
Security: Fighting the enemy within

How do you protect your network against a threat you can't see? New security automation can establish policies, and consistently audit and monitor them for compliance.
Written by Roberto Medrano, Contributor
COMMENTARY--Kevin Mitnick was placed in solitary confinement in 1995 out of fear of a then little-understood corporate security risk that Mitnick had learned to exploit. The reserved and non-violent Mitnick had for years been breaking into some of the nation’s most secure networks with a combination of solid technical hacking ability and an uncanny way of coaxing information out of people--information about computer passwords, for example. Mitnick had already served time for stealing phone-network information after convincing a security guard to let him into the phone company’s headquarters.

Mitnick’s abilities spooked the judge assigned to his case. The judge’s move to physically separate him from any person he could “influence” is a striking validation of the threat of social engineering: preying on people’s trust in order to get them to disclose information or grant access. Mitnick had used social engineering to get into computer systems as sensitive as those housed at the U.S. National Security Council. Simply put, social engineering covers the varied methods an attacker uses to manipulate people, most often by posing as an authorized user of the network. It can be carried out online, over the telephone, or even by physically impersonating a colleague in the office.

Social engineering is still practised today. Any employee can leak valuable security information about computer networks to outsiders. As no company can exist without employees, the fact that individual people are security risks is an inevitable reality. Beyond social engineering, users can leave computer systems vulnerable by accidentally (or deliberately) changing the security settings on their machines. Both through employees’ interactions with other people and through their use of their own computer equipment, the risk of security vulnerabilities is significant.

Fortunately, there is an answer to the risk of social engineering and the threats posed by employee use of company machines. Security policy automation, an emerging security software concept, reduces many of these risks by implementing a security policy across enterprise systems and consistently auditing and monitoring those systems for compliance.

In many ways, security policy automation is the missing link within an organization’s plan for security.

Establishing policies
For many companies, the concept of a security policy is not new. A written security policy is a set of documented security rules and configurations intended to guard a company from threats to its equipment, employees and computer information. As an exercise, writing these policies is helpful in raising the visibility of security concerns and creating a heightened understanding of security risks. Companies typically establish company-wide committees representing multiple departments to handle the task of creating written standards for the organization to follow. Often, written security policies include guidelines for the physical security of company offices, the protection of intellectual property, and the electronic security of information stored on or transferred by computers.

The motivations for the new wave of security policy creation are numerous. Most companies are motivated by the heightened attention to homeland security and have created security committees or task forces to make recommendations on security procedures. Written security policies are often the result of these efforts.

Companies are also under pressure to develop policies to comply with federal regulations. The Health Insurance Portability and Accountability Act, or HIPAA, requires healthcare organizations to have in place a system for ensuring the privacy of patient records and health information by April 2003. It is not that healthcare organizations are insecure today; rather, the federal government now wants these organizations to prove that their security is sound. Writing security policies is one way to help satisfy this requirement.

Similarly, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to implement certain technical and physical safeguards. Often, in order to find where network vulnerabilities are hiding as part of the compliance process, a full network audit needs to be conducted.

Using the right tools
No matter what the motivation, security policies are a solid foundation for a secure enterprise. Tools exist to help in the creation of written security policies. Software applications are available to lead company security officers through a series of templates that define security policy standards.

Templates within these software applications exist for crafting security policies that meet a variety of guidelines. Policy templates include ISO 17799 for enterprises, a GLBA template for financial institutions, and a HIPAA template for healthcare organizations.

The templates are critical, since writing an effective security policy is not easy. Templates help ensure that the resulting policy is practical enough to be implemented consistently across an enterprise. Simply put, creating a policy without thought for how it will be implemented is a recipe for failure. As InfoWorld’s Mandy Andress wrote in November 2001, “There's a fine line between creating an enforceable policy and discussing the technologies used to enforce that policy.”

Many security consulting companies understand the importance of security policies, but they also know that the vast majority of security policies are never implemented and instead sit on shelves collecting dust. And where they are implemented, compliance is verified only periodically, which is not often enough. Ongoing enforcement of security policies is vital, not only to reduce the risk of security breaches, but also to ensure the necessary compliance with federal regulations.

Quite often, internal threats to a network's security are caused by users performing legitimate actions that unintentionally have significant security consequences. For example, when a user installs a new software package on a networked desktop system, the installer may change configurations on the user’s machine. A changed configuration, such as a weakened password policy, leaves the user’s machine and ultimately the entire network vulnerable to security violations, intrusions and infiltration. The weakness can go unnoticed for days or weeks if the written security policy is not constantly and consistently enforced.

Enforcing the rules
Having a written security policy by itself also does not eliminate the threat of social engineering. The most effective means of preventing a social engineering attack is a security policy that addresses these issues directly, for example by specifying how a caller’s identity is verified before information or access is granted, and that is actually enforced. For a policy to be effective, it needs to leap from the written document into operational configurations that can be enforced across the company.

Some companies achieve this manually by hiring personnel who check systems against the security policy one system at a time. This process is costly and prone to human error. The alternative is security policy automation software that checks system configurations against defined policies. Security policy automation also encompasses auditing: checking networks for inconsistencies and vulnerabilities, and checking each system’s compliance against the written security policy or against a “benchmark” or “golden machine” whose configuration is known to be good.

Yet again, software is coming to the rescue. Solutions exist that allow IT personnel to ensure that specifications created by written security policy are enforced consistently across an enterprise. This process is not easy, as it involves translating the written policy into a set of guidelines for each machine. The guidelines describe the actual settings on certain machines, and they differ depending on the type of machine and the operating system it is running. These “implementation standards” define how the written policy can be established on each system within a company.

Beyond the creation of implementation standards, software exists to scan network systems to ensure that they comply with the written policy, a vital capability for companies that want to prove compliance with federal mandates. More importantly, the software industry understands that enforcing the written policy consistently across a company is an expensive human endeavor, so solutions exist to handle this process. The software can even notify IT personnel when a system falls out of compliance.

Consistent enforcement of computer policy completes the security policy automation process and makes written security policy live. Security policy automation works to identify any changes to the system environment that infringe on company security requirements. A company’s security policy automation strategy should include a real-time method for checking the configurations of systems against the written policy.
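The loop described in this section (written rule to per-OS implementation standard, scan each host, compare against the policy or a golden machine, alert on drift) is short enough to show in working code. The checker below is an added example written for this article; it is not PoliVec’s product or any other vendor’s code. The setting names, the policy values and the host records are constructed for the example: a real deployment would collect them with an agent or remote commands (for instance by parsing /etc/login.defs and sshd -T on Linux, or the output of net accounts on Windows). One host deliberately reproduces the scenario above, a desktop whose password settings were changed by a software install.

```python
"""Added example: checking host configurations against a security policy.

A written rule such as "passwords must be at least 12 characters and
accounts must lock after 5 failed logins" becomes an implementation
standard: a machine-checkable setting per operating system.  Each host's
collected settings are compared with that standard (policy mode) or with
a known-good reference host (golden-machine mode), and every deviation
becomes a finding that can be turned into an alert for IT staff.

All setting names, policy values and host records are constructed for
the example; nothing here is read from a live system.
"""
import operator
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

# Implementation standards per OS: setting -> (operator, expected value).
# Two operating systems share the written rule but differ in the settings
# that realise it (constructed example values).
POLICY: Dict[str, Dict[str, Tuple[str, Any]]] = {
    "linux": {
        "password.min_length": (">=", 12),
        "password.max_age_days": ("<=", 90),
        "auth.lockout_threshold": ("<=", 5),
        "ssh.permit_root_login": ("==", "no"),
        "ssh.password_authentication": ("==", "no"),
        "service.telnet": ("==", "disabled"),
    },
    "windows": {
        "password.min_length": (">=", 12),
        "password.max_age_days": ("<=", 90),
        "auth.lockout_threshold": ("<=", 5),
        "rdp.nla_required": ("==", True),
        "smb.v1_enabled": ("==", False),
    },
}

MISSING = object()  # sentinel: the scanner did not collect this setting


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    actual: Any


def check_host(host: Dict[str, Any], policy=POLICY) -> List[Finding]:
    """Return one Finding per policy rule the host fails.

    A setting that was not collected is reported as well: compliance has
    to be proven, not assumed.  A value of the wrong type (e.g. the string
    "12" where a number is expected) is also a failure, not a crash.
    """
    os_name = host["os"]
    if os_name not in policy:
        raise ValueError(f"no implementation standard for OS {os_name!r}")
    findings = []
    for setting, (op, expected) in policy[os_name].items():
        actual = host["settings"].get(setting, MISSING)
        compliant = False
        if actual is not MISSING:
            try:
                compliant = bool(OPS[op](actual, expected))
            except TypeError:
                compliant = False
        if not compliant:
            shown = "(not collected)" if actual is MISSING else actual
            findings.append(Finding(host["name"], setting, f"{op} {expected!r}", shown))
    return findings


def diff_against_golden(host: Dict[str, Any], golden: Dict[str, Any]) -> List[Finding]:
    """Report every setting on the host that differs from the reference machine.

    This is stricter than policy mode: a host can satisfy the written rule
    yet still differ from the golden machine.
    """
    if host["os"] != golden["os"]:
        raise ValueError("golden machine must run the same OS as the host")
    findings = []
    for setting, expected in golden["settings"].items():
        actual = host["settings"].get(setting, MISSING)
        if actual is MISSING or actual != expected:
            shown = "(not collected)" if actual is MISSING else actual
            findings.append(Finding(host["name"], setting, f"== {expected!r}", shown))
    return findings


def alert_lines(findings: List[Finding]) -> List[str]:
    """Format findings as the lines an alerting hook would send to IT staff."""
    return [f"[NON-COMPLIANT] {f.host}: {f.setting} is {f.actual!r}, policy requires {f.expected}"
            for f in findings]


# Constructed hosts.  GOLDEN_LINUX is the reference build; WS01 is a desktop
# whose password settings were reset by a software install; WS02's scan did
# not collect the lockout threshold at all.
GOLDEN_LINUX = {"name": "golden-linux", "os": "linux", "settings": {
    "password.min_length": 14, "password.max_age_days": 60, "auth.lockout_threshold": 5,
    "ssh.permit_root_login": "no", "ssh.password_authentication": "no", "service.telnet": "disabled"}}
WS01 = {"name": "ws01", "os": "linux", "settings": {
    "password.min_length": 6, "password.max_age_days": 99999, "auth.lockout_threshold": 5,
    "ssh.permit_root_login": "no", "ssh.password_authentication": "yes", "service.telnet": "disabled"}}
WS02 = {"name": "ws02", "os": "windows", "settings": {
    "password.min_length": 12, "password.max_age_days": 90,
    "rdp.nla_required": True, "smb.v1_enabled": False}}

if __name__ == "__main__":
    for h in (GOLDEN_LINUX, WS01, WS02):
        for line in alert_lines(check_host(h)):
            print(line)
    for line in alert_lines(diff_against_golden(WS01, GOLDEN_LINUX)):
        print("golden:", line)
```

Running the block prints nothing for the golden machine (a sanity check worth keeping: a reference build that fails its own policy is useless), three findings for ws01, and one for ws02 because an uncollected setting cannot be counted as compliant. In a real deployment the scan would run on a schedule or on configuration-change events, and `alert_lines` would feed a ticketing or paging system rather than stdout.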

Threats from all sides
The bottom line is that companies are under tremendous pressure to protect valuable company information. Threats come from all sides, as in the case of social engineering, often from where you least expect them, and they can exploit even the most seemingly minor weaknesses in the network. In fact, CERT, the Carnegie Mellon University IT security research group, estimates that 95% of network intrusions result from the exploitation of known vulnerabilities or configuration errors for which countermeasures were already available.

Traditional manual processes built around written security policies are doomed to failure by limited resources, prohibitive cost, and inadequate auditing techniques. To stay ahead of potential threats efficiently, companies should rely on security policy automation software to define policy, detect and document violations, deploy corrections, and so reduce the threat of attacks.

It is no surprise that industry leaders are recognizing the importance of security policy automation. "The biggest problem is the policy compliance management problem,” said Scott Charney, chief security strategist at Microsoft. “How do you manage the growing complexity of security in the enterprise? There is a need and an opportunity for a coherent framework for the management of security systems.”

"Security has new meaning to every American in every way," said Richard Clarke, White House Special Advisor for Cyberspace Security. "Security now extends to every company faced with the possibility of electronic threats to their intellectual property. I am excited by the activity within the private sector, including in the area of security policy automation, which will help companies protect their networks."

The White House and the federal government are rapidly ramping up their influence on corporate security. The government is imposing federal requirements, such as HIPAA and GLBA, that dictate protections which present a huge challenge to many companies. In addition, Richard Clarke’s recent draft report, National Strategy to Secure Cyberspace, stresses the importance of security policies and the need to automate their implementation.

The report states, as one of its recommendations to corporations: "Create a regular process to assess, remediate [sic], and monitor the vulnerabilities of the network; consider developing automated processes for vulnerability reporting, patching, and detecting insider threats.”

It is not surprising, in many ways, that the government is so actively involved. Back in 1995, it was the FBI that finally caught Kevin Mitnick and presented his case to a federal judge. It was that case that frightened the judge and landed Mitnick in a padded cell, simply because of the power of computer hacking and social engineering. Thankfully, that power can now be kept in check by software products that implement and automate written security policies, making them the bedrock of a secure enterprise.

Biography
Roberto Medrano is CEO of PoliVec, a provider of automated security policy software. He is also founder and first vice president for Hispanic-net, a non-profit organization.
