<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Blog &#187; Mobile Security</title>
	<atom:link href="http://blog.securstar.com/category/mobile-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.securstar.com</link>
	<description>SecurStar - Security at it&#039;s highest level</description>
	<lastBuildDate>Mon, 19 Oct 2009 10:51:18 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Practical Data Loss Prevention</title>
		<link>http://blog.securstar.com/2009/10/19/practical-data-loss-prevention-4/</link>
		<comments>http://blog.securstar.com/2009/10/19/practical-data-loss-prevention-4/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 10:49:35 +0000</pubDate>
		<dc:creator>Michael Mckinzie</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[Security Tips]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=111</guid>
		<description><![CDATA[(Week 4 of 4)
by Michael McKinzie, CISSP
Well as we are in our final week of this series with just a few comments I will briefly summarize and conclude this topic as best as I can. One reader indicated his organization currently uses a strict policy about internet use, and content is blocked based on type [...]]]></description>
			<content:encoded><![CDATA[<p>(Week 4 of 4)</p>
<p>by Michael McKinzie, CISSP</p>
<p>Well, as we are in the final week of this series, with just a few comments, I will briefly summarize and conclude this topic as best as I can. One reader indicated his organization currently uses a strict policy about internet use, and content is blocked based on type or category. I support enforcing a computer use or internet use policy with content filtering. It would be interesting to know whether the organization blocks access to webmail and social media sites in addition to the standard blocked categories, or at least to have a more detailed understanding of how they handle this. These sites pose certain risks because of their public and widespread use and because they are easy mediums for transporting or publishing potentially sensitive information. I understand it is neither feasible nor common practice to “lock-down” the network to prevent any and all access to the outside world. Although I do not think most users are malicious or have ill intent, employees changing jobs, facing a lay-off or just disgruntled may not keep the company’s best interest in mind.</p>
<p><strong>Recommendation #1 &#8211; Use ISO 17799 as a Guide for Information Security </strong></p>
<p>ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It may provide a good foundation which you can tailor to your needs and industry.</p>
<p><strong>Recommendation #2 – Implement an End User Computer Use Policy &amp; Awareness Program</strong></p>
<p>Although it is only one component, it can be powerful simply by informing users that there are consequences to their actions and that they can and will be held accountable. This should be handled by IT, Legal, and Human Resources or drafted by a contracted law firm in case legal action becomes necessary. I believe keeping the End User Computer Use Policy very simple and concise is an effective approach. It should be updated and revised as necessary and presented periodically, for instance during employees’ annual performance reviews.</p>
<p><strong>Recommendation #3 – Auditing &amp; Logging</strong></p>
<p>An easy and often neglected step is simply turning on user auditing and logging. You may not have the resources physically (manpower) or technically (software) to capture, review and manage all interesting network events, but even native Windows and Linux (audit daemon) auditing can give you quite a bit of information about users’ behavior and misconfigured users and systems. Random reviews might be enough for your organization, but there are a number of open-source utilities, commercial applications and even managed services which will aggregate and correlate the data. In addition, most event management systems and services will alert or take action based on the event and defined policy.</p>
<p><strong>Recommendation #4 &#8211; Control the Data at the Endpoint</strong></p>
<p>Many organizations have established multiple locations or a mobile work force to compete effectively, serve widespread customers, and increase domestic and international presence. This paradigm has created new challenges for IT departments, not only in supporting this infrastructure but also in maintaining reasonable control over company data. Based on a 2008 PC World survey (<a href="http://www.pcworld.com/businesscenter/article/147739/laptops_lost_like_hot_cakes_at_us_airports.html">http://www.pcworld.com/businesscenter/article/147739/laptops_lost_like_hot_cakes_at_us_airports.html</a>), over 10,000 laptops are reported lost or stolen each week from the 36 largest airports in the U.S. This is just one facet of data loss, not including such risks as lost disks, tapes, malicious attacks or users, misconfigured systems, accidental data incidents and so forth.</p>
<ol>
<li>Endpoint Security and Full Disk Encryption (FDE) should be a consideration especially as it can be a very effective solution for lost or stolen devices.</li>
<li>Apply appropriate rights and permissions to prevent accidental or intentional data discovery. I have personally seen many “snooping” incidents where users are curious about what others earn in the company, or interested in personal information which may be on file with Human Resources.</li>
<li>Enforce Web and Email Content Filtering. Implementing tools to help mitigate and prevent accidental or intentional data leakage is an effective way to keep sensitive information from being sent right out the front door.</li>
</ol>
<p><strong>Recommendation #5 – Hold Affiliates and Business Partners Accountable</strong></p>
<p>Understand how your data flows through business processes and if the data is shared or provided to third parties. Hold your affiliates and Business Partners to high standards in protecting this data as you both fall into a chain of responsibility which may have legal and monetary consequences. Sharing your concerns and security policy may be an effective way to collaborate and improve the security posture for all interested parties.</p>
<p><strong>Recommendation #6 – Have an Incident Response Plan</strong></p>
<p>An incident response program can be very involved and resource intensive. A number of security companies provide services in this area, but an organization may implement a simple plan to handle the technical and logistical aspects. Organizations may want to prepare a notification plan to let affected persons or parties know the details, and recommended actions in the event a security incident occurs.</p>
