Holistic Security: Protecting the Entire IT Infrastructure
By Bob Violino
Information security attacks are becoming more sophisticated and are coming from a growing number of sources. At the same time, more workers than ever are using mobile devices to access corporate data, and social networking and cloud computing continue to gain traction in the enterprise.
These trends are setting off alarm bells for IT, security and risk management executives regarding the safety of information assets. Never before have organizations faced such complex information security challenges.
For many companies, the solution to addressing vulnerabilities is to implement an end-to-end, or layered, defense so that all key elements of the IT infrastructure are protected against a variety of threats. In addition to a layered defense, enterprises are making security the business of everyone in the organization—it’s not just IT’s problem.
While the biggest concerns with security are typically related to critical infrastructure, monetary systems, intellectual property, and individual financial and private records, attackers can—and do—go after virtually any type of information.
“There is nothing we do that is not digital in nature, and all aspects are important to someone,” says Hord Tipton, executive director of the International Information Systems Security Certification Consortium Inc., (ISC)², a not-for-profit organization in Vienna, Va., that provides education and certification for information security professionals.
The reason a layered approach to security is vital is that individual layers “don’t have to be perfect, provided you have enough layers, because each layer covers the shortcomings of the others,” adds Roger Thompson, chief emerging threats researcher at ICSA Labs, a Mechanicsburg, Pa., firm that provides testing and certification of security products.
Seeing Real Improvement
Companies that have deployed layered security report seeing real improvements in the level of their vulnerability. For instance, Redwood Credit Union, in Santa Rosa, Calif., has built a multilayered defense that includes a first layer consisting of dual firewalls with multiple DMZs (i.e., perimeter networks) to segment traffic, coupled with virtual LANs on switches and a segmented IP network.
At the second layer, the company has a set of intrusion detection systems (IDS) and intrusion prevention systems (IPS) that watch all inbound, outbound and cross-network traffic. Redwood also uses an email scanning and spam filtering tool that further reduces threats, along with virus protection on all its PCs and servers.
“We also have an aggressive set of policies on the network, with access restrictions to almost all files and directories on an 'as needed’ basis,” says Tony Hildesheim, senior vice president of IT. “To ensure further protection, we have a set of controls that includes network monitoring and periodic checks and audits.”
Other components of the company’s security framework include central software management; patch management; encrypted hard drives; Internet access monitoring and limitations; and segmented, monitored and controlled network storage.
The efforts at Redwood Credit have paid off. “We have been fortunate to not have had any loss or issues as a result of an attack,” Hildesheim says. “We have been able to stop a number of virus and Trojan attacks, typically at the IDS/IPS device, prior to it attacking a PC or other device. We’re also careful to not draw attention to our organization and to address phishing or other attacks aggressively to ensure that we are not an organization that provides an easy target.”
Hildesheim estimates that his company deals with about 40 attacks monthly—malware, trojans or other viruses—but all of them are averted, largely because of email scanning tools and the local scanning and IDS/IPS that augment the firewall. The company also experiences about 100 "suspicious hits" and about 20 validated hits a month, all of which are averted by firewalls, patching and security procedures.
Having robust security is a high priority for business executives at Redwood Credit Union. “As a financial institution, maintaining the trust of our customers is paramount, and maintaining our reputation is huge,” says Wade Painter, CFO. “We can’t afford to drop the ball anywhere.” The company reports that it has suffered no financial or customer losses because of an intrusion or attack on its systems.
Painter adds that having multiple layers of defense also creates resiliency in systems. “Having a security event doesn’t necessarily mean you’ve been compromised,” he points out, “but if you have lousy security, it could make you susceptible to downtime. The resiliency of our systems is hugely important to us, and being available to our customers and employees is critical.”
Layered security is especially vital for organizations that are increasingly relying on mobile technology.
Active Interest Media, an El Segundo, Calif., media company that produces enthusiast magazines and related consumer shows, Internet sites and books, has deployed a multifaceted security strategy that’s not overly complex but takes into account the growing population of mobile device users, according to Nelson Saenz, vice president of IT.
“We take what I like to describe as a simple but effective approach to overall security,” Saenz says. To protect the company’s corporate network, Active Interest Media recently refreshed its perimeter hardware with Cisco ASA 5500 Series Adaptive Security Appliances, which set up firewalls at each of its gateways. The ASAs “provide us with top-level protection from malicious attacks via a combination of strict access lists, for example, only opening ports and services that must be used for our day-to-day [operations],” he says.
Because Internet access and email routing are necessary for business, the company applies additional layers of protection via two security appliances: McAfee’s Web Gateway (formerly WebWasher) and Email Gateway (formerly Ironmail).
“By proactively scanning and filtering for Web- or email-bound viruses and malware, [the appliances] significantly reduce the likelihood of an attack coming in via the two main methods of entry,” Saenz says. “And because they are hardwareappliances, they are easy to manage and maintain.”
As the company moves increasingly to mobile devices and beyond the firewall, the principle “battlefield” for security is becoming smartphones and tablets, according to Saenz. “With the advent of mobile devices and the 'consumerization of IT,' instituting sufficient measures for this new breed of enterprise tools is a vital part of our security blueprint,” he says.
Active Interest Media uses Good Technology's Mobile Device Management (MDM) products to deliver enterprise data to devices, as well as to protect and secure employee-owned devices. “I realized early on that as mobile increasingly became where the majority of innovation was occurring, it would become vital to focus on implementing the proper solutions” to ensure that devices were secure, Saenz says.
