According to this article posted at PC Pro, ScanSafe says that remote employees are more than twice as likely to be surfing porn than employees who work in the office.
This is not a surprising stat as telecommuting takes a level of discipline on the part of the teleworker that is far and away greater than office-bound employees. What is surprising to me is that companies are ALLOWING this type of web surfing to be taking place on their corporate computers!
Porn sites are one of the biggest security risks out there. Porn sites commonly install malware, adware, tracking cookies, and other security risks that could cause a security breach to your organization.
In most cases you want to use technology as an enabler for employees to be as efficient as possible, particularly your remote employees, who are frequently less scrutinized because most of management's attention is focused on the employees who are in the office every day. This, however, is one of those instances where technology needs to enforce the policies of the organization so that the company can protect itself and its intellectual property from compromise and disclosure. Data leakage as a result of inappropriate employee web surfing and irresponsible organizational content filtering policies is one of the easiest insider threats to mitigate. Companies should be doing everything they can to ensure that this is not an avenue of information disclosure.
Whether it is iPods being shipped with malware, digital picture frames, navigation systems, or hard drives, the number of incidents of electronic equipment being shipped from the manufacturer with malware is disturbing!
How does this happen? This is typically a by-product of PCs that are used for things that are outside their intended business purpose. For example, if a computer's primary business function is to load software onto a digital picture frame or to test the ability of a computer to connect to and transfer files to the frame, then those should be the only parameters by which that machine is used. It should not be used to plug in external USB drives, download videos and music off of the internet, or to surf porn sites. Any of these activities are vectors of unnecessary risk and could end up infecting the PC with malware which will subsequently get passed onto other devices.
As the line between what is known as a PC and what actually runs the same type of software as your PC continues to blur you can expect to see more of these types of incidents occurring. This is unfortunate because as we have become more dependent on technology in our every day lives and as the devices that we used have become more advanced, our level of confidence in those devices to function in a safe, secure, stable manner has declined significantly. These sorts of compromises represent one of the biggest new threats to corporate networks and will be another one of the avenues used more prevalently by cyber criminals to steal sensitive, confidential, and personal information as malware continues its evolutionary process.
I ran across this article this morning, which states that, according to Deloitte, human error is the leading cause of security threats. I agree with this to a point.
I thought it was important to mention this concept as it is also a major point in the Security Awareness presentations that I do. Where my opinion differs is that I believe that human error is the leading cause of *insider* security threats, but not the leading cause of all security threats.
Perhaps I am being myopic because of the type of company that I work for, but I view intrusions resulting from public server vulnerabilities, virus infections, and social engineering as a much larger issue.
That isn't, however, to take away from the importance of the insider threat. When I say "insider threat," am I referring to employees who are going out of their way to do something malicious or to try to access data that they know they shouldn't have access to? Yes, but I am also referring to employees who stumble upon information due to a lack of proper security controls or the maintenance thereof. For example, if you worked in your Customer Support department and happened to stumble upon a spreadsheet named "Executive Salaries 2008.xls" somewhere out on a network share that you had permission to view, would you open it? Perhaps you would report it, but I'll bet you a nickel that you would look at it first, maybe save a copy for yourself, or print it out on the closest printer to show your friends. These are examples of insider threats just as much as the over-eager security novice who is attempting cross-site scripting attacks against your production systems in an attempt to learn.
According to the 2006 E-Crime Watch Survey insiders were responsible for 27% of all security incidents and 55% of respondents reported at least one incident that was the result of insider activity. That's more than 1 in 4 security incidents that happen as a result of an internal employee! That's a lot, especially in an age where most of what you read about in security publications talks about the latest worms, keyloggers, and other maladies looking to steal your financial data.
The article also states that "Another security worry is many line-of-business executives' tendency to see information security as solely IT's problem." If your company puts the responsibility of security solely with the IT department, they are missing the boat. Security should not rest with IT for the same reasons that it should not rest with Production Operations or Quality Assurance or any other department; they have their own agendas and their own core competencies to focus on. Adding "make sure we are secure" to that mix is a certain recipe for failure. Your security program implementation, maintenance, and enforcement should be handled by an independent (could be internal) source whose *main responsibility is the security program*.
The article concludes by making a statement in regards to the implementation of a corporate security program, "A prerequisite for effective information security is the implementation of a proactive information security strategy that is closely linked to the company's overall business strategy, business requirements, and key business drivers." This is completely true. One thing I would add onto it is "...and has the full support of the company's executive team." Without the support of the people who run the company, your program will barely get off the ground.
In the past few postings we have covered why you should seriously consider implementing a Security Awareness Program, what the goals of a successful program are, and some of the challenges that many face when putting this program in place. As a wrap up to National Cyber Security Awareness Month, today's final installment will focus around how to go about implementing a successful Security Awareness program within your organization.
As a disclaimer before we go into specific detail, let me first point out that there is no "one size fits all" solution to implementing this type of program. Each program will need to be tailored to fit within your company culture and to merge well with the work habits of the other employees. If your new security policies introduce unnecessary process, are poorly outlined or conveyed, or make people less efficient, they will be rejected.
First and foremost when going about putting together your SA program, before you do anything make sure you have executive approval for your program. Put a presentation together which outlines some of the things that we have spoken about here in the past month and make a good business case for why your company needs to prioritize SA as an important company initiative. If you go forward without this approval from the beginning you will end up either redoing a lot of work to make the program fit executive direction or it will be shot down outright.
The next item that will ensure the success of your program is the development of meaningful security metrics. Once you have the program in place, it will be important to be able to justify its successes (and also to point out what areas still need work). Create metrics that are easily measurable, preferably automatable, and have an achievable target. Once that target is consistently reached, change your focus and start collecting metrics on other areas that need improvement. A successful metrics program should be agile enough to change what is being tracked so that you are reporting on the areas that are currently being improved. If all of your metrics always show 100%, then they are not showing continual process improvement; they are only showing what has already been successfully implemented across the company.
Be sure to have regular (Monthly? Quarterly? Whatever works best for you) checkpoints with internal stakeholders to determine if they have any needs in supporting the mission of your SA program. If they need additional tools or training, be sure to provide them. If other managers do not feel as if they can implement your program successfully within their group for whatever reason, they likely will not do it.
Always remember that you need complete buy-in across the organization in order for your program to succeed. That isn't just at the manager level; all employees need to buy in. It only takes one person who does not participate, and that person can be responsible for a major security leak or information breach.
The most important thing to remember is that security is a journey, not a destination. Continual communication and education will be necessary in order to assure the continued success of your program and to make sure that it remains a high priority for everyone.
Best of luck implementing your own SA programs. It can be one of the most difficult, yet also one of the most rewarding tasks to undertake as a security professional as you see your efforts begin to bear fruit. Missteps along the way are certainly not failures, rather opportunities to learn and grow!
MX Logic has announced that we will be joining the National Cyber Security Alliance (NCSA) to actively promote awareness of internet safety and security issues in conjunction with National Cyber Security Awareness Month (NCSAM) during the month of October.
As such, I have pledged to devote a series of blog postings this month to assist with the development of a Security Awareness Program within your organization.
Before we get into the meat and potatoes of developing a Security Awareness (SA) program, the question one must first answer is "Why should I implement a security awareness program? Aren't security programs for the Techies?" This is an excellent question, especially for organizations that might not be involved in Information Technology at all.
The answer to that question is that no matter what field you are in, security should be a part of your organization. Security doesn't just mean making sure someone doesn't hack your web site or that your computer doesn't get infected with a virus. The concept of corporate security also involves physical security of your office as well as data that you might be storing there.
Let's use a car repair shop as an example. Should they be concerned about security? Absolutely! We'll put aside for the moment that a car repair shop may have thousands of dollars of inventory sitting right in their main lobby area (tires and the like), but where the real money is to be had from a thief's perspective is from the customer records. A car repair shop has customer lists with customer names, addresses, phone numbers, and potentially credit card numbers. If this information isn't properly secured by the shop, your personally identifiable information could be at risk.
As organizations, who are we trying to defend ourselves against? From a technology perspective there are virus writers, hackers, spammers, etc. Those are a given. Data and physical property thieves are also a risk. What are companies doing though to protect against their internal employees? As much as you want to believe that everyone that works for your organization is there to advance the progress of the company, a 2006 E-Crime Watch Survey reports that insiders were responsible for 27% of all security incidents. More than 1 in 4 security incidents (either accidental or intentional) were the result of an employee at a company obtaining access to information that they shouldn't have had access to.
Why is that? For starters, it is easier to get information. The higher up you are in an organization, the more critical data that you likely have access to as part of your normal network access levels which means that your potential risk to a company is also much higher. Why break into the house to steal the jewels when you are already in the bedroom?
Over the next few blog entries we'll go into some more detail on what the goals of a successful SA program should be, some of the inherent challenges that come along with the implementation of such a program as well as steps that you can take to start implementing a security awareness program at your organization. Different types of companies have varying requirements for security (Do you have servers? Do you accept credit cards? etc), but the discussion can certainly be made general enough to apply to everyone.
Hopefully over the rest of October the information that is presented here will be of use to you and will help jog some thoughts of your own on how a security awareness program could work for you.
The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks are now surpassing computer viruses as the most common cause of security incidents within organizations. It also says, however, that the losses incurred are not significant. The fact that insider threats have surpassed viruses in prevalence makes sense to me, but the argument that the damage is minimal does not. Companies have been fighting the virus wars for years now. Granted, insider espionage has been a potential issue for much longer than computer viruses, but it has generally not received the same level of attention.
It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was the result of malicious intent or an honest mistake. What is not accounted for here, however, is the ease with which insiders can obtain potentially damaging company confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe that the reason companies are saying that the resulting losses from the insider threat are not the biggest cost is that they don't know how to estimate the damage.
Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?
I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?", rather "When will you have a security incident?" and are you equipped to respond?
We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.
Do not underestimate the insider threat and the ease with which insiders can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage or deletion already has access to the information they need; they don't have to break in or be sneaky to get it.
Another part of my role here at MX Logic in addition to being in charge of our Threat Research group is that of our security officer. This includes not only security education, but also implementation and enforcement of our internal security policies and procedures.
One of the things that I have been putting a lot of thought into lately is the security implication of telecommuting. Telecommuting is becoming much more commonplace among many different types of organizations now that more and more companies are adopting mobile computing practices. This often comes at the cost of security, however. In an effort to make employees more productive when they are away from the office (either traveling or working from home), the security implications of opening up your network in this way are not always considered, or, if they are considered, they are set aside for the trade-off of getting more out of your workforce.
So, what's the big deal? So what if Jane wants to work on her desk PC at home when she telecommutes instead of using her laptop?
There was an article posted recently on darkreading.com that said that 94% of Federal CISOs do not believe that telework/telecommuting programs are a threat to security. It also stated that 83% of Federal CISOs are "interested" in mobile endpoint certification for compliance with the Federal Information Security Management Act. Being interested means that they aren't doing it yet, but think it is a good idea.
These numbers don't add up to me. How can you not be concerned about the security implications of telecommuting while at the same time you haven't even certified that your own equipment complies with your own Information Security Management Act?
Let's discuss some best practices that companies can use when implementing a work from home policy:
-- Set up access control so that only company-authorized PCs are allowed to connect to your VPN. If Jane has been connecting her work laptop to her own unsecured home wireless network or to the local Starbucks Wi-Fi network, you still can't guarantee that she won't be trying to spread a virus across your corporate infrastructure, but you have more control over this PC than you do over Jane's home PC that she shares with her two teenagers.
-- Implement as many defense-in-depth strategies on your company PCs as possible. This includes at least one anti-virus product and some kind of Host-Based Intrusion Prevention System (HIPS).
-- Disable ports on the PC which allow users to plug in external storage devices like USB drives. Not only are these devices handy if someone wants to steal your corporate secrets off of your corporate intranet, but they are an easy injection point for malware.
-- Turn off the wireless radio when the PC is going to be hard-wired to the network. This prevents accidental connection to a potentially rogue wireless network. A nice side effect is that it will also increase battery life on a single charge, since the radio is such a drain on the battery when it is on.
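As an added example (not code from the original post or from MX Logic), the script below audits a Windows laptop against three of the controls listed above: the USB mass-storage driver disabled, the Wi-Fi adapter disabled while the machine is hard-wired, and an anti-virus engine running with real-time protection. It assumes Windows 8 / Server 2012 or later (for the NetAdapter module), Windows PowerShell 5.1, Microsoft Defender as the anti-virus product, and an elevated prompt. It only reports; the remediation commands it prints are not executed.

```powershell
# Added example (not from the original post): read-only compliance audit of a
# telework endpoint. Assumes Windows 8+/PowerShell 5.1, the NetAdapter module,
# Microsoft Defender, and an elevated prompt.

function Test-TeleworkBaseline {
    [CmdletBinding()]
    param()

    $results = @()

    # Control 1: removable USB storage disabled.
    # With the USBSTOR service Start value set to 4 (Disabled), the USB
    # mass-storage class driver is never loaded, so USB drives cannot mount.
    $usbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $usbStor = Get-ItemProperty -Path $usbKey -Name Start -ErrorAction SilentlyContinue
    $usbOk   = ($null -ne $usbStor) -and ($usbStor.Start -eq 4)
    $usbFix  = ''
    if (-not $usbOk) { $usbFix = "Set-ItemProperty -Path '$usbKey' -Name Start -Value 4" }
    $results += [pscustomobject]@{
        Control     = 'USB mass storage disabled'
        Compliant   = $usbOk
        Remediation = $usbFix
    }

    # Control 2: wireless radio off while the machine is hard-wired.
    # PhysicalMediaType is '802.3' for Ethernet and 'Native 802.11' for Wi-Fi.
    $adapters = Get-NetAdapter -Physical -ErrorAction SilentlyContinue
    $wiredUp  = $adapters | Where-Object { $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up' }
    $wifiUp   = $adapters | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -and $_.Status -eq 'Up' }
    $wifiOk   = -not ($wiredUp -and $wifiUp)
    $wifiFix  = ''
    if (-not $wifiOk) {
        $wifiFix = ($wifiUp | ForEach-Object { "Disable-NetAdapter -Name '$($_.Name)' -Confirm:`$false" }) -join '; '
    }
    $results += [pscustomobject]@{
        Control     = 'Wi-Fi disabled when wired'
        Compliant   = $wifiOk
        Remediation = $wifiFix
    }

    # Control 3: anti-virus with real-time protection.
    # Get-MpComputerStatus reports only on Microsoft Defender; a third-party
    # product would need its own check here.
    $mp   = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $avOk = ($null -ne $mp) -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    $avFix = ''
    if (-not $avOk) { $avFix = 'Set-MpPreference -DisableRealtimeMonitoring $false' }
    $results += [pscustomobject]@{
        Control     = 'Anti-virus with real-time protection'
        Compliant   = $avOk
        Remediation = $avFix
    }

    return $results
}

# Usage: print the audit as a table. A VPN or endpoint-management tool can
# instead consume the objects and refuse connections from non-compliant PCs,
# which is how the "only company-authorized PCs on the VPN" control is enforced.
Test-TeleworkBaseline | Format-Table -AutoSize
```

Each row carries a `Compliant` flag and the exact command an administrator would run to fix it, so the same function works as a one-off check on a single laptop or as the input to a scheduled report across the fleet.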
As with anything technology related, technology solutions are only part of the answer. User education is also a large piece of this pie. One of the most important jobs of a security officer is security awareness: making sure that security is part of the consciousness of every employee at an organization. It is one thing to put policies and technology in place which enforce security, but it is another entirely to make sure everyone in your company is also aware of those policies and knows and understands how to follow them. The backend technology should be in place to enforce those policies, but it is the end user's responsibility to try not to put themselves into a vulnerable position, and that is done through education, education, and more education.