SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES

Transcription

1 SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES

2 2 On June 3, 2009, Plante & Moran attended the Midwest Technology Leaders (MTL) Conference, an event that brings together top technology professionals in the Midwest to share trends, best practices, and opportunities. With the help of MTL, Table Sponsors, CIOs, and additional conference attendees, we conducted 12 roundtable discussions on a variety of timely and important IT topics. As an outgrowth of the roundtable discussions, we produced a series of educational white papers. Contents Abstract 2 Introduction 2 Best Practices in Information Security 2 Security Officer 3 Management and User Responsibilities 3 Identification and Authorization System 4 Latest Software Updates and Patches 4 Firewalls and Security Policy 4 Intrusion Detection System (IDS) 4 Penetration Testing 4 Logging 5 Backups 5 Documentation 5 Independent Testing 5 Conclusion 5 ABSTRACT In today s world, breaches in information security are a common occurrence. Recent advances in technology have increased both our access to and requests for information and data. IT professionals are faced with the complex task of providing access while at the same time mitigating security risks. INTRODUCTION The largest breach of 2009 occurred at Heartland Payment Centers where it was reported 130 million records were stolen. Some believe that number is low based on the fact that the company processes more than 100 million records per month and that the hackers had access for 18 months 1. The sources of breaches can be external or internal, probing, coordinated, or random attacks, and as technology advances and laws change, criminals find new ways to infiltrate into private and secure information. Steps can be taken to significantly reduce the risk by adhering to the following best practices in information security. BEST PRACTICES IN INFORMATION SECURITY In today s technology infrastructure, an organization needs to implement multiple security strategies and technologies to protect its information assets. The process should begin with an analysis of risks the organization is exposed to from its current use of technology. Simply put, these risks can be broken into four broad categories: Interruption, Interception, Modification, and Fabrication.

3 3 To mitigate risks identified, an effective information security programs should develop control strategies including prevention, protection, recovery, detection, and investigation. The controls should span across people, process, and technology. Documenting controls in the form of policies and procedures further assist in the consistency of controls. Lastly, the information security program should be independently assessed through IT general and technical audits. Security Officer All companies need to establish a security officer who is responsible for managing the information security in accordance with the Security Handbook. It s important for the security officer to understand the associated security risks and to update policies and procedures based on those risks. In addition, the security officer should ensure compliance to procedures, conduct risk assessments, test contingency plans, and coordinate awareness programs. Management and User Responsibilities Ultimately, it s management s responsibility to ensure that the documented procedures and policies are in place, and that there s a formal approval process for the security policy and handbook. In order to do this, management must understand the security risks and threats, how they can change, and ensure the policies continue to get updated. It s also important to instill a security conscious atmosphere throughout the organization, which includes ensuring that people selected for critical positions are of the highest integrity and reliability.

4 4 New, current, and temporary users must all receive the proper training to ensure security is effective. Guidelines must be in written form and include specifics about what users should and should not do. Users should be asked to sign an acknowledgement that they ve read and understood all the requirements. The guidelines should be available to reference at all times, preferably online so that the latest revisions are always included. Identification and Authorization System There are a number of security identification systems, including biometric systems, chip cards, and magnetic chip cards, but the most common is passwords. A large number of breaches occur because default usernames and passwords are never changed, providing easy access for attackers. Implementing a strong password policy will help to mitigate risk. Below is a list of best password practices: Do not share passwords. Passwords should be at least six characters long, with a mix of numbers, uppercase letters, lowercase letters, and special characters. User IDs and passwords should be unassociated. Change passwords every 30 days. Passwords should expire if not changed, locking users out of the system. Do not reuse passwords. Remove passwords and deactivate user IDs immediately if an employee leaves an organization. The strongest identification systems are ones that include multiple systems. Latest Software Updates and Patches Ensure that the latest software updates and patches are running on your applications and operating systems so that they re less vulnerable from outside attacks. Not complying with this guideline is like leaving a purse in a locked car with the windows down. There are products on the market that can help ensure your computers and systems are up to date with the latest patches. Firewalls Firewalls are used to secure the internal network from an external network such as the Internet by using a defined set of rules to allow or deny network traffic to pass through it. A firewall acts as a gate to ensure that private or confidential information doesn t go out and that unwanted content or unauthorized users don t come in. They should have an alarm mechanism that warns system administrators of a potential breach, and all traffic that crosses the firewall should be tracked in a log for reference purposes. The security policy should address the use of the firewall and its requirements. Intrusion Detection System Even with a firewall in place, an intrusion detection system should be used to detect unusual actions or patterns that could indicate an attack on the system. Since intrusions can be internal or external, having both a firewall and an intrusion detection system will provide your organization with the best protection. Penetration Testing A yearly penetration test should be performed to uncover any security vulnerabilities. This handson, active approach will provide much better

5 5 information about the strengths and weaknesses of your security system than just conducting a paperbased audit. Penetration testing helps safeguard your organization against fraud, financial loss, loss of consumer confidence, and provides industry compliance to regulators, customers, and shareholders. Logging History logs are generally a part of any system and, from a security standpoint, are critical so that breaches can be quickly identified and analyzed. Most importantly, network activity logs, particularly software installations and firewall logs, need to provide details of who, when, where, and what occurred to determine if they match patterns or violate the rules. Backups All data and information files on the system should be backed up on a regular basis. A bolt of lightning, human error, or other disaster could take place and result in the loss of information. Procedures and policies should be outlined in the security policy and/or security handbook to address backup media, location to store the media (preferably off site), number of copies, frequency at which backups occur, and include intervals at which backups will be tested to ensure data can be retrieved and restored. Documentation It s important to document your organization s IT security policies, procedures, and contingency plans in detail in a Security Handbook. Documenting your procedures displays that management has taken security seriously and in the event of a breach or major incident, the Security Handbook will guide internal resources through the proper steps to follow. Independent Testing The effectiveness of your information security program should be assessed by independent auditors. The assessment can be general such as IT general controls, technical such as penetration testing or specific such as firewall review. The security risk and control landscape is constantly changing and as such at a minimum, the independent assessment should be performed annually. The assessment is also helpful when demonstrating compliance with regulations such as Sarbanes Oxley, and Privacy (GLBA, HIPAA) or standards such as Payment Card Industry Data Security Standards (PCI DSS) and SAS 70. CONCLUSION The task of granting increasing access to data and information while keeping tighter and tighter control over system security is difficult in a technology environment that s constantly evolving. Every time one type of security breach is solved, attackers figure out a new way to get in, which is why it s important for organizations to understand and follow IT security best practices. Understanding the risks and then documenting, monitoring, and constantly updating security policies and procedures to address them requires time and effort but are critical in keeping your system safe. Putting barriers such as identity and authorization systems, firewalls, and intrusion detection systems in place and making sure they re tested and upgraded as required will minimize the risk of system attacks. And, if in spite of every best effort, a breach still occurs, keeping history logs and backups will allow you to recover your system and investigate the attack. Lessons learned may require updates to policies, procedures, and barriers, and the cycle starts again.

6 6 THANK YOU Plante & Moran would like to thank Govind Rammurthy, Table Sponsor from MicroWorld Technologies; Joe Sawasky, CIO from Wayne State University; and all roundtable participants for their contributions. Sources Cited 1. Top 10 Information Security Breaches & Blunders of Breaches and Blunders of 2009.pdf 2. IT Security and Crime Prevention Methods eprev/itsecurity.asp# Ways to Avoid IT Security Breaches For more information, please contact: Doug Wiescinski IT Security Series Part 1: Information Security Best Practices formation security best practices