Like everything else, technology has its ugly side, which can no longer be ignored. With every patch released for a weakness being followed by the next exploit almost immediately, you can never be sure that your systems, your processes, your business and ultimately the economy are in safe hands. How good it would be if technology alone could be trusted to secure us completely. Unfortunately, that is not the case.
With a sharp increase in internal employee fraud, gone are the days when a firewall, an IDS or other security devices alone could protect our networks and systems. As per the 2010 Cyber Security Watch Survey, insiders were rated the second largest threat after hackers, and also the worst, since they are mostly silent and hence difficult to detect. Even a long list of policies, procedures and safe practices falls short owing to a small mistake, intentional or unintentional, by an employee. Throwing money at the problem does not solve it: you may invest millions in building thousands of security controls, but a minor, inexpensive measure, if not taken, may cost you a fortune. As per the survey report, the most often neglected simple measures are listed below:
1. Patch Management: Ever-growing business requirements increase the number of software packages and applications that fulfil them, and with them one constant measure of their complexity: the number of available patches. Each software vendor releases a large number of patches continuously. The grave problem in many organizations is that the need for a patch is not realized until the business is impacted. The strategy adopted is often reactive rather than proactive; the requirement for a particular patch is at times realized six months after the patch has been released.
The other problem is unmanaged change. Patches that are not validated, approved and tested in a disciplined manner may cause other business functionality or controls to break or malfunction. The challenges in patch management are compounded by factors such as the volume and complexity of patches, the speed of implementation, the impact on business, the events driving the need and environment changes.
Hence, an ongoing proactive process should be followed to identify the available patches, determine the organization's need, validate, test and implement them, and continuously monitor patch compliance.
2. Log Analysis: Improper log analysis is a cause of many unauthorized and suspicious activities going undetected. Logs are often analyzed just for compliance with regulatory and legal requirements, and while the focus is on compliance, an abnormal event is at times ignored. Organizations should set up rules to perform continuous analysis of daily logs to detect, alert on and act upon any suspicious activity found. Before doing this, the business critical assets, and the activities performed on them or by them that need to be monitored, should be identified. Also, a baseline of security configuration settings should be developed for each device or type of device within the organization, and any deviation from these settings should raise an alert. All network, system and critical server logs should be closely monitored to understand the implementation and health of security controls within the organization and their compliance with organizational policies and procedures.
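The two checks described above, a per-device-type configuration baseline and a rule run over daily logs for business critical assets, as an added example that is not part of the original article. The device names, baseline settings and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed baseline: the security settings each device type is expected to have.
BASELINE = {
    "firewall": {"telnet": "disabled", "ssh_version": "2", "syslog": "enabled"},
    "server":   {"root_login": "no", "syslog": "enabled"},
}
# Constructed observed settings, as a configuration-collection job might report them.
OBSERVED = {
    "fw-edge-01": ("firewall", {"telnet": "enabled", "ssh_version": "2", "syslog": "enabled"}),
    "db-prod-01": ("server", {"root_login": "no"}),  # syslog setting not reported at all
}
# Constructed daily auth log lines; db-prod-01 is the business critical asset to watch.
CRITICAL_ASSETS = {"db-prod-01"}
LOG_LINES = [
    "2010-06-01T02:14:03 db-prod-01 sshd: Failed password for admin from 10.0.0.5",
    "2010-06-01T02:14:05 db-prod-01 sshd: Failed password for admin from 10.0.0.5",
    "2010-06-01T02:14:07 db-prod-01 sshd: Failed password for admin from 10.0.0.5",
    "2010-06-01T02:14:09 db-prod-01 sshd: Accepted password for admin from 10.0.0.5",
    "2010-06-01T09:00:00 web-01 sshd: Accepted password for deploy from 10.0.0.9",
]
LOG_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def baseline_violations(baseline, observed):
    """Return (device, setting, expected, actual) per deviation; a missing setting counts as one."""
    violations = []
    for device, (dev_type, settings) in observed.items():
        for setting, expected in baseline[dev_type].items():
            actual = settings.get(setting, "<missing>")
            if actual != expected:
                violations.append((device, setting, expected, actual))
    return violations

def suspicious_logins(lines, critical_assets, max_failures=2):
    """Flag (host, user, source) on a critical asset when a success follows > max_failures failures."""
    failures, alerts = Counter(), []
    for m in filter(None, map(LOG_RE.match, lines)):
        _, host, outcome, user, src = m.groups()
        if host not in critical_assets:
            continue
        key = (host, user, src)
        if outcome == "Failed":
            failures[key] += 1
        elif failures[key] > max_failures:
            alerts.append(key)
    return alerts
```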
3. Privilege Restrictions: Unmanaged user roles and privileges are like the open doors of a treasury: they can be escalated to gain control of critical systems within an organization. User roles, and the privileges assigned to them, may lead to privilege escalation attacks if not managed and reviewed periodically. Internet facing services are riskier and hence need foolproof protection against privilege escalation. There may be a few services, such as SSH, used in the organization that require complete security throughout their life cycle. All such critical services and business critical applications should be identified. A list of the users that require access to these services or applications should be prepared, and privileges should be judiciously assigned based on their roles, following the "Principle of Least Privilege". Such lists need to be approved, authorized and regularly reviewed.
4. Password Expiration: In spite of the thousands of things said, written, talked about and published on password security, the lack of awareness still persists. Password policies of different organizations have many aspects in common, like the number of characters, password history and the types of characters required, but the expiration period often varies between organizations: 30 days, 45 days, 60 days or 90 days. Password expiration is always recommended to be set depending on the value of the data to be protected. Some even suggest never expiring passwords, rather than making them weaker because users adopt unsafe practices to choose new passwords and to remember them. Too short a password expiration period may inconvenience users, leading to an increase in the number of helpdesk calls for password resets. On the other hand, too long a period has its own disadvantage: the password may be compromised through user negligence or other reasons.
There is no standard definition of password aging periods. The organization should set the expiration period by striking a balance between data protection, password safety and user convenience.
5. Termination of Former Employees: Of late, cases of access controls being broken by terminated employees are on a constant rise. Disgruntled employees taking revenge by deleting all of a company's data, by hacking their own company's systems or by leaking the company's confidential information are often heard of. Despite many security controls being in place, improper removal of the access rights of employees who have been transferred, terminated or have resigned may lead to huge loss to the business. The amount and severity of the loss depends on the position, roles and responsibilities of the employee and the privileges assigned to him or her. Organizations should follow a well-defined termination procedure, with a separate checklist for the IT department covering removal of access rights from the different systems. Such removal should not be delayed for any reason and should be top priority on the termination of an employee.
The list of access rights on all systems and applications should be prepared, kept up to date and constantly reviewed.
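The periodic access review called for in sections 3 and 5, as an added example that is not part of the original article: every account on every system is compared against the HR roster (to catch accounts of terminated or unknown people) and against the role's approved entitlements (to catch privileges beyond least privilege), and the orphaned accounts are grouped into the per-system removal checklist for the IT department. Roles, users, systems and privileges are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed approved entitlements: the least privilege each role needs, per system.
ROLE_ENTITLEMENTS = {
    "dba":       {"db-prod-01": {"ssh", "sudo"}},
    "developer": {"web-01": {"ssh"}},
}
# Constructed HR roster: the authoritative record of who is employed and in which role.
HR_ROSTER = {
    "alice": ("dba", "active"),
    "bob":   ("developer", "active"),
    "carol": ("developer", "terminated"),
}
# Constructed account inventory as pulled from each system (user -> privileges granted).
ACCOUNTS = {
    "db-prod-01": {"alice": {"ssh", "sudo"}, "carol": {"ssh"}},
    "web-01":     {"bob": {"ssh", "sudo"}, "dave": {"ssh"}},
}

@dataclass(frozen=True)
class Finding:
    kind: str        # "orphaned" (no active employee behind it) or "excess" (beyond the role)
    system: str
    user: str
    privilege: str = ""

def review_access(roster, entitlements, accounts):
    """Check each account against the roster and the role's approved entitlements."""
    findings = []
    for system in sorted(accounts):
        for user in sorted(accounts[system]):
            role, status = roster.get(user, (None, "unknown"))
            if status != "active":
                # Terminated, transferred-out or unknown users must have no account at all.
                findings.append(Finding("orphaned", system, user))
                continue
            allowed = entitlements.get(role, {}).get(system, set())
            for privilege in sorted(accounts[system][user] - allowed):
                findings.append(Finding("excess", system, user, privilege))
    return findings

def removal_checklist(findings):
    """Group orphaned accounts by system: the IT checklist for the termination procedure."""
    checklist = {}
    for f in findings:
        if f.kind == "orphaned":
            checklist.setdefault(f.system, []).append(f.user)
    return checklist
```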