I’ve been involved in various ways with information security topics and issues since around 1980. I even spent a year as the acting head of information security for one of the global credit reporting agencies. In that job, I looked after the security of 500 million identities, securing a network with more than 100,000 connections to the providers and consumers of credit data.
Over the years I’ve also parsed a lot of the rhetoric surrounding the challenges related to information security as well as developed some pragmatic approaches to what’s become a very difficult operational issue for any organization that transacts any part of its business digitally. B2B, B2C, B2M — it doesn’t matter. If you move anything of value (yours or others) over the wire, you’re exposed to some degree of risk.
The recent incidents reported at Target and Snapchat (and with 2013 reportedly the worst year yet for overall consumer-data security breaches) it’s worth reviewing where we are with information security and what the CFO should be asking the chief information officer (and chief information security officer, if the business has one) regarding their plans for 2014 and beyond.
Let’s start with the bad news first: there is not and never will be a completely secure public (and in most cases private) network. As soon as data leaves your perimeter (and inside if you have a wireless network), it’s visible to others, both necessarily (to make sure it gets to where it’s supposed to go) and inadvertently. Unless you own the end-to-end transport medium (such as private optical fiber), your traffic is mixed in with everyone else’s.
Just as you can stand on the side of the freeway and see every vehicle that goes past, data traffic is visible to anyone with the technical capability to monitor the network. Just as your vehicle is covered with information (make, model, license, other windshield stickers), so is your data. And just as your vehicle is increasingly able to respond to electronic inquiries about where it’s been and where it’s going, your data may be too.
Second, certification of adherence to standards is no guarantee of safety. Most breaches have occurred at organizations that were certified as “compliant” by organizations such as the Payment Card Industry (I make few friends by pointing this out). However, that’s not an excuse for avoiding compliance wherever you need it.
Third, people (and their habits, abilities and level of awareness) are a bigger security problem than technology. That’s no excuse for ignoring what technology can and should be doing to help. It does, however, mean that you and all of your service partners will have to have clear human-resource policies related to hiring checks and periodic checks on current employees. Trust but verify needs to be the approach.
Fourth, information security is an arms race between the good guys and the bad guys. The bad guys are generally better funded (they don’t have CFOs watching what they spend), they have access to just as much (or more) talent as the good guys and, most importantly, they don’t have to obey the rules. In general, that gives them a significant advantage. I sometimes think it’s inevitable that they will eventually win. Until then, however, there are things we should all be doing to improve security, and the CFO can take a leadership role in ensuring they happen.
Let’s run through the questions CFOs should be asking CIOs and CISOs, and the answers they should expect:
Do we have a clear Information security policy (or set of policies) and does every employee know what they are? It’s a best practice to ensure that everyone reads (and that the company confirms they have read) the policy at least once a year. It’s also best practice to have every employee take a short information-security training session annually. There’s a lot of very good material available for this and it can generally be delivered digitally, so make sure everyone (from the top down — walk the talk) participates. Training and policies won’t stop some people from doing dumb or malicious things, but they will establish that the employee should have known better. I prefer to get the office of the general counsel and the head of HR involved in the formulation of the policy, ensuring that the legal aspects of the policies are aligned with both the law and with HR hiring and performance-management practices.
Do we block access to known bad sites and categories of content? There’s no excuse for letting people stumble on or seek websites that are known to deliver malware, generate spam or host inappropriate content. It’s easy to sign up for a service (or install an appliance) that checks each outbound request against a constantly updated list of known bad sites (a “black list) and prevents such requests from going out. Offenders can be contacted and warned, or if persistent, disciplined or terminated. That’s another reason to have a policy in place. The systems aren’t perfect and users will occasionally be blocked from doing something innocuous (some anniversary gifts for spouses trigger warnings) but these can usually be tolerated or corrected via “white lists” of permitted accesses.
Do we have a formal vulnerability scanning process in place and an active plan to address vulnerabilities that are discovered? There are and will continue to be bugs and holes in software we that can be exploited. Your vendors will (or at least should) be doing their best to fix them as fast as they can, but the fixes won’t help if you don’t know you need them and then don’t deploy them. Remediation is going to be disruptive to normal operations, so you need an active plan and proven process for ensuring that the work gets done in a timely fashion.
