Commentary
4/2/2012 02:51 PM
Jim Ditmore

Security Practices From The Front Lines

In the age of LulzSec, industrial espionage, and everyday breaches, it's more important than ever to be proactive about security. These security measures and best practices will help keep your information safe.

Mark Twain observed 150 years ago: "A lie can travel halfway round the world while the truth is putting on its shoes." With the advent of social media, these days that lie has likely made it all the way around the world and back while the truth is still in bed.

The stakes are raised even higher by hackers and others who expose confidential data and emails. A group calling itself LulzSec Reborn recently hacked a military dating website, releasing the usernames and passwords of more than 170,000 of the site's subscribers.

Then there are the for-profit attacks by nation states and companies seeking intellectual property, and fraud by organized crime outfits. Consider the blatant industrial espionage conducted against Nortel and, more recently, AMSC, or the recent fraud attack against Global Payments.


One of a CIO's most critical responsibilities is to protect his or her company's information assets. Such protection often focuses on keeping others out of company systems and networks, but it must also identify and prevent data from leaving. The following recommendations can help you do both. They are listed in two sections: conventional measures that focus on system access, and additional best practices suited to the profile of today's attacks.

Conventional Measures

Establish a thoughtful password policy. Sure, this is pretty basic, but it's worth revisiting. Definitely require that users change their passwords regularly, but set a reasonable frequency: force changes more often than every three months and users will write their passwords down, which defeats the purpose. As for password complexity, require at least six or seven characters, with one capital letter and one number or other special character. Treat these figures as a floor rather than a target: later guidance such as NIST SP 800-63B favors longer passphrases screened against lists of known-breached passwords over short complexity rules and calendar-driven rotation.

Publicize best security and confidentiality practices. Do a bit of marketing to raise user awareness and improve security and confidentiality practices. No security tool can be everywhere. Remind your employees that security threats can follow them home from work or to work from home.

Install and update robust antivirus software on your network and client devices. Enough said.

Review access regularly. Also, ensure that all access is granted on a "need-to-know" or "need-to-do" basis. This is an integral part of any Sarbanes-Oxley review, and it's good security practice as well. Educate your users at the same time you ask them to do the review. This reduces the possibility of a single employee being able to commit fraud using access retained from a previous position.
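
One way to run the review described above, as an added example that is not part of the original article: compare an entitlement snapshot from your identity system against a per-role baseline, attribute anything extra to a former role where it came from there, and also catch combinations of entitlements that let one person complete a fraud alone. The role baseline, separation-of-duties rules, users and snapshot below are constructed for the demonstration.

```python
"""Access review: flag entitlements beyond a user's current role.

Added example, not from the article. ROLE_BASELINE, TOXIC_PAIRS, USERS and
SNAPSHOT are constructed inputs. Two checks run per user: entitlements not
in the baseline for the current role (naming the previous role when the
entitlement belongs to it, the "retained access after a transfer" case),
and toxic combinations that defeat separation of duties.
"""

# Assumed baseline: the entitlements each role legitimately needs ("need-to-do").
ROLE_BASELINE = {
    "accounts_payable": {"vendor_create", "invoice_entry"},
    "treasury":         {"wire_initiate", "wire_view"},
    "helpdesk":         {"password_reset", "ticket_rw"},
}

# Assumed separation-of-duties rules: no single person may hold both halves.
TOXIC_PAIRS = [
    frozenset({"vendor_create", "wire_initiate"}),   # invent a payee, then pay it
    frozenset({"invoice_entry", "wire_initiate"}),   # enter a bill, then pay it
]


def review_access(users, snapshot):
    """users: name -> (current_role, previous_role or None).
    snapshot: name -> set of entitlements actually held (IAM export).
    Returns findings as (user, kind, detail) tuples for recertification."""
    findings = []
    for name, (role, previous) in sorted(users.items()):
        held = snapshot.get(name, set())
        allowed = ROLE_BASELINE.get(role, set())
        for ent in sorted(held - allowed):
            if previous and ent in ROLE_BASELINE.get(previous, set()):
                findings.append((name, "retained", f"{ent} from former role {previous}"))
            else:
                findings.append((name, "unexplained", ent))
        for pair in TOXIC_PAIRS:
            if pair <= held:
                findings.append((name, "toxic_combination", " + ".join(sorted(pair))))
    return findings


# Constructed input: alice moved from accounts payable to treasury but kept
# vendor_create; bob holds a treasury entitlement his role does not explain.
USERS = {
    "alice": ("treasury", "accounts_payable"),
    "bob":   ("helpdesk", None),
    "carol": ("accounts_payable", None),
}
SNAPSHOT = {
    "alice": {"wire_initiate", "wire_view", "vendor_create"},
    "bob":   {"password_reset", "ticket_rw", "wire_view"},
    "carol": {"vendor_create", "invoice_entry"},
}

if __name__ == "__main__":
    for user, kind, detail in review_access(USERS, SNAPSHOT):
        print(f"{user:6} {kind:18} {detail}")
```

Running it lists alice's retained vendor_create (and the toxic pairing it creates with wire_initiate) and bob's unexplained wire_view; carol, whose holdings match her role, produces nothing to recertify.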

Put in place full-disk encryption with pre-boot authentication on laptops. This makes it very difficult to expose confidential company information via lost or stolen laptops, which is still a big problem. Meanwhile, educate employees to avoid leaving laptops in their vehicles or other insecure places.

Require secure access for "superuser" administrators. Given their system privileges, any compromise of their access can open up your systems completely. Ensure that they don't use generic or shared user IDs, that default passwords on built-in privileged accounts are changed to a robust strength, and that all their commands are logged (and subsequently reviewed by another engineering team and management). Implement two-factor authentication for any remote superuser access.

Maintain up-to-date patching. Enough said.

Encrypt critical data in transit. Any customer or other confidential information transmitted out of your organization should be encrypted. The same precaution applies to any login transactions that transmit credentials across public networks.

Perform regular penetration testing. Have a reputable firm test your perimeter defenses regularly.

Additional Best Practices

Provide two-factor authentication for customers. Some of your customers' personal devices are likely to be compromised, so requiring two-factor authentication for access to accounts prevents easy exploitation. Also, notify customers when certain transactions have occurred on their accounts (for example, changes in payment destination, email address, physical address, etc.).

Secure all mobile devices. Equip all mobile devices with passcodes, encryption, and remote wipe. Encrypt your USB flash drives. On secured internal networks, minimize encryption so that unauthorized activity can be detected and production and performance problems diagnosed and resolved; where internal traffic is encrypted, give your monitoring tools a point at which they can inspect it, or that visibility is lost.


Further strengthen access controls. Permit certain commands or functions (e.g., superuser) to be executed only from specific network segments, such as an administrative jump host, and not from arbitrary remote connections. Give contractors network access only via a partitioned secure network or a secured client device.
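
The superuser rules above (no generic IDs, every command logged, privileged work only from designated segments) are only useful if someone checks the logs against them. The script below is an added example, not from the article: it scans constructed sshd and sudo syslog lines and reports logins by generic or shared administrator accounts, privileged commands from a session that did not originate in the administrative segment, and sudo invocations that open an interactive shell, which defeat per-command logging. The segment, account names, shell list and log lines are assumptions for the demonstration.

```python
"""Review privileged-access logs against a superuser policy.

Added example; not from the article. ADMIN_SEGMENTS, GENERIC_ACCOUNTS,
SHELLS and LOG are constructed for the demonstration.
"""
import ipaddress
import re

ADMIN_SEGMENTS = [ipaddress.ip_network("10.50.0.0/24")]      # assumed jump-host / admin VLAN
GENERIC_ACCOUNTS = {"root", "admin", "operator", "dba"}      # assumed shared IDs that must not log in
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/su", "/usr/bin/su"}

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def in_admin_segment(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_SEGMENTS)


def review(lines):
    """Return (line_number, reason) findings; tracks each user's latest login source."""
    findings = []
    source = {}                       # user -> IP of the most recent accepted login
    for n, line in enumerate(lines, 1):
        m = SSH_RE.search(line)
        if m:
            user, ip = m["user"], m["ip"]
            source[user] = ip
            if user in GENERIC_ACCOUNTS:
                findings.append((n, f"generic account '{user}' login via {m['method']} from {ip}"))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, cmd = m["user"], m["cmd"]
            ip = source.get(user)
            if ip is None or not in_admin_segment(ip):
                findings.append((n, f"privileged command by {user} from {ip or 'unknown source'}: {cmd}"))
            if (cmd.split() or [""])[0] in SHELLS:
                findings.append((n, f"{user} opened an interactive shell as {m['target']}; commands won't be logged"))
    return findings


# Constructed log excerpt (syslog format, one host).
LOG = """\
Apr  2 14:51:01 web01 sshd[2201]: Accepted publickey for alice from 10.50.0.7 port 51234 ssh2
Apr  2 14:51:20 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Apr  2 15:02:11 web01 sshd[2290]: Accepted password for admin from 203.0.113.9 port 40022 ssh2
Apr  2 15:02:30 web01 sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr  2 15:10:05 web01 sshd[2310]: Accepted publickey for bob from 192.0.2.44 port 50110 ssh2
Apr  2 15:10:40 web01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
""".splitlines()

if __name__ == "__main__":
    for n, reason in review(LOG):
        print(f"line {n}: {reason}")
```

On the sample, alice's restart from the admin VLAN is clean; the password login by the shared `admin` account from the internet, its `sudo /bin/bash` (two findings on one line), and bob's privileged read of `/etc/shadow` from outside the admin segment are the items the second engineering team should be reviewing.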

Secure your sites against inadvertent outside channels. Implement your own secured wireless network, one that can detect unauthorized access, at all corporate sites. Regularly scan for rogue network devices, such as DSL modems or access points set up by employees, that let outgoing traffic bypass your controls and give outsiders an unmonitored way in.

Prevent data from leaving. Continuously monitor for transmission of customer and confidential corporate data, with the automated ability to shut down illicit flows, using tools such as NetWitness. Establish permissions whereby sensitive data can be accessed only from certain IP ranges and sent only to another limited set of destinations. Continuously monitor traffic destinations, in conjunction with a top-tier carrier, to identify traffic going to fraudulent sites or unfriendly nations.
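
The source/destination rule in the paragraph above, turned into inspection logic, as an added example that is not from the article and is not NetWitness: for each outbound flow it looks for payment-card numbers (candidate digit runs must pass the Luhn checksum, so order numbers and other random digits are not blocked) and for a confidential-document marker, then applies the policy that card data may leave only from the card-handling segment and only to the approved processor range, while marked documents may not leave the internal address space at all. All ranges, the marker string and the sample flows are assumptions for the demonstration.

```python
"""Outbound flow inspection: block sensitive data heading to the wrong place.

Added example; not from the article and not NetWitness. CARD_SOURCES,
CARD_DESTINATIONS, INTERNAL, CONFIDENTIAL_MARKER and FLOWS are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

CARD_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]          # assumed card-handling segment
CARD_DESTINATIONS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed payment-processor range
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]                # assumed corporate address space
CONFIDENTIAL_MARKER = "ACME-CONFIDENTIAL"                      # assumed classification tag

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str):
    """Card-like numbers in text that pass Luhn, separators removed."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    return cards


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


@dataclass
class Flow:
    src: str
    dst: str
    payload: str


def inspect(flow: Flow):
    """Return ('allow' or 'block', list of reasons)."""
    reasons = []
    cards = find_cards(flow.payload)
    if cards:
        if not in_any(flow.src, CARD_SOURCES):
            reasons.append(f"{len(cards)} card number(s) sent from non-card segment {flow.src}")
        if not in_any(flow.dst, CARD_DESTINATIONS):
            reasons.append(f"{len(cards)} card number(s) sent to unapproved destination {flow.dst}")
    if CONFIDENTIAL_MARKER in flow.payload and not in_any(flow.dst, INTERNAL):
        reasons.append(f"confidential document leaving internal space for {flow.dst}")
    return ("block" if reasons else "allow"), reasons


# Constructed flows: 4111 1111 1111 1111 is the standard test PAN; 1234567890123456 fails Luhn.
FLOWS = [
    Flow("10.20.5.4", "198.51.100.10", "auth card=4111 1111 1111 1111 amt=19.99"),
    Flow("10.20.5.4", "203.0.113.50", "export card=4111111111111111"),
    Flow("10.99.1.2", "203.0.113.50", "Order 1234567890123456 shipped"),
    Flow("10.99.1.2", "203.0.113.77", "ACME-CONFIDENTIAL Q3 plan attached"),
    Flow("10.99.1.2", "10.30.0.5", "ACME-CONFIDENTIAL Q3 plan attached"),
]

if __name__ == "__main__":
    for f in FLOWS:
        verdict, why = inspect(f)
        print(f"{verdict:5} {f.src} -> {f.dst}  {'; '.join(why)}")
```

Pattern matching on payloads only works where the monitoring point sees plaintext, which is the reason the article gives for keeping internal traffic inspectable; for encrypted egress the same rule has to be applied at the proxy or endpoint that holds the keys.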

Keep your eyes and ears open. Continually monitor underground forums (the "Dark Web") for mentions of your company's name and for your customers' data being offered for sale. Help your marketing and PR teams by monitoring social networks and other media for corporate mentions, providing a twice-daily report that summarizes activity.

Raise the bar on suppliers. Audit and assess how your company's suppliers handle critical corporate data. Don't hesitate to prune suppliers with inadequate security practices. Be careful about having a fully open door between their networks and yours.

Put in place critical transaction process checks. Ensure that crucial transactions (e.g., large transfers) require two people to execute, and that regular reporting and management review of such transactions occur.
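
The two-person rule above is usually implemented as a maker-checker workflow. The code below is an added example, not the article's own system: a transfer at or above a threshold cannot execute until a second person holding the approval entitlement approves it, the maker approving their own entry is refused, and every decision lands in an audit trail that a reporting function summarizes for the management review the text calls for. The threshold, user names and entitlement set are assumptions.

```python
"""Dual control ("maker-checker") on high-value transfers.

Added example; not from the article. THRESHOLD and APPROVERS are assumed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional

THRESHOLD = 10_000                 # assumed: amounts at or above this need two people
APPROVERS = {"carol", "dave"}      # assumed: users holding the approval entitlement


class DualControlError(Exception):
    pass


@dataclass
class Transfer:
    ref: str
    maker: str
    amount: int
    approver: Optional[str] = None
    status: str = "new"
    audit: List[str] = field(default_factory=list)


def submit(t: Transfer) -> str:
    """Maker submits; small transfers execute, large ones wait for a checker."""
    if t.status != "new":
        raise DualControlError(f"{t.ref} already {t.status}")
    if t.amount < THRESHOLD:
        t.status = "executed"
        t.audit.append(f"{t.maker} executed {t.amount} (below threshold)")
    else:
        t.status = "awaiting_approval"
        t.audit.append(f"{t.maker} submitted {t.amount}; second approver required")
    return t.status


def approve(t: Transfer, approver: str) -> str:
    """Checker approves; refused if it is the maker or someone without the entitlement."""
    if t.status != "awaiting_approval":
        raise DualControlError(f"{t.ref} is {t.status}, nothing to approve")
    if approver == t.maker:
        t.audit.append(f"{approver} attempted to approve own transfer; refused")
        raise DualControlError("maker cannot approve own transfer")
    if approver not in APPROVERS:
        raise DualControlError(f"{approver} lacks the approval entitlement")
    t.approver, t.status = approver, "executed"
    t.audit.append(f"{approver} approved; executed {t.amount}")
    return t.status


def management_report(transfers):
    """Large executed transfers with maker and approver, for periodic review."""
    return [(t.ref, t.maker, t.approver, t.amount)
            for t in transfers if t.status == "executed" and t.amount >= THRESHOLD]


if __name__ == "__main__":
    small = Transfer("T1", "alice", 5_000)
    large = Transfer("T2", "carol", 50_000)
    submit(small)
    submit(large)
    try:
        approve(large, "carol")            # maker approving own transfer: refused
    except DualControlError as e:
        print("refused:", e)
    approve(large, "dave")
    print(management_report([small, large]))
    print("\n".join(large.audit))
```

The check that matters is `approver == t.maker`, evaluated on the authenticated identity of the session, not on a name typed into a form; and the refused attempt is itself written to the audit trail, since a pattern of such attempts is what the review is meant to surface.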

Jim Ditmore is senior VP of technology infrastructure and innovation at Allstate.


Comments
KT000, 4/9/2012 5:28:14 PM
re: Security Practices From The Front Lines
I am constantly traveling and have to email my colleagues whenever I get the chance. I telesign in to all of my email accounts to make sure that even when I am using public wi-fi or when I'm at an unfamiliar location I know my email is still secure. This implementation of two-factor authentication has really helped keep my sensitive information protected.
Andrew Hornback, 4/4/2012 2:13:52 AM
re: Security Practices From The Front Lines
Brian - auditing the list of users with superuser access is a requirement for Sarbanes-Oxley compliance and should be tested quarterly, if not more often.

A few other things to mention here:

1. Baseline your systems and network to know what its traffic patterns look like on a daily basis - it makes it easier to spot things that are out of the ordinary, which would warrant further investigation.
2. Use properly implemented, strong encryption when encrypting anything - AES 128-bit would be a good starting place.
3. Encrypt all backups, especially all that are leaving the premises. All of the security measures in the world are useless if your data walks out the door and into an adversary's hands.

and finally

4. Investigate and document all incidents - lessons learned and remediation implemented from one incident can help prevent/minimize the next incident.

Andrew Hornback
InformationWeek Contributor
Bprince, 4/3/2012 9:54:28 PM
re: Security Practices From The Front Lines
Since super users got mentioned, it is important to keep track of super user accounts and monitor them. The Independent Oracle Users Group security survey from last year found that just 24 percent of those surveyed were sure they were able to prevent privileged users from reading or tampering with sensitive data.
Brian Prince, InformationWeek/Dark Reading Comment Moderator