<p>I appreciate the time you have spent reading our blog, and we hope you find the information useful or that it provides some points for discussion. I think the way technology continues to evolve will provide a constant challenge to maintaining security and privacy. It is important for security professionals and organizations to continually adapt and share information to battle security threats. Our goal is to help organizations find better and practical ways to implement and manage security. If you have questions or comments, I can be reached at <a href="mailto:mckinzie@securstar.com">mckinzie@securstar.com</a></p>
<a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save?linkurl=http%3A%2F%2Fblog.securstar.com%2F2009%2F10%2F19%2Fpractical-data-loss-prevention-4%2F&amp;linkname=Practical%20Data%20Loss%20Prevention"><img src="http://blog.securstar.com/wp-content/plugins/add-to-any/share_save_120_16.png" width="120" height="16" alt="Share/Save/Bookmark"/></a>]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/10/19/practical-data-loss-prevention-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Practical Data Loss Prevention</title>
		<link>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/</link>
		<comments>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/#comments</comments>
		<pubDate>Thu, 27 Aug 2009 19:02:52 +0000</pubDate>
		<dc:creator>Michael Mckinzie</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[laptop security]]></category>
		<category><![CDATA[security policies]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=80</guid>
		<description><![CDATA[So where do we practically begin? Does the organization know what its sensitive data is and how it is classified, where it resides, how it travels through business processes, how it is shared and used? Some of these questions are easy to answer but some might be difficult. Who owns the data? If a user accesses his or her personal email account, or another personal use site, does any information or data downloaded belong to the organization? ]]></description>
			<content:encoded><![CDATA[<p>(Week 2 of 4)<br />
by Michael McKinzie, CISSP</p>
<p>Building on my post from last week, I want to invoke thought about how you, as an individual or on behalf of your organization, approach data loss prevention (DLP). I used an example of the way we (generally speaking) expect and rely on our financial institutions to keep our money safe and accurately accounted for, but I also mentioned the expectations banks and institutions place on users and consumers. If we apply this same model to computer use, it is a form of a privileged system model (authentication and permissions), i.e. proper authentication to access resources, and permission-based rules to govern activities, just as the bank controls access to accounts.</p>
<p>The challenge remains that there are constant threats to our data from vectors such as misuse, social networks, theft, lost devices, malware, viruses, Trojans, botnets, social engineering, integrated business partners, outsourcing, etc. IT administrators adhering to best practices are vigilant in protecting data but are required to balance it with usability for businesses to remain productive and competitive. Businesses continue to rely on faster and broader communications, and data security is often perceived as a hindrance.</p>
<p><em>“Every day, CIOs face the challenge of putting the necessary technologies and processes in place to protect confidential data and comply with federal regulations, but they have to accomplish this without impeding daily business operations.”</em> – <strong>CIO Magazine</strong></p>
<p>So where do we practically begin? Does the organization know what its sensitive data is and how it is classified, where it resides, how it travels through business processes, how it is shared and used? Some of these questions are easy to answer but some might be difficult. Who owns the data? If a user accesses his or her personal email account, or another personal use site, does any information or data downloaded belong to the organization? Does the company have a legal obligation to protect it? Should the company control the user’s content? Do they have a legal obligation to do so to protect company or customer information and interests?</p>
<p>How do we classify data? These are often the questions and challenges facing organizations on a daily basis. Is it practical to just restrict access? Perhaps sales and marketing or the executives of the company have specific needs requiring access? Maybe the company promotes control versus broad restrictions?  I don’t have answers to all of these questions nor do I believe there is a simple answer which applies to all organizations. How do you approach it?</p>
<p><strong>I am interested in hearing your thoughts on:</strong></p>
<p>1. Do you think it is important to classify data formally? If so, have you done this and what was your experience?</p>
<p>2. What do you think is the largest threat to your confidential data?  Users, malicious attacks, social networks, data leakage via lost or stolen devices etc. </p>
<p>3. Do you or your organization promote control over broad restriction policies or how do you determine the best practice? e.g. restrict or block webmail, and social networking sites versus providing limited access with monitoring</p>
<a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save?linkurl=http%3A%2F%2Fblog.securstar.com%2F2009%2F08%2F27%2Fpractical-data-loss-prevention-2%2F&amp;linkname=Practical%20Data%20Loss%20Prevention"><img src="http://blog.securstar.com/wp-content/plugins/add-to-any/share_save_120_16.png" width="120" height="16" alt="Share/Save/Bookmark"/></a>]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/08/27/practical-data-loss-prevention-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Let&#8217;s talk about your mobile phone&#8230;</title>
		<link>http://blog.securstar.com/2009/07/21/lets-talk-about-your-mobile-phone/</link>
		<comments>http://blog.securstar.com/2009/07/21/lets-talk-about-your-mobile-phone/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 19:08:26 +0000</pubDate>
		<dc:creator>Michel Curti Rozatti</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[eavesdrop]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[phone security]]></category>
		<category><![CDATA[phonecrypt]]></category>
		<category><![CDATA[Security Tips]]></category>
		<category><![CDATA[wiretap]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=4</guid>
		<description><![CDATA[First of all, I’d like to welcome you to the SecurStar Security Blog. Here we will discuss a lot of subjects related to information security. Hope you enjoy it, comment and subscribe. Let’s go!

