Protecting Your Corporate Assets
By Bob Violino
Cyber-crime is a growing threat for organizations, and the collateral damage from suffering a breach can be significant and widespread: lost revenue, diminished customer confidence, bad publicity and damage to the brand—to name a few of the potential consequences. As a result, information security is both a challenge and a priority for organizations.
Attackers are going after a variety of targets and for different reasons. According to the "2013 Data Breach Investigations Report" by the risk team at Verizon Enterprise Solutions, 37 percent of breaches affected financial organizations. However, other types of businesses are also in the line of fire: 24 percent of breaches occurred in retail environments and restaurants, and 20 percent of network intrusions involved manufacturing, transportation and utilities. IT and professional services companies are also common targets.
The Verizon report includes data covering more than 47,000 reported security incidents and 621 confirmed data breaches from the previous year, gathered from 19 global organizations including law enforcement agencies, national incident-reporting entities, research institutions and private security firms.
The modes of attack and motives of the attackers also varied, according to the report. About three-quarters of network intrusions exploited weak or stolen credentials; 52 percent used some form of hacking; 40 percent incorporated malware; 35 percent involved physical attacks; and 29 percent leveraged social tactics. Three-quarters of the attacks were driven by financial motives.
And while security experts often talk about the threat of security attacks from within organizations, the report notes that 92 percent were perpetrated by outsiders.
"Organizations should stay vigilant in their efforts to protect information and prevent data loss," says Steve Durbin, global vice president of the Information Security Forum (ISF), a nonprofit organization in New York and London that provides guidance and best practices for information security and risk management. "Established controls—from managing employee access to monitoring network traffic and removable media—should be maintained and updated. A risk assessment should be carried out, in conjunction with the business and other functions, to determine what is essential to the organization."
Deploying Security Strategies
Enterprises are deploying various strategies to defend against cyber-criminals. As a defense company, Raytheon in Billerica, Mass., is a critical infrastructure provider and has a responsibility to protect its operations, and "that goes beyond even our corporate responsibilities," says Michael Daly, CTO and information security solutions director, Cyber Sciences & Technology Centers at Raytheon.
"In our unclassified computing environment, we have typical front-office and back-office information such as customer contact information, supplier data, financial information, personnel records, etc.," Daly says. "In addition, our research and development—and all or part of many programs—operate at the classified level. All of this information is important for us to protect."
In addition to firewalls and intrusion prevention systems, Raytheon has implemented RShield, an advanced malware detection platform that the company built. "It examines all files coming into the enterprise by email, USB or Web download inside a virtual machine farm running our standard desktop image," Daly says. "It operates in conjunction with our insider-threat management tool, SureView, running on our desktops."
The insider-threat tool is also tuned to look for advanced persistent threat behavior. "These tools also help us automatically extract new indicators from malware and enable rapid deployment of new signatures for our global intrusion prevention framework," he adds.
Enterprisewide deployments, including security initiatives, always bring challenges, Daly points out. One was minimizing the performance impact of desktop sensors and their rules on the environment. "We address the performance challenges by testing any new desktop rules in a pilot group, and then [roll] them out to select communities and [watch] for negative impacts," he says.
Perhaps the most important security process the company has established is its information security training program. "We require all employees to take computer security training every year, and we go beyond simple hygiene practices to include very specific guidance on detecting advanced persistent threats such as socially engineered emails," Daly explains.
Raytheon also requires all information systems administrators to take further training and pass a test to ensure that they understand the company's policies and practices. "Beyond this, we have established advanced cyber-training for our cyber-security staff to ensure they are capable of dealing with the most difficult attackers," he adds.
In addition to training, Daly strongly recommends that organizations implement firewall controls in their data centers to protect inbound, outbound and cross-bound traffic. "Have all Internet traffic routed through Web proxies that implement white-listing for the data centers and, at a minimum, category and specific black-listing for user networks, including VPN users," he says. "Know where your key assets—data and systems—are located, and spend extra time thinking about those assets."
Protecting Key Assets
Security is especially critical for financial services companies. Andrews Federal Credit Union in Suitland, Md., is particularly diligent about protecting key information assets, such as credit union member information residing on all servers, databases, local networks and mobile devices; all staff and vendor personal, confidential and proprietary information; and all system configurations and documentation.
The firm has implemented a variety of security technologies as part of its defense-in-depth strategy, says Bill Wallace, information security manager. "Many of these are your basic fundamental security systems," he says. "We have been very successful and hope to stay that way."
The security products the firm uses include firewalls, intrusion prevention systems, anti-virus software, spam filtering, data encryption and network segregation.
One of the key security tools is a network access system from StillSecure called Safe Access. The product is "a perfect example of a system that does one thing correctly and keeps the configuration and administration simple," Wallace says. "IT shops with limited staff and resources can't afford to implement systems that are too complex and attempt to cover all security vectors."
This is important because most of the implementation challenges Andrews Federal has encountered with security products "revolve around training and use of the systems," he says. "Misconfiguration and administrator errors will render the best solution ineffective."
In addition to the technology strategy, the credit union also relies on processes and procedures to protect information assets.
"We have policy and procedures wrapped around every process executed," Wallace explains. "This includes both automated and manual processes. The importance is to create a foundation of acceptable use, confidentiality, integrity and accessibility of all information. Enforcement, consistency and standardization are the fundamental purposes of policy and procedures."
Among Wallace's key recommendations for strong security are constant monitoring of systems data, networks and people; protecting data at all stages of its life cycle; quality training for users, administrators and data owners; and strict adherence to policy and procedures.
Perhaps the most important best practice: communication and transparency. "Security by obscurity doesn't work," he says. "Total understanding of the mission by all levels of the organization [is] paramount."
Wallace emphasizes that it's vital to have buy-in for every solution for it to be successful. "Most people will circumvent any system they can to make life easier," he says. "If they understand the importance of why we need to secure assets, and understand the systems doing the securing, you tend to get better and safer systems, workflow and user experience."
Providing Business Benefits
While security is often viewed as a necessary expense, it actually can provide business benefits. When a company implements strong security measures, it sends a message to business associates that the company values its clients and their data, says Joyce Sigler, vice president, administration at Jones & Wenner Insurance Agency in Fairlawn, Ohio.
"Beyond those benefits, you sleep better at night knowing that you are doing what is prudently the best you can do, and that you have an eye on the value of your business and the business of your clients," he explains.
Jones & Wenner is especially protective of the personal data of its active customers, agency prospects and past agency clients.
"Years ago, you never thought that more than a lock and key were necessary to protect agency and customer data because it was on site within the confines of your office," Sigler says. "Today, with a majority of data transactions done electronically, the game has changed. Every aspect of a client's information is at risk and needs protection, particularly [information] that would allow a perpetrator to duplicate an insured."
The company uses encryption, firewalls, password protection and user authentication to safeguard data. One technology it has deployed is software from AppRiver that enables Jones & Wenner to protect its customers with layers of security. "We rely on AppRiver for spam filtering, encrypted email, email continuity and Web filtering," Sigler says.
In addition, the agency stores as little as possible internally on its physical equipment. "Agency desktops are wiped free every night of any items that are downloaded by users during the day and restored to the agency standards," Sigler says. "This ensures that integrity of our internal standards and [settings are] in place."