With no sign of a silver bullet when it comes to security  technology, policies and procedures are becoming all the more important when  facing increased threat levels. Guiding how a company responds to data breaches  and denial of service attacks, experts say getting things right at the policy  level has never been so critical, reports JJ WORRALLimages[1] (2)
Read more:
Organizations who  require superior security solutions are demanding more at policy level than ever  before, with many accepting that the security technology available at present  simply cannot be expected to withstand increased numbers of malicious threats.

Donnachadha Reynolds, security consultant with Integrity Solutions told  ComputerScope that, “The current state of affairs regarding technical ‘silver  bullet’ solutions is, unfortunately, that technical solutions alone are failing  to meet the challenges posed by newer risks such as malware and social  engineering. What we see is that solid security starts with the unglamorous  basics. Good policies and procedures reflect a business that knows what it is  trying to protect.”

It’s a point which Cisco Ireland country manager, Adam Grennan concurred with  to a large degree. “Security always starts with the setting out of the security  policy for the organisation and clearly communicating that policy throughout the  organisation. Once this has been done then the policy can be implemented through  the use of security tools.”

David Keating of DataSolutions though, warned against underestimating the  importance of choosing the right tools alongside effective policies. “Security  has to be driven by policy and procedure but with all the information that is  generated by both users and the solutions they use; most organisations need  tools to effectively monitor this information to enforce policy,” he said

Keating continued, “If you take something simple like a firewall or router  logs; on their own they will create reams of information that policy and  procedure might determine should be reviewed by IT to identify the tell-tale  signs of security incidents. In reality to do this without the right tools would  be a full-time job so to implement policy, security event and incident  management (SIEM) tools such as EnVision from RSA need to be deployed.”

IT GOVERNANCE With incidents of data breaches, advanced persistent threats  (APTs) and denial of service attacks on the rise, and being regularly discussed  at boardroom level, RSA’s own Robert Griffin was keen to point out that while  policies and procedures are an essential part of any security infrastructure,  they remain “only a part”.

The chief security architect would note that polices and procedures have to  participate in a larger IT governance process that ensures that IT is looking at  risks appropriately, investing wisely in technology, operating as effectively as  possible and “responding to the real business needs”.

Said Griffin, “IT governance itself needs to be part of the larger enterprise  governance program that addresses the risks that could threaten the enterprise,  its employees, its customers and the larger society in which we all  participate.”

For the RSA man, the most important development in terms of security policies  and procedures in the recent past has been the recognition that they must be  part of a “larger risk-based governance model”. He added that frameworks such as  the ISO 27000 series of standards or industry guidelines, including as the  oft-commented on “Cloud Security Alliance threat taxonomy”, enable enterprises  to define and assess the mechanisms they want to use to address the threats they  face.

“There are many mechanisms that enterprises can use to provide the control  and transparency required for responding to threats,” revealed Griffin. They  include clear privacy and security policies that encourage appropriate employee  behaviour; risk-based step-up authentication technologies for enhanced security  on high-value transactions and so on. Decisions related to policies and  procedures-like decisions related to technology investments-have to be made in  the light of the risks the enterprise faces and the appropriate ways to respond  to those risks.”

Read more:—incident-handling#ixzz2YjlOlMeN

WORRYING One major concern for Integrity’s Reynolds is the basic policy  failures of Ireland’s businesses. He asserted that “development and maintenance  of policy and procedure has not kept pace with either legal or technical  developments” in this country. In fact, he contended that the average policy he  sees “is over five years old”.

Expanding on his point, Reynolds added that those half-decade-old policies  don’t reflect legal standards at work across Europe regarding personal data  protection in the workplace. “We have never seen a requirement for internal  mandatory reporting of incidents. Most worryingly, there is no appetite to  address these concerns. Most incidents in Ireland go unreported. Due to poor  policy and procedure, legally pursuing individuals who steal your information is  difficult for most companies. The end result is stark.”

He continued, “Companies embrace new technology, such as mobile intelligent  devices, without looking at basics. They need to look at what they are trying to  protect, what are the risks associated with this data on the platforms it is  being accessed on, and what practical precautions staff should follow to protect  this data. They also need know what they should do if something goes wrong, and  how they can verify the integrity of the devices handling the data.”

FULLY TESTED Sian John, a security strategist with Symantec made the point  that to handle any security attacks correctly, it’s essential to have a “fully  tested and understood incident response procedure”. This, she added, is  something that’s routinely overlooked by many organisations.

