Welcome

Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Saturday, June 8, 2013

Where Work-Life Balance Meets Information Security


With people being more connected to their job through laptops, tablets, smartphones, etc., it seems that more companies are worried about work-life balance.  Some companies may define work-life balance as giving employees more “privileges” with their company-owned computing assets.  By privileges I mean that they may allow the employees to do more with the company-owned laptop or loosen the restrictions on what websites can be visited on the company network.

For example, some companies may let employees check personal, web-based email while on the company’s network.   Other companies may allow employees to visit Facebook while others block it. As companies come to expect employees to be connected 24/7 to work, I understand the need to allow employees some freedom at work to get away from the daily grind for a few minutes.  But allowing the freedom comes with some risk, and that risk needs to be discussed before the decisions are made.

By allowing employees to visit Facebook, the company has opened up a new attack vector into the company’s network.  Before opening it up, maybe a company needs to evaluate the reliability of its desktop protection software or look at a solution that will detect malicious traffic at the network border.  The same issues are present if a company allows employees to check personal email at work.  Additionally, if the connection is SSL, is the company going to break the SSL connection and monitor the traffic? What traffic is off-limits to monitoring?  What websites will be blocked, and does the proxy server / service have a good track record of classifying websites? I suspect HR and Legal will want to weigh in.

I am not saying what is right or wrong, but management must include Information Security in the discussion prior to making decisions about what is allowed on the network and what employees can do on their company-owned computing devices.

Until next time...
~Skeeter

Monday, May 23, 2011

Bring Your Own Device - what's the big deal?

So Alice went out and bought herself an iPad for her birthday and now she wants to connect it to the network.   Employees will continue to bring their own devices to work and they want to connect them to the corporate LAN.   Don’t try to ignore it and bury your head in the sand because it isn’t going away.

If you haven’t done so yet, you had better get some procedures developed or you will be playing catch-up.  First, you need to decide what Bring Your Own Device (BYOD) means in your environment.  Does it include only tablets and/or smartphones?  Or are you going to allow laptops?   Just remember the line between tablets and laptops from a year ago is not the same line today, and it is getting blurrier as I type this post.    What data are you going to allow access to…email only, or access to backend systems?   These are the decisions that need to be made and implemented via your policy with very few (preferably no) exceptions.

If you are going to allow tablets and smartphones access to data other than email, how are you going to manage the devices?  If your users want access to the data, they will need to give up some of their “ownership” of their devices.  You will want to be able to ensure password protection, remote wipe, certificates, and some sort of encryption on their device.  If they don’t agree to these requirements, don’t let them on the network.

Another option, especially if you are going to allow BYOD laptops, is to utilize virtualization.  Create virtual desktops for these users and allow the device to connect to a virtual desktop environment.  Most are configurable to control which services are or aren’t available…i.e. USB, drive mapping, etc.

You must also make the decision on what level of support your organization is going to provide.  If the parameters are not identified up front, a lot of “un-forecasted” man-hours could be spent on troubleshooting user issues.  Also identify what operating systems will be acceptable and allowed to connect to the network.   For example, do you allow iOS devices, Android, BlackBerry, and Windows Phones, or do you limit it to a smaller subset of devices?  What about laptops…Windows (all versions or just Win7), Mac, Linux?

As you can see there are many decisions that need to be made, and you must have management agreement.   One thing to remember is don’t back yourself into a corner that will force you to accept additional, unneeded risk in the future.  For example, make sure the controls you implement will adequately protect your most sensitive data, because whatever your backend systems are, you can bet that the vendor is going to develop an app that will allow access to that system.

~Skeeter

Thursday, May 19, 2011

How welcome are your guests?

Joe the salesman from Pete’s Software Palace shows up at the guard desk (because I know you have one), is signed into the system, and is asked to have a seat until you come to get him.  Is there a wired network connection in the lobby that would allow Joe to sniff your network?   If there is, you should probably disable the port for that specific jack.

After you come and get Joe, you go to meet several other people in a conference room.  Joe says he needs Internet access; is his only option a wired network, or do you have a guest wireless network?   The preferred option should be a wireless guest network, segregated from the corporate wireless network.   Additional controls could include a daily, rotating password that only employees have access to, thus requiring a vendor or contractor to get the password from an employee.   This ensures that someone at your company will know that they are connected to your guest wireless network.

If your company has a fast, reliable corporate wireless network, another sound practice is to disable unused wired ports in conference rooms.   Many times a vendor or contractor will be left alone in a conference room; disabling the excess ports will help reduce the risk to the network.

I will leave you this week with a couple of wireless network thoughts….what type of authentication do you require for your laptops to connect to the corporate wireless network?   If you are not requiring some type of machine authentication, you are at risk for access point spoofing.   How do you handle the ad-hoc networks your corporate laptops have previously connected to?  These are usually from traveling (i.e. hotels, airports, etc.) and the laptops will continuously send out a signal looking for their respective network: another opportunity for access point spoofing. Finally, how far does your wireless network extend outside of your building?

~Skeeter

Sunday, May 15, 2011

How do Information Security and Internal Audit play nice?

What is the relationship between your Information Security department and Internal Audit?  Is it a friendly, work-together relationship, or is there resentment between the two teams?

Both the Information Security and IT Internal Audit teams have similar goals: make sure the company’s data is properly protected from inadvertent disclosure, modification, or inappropriate access.  However, the attitudes displayed by each of the teams and their members can go a long way toward building a constructive working relationship.

Since I have worked both sides in the same company…moving from Internal Audit to the Information Security team, I can provide some information on this subject.   Clear lines need to be drawn as to the responsibility of each team where the areas might start to come together.   For example, take a project for an upgrade of an application that falls under the Sarbanes-Oxley (SOX) umbrella. Both teams are going to be interested in it…Information Security will probably be more interested in the details of a set of criteria for new applications, while Internal Audit is probably interested only in those controls pertaining to SOX.   However, a lack of understanding as to the other team’s responsibilities could lead to ill thoughts about the other team.

I believe each team can provide some level of assistance to the other, but there needs to be a defined separation of duties, and each member of both teams needs to understand where their responsibilities begin and, more importantly, where their responsibilities end.

~Skeeter

Sunday, May 8, 2011

How do you measure your risk?

If you ask 10 security professionals that perform risk evaluations how they measure risk and what is important, you will probably get 9 different answers.   There is a slim chance that 2 might agree.  Below are three possible approaches to risk evaluation:

(1) Do you use a well-defined methodology such as NIST SP 800-30, Risk Management for Information Technology Systems?   You follow it religiously, never wavering from the formula and living by the numbers.  If it comes out at the top of the list, then you address it first without fail.

(2) Or do you use a “fly by the seat of your pants”, “this is how it feels” system?   Maybe you read about an exploit for the same vulnerability, so it goes to the top of the list.   No scientific approach, not a repeatable process (at least not one that works the same way every time).  Maybe that application has little value in your mind, or the application owner pissed you off once, so you make it painful for them.   This is not the recommended approach to risk management.

(3) Maybe you are using a combination of the two, where you incorporate some level of structure around the vulnerability, but reserve the ability to adjust based on your gut feeling after many years of Information Security practice? 

Option 3 is the option I feel currently works best for my situation.   For applications, systems, and projects/initiatives, I have criteria based on the vulnerability scan, the type of data, how users will access the data, and whether the system is considered critical to the company.   Additionally, there is a set of questions based on a set of standard IT controls, and based on how these are answered, they get entered on a risk matrix.  Here is where the gut feel comes in…when answering impact and likelihood of these vulnerabilities.  IT controls directly implemented for this system, enterprise controls, manual controls, etc. are all considered when making these evaluations.  This system is repeatable, with the ability to make some judgment based on the specific factors around the system being evaluated.
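As an added illustration of the third approach (this is example code written for this page, not Skeeter’s own spreadsheet or matrix), the script below scores systems from the structured criteria the post names (vulnerability scan result, type of data, how users access it, criticality, and the count of “no” answers on a standard IT control questionnaire), places them on a 1–5 impact × likelihood matrix, and ranks them. The “gut feel” is kept repeatable by bounding it to one step on the likelihood axis and refusing any adjustment that is not documented with a reason. The weights, thresholds, field names and the three sample systems are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Weights for the structured criteria named in the post (vulnerability scan,
# type of data, how users access it, whether the system is critical). The
# scales, thresholds and sample systems below are assumptions for this example.
DATA_TYPE_IMPACT = {"public": 1, "internal": 2, "confidential": 4, "regulated": 5}
ACCESS_LIKELIHOOD = {"internal_only": 1, "vpn": 2,
                     "internet_authenticated": 3, "internet_anonymous": 5}
SCAN_LIKELIHOOD = {"none": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
MAX_GAP_PENALTY = 2   # cap on how much missing IT controls can raise likelihood
MAX_ADJUSTMENT = 1    # analyst "gut feel" may move likelihood by at most one step


@dataclass
class Assessment:
    system: str
    data_type: str              # key into DATA_TYPE_IMPACT
    access: str                 # key into ACCESS_LIKELIHOOD
    scan_severity: str          # worst finding from the vulnerability scan
    critical: bool              # considered critical to the company?
    control_gaps: int           # "no" answers on the standard IT control questions
    adjustment: int = 0         # analyst judgment: -1, 0 or +1
    adjustment_reason: str = "" # must be documented whenever adjustment != 0


def clamp(value, low=1, high=5):
    return max(low, min(high, value))


def impact(a):
    """Impact axis: driven by the data type, bumped one step for critical systems."""
    base = DATA_TYPE_IMPACT[a.data_type]
    return clamp(base + 1 if a.critical else base)


def likelihood(a):
    """Likelihood axis: worst of scan severity and exposure, plus control gaps,
    plus a bounded and documented analyst adjustment."""
    if a.adjustment and not a.adjustment_reason:
        raise ValueError(f"{a.system}: an adjustment must be documented with a reason")
    if abs(a.adjustment) > MAX_ADJUSTMENT:
        raise ValueError(f"{a.system}: adjustment outside the allowed range")
    base = max(SCAN_LIKELIHOOD[a.scan_severity], ACCESS_LIKELIHOOD[a.access])
    base += min(a.control_gaps, MAX_GAP_PENALTY)
    return clamp(base + a.adjustment)


def score(a):
    return impact(a) * likelihood(a)


def rating(a):
    s = score(a)
    return "High" if s >= 15 else "Medium" if s >= 8 else "Low"


def rank(assessments):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(assessments, key=lambda a: (-score(a), a.system))


# Constructed sample systems (not from the post).
SAMPLE = [
    Assessment("hr-payroll", "regulated", "internal_only", "medium", True, 0),
    Assessment("marketing-site", "public", "internet_anonymous", "high", False, 1),
    Assessment("intranet-wiki", "confidential", "vpn", "low", False, 3,
               adjustment=-1,
               adjustment_reason="edits require MFA; enterprise proxy logs all access"),
]

if __name__ == "__main__":
    for a in rank(SAMPLE):
        print(f"{a.system:15} impact={impact(a)} likelihood={likelihood(a)} "
              f"score={score(a):2} {rating(a)}")
```

Run as a script it prints the ranked matrix; the sample HR payroll system lands at 15 (High), the wiki at 12 (Medium) after its documented downward adjustment, and the public marketing site at 5 (Low) despite its exposure, because the data it holds has no confidentiality impact.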

If you need a new risk evaluation methodology…probably only the 1st or 3rd options above are recommended.  If you choose the 2nd option, good luck.

~Skeeter

Sunday, May 1, 2011

Standards are like Rules...Made to be Broken

Standards are preferred; however, as we all know, not everything fits into the same box.   How does your company handle the exception to the standard?

Let’s say your company has a password standard of 8 characters, to include at least one lower case letter, one capital letter, one number, and one special character.  You also require account locking after 3 invalid tries and limit password reuse to the last 10 passwords. Now say a department, marketing for example, finds an application that they say would greatly increase the company’s presence on the Internet and has a great Return on Investment (ROI); however, the application doesn’t provide account locking after 3 invalid attempts.  Given that the information stored in the application doesn’t include any company confidential information, do you allow the application?   If so, do you document it, along with the reasoning behind the decision?

Now, if that same scenario is for an HR application that has sensitive employee data, do you make the same decision?  Maybe, maybe not.  You need to make the decision based on your organization’s appetite for risk and what other controls are in place that might help mitigate the risk.  For example, if the HR application checks to validate that the user is in a certain group, maybe an HR managers’ group, then maybe the decision is made to allow it.  However, if you have loose controls around software installation on desktops and laptops and this HR application doesn’t do any group membership checking (or have other compensating controls), then you might not want to allow it; this is the prime situation for an insider data breach.

There is nothing wrong with deviating from the standards as long as you document the deviation and the reasoning, and you must also evaluate the risk associated with the situation.
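To make the example standard above concrete, here is an added Python implementation of it (example code for this page, not anything from Skeeter or a particular product): a complexity check for the 8-character / lower / upper / number / special rule, a reuse check against the last 10 passwords, and a lockout after 3 invalid attempts. The password history holds salted PBKDF2 hashes rather than cleartext, so a reuse check means hashing the candidate with each stored salt. The class and function names, the PBKDF2 round count, and the sample passwords are assumptions constructed for the example; the history is assumed to hold the current password plus the previous nine, which is one reading of “the last 10”.

```python
import hashlib
import hmac
import os
import re
from collections import deque

# Parameters of the example standard described in the post.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
HISTORY_DEPTH = 10
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; production uses far more


def complexity_failures(password):
    """Return the names of the standard's complexity rules the password fails."""
    checks = {
        "length": len(password) >= MIN_LENGTH,
        "lowercase": re.search(r"[a-z]", password) is not None,
        "uppercase": re.search(r"[A-Z]", password) is not None,
        "digit": re.search(r"[0-9]", password) is not None,
        "special": re.search(r"[^A-Za-z0-9]", password) is not None,
    }
    return [rule for rule, ok in checks.items() if not ok]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the history never stores cleartext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, entry):
    """Constant-time comparison of a candidate against one (salt, digest) entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, username, initial_password):
        self.username = username
        self.history = deque(maxlen=HISTORY_DEPTH)  # current + previous passwords
        self.failed_attempts = 0
        self.locked = False
        self.set_password(initial_password)

    def set_password(self, new_password):
        """Reject a password that fails complexity or repeats one in the history."""
        problems = complexity_failures(new_password)
        if any(matches(new_password, entry) for entry in self.history):
            problems.append("reuse")
        if problems:
            raise ValueError(f"{self.username}: password rejected ({', '.join(problems)})")
        self.history.append(hash_password(new_password))  # oldest entry ages out

    def authenticate(self, attempt):
        """Lock the account after MAX_FAILED_ATTEMPTS consecutive failures."""
        if self.locked:
            return False
        if matches(attempt, self.history[-1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    acct = Account("alice", "Init1al!Pw")   # constructed sample credentials
    print("weak password fails:", complexity_failures("abc"))
    for guess in ("wrong1", "wrong2", "wrong3"):
        acct.authenticate(guess)
    print("locked after 3 bad attempts:", acct.locked)
```

The marketing application in the post lacks exactly the `authenticate` lockout branch; when evaluating such an exception, the question is whether something else (group membership checks, network placement, monitoring) stands in for the missing control, and that answer is what gets documented with the deviation.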
~Skeeter

Sunday, April 24, 2011

Information Security Leader…where do you live?

Where does the leader of your information security function fit into the corporate structure?   Whether you have a Chief Information Security Officer, the function is handled by your Chief Information Officer (CIO), or this function falls to a Director in the IT organization, does the function have the proper authority to carry out its assigned duties?

If your security leader falls somewhere in the middle of your IT organization, you are probably dealing with issues revolving around competing with other IT teams for resources, such as funding, personnel, and equipment.  Also, sometimes you might suffer from an identity crisis, where business people think you are just like every other IT support team and don’t associate you with doing security functions.   However, you do have some advantages; it is easier to get a seat at the table on important IT initiatives and to become involved in application implementation earlier in the process.

If your Information Security Leader is the CIO, he or she probably has many other responsibilities, and you are competing for attention and resources.  Additionally, if this function falls on the outskirts of the IT organization, you will be seen as the “red-headed step-child” and won’t be involved in the initial, important discussions.

The CISO scenario has several variables.  If your CISO is completely outside the IT organization, you will also experience the outsider treatment from the IT organization.  However, this can be somewhat reduced if the CISO is moved inside the IT group and reports to the CIO with a “dotted line” to a senior executive outside of IT.   Additionally, the CISO should be on the same level as any senior IT executives (i.e. Vice President).   This will help ensure an equal voice when it comes to budget, personnel, and input on IT issues that involve security.

Wherever the Senior Security Leader is placed in the organization, the security team must build a relationship of trust with all levels, from VP to system administrator, for the Information Security program to be successful.   Once this relationship is developed, and information security isn’t seen as the “No” team, then they will be invited to the table and everyone will win.

~Skeeter