Do we have a regular process for penetration testing of our network perimeter? Penetration (“pen”) testing attempts to gain unauthorized access to your network and data using the same tools the cybercriminals use. One of my CISO friends likes to remark that he doesn’t need to pen test because the Chinese do it for him every day as they try to get to his intellectual property. Most organizations, though, should contract with an external organization to do this on a periodic and systematic basis — probably at least quarterly, given the rate at which new vulnerabilities emerge. And, as with vulnerability scanning, you need a process in place to address any issues (there will be some) that the contractor discovers.
Do we have strong access controls and user authentication rules in place? Everyone is familiar with usernames and passwords, but these are just minimum protection. Password rules should enforce minimum length and complexity and require change regularly. The problem with all approaches to authentication (confirming identity) and access control (what you can do or get to once you are identified) is that users find it difficult to remember usernames and passwords that are “strong” enough — that are reasonably hard to guess or otherwise discover.
The current best approach is to use multiple “factors” that go beyond just a username and password (something you know) and add electronic tokens (something you have — such as the familiar RSA security token) or biometrics (something you are). Two- or three-factor authentication is much stronger (and not that much more expensive) than even the strongest scheme for passwords and usernames. You’ll also need to make sure that authenticated users can get to only the systems and data they need to do their jobs. Although it’s fairly easy to set this up (“role-based access control,” in security jargon), it’s far from trivial to establish just what systems and data an employee actually needs — which is often what triggers breakdowns in access.
Do we have adequate activity logging and log analysis tools deployed? Today, pretty much every network and computing device can create a record of everything it does or is asked to do and store those activity records in a log file. This activity has a slight performance cost, but with the power of today’s equipment it’s usually negligible. In a typical modern business infrastructure, log files get very large very fast, and scanning through them or analyzing them is beyond the reach of humans. One reaction is to turn down the level of logging (or turn it off altogether), but that should be resisted. Instead, log monitoring and analysis tools are available that can spot suspicious patterns of activity and alert network managers to pending (or actual) incidents. Even better may be for the company to subscribe to a service that does this and that can better keep up-to-date with what to look out for.
Do we have a data-loss prevention strategy in place and the appropriate tools to enforce it? At its simplest, data loss prevention (DLP) is an approach that looks at all of the data that is or could be on the way out of the organization and checks to see that it’s appropriate based on what it is, where it is going, and some other heuristics that identify suspicious patterns. So an employee’s credit card number going to Amazon.com is probably OK; the CEO’s expense report going to the Ukraine isn’t. Various common personally identifiable information (PII) patterns — like Social Security numbers, driver’s license numbers and so on — can be spotted and blocked.
One of the ways that sensitive data can leave an organization is on a physical device, ranging from a laptop or tablet through to smart phones and down to portable storage media. A security policy should indicate clearly whether the use of mobile data storage and media is permitted. And there should be some level of enforcement in place — at the extreme, these devices can be disabled on user’s desktops and laptops. DLP tools can help find the data on these “endpoints,” but for additional security against loss or theft of the device, data on laptops should be encrypted, which leads us to …
Do you have a data-encryption strategy in place and the tools to implement it effectively? Encryption changes human- or machine-readable data into an unintelligible pattern of bits using a “key” and an algorithm. To get the original data back requires another algorithm (decryption) and either the same key (symmetric encryption) or a different key (asymmetric). With modern cryptosystems, it’s possible to make the task of deciphering the encrypted content arbitrarily hard at the cost of slowing down processing for the encryption and decryption steps. This is OK for data that aren’t retrieved very oftten, but data that are frequently retrieved and must be readily available may not be able to tolerate a heavy decryption delay, so there are tradeoffs to consider. In some industries, encryption to a specified level may be a requirement.
Along with the processing overhead required, cryptosystems have to have a way to manage the keys used to encrypt (and perhaps decrypt) data. Keys need to change from time to time, and if a key is compromised, the organization is in big trouble. Large amounts of data may be at risk, so the key systems also have to have security considerations applied to them. And if the key management system fails, you have to have a way to recreate the keys or you’ll never get the data back.
