Part 3: Business Security
In Part 3 of this blog series we’re going to discuss security for businesses and organizations from a top-level view. In the previous parts, Personal Security and Employee Security, we got down into the nitty-gritty of what individuals should do to protect their information assets personally and as an employee. However, employees themselves can’t be held responsible for 100% of an organization’s assets and there are a variety of other methods an organization can put in place to protect the system.
Firewalls are the most common network security appliance in any organization. They’re often the most expensive as well. Not only is there the initial cost, but then you have the ongoing maintenance and configuration as the needs of the business shift. A common phrase heard throughout the InfoSec community after a compromise or breach, which has also become a bit of a joke about weak security practices, is: “But, we have a firewall!”
Unfortunately, many organizations simply buy a firewall, perform the initial configuration, and leave it sitting in a rack somewhere never to be touched again; which leaves them incredibly vulnerable to new attacks.
This is the “Common Sense” side of the argument: The key to firewall success is to continually audit, update, and generally maintain a firewall setup to achieve the highest possible level of security. At the very least, and I'm talking bare minimum, an organizations should be tending to the firewall any time a change is made to the system, update on a monthly basis, and audited quarterly to coincide with compliance requirements, and so forth. Used in conjunction with additional resources and strategies for securing information assets, firewalls can provide a layer of protection to deter most broad-spectrum attacks.
The “Arcane Magicks” side of the firewall argument is based on the methodology by which the firewall is configured. The best way to configure a firewall, despite the increased overhead for administration and configuration hours, is to leverage the “Deny All” rule. This rule comes standard in any firewall default configuration and you can build upon it by whitelisting services that are approved for your environment. Unfortunately, the common practice (not necessarily best practice) is to put a firewall into play, start with the “Allow All” rule, and start blocking the “bad stuff”. While this generally closes up holes in the environment over time, you’re still leaving your business open to vulnerabilities until someone on your security or IT team gets around to doing that actual configuration.
In the long run building your firewall policies via whitelisting against a "Deny All" rule can be cumbersome for whomever is in charge of configurations and maintenance. However, it's important to note that it allows for more flexibility and straightforward configuration than the reverse of trying to block all of the "bad stuff".
IDS/IPS & Anomaly Detection
Level: Arcane Magicks
Intrusion Detection and Prevention systems (IDS/IPS), when tuned properly, are an effective way to monitor and prevent external attacks against an organization’s network. Through the use of rules that look for matching parameters in packet data, an IDS/IPS can literally stop an attack in its tracks. These systems act as border guards for your network waiting for any and all traffic that is passing through before it reaches the firewall. In the event that malicious traffic is passed by the IDS/IPS systems, in theory, a properly configured firewall can stop it before it enters the network. These systems also create log data for analysis and further tuning of the environment’s protection measures.
There are many vendors and solutions for IDS/IPS implementation. Options for the open-source realm come in the form of Snort, Bro, and Suricata, or there are proprietary solutions through the likes of FireEye, CheckPoint, McAfee, and others.
Implementing these devices into your environment is not necessarily the easiest task; they take a lot of patience, configuration, know-how, and tuning by your security and IT teams to operate in an efficient manner that is conducive to a well-rounded, stable, heightened-security environment.
Level: Common Sense
As with the personal security section, antivirus is important for an organization’s information security strategies because a good product will stop the majority of threats to assets. Most antivirus solutions provide a decent layer of security for the user in that it will block and/or remove malicious software downloaded from the Internet, or through email attachments.
Stated previously, any antivirus is better than no antivirus. Many organizations implement Symantec Enterprise Protection, or Trend Micro Enterprise security suites, to protect their networks from the most common viruses, malware, and malicious attachments. Enterprise grade antivirus/anti-malware products are typically a centrally managed “security as a service” solution. These solutions utilize policies and groups configured in a management console on a dedicated system to handle updates and malware alerting within the network.
Level: Common Sense
Security policies are the framework for everything else inside an organization’s security planning. Policies will vary from business to business and can be as simple as “no social media sites from the corporate network” to more advanced strategies, such as “disabling all removable media and wifi connections on workstations within the facility”.
Through the use of policy in an organization, employees can be held accountable for not meeting the explicitly written criteria for access to company resources, malicious external entities, etc. In the event of foul play, the policy agreement can be used for enforcement of disciplinary actions.
Not only does policy help protect the employee and the organization through the easy reminder of “hey, you signed this NDA or acceptable use policy”, but it also allows the organization to change the requirements of employees to match the ever-changing environment in business.
Level: Common Sense
Training may be common sense, but adequate training and appropriate training are not. Employees need to be trained on how to spot possible infractions on organizational security and defuse the situation appropriately. That said, most training programs used by organizations of all sizes are laughable at best and are typically thought of as a “waste of time” by employees.
Like any other kind of training, security training should be more than an e-learning and a quiz. It should be a real, practical example of an event that has a high probability of happening. People learn best by being able to relate what they’re reading, watching, and/or hearing to a real-world example that they can place themselves in. It does no good to tell people to read a 40-page document and take a quiz at the end just to be able to say “user X took the assessment, they are culpable in the event something happens now”. That’s not how security works, that’s not even how training works.
