Calum Macleod European director of Cyber-Ark, offers advice on how companies can keep access to information secure and under control.
As a fifty something male, personal grooming takes on whole new meaning. You realise that when you start typing Botox on Google that things are getting serious. The bottom line is how can I cover up the cracks brought upon by years of abuse and misuse? Its pretty much the same in most organisations. Years of abuse and misuse of privileges by staff, particularly in IT, eventually catches up with you and its impossible to hide the tell tale signs of wear and tear, particularly when it comes to controlling access to sensitive business assets. And the result is that eventually if you dont take steps to control things you will be caught out.
If most us are honest with ourselves we complain about the nanny state banning everything that is bad for our health but deep inside we know that many things are probably for our own good. And in the same way we complain about the increasing interference in our private IT worlds of controls and regulatory compliance but deep down we know that internal controls for privileged user access rights and controls has been abandoned, or in many cases only given lip service in many organisations, and these controls are bringing us face to face with results of years of neglect.
And the result is that we risk being hacked either by thrill seekers, the curious, or the downright vindictive employee. Independent research clearly shows that a lack of improper segregation of duties, failure to control users with superuser access to files in production systems, failure to secure data in applications, a lack of processes coupled with a lack of reconciliation of these processes to the IT systems used, and a failure to secure access to operating systems and databases that support corporate financial applications and transactions, are the prime cause of most breaches and compliance failures.
Theft and fraud
The increase in computer-related theft and fraud is forcing the issue of internal users and privileged access into the open. This is clearly shown by the current case in the US courts of the IT executive who is alleged to have used his knowledge of system passwords to hack into a companys system remotely and accessed emails and other information. And the bottom line is that it is simply too easy for people with a limited amount of knowledge to do this. I mean who would expect an IT executive to be able to do this! Most of us so-called IT executives are considered to be in the Dilbert Managers category when it comes to understanding bits and bytes, and yet even an IT executive can hack a system today with the tools that are so easily available.
So there is a challenge for you as a security officer, or as an internal auditor face up to the fact that the sooner you deal with the organisational grooming, the better for all concerned. So today, every organisation should take the security of their systems and applications seriously. Start by ensuring that you have effective policies and procedures in place to control privileged access to every system, including your workstations, and applications, and make sure that you can enforce them. And remember that regulations do not make allowances for unintentional errors, just as speed cameras are not able to differentiate between the accidental speeding granny and the Jensen Button wanabee. Human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by less staff. So here are a few suggestions when you have a look at these policies and procedures.
Policies must be realistic The policy must fit the requirements and ensure that the complexity is not such that users are inclined to try and bypass it. Policies must be enforceable - Having well documented procedures that can be bypassed will be quickly exposed by any audit. The only effective way to make policies both realistic and enforceable is to automate the critical processes. For example, having policies that require privileged users to have the correct authorizations must be enforceable. Likewise, policies that require regular changing of passwords only work effectively if they are automated. Policies must auditable Having policies in place is a good first step, but they will not hold up to regulatory scrutiny unless there are audit trails proving the policy is in place and enforced on an ongoing basis. However, simply having an audit capability is not the solution. The sheer scale and diversity of systems in an enterprise require that tools are cross-platform. In other words, IT security staff must be able to provide reports that are consistent across all platforms and take account of the information produced by heterogeneous systems.
When you consider the amount of time and effort required to collect raw data from key systems and applications, including critical network devices, there can be literally hundreds if not thousands of logs that must be examined for the purpose of an audit report. This data needs to be converted into a standardized, audit compliant report format that can auditor can read.
So when youre examining what options are open to you remember like your personal grooming options, dont expect miracles overnight, make sure you stick to the treatment regime, and most of all make sure that the results are there for all to see. So treat yourself for Christmas Botox your policies before its too late.
Cyber-Ark is exhibiting at Infosecurity Europe 2007, Europes number one dedicated Information security event. Now in its 12th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,600 visitors from every segment of the industry. Held on 2426 April 2007 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security.