good people make a huge difference to the performance and morale in your organization; don't forget that bad people do as well.
Create and emphasize strong policies. Policies are the root of operational security, but they are only useful if they are followed. IT generally develops information security policies, but it is up to human resources and business unit managers to keep up with the day-to-day compliance and enforcement. As a result, making sure that there is companywide buy-in is vital to the long-term success of the policies.
Operational security is hard to create and harder to implement. It is not always easy to balance the need for security with the need for expediency, as the two are usually at odds with each other. One of the main reasons for involving representatives from all parts of the organization is they will have insights that the IT staff alone does not. Sometimes it even takes an outside consultant to bring the different parts of an organization together and move a policy project forward.
Lastly, one of the key factors in a successful policy is to revisit it every six to 12 months. Things change over time, and it is important that the policies stay fresh and current. Revisiting the policy and redistributing the changes to the staff keeps the policies up-to-date and reemphasizes the importance of the policies to the organization.
While responsibility for operational security spans the organization, responsibility for technical security falls more squarely on the shoulders of IT. The major points to consider include:
Using the right technology in the right places. Every piece of security technology has its place, but no one piece is a panacea that will solve all problems. It is important to recognize the strengths and weaknesses of each product, and use each in its proper place. Use firewalls at the perimeter and for segregation of highly sensitive or easily compromised segments. Use network-based intrusion detection systems (IDS) in front of network choke points to get maximum efficiency, and fine-tune the attack signatures based on the deployment point. Use virtual private networks (VPNs) to ensure that there are no clear channel communications into your network.
Keeping patches up-to-date. Most attacks can be prevented if available patches are applied to your various systems. This is doubly true for IDS and anti-virus signatures. If they are not kept up-to-date, assume they are providing you with zero security. While that's a slight exaggeration, it's a mindset that will help keep you out of trouble.
Using the security features of non-security devices. Every device on your network can help provide an improved security posture if used properly. Turn on the enhanced logging functions of your servers and you gain many more sets of eyes watching the network. Use access control lists on your routers to prefilter traffic reaching the firewall. Activate the virtual LANs on your switches to segregate users into more easily handled segments.
Reading your logs daily. Reading logs is a pain. There's too much data, and you don't have the staff. But the reality is if you don t monitor your logs, you have no idea what is happening on your network. You could be lulled into a false sense of security because you haven't seen any visible signs of attack, and yet you have been compromised and hackers are stealing data or using you as a launching point for other attacks. Not reading your logs is the equivalent of going to the doctor for a physical and having blood work done, then having your doctor throw away the results unread. The whole point is to be able to catch things in time for a response to be effective.
As Irish orator John Philpot Curran once said, "Eternal vigilance is the price of liberty." The same can be said of the price of information security. Internet security is a 24-hours-a-day job. The bad guys probably don't keep the same schedule as your IT staff, so expect attacks and intrusions during off-hours. Intruders also have lots of data regarding vulnerabilities. You need to counter by taking advantage of organizations that gather intelligence and provide the data and analysis that can keep you ahead of the curve. If your IT staff doesn't have sufficient security expertise, hire someone who does or consider outsourcing.
The dangers are real, and we will have to work together to guard against them.
Robert McMillon is VP of product development for Three Pillars, Inc. (originally DigitalMojo), the company he co-founded in June 2000. Three Pillars is a digital security company offering information risk management to the Fortune 2000, either as a supplement to internal IT resources or as a complete turnkey security service. For more information, visit www.threepillars.com.