Archive for the ‘Security Policy’ Category

Survey Shows Lack of Planning for Insider Threats

Tuesday, December 30th, 2008

Last month we mentioned that Lanxoma was conducting a survey about insider threats and how companies are tackling that issue. The results of the survey came out, and were quite interesting!

The press release does not indicate how many people took the survey, so the results must be read with that in mind. Nonetheless, like many similar surveys, Lanxoma’s survey revealed that 43% of respondents had experienced fraud, theft or losses that are a direct result of employees with access to sensitive information.

Given the economic situation, many companies involved in the survey have had to make layoffs, cut raises or defer promotions. 72% of the respondents feel this has increased their risk for insider attacks.

The survey also revealed that 28% of respondents believe that employees with a technical background are more likely to commit insider attacks. However, industry experts have shown that it is not technical know-how that increases risk of attack, but rather the dissatisfied employee who simply has access to information. Employees with existing access to sensitive information do not need to know much in order to take it.

Of those surveyed, only 20% of respondents say they have processes and security measures in place to combat insider threats. Most respondents believed they could do more. One area needing improvement is user privileges, which determine which type of user has access to what kind of data and so restrict sensitive information to only those employees who need it. Most companies interviewed had no such safeguards, nor were they consistently monitoring what data was accessed and by whom.

Policy Creation: Ask the Right Questions

Tuesday, December 23rd, 2008

RSA’s Meena Raju asks if “you are scared of the word policy,” in a blog post about Asking the Right Questions When Implementing a Data Loss Prevention Policy. I think that’s a fantastic way to bridge into this topic. Scared is exactly the word. Individuals and companies are scared of putting together a policy on something that seems as complicated as security, particularly since whatever is “set down on paper” becomes an actionable set of guidelines. What if it misses areas? What if it’s confusing? What if it is an accurate policy, but one that’s “wrong” for your company?

The RSA team put together a series of best practices when considering a data loss prevention (DLP) policy.

What is the data that you want to protect? And how should you protect it? Sounds simple, right? As our customers find, there are many more questions that need to be asked upfront.

Some of the questions that RSA suggests asking are:

  1. Who is the policy going to apply to and how does it impact them? 
  2. What type of information are you trying to protect?
  3. Why are you protecting it?
  4. Where should you protect it? Is data in motion or in a datacenter? Is it being used at endpoints? Strategize which information state needs protecting first.
  5. When should you trigger a violation?
  6. How should you protect the information? Audits, encryption, blocking, etc. Choices should be made depending on the type of information. 

As Meena notes, “policy” isn’t a bad word or a word to be scared of. “Be smart and be strategic and you’ll love your policies.”

Stay tuned to our Security Policy category for tips on how to create effective security policies, as well as relevant studies or facts on the topic.

Making Security Training Interesting

Monday, December 8th, 2008

SANS Internet Storm Center’s Lenny Zeltser put together an article that caught my attention for being both accurate and blunt: “Security Awareness Training Is Boring.”

So true, and perhaps why it’s not kept up, or is completely ignored. And when something is ignored, it’s a good time to shake it up. We’ve offered some suggestions in the past for being creative in training methods.

Lenny put together some ideas for shaking things up in the security training department – doing things that are unusual and personally relevant so that employees remember them. Ideas include making a “commercial” style interruption during another meeting, one that reminds employees of security issues. Rewarding employees for anonymously reporting unsafe IT practices can work, and has been suggested in many articles. Also, “bribes” like food at security meetings can help bolster attendance.

And you can integrate funny videos like this one, “The Duhs of Security,” created by the Virginia Government:

The SANS article references another great article written by Marcus Ranum entitled “The Six Dumbest Ideas in Computer Security”. Worth a read.

Less than 2% of All PCs are Fully Patched

Friday, December 5th, 2008

Secunia has followed up on a survey done one year ago to see if PCs are any more secure this year than last. The data was collected from 20,000 new users of their software over the course of a week, mirroring the sample from a year earlier. The software is thus able to give a snapshot of how many installed programs are “secure” or “patched.”

Based on the data, PCs are more insecure than they were last year. Only 1.91% of PCs scanned could claim to have fully secure / patched programs. The rest were not running the latest (and most secure) version of at least one installed program.

  • 0 Insecure Programs: 1.91% of PCs
  • 1-5 Insecure Programs: 30.27% of PCs
  • 6-10 Insecure Programs: 25.07% of PCs
  • 11+ Insecure Programs: 45.76% of PCs

Quite scary that nearly half of those 20,000 PCs had 11 or more programs unpatched! Leaving programs unpatched makes them targets for hackers, which can lead to data leaks if the hole is not closed. Mainstream programs like Microsoft Office, Adobe Flash and browsers are major targets for hackers.

So, perhaps now is a time to run your security updates? On PC and Mac, most programs can be updated automatically, or all together. In a few instances, you may need to ‘check for updates’ in individual programs. Of course, in a corporate environment, where you’re dealing with hundreds or thousands of computers, you need a way to manage this at once. Absolute’s asset tracking can help inventory what software and patches are installed, but other strategies (including Secunia PSI) can supplement in rolling out updates regularly.

Via security focus

Choosing a Strong Password

Thursday, December 4th, 2008

Bruce Schneier put together a good article for The Guardian about choosing a strong password. Passwords are a huge security issue for businesses, as this report indicated.

Though the most common password used in a 2007 survey was “password”, not much has improved for 2008: the most common password is now “password1”. In order to describe what makes a “good” password, Schneier describes how programs are used to hack passwords. These programs are sophisticated, testing hundreds of thousands of passwords per second in an intelligent pattern.

The password-hacking programs will try the most likely passwords first, then will move on to typical password combinations of root+appendage (a suffix or prefix). Something like “nachos123”, for example. There are common number and letter sequences that people use to prefix or suffix common words. 24% of all passwords can be cracked with the first 100,000 combinations of these options. The password program will try different dictionaries, will replace letters with common symbols such as “@” for “a”, etc. Running all of these combinations, which could take weeks, will break two thirds of all passwords.

If the hacking program is fed personal information about you, like the name of a pet, birth date, or postal code, its effectiveness shoots straight up. If you save your password anywhere on your computer, including in your browser’s remembered passwords, such a program can track it down.

So, how do you choose a good password?

Bruce Schneier recommends a password creation process that will turn a sentence into a password. His example was:

“This little piggy went to market” ===> “tlpWENT2m”

This way, you choose a sentence that is meaningful to you, and also choose your own encoding rule to turn it into a more secure character string. Once you have a password, don’t write it anywhere or use it for multiple applications. If you fear you won’t recall your password, write it down and keep it somewhere more secure, like in your wallet. If you can avoid writing the exact password, write the un-abbreviated sentence or a hint instead. You can also use a program such as Password Safe (free) to create an encrypted username / password list protected by a single Master Password.
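As an added example (not from Schneier’s article or this blog), here is a defender-side password-policy check that applies the cracking order described above: a most-likely list first, then a dictionary root with a digit or symbol prefix or suffix after reversing substitutions such as “@” for “a”, then personal details. The word lists are tiny constructed stand-ins for a cracker’s dictionaries; the check also shows that “tlpWENT2m” matches none of these patterns.

```python
"""Password-policy check mirroring the cracking order the post describes:
most-likely passwords first, then dictionary root + digit/symbol prefix or
suffix with symbol-for-letter substitutions reversed, then personal details.
The word lists are tiny constructed stand-ins for a cracker's dictionaries."""
import string

# Constructed sample lists; a real policy check loads far larger ones.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"nachos", "piggy", "market", "dragon", "monkey", "welcome"}

# Substitutions a cracker reverses ("@" for "a", "0" for "o", ...).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
APPENDAGE_CHARS = string.digits + string.punctuation


def split_root(password):
    """Split into (prefix, root, suffix): the root is what remains after
    peeling digit/symbol runs off both ends, the shape the root+appendage
    stage of the attack assumes ("nachos123" -> "", "nachos", "123")."""
    root = password.strip(APPENDAGE_CHARS)
    if not root:                       # all digits/symbols: nothing to peel
        return "", password, ""
    start = len(password) - len(password.lstrip(APPENDAGE_CHARS))
    return password[:start], root, password[start + len(root):]


def normalize_root(root):
    """Undo common substitutions so "n@ch0s" compares as "nachos"."""
    return root.lower().translate(LEET)


def assess(password, personal_info=()):
    """Return the reasons a password would fall early in the attack order;
    an empty list means none of the described patterns matched."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("in the most-likely-passwords list")
    prefix, root, suffix = split_root(password)
    word = normalize_root(root)
    if word in DICTIONARY_WORDS or word in COMMON_PASSWORDS:
        if prefix or suffix:
            reasons.append(f"dictionary root {word!r} with appendage")
        else:
            reasons.append(f"dictionary word {word!r}")
    for item in personal_info:
        if item and item.lower() in lowered:
            reasons.append(f"contains personal detail {item!r}")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("password1", "nachos123", "P@$$w0rd!", "tlpWENT2m"):
        print(candidate, "->", assess(candidate) or "no pattern matched")
```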


Image: Clipart

Have you defined your Insider Threats?

Monday, November 24th, 2008


Cisco recently released a whitepaper about data leakage worldwide and the resulting costs. The global study, polling more than 2000 employees and IT professionals in 10 countries, indicated that insider threats were far more prevalent than previously thought.

Cisco commissioned the security study from InsightExpress in order to understand if social and business cultures had any impact on data leakage. The results indicate that “insider threats”, caused by uninformed, careless or disgruntled employees accidentally or purposefully doing something which breaches data, have the potential for greater financial losses than outside attacks on the company. In the context of this survey, they also considered that every device capable of storing data added to “insider threats”, given that the loss of these devices poses a high risk.

Cisco put together two papers focused on employee behavior that could put corporate data at risk. The papers found that IT professionals are often unaware of the employee behaviors which put data at risk – this obviously makes preventing loss quite the challenge.

The study examined the effectiveness of security policies – how they are created, communicated and how compliance is enforced. The lack of a policy and compliance with existing policies were large factors in data loss. Unfortunately, the survey showed that IT professionals lack an awareness of how many employees understand and comply with security policies.

Highlights from the study:

  • 39% were more concerned about the threat from their own employees than the threat from outside hackers
  • 33% were most concerned about data being lost or stolen through USB devices
  • 27% admitted that they did not know the trends of data loss incidents over the past few years
  • 43% said they are not educating employees well enough
  • 19% said they have not communicated their security policy to employees well enough
  • 9% reported that they have lost or had their corporate device stolen (26% of those experienced more than one incident in the past year)
  • IT professionals believe that employee behaviors are slipping, in terms of safeguarding intellectual property, because of too much information being dealt with (48%) and a growing apathy towards security stemming from faster-paced jobs (43%)
  • 11% reported that they or fellow employees accessed unauthorized information and sold it for profit, or stole computers

The study concludes that a lack of awareness and of diligence, as well as purposeful defiance, pose a significant risk of data loss. The report lumps the loss of laptops and other portable devices in with the “diligence” section, for the most part. Sadly, most lost laptop reports back up the findings: that employee behaviors are to blame for a lack of data safeguards on laptops. Leaving laptops logged on, leaving passwords in sight, leaving laptops in cars, etc.

“Preventing data leakage is a business-wide challenge. IT professionals, executives, and employees at every level of responsibility must work together to protect critical data assets…

Like outsider threats, addressing the insider threat demands a comprehensive approach that includes education, policy, and technology.”

The recommended approach focuses on education and accountability. Technologies can help, such as Absolute’s Computrace solutions, which solve some compliance issues by tracking assets and even monitoring software.

Download link: Data Leakage Worldwide White Paper: The High Cost of Insider Threats [PDF]

Document Retention Policy

Friday, November 21st, 2008


Document Retention - understanding what documents to keep, for how long, and how to destroy what you no longer need. This is an area Michael Overly recently explored, providing a series of tips about basic elements to be considered in a document retention program. Using those tips as a jumping-off point, and supplementing with other research, I came up with this list.

10 basic elements of a good document retention policy

  1. Understand what documents to keep, looking first to the type of record (employment, accounting / tax, legal, electronic). Understand legal requirements, as well as business requirements, as to how long to keep documents. In the master policy, list the rationale for any decisions made for each type of information. The retention period for each type of document should be listed.
  2. Electronic document retention should be clearly defined on its own, particularly as it pertains to email and IM. List the location where electronic information will be stored and the policies as they pertain to backup tapes.
  3. Define how data is disposed of – for both physical and electronic information. This includes how information is shredded and disposed of, how old electronic devices are purged and/or resold, how electronic information is purged from the network, etc.
  4. Choose a storage / backup method that matches the continued demand for information. Accessing backup tapes is not cost effective, so retain information in a way that makes sense for its use.
  5. Restrict the copying of data so that it cannot be duplicated to local machines (if desired) and/or restricted devices such as USB keys or mobile devices.
  6. Detail the actions associated with the policy – for example, if email older than X days is to be deleted, state that the network will automatically perform this function.
  7. Define disposable documents – those documents that don’t need to be retained. For example, duplicates or “trivial” documents.
  8. Assign a process to keep documents if a legal claim arises that exempts them from regular disposal.
  9. Assign a person or group to maintain the program and answer questions.
  10. Audit the program regularly to ensure the program has been implemented correctly and that it stays up-to-date with changes in the business or legal environment.


Supplemental research sources: nfib, it world, uofaweb, microsoft, abanet

Image: ppdigital @morguefile

Beware: Social Engineering

Thursday, November 20th, 2008

Joan Goodchild has put together an article entitled “Social Engineering: Eight Common Tactics” for CSO Online. Knowing some of these tricks, and integrating tips such as these into regular employee training, can help ward off some of the threats to data security. Several of the tactics regard employees unwittingly giving information to criminals via the phone, while others are more traditional cybercrime issues.

“Social engineering is the art of manipulating people into performing actions or divulging confidential information… The term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.” - Wikipedia

8 Common Social Engineering Tactics to Avoid

  1. Ten degrees of separation - criminals may try to draw out information from the “front line” employees, each time gaining information to access employees further inside the organization. Another tactic is to be friendly, slowly drawing out more and more information.
  2. Learning your corporate language - if a criminal sounds familiar, you may let your guard down and disclose confidential information
  3. Borrowing your ‘hold’ music – to pretend to be from inside the company
  4. Phone-number spoofing – as above
  5. Using the news against you – as lures for spam, phishing and other scams. Particularly dangerous if targeted to company news.
  6. Abusing faith in social networking sites – suggest typing site names manually, not clicking links
  7. Typo Squatting – for web URLs
  8. Using FUD to affect the stock market - FUD = fear, uncertainty, doubt. Can be used in a number of ways to scam stock prices.

You can read the full details here. You can also read the latest McAfee Security Journal report about the increase in use of social engineering techniques in cybercrime.

Also of interest, ScanSafe has released the 3rd quarter results of their Global Threat Report. [PDF]

Most Employees Ignore IT Security Policies

Friday, November 14th, 2008

Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.

The insider threat survey, conducted among 417 industry event attendees by RSA, polled workers across a range of industries, heavier in financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.

Highlights from the survey:

  • 94% are familiar with their organizations’ IT security policies
  • 53% have felt the need to work around IT security policies in order to get their work done
  • 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home.
  • 15% have held a door open for someone at work that they did not recognize
  • 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
  • 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
  • One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
  • 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
  • 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
  • 37% have stumbled into an area of their corporate network to which they believe they should not have had access

As you can tell, many of the results mirror the study from Cisco that came out earlier in October. Basically, the lesson to take from this is to rethink the “insider threat” as not just malicious actions taken by employees, but also the “innocent” rule breaking that they do day-to-day in order to get stuff done.

This type of rule breaking is a little complex, as it may be due to a lack of clear instructions. Although employees may be familiar with IT security policies, those policies may be vague in some areas, or employees may receive mixed messages by overlapping policies or a mismatch of policy and procedures. For example, if certain programs and websites are, by policy, not allowed, they should be, by procedure, blocked. That’s not always the case.

As in many cases with security policies, it comes down to training and enforcement. Train all new employees well, but keep on training existing employees on an ongoing basis. Everyone could use the refresher. And enforce the rules – employees should know what the potential outcomes are of crossing the line at the corporate level (risk of data breach) and the personal level (being reprimanded for going against policy, regardless of outcome).

Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.

Via CSO Online ; image: mconnors @morguefile

Exorcising Ghosts of Ex-Employees

Wednesday, November 5th, 2008

Network World’s Mark Gibbs has posted a great article about how to exorcise the “ghosts” of past employees that haunt your systems.

Employees, whether they work for you for a short or long period of time, leave a trail of digital information behind. Emails on your mail servers, files, information on desktops, laptops and perhaps even smartphones, customized application settings, contributions to shared spaces like blogs, and much more.

When an employee leaves a company, most (sadly, not all) companies will think to restrict their user access. To delete mail accounts, remove FTP access, restrict privileges and so on. But, what do you do with the rest? And are there issues surrounding any of that clean up (well, of course, there always are!).

“Remove their files without understanding how their work related to the bigger business picture and, for example, the design and supportability of an entire product line could be compromised. Dump their e-mail messages and your ability to be in legal compliance could be lost. There are hundreds of potential consequences to removing their data and it adds up to what we in the pundit business call ‘a crap shoot.’”

The solution is not just to restrict access privileges, as that doesn’t tell you what the data is used for, or whether any ex-employees have left surprises behind. The solution that Mark Gibbs poses is not an easy one, but it’s one that improves data security overall. The solution is to rethink the data handling architecture - a centralized ID system that defines roles and access from the start. This way you can spot issues, as well as manage exit cleanup.

“This is a combination of identity management and strategic, top-down planning that displaces the old “strong passwords are good enough” approach because they aren’t.”
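As an added example (not Mark Gibbs’ or Absolute’s code), here is a small centralized role-based entitlement model of the kind the post argues for: every grant on every system is derived from a single role record, so an internal move or a departure revokes everything in one place, and an audit lists accounts holding access their current role no longer justifies (the “switched jobs internally and still had access” case from the RSA survey above). Roles, systems and accounts are constructed sample data.

```python
"""Centralized role-based entitlement model: every system grant is derived
from one role record, so a role change or departure revokes everything in
one place, and an audit lists accounts whose grants exceed their role.
Roles, systems and accounts below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed: what each role is entitled to across the company's systems.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance": {"mail", "vpn", "payroll_db", "erp"},
    "engineering": {"mail", "vpn", "source_repo", "build_server"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]                 # None once the person has left
    grants: Set[str] = field(default_factory=set)   # what systems grant today


def expected_access(account: Account) -> Set[str]:
    """Access the account's current role justifies (nothing for leavers)."""
    return set(ROLE_ENTITLEMENTS.get(account.role, ()))


def reconcile(account: Account) -> Tuple[Set[str], Set[str]]:
    """Return (revoke, add): grants the role no longer covers, and grants
    the role requires that the account is missing."""
    expected = expected_access(account)
    return account.grants - expected, expected - account.grants


def audit(accounts: List[Account]) -> List[Tuple[str, str, List[str]]]:
    """Flag every account holding access its current role does not justify:
    leavers with anything left, and internal movers with stale grants."""
    findings = []
    for acct in accounts:
        stale, _ = reconcile(acct)
        if stale:
            kind = "departed" if acct.role is None else "stale-after-move"
            findings.append((acct.user, kind, sorted(stale)))
    return findings


def apply_role_change(account: Account, new_role: Optional[str]):
    """Change the role centrally, then drive every grant from the new role
    so nothing from the old role survives the move."""
    account.role = new_role
    stale, missing = reconcile(account)
    account.grants = (account.grants - stale) | missing
    return sorted(stale), sorted(missing)


def offboard(account: Account):
    """A departure is just a role change to 'no role'."""
    return apply_role_change(account, None)


def sample_accounts() -> List[Account]:
    """Constructed: alice moved finance -> engineering but kept payroll_db;
    bob left but still has mail and VPN; carol's grants match her role."""
    return [
        Account("alice", "engineering",
                {"mail", "vpn", "payroll_db", "source_repo", "build_server"}),
        Account("bob", None, {"mail", "vpn"}),
        Account("carol", "finance", {"mail", "vpn", "payroll_db", "erp"}),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    for finding in audit(accounts):
        print(*finding)
    print("offboarding bob revokes:", offboard(accounts[1])[0])
```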

On a related note, make sure you read our recent post: Passwords are Not Enough. Absolute Software can also help with some user issues, including software inventory management - knowing what’s installed, tracking machines as they change hands, sending alerts if users operate outside policies, and monitoring data changes.

Also of note, Lanxoma is conducting a survey about insider threats and how companies are tackling that issue. Since that’s something we talk about often on the Absolute blog, perhaps you’d like to take the survey here. Looking forward to seeing the results!

Clipart via Microsoft / Presentation Pro