With MDM, the company can more easily manage its growing fleet of heterogeneous devices; push standard security policies, such as passwords and lock limits to devices; and lock down and remotely wipe any lost or stolen devices. “We are able to adapt and deploy a proactive security framework for the ever-changing mobile landscape,” Saenz says.
“Multiple layered network security as a whole is very important for a variety of reasons,” says Brian Sellstrom, CFO and treasurer at Active Interest Media. “What immediately comes to mind is loss of revenue as a result of a malicious attack aimed at destroying our business. Any kind of significant downtime that would result from an attack on our network is, by itself, reason enough to take a proactive approach when it comes to securing our computing and mobile infrastructures.”
Fending Off Attacks
A layered security approach has helped the University of Georgia’s Small Business Development Center significantly cut down on malware attacks, such as viruses and spyware. Prior to implementing a more in-depth security posture about three years ago, the department was experiencing attacks via the Internet that forced its IT department to rebuild computers on a weekly basis. Following the improved security, the center has seen just two incidents in the past two years, says Rick Lanard, senior IT manager at the department.
Among the security products the department is using are an Edge router firewall from Juniper Networks that protects the entire university’s enterprise network. In addition, the center has deployed separate firewalls from Microsoft and Watchguard Technologies that protect individual operating systems and applications used within the department.
The department doesn’t use antivirus software, Lanard says, but instead uses a host intrusion protection system (HIPS) and application whitelisting from LANDesk Software for endpoint security. Application whitelisting allows only specific, approved applications to run on a client computer.
The initial whitelist is created by giving end-user devices a sufficient “learning period” to account for applications and tasks a user performs during a specific work cycle. After the initial learning period, the whitelisting setting is placed into block mode.
When a device is placed into this mode, it’s locked down so only approved applications are permitted to run. Because only whitelisted applications can run, the department significantly reduces the likelihood of attacks by malware.
Putting in place multiple levels of security is the best way to thwart the variety of potential attacks, Lanard says. “We’ve found that running a high level of security is a better way to manage IT,” he says. “We’re not out rebuilding machines daily, so we can, instead, do things that benefit the organization. There’s no reason for us to have super-layered security—we just wanted to have the ability [be able to] chose the type of problems we have to deal with and where we devote our resources” by improving security.
Another key component of effective corporate security strategies is to involve the entire organization in the effort to protect systems and data.
“Everyone should be involved in security, because not all threats will be preventable” by using software alone, ICSA Labs’ Thompson says. “There are also physical threats, and social engineering, where someone will call on the phone—perhaps pretending to be from the helpdesk or trying to get the victim to share his user ID and password. Software can’t help in those situations, but education, training and awareness can.”
Adds Tipton of ISC², “there is no way any security solution has a chance of protecting our computing environment without all levels of education and skills applied across the enterprise.”
Organizations should think about security in terms of process, people and technology, says Kevin Curran, head of the School of Computing and Intelligence Systems at the University of Ulster, in the United Kingdom. “This will involve creating security policies with internal departments, performing audits, implementing physical security control and classifying risk.”
The University of Georgia, including the Small Business Development Center, requires that all employees partake in an annual security training program that was developed in-house. “Because of this requirement, the end user’s baseline understanding of security is increased, and terminology is better understood,” Lanard says.
Employees are given a choice of either watching six videos about security practices or taking an extensive test that covers multiple facets of security, including how to avoid threats such as computer viruses and phishing attacks. The program was launched about three years ago and has helped make all university employees more aware of security threats and how to protect against them, Lanard says.
Redwood Credit Union has mandatory security training at new employee orientations, annual security training updates and validation. The company practices standard password rotation for employees, tests for social engineering, and also performs penetration and controls testing.
“We have ad-hoc alert response teams that are called for any indication of a potential breach of any level of security,” Hildesheim says. “At a previous organization, we had an enterprise risk management team that consisted of key leaders from every major operational area that met monthly to review security issues and set security standards. We have not instituted that at this organization yet, but it’s something that’s worth the effort and will be established in the coming year.”
Redwood also has an education and awareness campaign for its customers. “This is critical in assisting them in maintaining privacy,” Hildesheim says. “To further support this effort, we have strict practices in our use of email and links in emails with our consumers.”
At Active Interest Media, “We mainly try to educate users via educational emails, short videos and posts to our help desk Website,” Saenz says. “In many ways, employees are the biggest threat to security because they already have physical access. A bad click or two is all it takes sometimes.”
Because of this, the company makes an effort to get the word out about “thinking before you click” and setting up community sections of its internal help desk Website for discussions and threads pertaining to smarter, safe computing.
“I think our work is paying off,” Saenz says. “We have never been hit with a major companywide breach. There have been minor malware attacks, but nothing that would be considered show-stopping.”
Tips for Stronger Security
· Recognize high-risk people and behaviors. Many risks come from internal users and their access to data and ability to transmit information.
· Accept the new realities of a mobile workforce. Tablets, smartphones and other consumer devices are becoming part of the work environment. Put in place plans that will allow you to secure and manage devices effectively, while still delivering enterprise data to users.
· Test your security periodically. When it comes to IT infrastructure, it’s not always “set it and forget it.”
· Hire competent, certified people for the IT security team.
· Don’t underestimate the importance of effective security training and education throughout the organization. These efforts should be ongoing, because the security landscape is constantly changing.
· Ensure that all managers are responsible for information security.
·Develop a data-classification methodology that establishes criteria for classes of data or applications based on their value to the business, and protect data and apps accordingly.