In this post we will be discussing the security threats that mobile phones are exposed to: wiretapping, geographic positioning, critical information theft, etc. Today, the use of phone devices for everything in our personal and professional lives is expanding the attack surface for malicious people more and more. Get some tips on how to protect yourself.]]></description>
			<content:encoded><![CDATA[<p>First of all, I’d like to welcome you to the SecurStar Security Blog. Here we will discuss a lot of subjects related to information security. Hope you enjoy it, comment and subscribe.</p>
<p>Mobile phone features are growing at light speed. We can’t even call some of them just “Phones” anymore &#8211; now they’re being called “Mobiles”. You use them for everything. A mobile tells you what you have to do today and how the weather is, takes pictures and makes movies of your birthday party (and publishes them on the Internet), plays high quality games, and tells you how to get somewhere. You can even play the guitar on some of them!</p>
<p>What I’m trying to say is that your mobile knows where you are, because it’s with you all the time; who you are, because it has a lot of information about you; and what you’re doing right now (oh, twitter!), as you are using it for everything, all the time.</p>
<p>There are lots of security issues that can be related to mobile phones, with different levels of danger, and different types of people. Ordinary people are unaware that when they lose their devices, they can get bigger problems than just losing some bucks. Even cheaper devices can store personal information like home address, email addresses, social network addresses. Using this information, a malicious person could gather even more personal data, and use this information to harm the owner of the device in many ways.</p>
<p>Moving into a business scenario, we can enumerate a lot of possibilities, starting with wiretapping. A lot of classified business information travels through GSM communication, and it’s well known that GSM has eavesdropping vulnerabilities. There are a lot of devices that can capture and record a conversation, and they are <a href="http://www.italiaspy.com/inglese/infinity_bugs.html">being sold on the internet</a> to anyone who wants them. I think maybe you will check your office’s light switches and sockets today…</p>
<p>With GPRS and 3G technologies, things could get worse. Connected to the Internet, you can do a lot more than just talk to people. You can send and receive documents, check your bank account, etc. For this you use a lot of different protocols, and these protocols might be vulnerable to certain attacks. With the <a href="http://www.gl.com/gprsanalyzer.html">right tools and knowledge</a>, a person can perform a MITM (man in the middle) attack and intercept your information &#8211; and that includes VoIP.</p>
<p>Do you think you need to be talking on the cell phone for someone to hear your conversation? Think twice. With <a href="http://www.flexispy.com/">the right software</a> installed on your device, a person could activate your phone’s microphone remotely and hear all sounds nearby.</p>
<p>Another widely discussed issue is geographic positioning. You have probably seen some kind of spy movie where someone is being tracked through his mobile phone, and thought “Yeah right! They can’t do that!”. Well, I assure you: They can. And not only the CIA or FBI, <a href="http://www.world-tracker.com/v4/">anyone can do it using the Internet</a>.</p>
<p>Well, hope I didn’t scare you (much). So, what can you do to protect yourself? Let’s see some solutions:</p>
<p>- Keep your device off and remove the battery (easy, isn’t it?)</p>
<p>- Use a voice and SMS encryption tool (Did I say <a href="http://www.securstar.com/products_phonecrypt.php">PhoneCrypt</a>? Yes!)</p>
<p>- Keep your Bluetooth off, or at least require authentication before anyone can connect.</p>
<p>- Before installing apps and games, search the net for security issues with them.</p>
<p>- Do not open or reply to SMS from an unknown source.</p>
<p>- Keep an ear out for breathing or clicking sounds in the background of your call.</p>
<p>- Don’t leave your mobile alone for a long period; people can get it and install malware.</p>
<p>- Beware of other people’s phones left alone near you; they can be <a href="http://www.wonderhowto.com/how-to/video/how-to-eavesdrop-with-a-cell-phone-257220/">used as an eavesdropping device</a>.</p>
<p>That’s it for the first post.<br />
Hope you enjoyed it and found it useful.<br />
A lot more will come soon.</p>
<p>Be safe! Bye!</p>
<a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save?linkurl=http%3A%2F%2Fblog.securstar.com%2F2009%2F07%2F21%2Flets-talk-about-your-mobile-phone%2F&amp;linkname=Let%26%238217%3Bs%20talk%20about%20your%20mobile%20phone%26%238230%3B"><img src="http://blog.securstar.com/wp-content/plugins/add-to-any/share_save_120_16.png" width="120" height="16" alt="Share/Save/Bookmark"/></a>]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/07/21/lets-talk-about-your-mobile-phone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