Much like compliance standards, simply checking the box is not the solution to security training. Employees need to be able to understand, implement, and execute security best practices inside the organization. For that to be accomplished, it needs to feel like a real threat to them. For instance, everyone thinks about their house burning down because of the oven being left on at one time or another. For employees, that same sense of urgency and skepticism needs to happen in security thought processes. Every employee needs to be able to say, “Hey, that’s not right. Who are you? Why are you here? Can I see your credentials? Why isn’t someone accompanying you”. Pretend anyone you’ve never seen before is an oven that was left on and the organization is the house that it’s going to burn down if it isn’t handled appropriately.
SIEM / SOC Use
Level: Arcane Magicks
While this may be commonplace throughout the information security industry as a logging method and analytics tool, it should be noted that it is no easy task to simply “get the useful data”. SIEM tools bring together the concepts of Security Information Management, as well as Security Event Management. This combination adds capabilities to an organization’s environment such as data aggregation, correlation, alerting, dashboards, compliance data, historical retention, and the ability to have data on hand for forensic analysis. Commonly used SIEM tools in the industry are HP ArcSight, LogRhythm, McAfee ESM, Splunk Enterprise Security, and IBM QRadar, which are used to accomplish all of the aforementioned goals. SIEMs create an environment where the security team can gain visibility into what’s actually happening on the network.
It falls into an Arcane Magicks scenario in this context because it isn’t a simple “set it and forget it” solution. SIEMs require a lot of insight into how an organization’s systems and network behave, what users are (not) allowed to do, and how implementations of web filtering, antivirus, and access/authentication/authorization measures cooperate and interact in the environment to tune out the “noise” and get the real, raw, important data.
Most organizations want to leverage this machine data with a supplementary Security Operations Center (SOC), where individuals are tasked with tuning out the less important data, creating dashboards and reports for use in project and business planning, and analyzing alerts that come in for actions taken against the organization’s environment. This kind of situation requires a heightened level of communication and transparency between the organization’s IT personnel and the SOC to truly get the value out of the implementation.
Clear expectations must be considered about things like what should be alerting and what shouldn’t, what is important to the organization to monitor, and so on. These expectations should also be paired with existing security practices, policies, and procedures, along with any risk assessment and mitigation documentation, to better assist in the realm of compliance and organizational security.
Physical / Facilities Security
With regard to physical and facilities security in an organization, the infosec community could literally write a book on the topic (and has). Everything from the front door lock, through how you authenticate for authorized access to a server room, is included in this topic. I aim to cover some of the basic best practices in the industry. Keep in mind that just like other areas of information security, there’s no “one-size-fits-all” solution or methodology for every business environment.
Part of physical security also involves the training of employees to be on the lookout for certain behaviors in individuals and how to handle specific requests. One of the most common ways to breach a company is through a physical penetration test via social engineering (previously touched on in Part 2 of this series). An individual posing as a contractor, or perhaps a utilities employee requesting access to sensitive areas of the facility, is an easy way for them to get in. After getting in they can plant keyloggers and various tools used to exfiltrate data like usernames, passwords, or create a way for them to get into the environment through a backdoor from the outside. It is, in fact, such a common methodology for intrusion that an entire sector of the information security industry is devoted to the physical penetration test.
The idea during a physical penetration test is to find out how far into an organization’s facility you can get and how deep into sensitive areas you can reach before people call you out and want to confirm who you are and what you’re doing.
Physical security has three basic components: access control, surveillance, and testing. Access control, like in software solutions and network security, revolves around limiting who can get in without proper authorization and authentication methods. Surveillance involves watching the facility, the happenings therein on a day-to-day basis, and monitoring for suspicious activity. Testing involves periodic auditing and testing of all access controls and surveillance methodologies and processes in place within the organization to ensure that it is actively reviewed and improved upon.
Access control for a facility seems like an easy task at first, but in reality there are a number of things that the average planner and/or project manager takes into account in this realm of physical security. Often overlooked are things like company growth and changing needs on an organizational basis. There are stipulations put in place by compliance standards, such as PCI or HIPAA, that involve the company as a whole and don’t focus simply on “IT needs”; however, they ensure that the desired control mechanisms and the access control system itself work together and are tuned and maintained properly. As with many information security components, physical security is not a “set it and forget it” situation and is always going to be changing with the needs of the organization.
Surveillance for a facility is typically handled through the use of CCTV and similar camera approaches. Video recordings of people entering and exiting the building perimeter, server rooms, documents/records areas, anywhere that contains sensitive equipment or data can assist in the general security of a facility. It is not the end-all solution for facility security management and should be treated like every other component of securing and environment: it needs tuning along with policies and procedures to back it up.
Testing is probably the most important factor in facilities security because it’s literally the only way you’re going to be able to find out if the security implementations that are in place are working as intended, or if they need to be reworked to account for various situations. The testing phase should be completed with an internal test as well as an external test to achieve a better sense of where the loopholes are in logic and facilities penetration.
Throughout this three part blog series a lot of ground has been covered in the realm of personal, employee, and business security but it is very important to note again that security is not a “set it and forget it” scenario. Each part needs to be continuously reviewed and updated to match business needs, as well as the changing threat landscape. It is not enough to implement these security measures; they must be tested and tuned until they are the best they can possibly be without sacrificing usability too greatly. If you secure something to the point where it's cumbersome to use, no user will want to use it and will undoubtedly find a way around the security process. Leverage external resources from reputable companies for penetration testing (both physical and logical) to better enhance your overall organizational security and push the envelope beyond the ‘bare minimum’ for compliance, it might just save your organization and yourself a lot of difficulty in the long run.