Do we have an adequate incident response process defined and have we practiced our responses to an incident? Remember I started out with the observation that perfect security isn’t possible? Sooner or later, a business is going to have an incident of some kind, maybe minor, maybe major. When it does it needs to have a response prepared. Damage limitation, remediation and restoration activities need to happen in the right order. Communication needs to happen — to all the impacted stakeholder groups. Forensic analysis needs to occur. There are plenty of templates (including some in the IT Infrastructure Library) that are easy to customize to your situation. And remember, in a worst-case scenario, you might not have any network services available. So no email alerts; maybe no mobile services either. Your response plans need to take that into consideration.
Do we have established relationships with a forensics firm, just in case? It’s unlikely that your internal information security team, however good it is, will have all the tools and experience needed to do a deep forensic analysis of an incident. Plus the leadership team and the board will likely want an objective analysis of what happened and how it can be avoided in the future. I have found it useful to build a relationship (sort of an insurance policy) with a forensic services provider so that I am not starting from scratch when I call them. The best firms will understand that this is a worthwhile investment on their part and will be happy to work with you for a modest retainer, even if they are never actually called on to perform.
Do we have an adequate change- and configuration-management and control process for our technology infrastructure? Change is a fact of life in modern technology infrastructure, but it’s also a potential source of new vulnerabilities. Previously secured configured devices or software are replaced by newly installed versions that may not have been configured correctly. Many devices and software products still ship with minimal or no security settings and need significant configuration effort before they are installed. New devices should be scanned.
Do we have a strategy of “defense in depth” in place, and do we know if it’s working? While a lot of attention is paid to “perimeter” defense, it’s equally important that the internal structure of your network be built with security in mind. You don’t want anyone who finds a way in to be able to roam freely within the network. Network segmentation divides the network (physically or logically) according to traffic type and security level. Segmentation keeps production, test and development areas separated and ensures that lower-security devices (multifunction printers, for example) don’t share traffic with production databases.
Do we have a strong governance structure or information security activity? One critical aspect of information security awareness is the level of knowledge and engagement among the leadership team. At the credit reporting agency where I was CISO (and CTO) the security council was an all-executive group that met quarterly to go over incidents, issues and the status of vulnerabilities and threats. It was a board topic twice a year and an executive agenda item every month. The challenge was distilling a mountain of very technical data down to a 30-minute agenda slot, while still getting everyone comfortable with both the concepts and what the security team was doing. A big part of the challenge was getting the security team to talk in business terms, and we never fully got there, but at least the executives and the security managers created a basis for a common understanding of the issues. While I was there we never had a major incident (although we caught plenty of minor ones), despite getting millions of breach attempts every day.
If you know or believe that your business is or will likely be a target of hackers or other “bad guys,” there are some others things your security team can do to strengthen the organization’s defenses:
- Create areas in the network where there are no attached devices. These are called “dark nets” by the security team. Any traffic going to them or originating from them is automatically suspect and can be tracked and blocked.
- Create areas that contain seemingly attractive but actually false data stores. These are called “honey pots” or “honey nets,” and they will usually have deliberately weaker security to attract cyber criminals (who generally look for the easiest way in). The idea is to identify threat sources and patterns so that they can be blocked before the criminals try for the really valuable content.
By now you’ll be feeling more than a little overwhelmed — probably wondering if all this is really necessary and the considerable expense and effort worthwhile. Good information security isn’t cheap, but it is generally worthwhile — especially the policy, education and basic monitoring aspects. After that, it’s generally a question of weighing the risks — from a disruption of operations, from a blow to the business’s reputation and from potential legal and regulatory redress.
Information security is too often relegated to the responsibility of the CIO or the CISO. But with the levels of cost and risk involved, the CFO can and should be taking a leadership role in making sure all the parts are in place and working as well as possible.
Perfect security may not be possible, but that doesn’t mean we shouldn’t do the best we can.
John Parkinson is an affiliate partner at Waterstone Management Group in Chicago. He has been a global business and technology executive and a strategist for more than 35 years.