By John Moore | Posted 2006-05-15
New threats to your computer infrastructure emerge every day. Baseline's Security Survival Guide provides tips and techniques to help you safeguard your organization.
Step No. 5: Learn From Experience
Security groups check to make sure that the remediation efforts truly eradicated the problem and patched the afflicted systems. Different types of attacks call for different recovery procedures. An unauthorized access incident could involve the attacker gaining root access to a system. If that's the case, the recommended course of action is to change all of the passwords on the system, according to the National Institute of Standards and Technology's Computer Security Incident Handling Guide.
But organizations "don't always follow all the steps" toward comprehensively recovering and securing a system, says Zajicek, the technical member of the CERT Coordination Center. He works with the center's CIRT development unit, which provides guidance on establishing incident response groups.
"Changing all users' passwords in a big organization is a very tedious job and a time-consuming and very intensive manual process," Zajicek says. "I don't know how many times someone has said, 'I've changed the root password.' That's not sufficient."
An intruder who gains root access has obtained administrator-level access to the system.
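The NIST guidance and Zajicek's warning above reduce to a verifiable question: after a root compromise, was every credential on the box rotated, or only root's? The following check is an added example (it is not from the article, from NIST or from CERT) that answers it from the host's own account database. It reads /etc/shadow-style records, flags any account whose password was last changed before the incident date, any account with an empty password field, and any non-root account carrying UID 0, which is a classic backdoor left behind after a root compromise. The shadow and passwd content is constructed sample data; on a real host, feed it the actual files (reading /etc/shadow requires root).

```python
"""Post-incident check that a root compromise was followed by a full
credential reset, not just a root password change.  Added example; not
the article's, NIST's or CERT's code.  SAMPLE_SHADOW / SAMPLE_PASSWD are
constructed sample data standing in for /etc/shadow and /etc/passwd."""
import datetime as dt

# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg is the day of the last password change, counted from 1970-01-01.
SAMPLE_SHADOW = """\
root:$6$rootsalt$newhash:13283:0:99999:7:::
alice:$6$asalt$oldhash:13100:0:99999:7:::
bob:$6$bsalt$oldhash:13180:0:99999:7:::
svc_backup::13000:0:99999:7:::
daemon:*:12000:0:99999:7:::
www-data:!:12000:0:99999:7:::
"""
# /etc/passwd fields: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc_backup:x:1002:1002::/var/backups:/bin/sh
toor:x:0:0::/root:/bin/bash
daemon:x:1:1::/usr/sbin:/usr/sbin/nologin
www-data:x:33:33::/var/www:/usr/sbin/nologin
"""
EPOCH = dt.date(1970, 1, 1)


def parse_shadow(text):
    """Map account name -> {'hash': str, 'lastchg': int or None}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        entries[f[0]] = {"hash": f[1], "lastchg": int(f[2]) if f[2] else None}
    return entries


def parse_passwd(text):
    """Map account name -> numeric UID."""
    uids = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            uids[f[0]] = int(f[2])
    return uids


def audit(shadow_text, passwd_text, incident_date):
    """Return sorted (account, finding) pairs.  incident_date is ISO 'YYYY-MM-DD';
    a password counts as rotated only if changed on or after that day."""
    incident_days = (dt.date.fromisoformat(incident_date) - EPOCH).days
    findings = []
    for name, e in parse_shadow(shadow_text).items():
        h = e["hash"]
        if h == "":
            # Empty hash: anyone can log in with no password at all.
            findings.append((name, "empty password field: login without password"))
            continue
        if h.startswith(("*", "!")):
            continue  # locked account, nothing to rotate
        if e["lastchg"] is None or e["lastchg"] < incident_days:
            findings.append((name, "password not changed since incident"))
    for name, uid in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account (possible backdoor)"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed incident date: 2006-05-12 is day 13280; root was rotated
    # on day 13283, every other live account still carries a pre-incident hash.
    for account, finding in audit(SAMPLE_SHADOW, SAMPLE_PASSWD, "2006-05-12"):
        print(f"{account:12s} {finding}")
```

Run against the sample data, the check reports alice and bob as unrotated, svc_backup as passwordless and toor as a second UID 0 account, even though root's password was changed after the incident: exactly the "I've changed the root password" situation the quote describes. Locked accounts (hash beginning with `*` or `!`) are skipped because they have no usable password to rotate; SSH authorized_keys, cron entries and setuid binaries are the other persistence points a full recovery has to review, and are out of scope here.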
Run a Vulnerability Scan
Security teams usually conduct a post-incident scan with vulnerability assessment tools to ensure that necessary actions, such as applying required patches, have been taken. But security managers say they are continuously scanning anyway to uncover vulnerabilities or violations of security policy.
Hanson, the manager of I.T. security at Quad/Graphics, says he uses Pedestal Software's SecurityExpressions to scan desktops, servers and networking gear for compliance with the company's security policies. "We can use that information to go back and harden things up," he says.
SecurityExpressions checks for gaps in several key areas including system security configuration settings, security patches, antivirus status, personal firewall status and industry-known vulnerabilities, according to Pedestal Software.
Quad/Graphics has customized SecurityExpressions to help assess compliance with the company's acceptable-use policy. The result is an executive-level snapshot in time of whether end users are following policy. The company also brings in an outside analyst every few years to perform a vulnerability assessment.
The University of Georgia runs vulnerability scans and has vulnerability management applications installed on sensitive and critical servers, says chief information security officer Gatewood. The vulnerability management applications check configurations or settings on servers and generate a report card, which covers areas such as operating system level and patch status, open vulnerable ports and user accounts, Gatewood says.
"We do vulnerability assessment and scans on a regular basis," adds Abels, UPS' manager of security policy strategy and business continuity planning. The scans, performed by a managed security services provider, can also be run on demand as a follow-up to an event.
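The "report card" Gatewood describes, and the post-incident scan that confirms required patches are in place, both come down to comparing a host's current state against an agreed baseline. The script below is an added example of that comparison, not the University of Georgia's tooling or any vendor's scanner. It takes listening-socket lines in the shape of `ss -lnt` output and a `name version` package list, both constructed sample data here, and grades the host against a baseline of permitted ports and minimum package versions. Versions are ordered by their leading dotted-integer part after dropping a Debian-style epoch, a deliberate simplification of full distribution version ordering.

```python
"""Post-incident 'report card': listening ports and package versions
versus a baseline.  Added example, not code from the article or from any
scanner vendor.  SAMPLE_SS and SAMPLE_PACKAGES are constructed sample data;
on a real host use `ss -lntH` and `dpkg-query -W -f='${Package} ${Version}\\n'`."""
import re

# Constructed `ss -lntH`-style lines: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 0.0.0.0:4444 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
"""
# Constructed package inventory, one 'name version' per line.
SAMPLE_PACKAGES = """\
openssh-server 1:7.4p1-10
apache2 2.4.38-3
mysql-server 5.7.29-0
"""
# Baseline (assumed policy for this example): ports allowed on any
# interface, ports allowed only on loopback, and minimum versions that the
# remediation plan says must be installed.
ALLOWED_ANY = {22, 80, 443}
ALLOWED_LOOPBACK = {3306}
REQUIRED_MIN = {"openssh-server": "7.9", "apache2": "2.4.38"}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(text):
    """Return (local_address, port) for each LISTEN line; handles [ipv6]:port."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def version_key(version):
    """Comparable tuple from the leading dotted integers, epoch stripped.
    Simplification: '1:7.4p1-10' -> (7, 4); suffixes like p1 or -10 are ignored."""
    version = version.split(":", 1)[-1]
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def parse_packages(text):
    """Map package name -> installed version string."""
    packages = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            packages[name] = version.strip()
    return packages


def report_card(ss_text, pkg_text):
    """Grade the host: PASS only if no port or patch finding remains."""
    findings = []
    for addr, port in parse_listeners(ss_text):
        if port in ALLOWED_ANY:
            continue
        if port in ALLOWED_LOOPBACK and addr in LOOPBACK_ADDRS:
            continue
        findings.append(f"port {port} listening on {addr} is not in the baseline")
    installed = parse_packages(pkg_text)
    for name, minimum in REQUIRED_MIN.items():
        if name not in installed:
            findings.append(f"{name} missing: cannot confirm patch level")
        elif version_key(installed[name]) < version_key(minimum):
            findings.append(f"{name} {installed[name]} is below required {minimum}")
    return {"grade": "FAIL" if findings else "PASS", "findings": findings}


if __name__ == "__main__":
    card = report_card(SAMPLE_SS, SAMPLE_PACKAGES)
    print(card["grade"])
    for finding in card["findings"]:
        print(" -", finding)
```

On the sample data the host fails on two counts: an unexplained listener on port 4444 bound to all interfaces, and an openssh-server package still below the version the remediation called for, while MySQL on loopback only is accepted. Running the same script before and after the follow-up scan is the simplest way to show that the "necessary actions" the text mentions were actually taken rather than merely ticketed.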
A vulnerability assessment is largely a technical exercise. Enterprises also convene post-incident meetings with representatives from different areas of an organization, which focus on process as much as technology.
Gatewood says his security group holds an "aftermath party" with the university's security advisory council, including the chief information officer and representatives from the legal, public affairs and HR departments, among others.
The meeting dissects the security team's response to the incident, assessing the effectiveness of processes and procedures, Gatewood explains. The follow-up meeting also serves as a springboard to spread the word about a given incident, with an eye toward avoiding it in the future.
Learn From Mistakes
Security experts point to education as the most important safeguard against future incidents. At Electronic Data Systems, an employee undergoes security awareness training when he or she first joins the company and annually after that, says chief security and privacy officer Morrow. Managers are held accountable to make sure all who report to them have gone through the training, which is largely handled online, he adds.
Morrow says security training crops up in other guises. "We integrate the security messaging and data protection messaging into all of our leadership training," he says. The company also schedules a security awareness week each year.
The University of Georgia runs a campuswide program, educating students on desktop security and identity theft. To illustrate the latter vulnerability, Gatewood tells the tale of a professor who left his attaché case in the school library with his wallet inside. In less than an hour, Gatewood says, the absent-minded professor's credit card was purchasing airline tickets and other items from an off-campus IP address.
"People are watching," Gatewood cautions.
The university's security arm also tutors faculty not to post grades with Social Security numbers on the Internet. In general, Gatewood aims to "educate our staff on how to change business processes from a wide-open environment to something a little more secure."
The university's training methods stretch from instructor-led training to the occasional security flyer. "There are all sorts of ways," Gatewood says. "It is being an evangelist from end to end."
Training aims to prevent incidents, but an educated user can also contribute to early detection. "They'll know what not to do ... and they'll know when to call if they see something funny," says Lawson, the director of global services at Acumen Solutions.
Education initiatives must be flexible, enabling security groups to take lessons learned from security incidents and fold them back into the training regimen. They also study changes in attack types and methods and update the curriculum.
Bank of New York conducts quarterly threat assessments to close existing vulnerabilities and anticipate new exploits. It reviews its security posture annually with a third party. The bank's new understanding of the threat environment is incorporated into training programs for technical people and awareness programs for the rest, according to Guerrino, its head of information security.
Keeping information-technology departments up to speed on security is another dimension of the security group's education initiative. Application developers, for example, need to incorporate the organization's latest security principles as they generate code.
"When we go down this path to integrate security into the ... development life cycle, we need to have an ongoing training and awareness program for the technical staff," Guerrino points out. Through this program, the bank offers three to five secure-coding classes every year from a third-party training firm.
Application development teams at Bank of New York go through a security review process to see whether required controls have been implemented, Guerrino says. The code review "makes sure they adhere to controls and documents the reason why some controls may not be applicable to them," he says. The bank uses a third-party firm to conduct the review.
Ongoing training efforts help keep security on the front burner, say security executives, who warn that the absence of major incidents tends to lead to complacency.
Companies "that are not successfully attacked get lax and you have to reinvigorate them," says Miracle, the global security practice leader at BearingPoint.
"Understanding the hazards and risks and threats of doing business in a networked environment," Gatewood sums up, "will help you become much more secure."