“They either do not have an incident response procedure or if they do, it has  not been tested. This document should not be purely technical but also include  the reactions of executives, PR and business leaders,” she said.

“With the advent of many of the cyber-security issues we’ve seen over the  last few months, it’s key to ensure that these policies are not only developed  but also tested via dry runs of the procedure to identify any gaps and issues  before an incident occurs.”

Read more:—incident-handling#ixzz2YjlJ1Ftz

DATA BREACHES Following up on John’s point regarding incident response  testing, several of the security experts who spoke to ComputerScope were asked  what approach they would take to handle both data breaches and denial of service  attacks were they to find their own companies under attack. In the case of the  former, Cisco’s Grennan said the best response is simply to concentrate on the  advice in the Security Breach Code of Practice in Ireland’s Data Protection Act,  while Reynolds also said the Office of the Data Protection Commissioner is “a  very worthwhile place to ask for advice”. RSA’s Griffin commented that  handling a data breach requires maintaining an IT security approach which is  based on data collection and analysis in the first place. This, he added,  creates security intelligence that detects both inadvertent security issues and  “skilled adversaries”.

“For example,” he continued, “data loss prevention (DLP) technologies can  look for the presence or movement of sensitive information in unexpected or  risky places, such as by discovering private banking customer information in  spreadsheets attached to e-mail messages, a situation that exposes the financial  institution to legal problems and erosion of customer confidence. But the  security intelligence that’s needed now has to be able to identify potential  malicious activity from even more subtle and complex indicators.”

Read more:—incident-handling#ixzz2Yjl9dqPm

Take financial institutions for instance, Griffin noted how trading  algorithms can be of inestimable value. Detecting that those algorithms may be  at risk of theft by an employee leaving the company requires “correlation of  access patterns related to those algorithms, indications of the algorithms being  collected in unauthorised locations and association of that correlation with  information about the employee, such as indicators they might be thinking of  leaving the company”.

Similarly, he said, detecting the movement of personal information across  national borders requires correlation of geographical information with knowledge  of sensitive information. “This new approach to security requires not only  effective technology, but also organisational structures and business processes  that support proactive security intelligence,” Griffin added.

DENIAL OF SERVICE What then, should be done in response to a potentially  crippling denial of service attack? “This,” said Grennan, “is one area where  technology can help to mitigate the effects of such an attack.” On a similar  note Integrity’s Reynolds said handling such incidents in a practical manner  “requires some sort of solution where huge connections to the Internet are used  that cannot be saturated by malicious traffic”. Large organisations, he said,  can afford these or “alternatively, third party organisations can provide a  transparent front-end service with this capability fronting for your web  services”.

Read more:—incident-handling#ixzz2Yjl3hrjX

Continuing his point, Reynolds said that mitigation may require “religious  patching” for both operating system and applications. “Anyone who believes they  can leave a service hooked up 24/7 to the Internet and not patch it properly is  inviting trouble. Every organisation should have a stated policy to patch,” he  added.

For his part, Griffin said a combination of security intelligence derived  from technology such as continuous external monitoring of response time,  internal tracking of IP patterns and evaluation of traffic against empirical  performance models, with adaptive strategies for response, “such as contracting  for availability of virtual resources for burst responses”, will be “very  effective” in handling denial of service attacks.

UNDERSTAND THE RISK EXPOSURE Looking ahead, Symantec’s John was keen to  point out that the next year will see IT and information security becoming “more  connected to the business”, having “being seen much more as an enabler” in the  past. The security strategist claimed this there will be a greater focus on  ensuring that “any spend is helping to drive forward the business’ objectives,  whether that is policy or technology driven”.

John also said that there’s currently a drive towards “integrated risk and  threat views across the estate”. So rather than defining technical issues and  “buying lots of point product technology” to deal with the issues, she claimed  it will be important to understand the risk exposure across the business and how  the organisation stands against mitigating that risk.

“Therefore,” she continued, “the focus is on unified threat and risk  management reporting and the ability to model different actions in order to  ensure that the actions being taken appropriately mitigate risk.”

GOVERNMENT For Reynolds, any evolution of polices and procedures over the  coming year to 18 months depends, in Irish terms, on “the Government changing  its attitude to data protection”. The security consultant added that, “we have a  voluntary ‘Code of Conduct’ for personal data protection. There isn’t much to  stop this becoming a mandatory law except the will to do it.”

Elsewhere, advanced security management will, according to Griffin, leverage  enhancements in visibility and in governance capabilities to put in place more  effective processes, organisational structures and security technologies to  combat data breaches and occurrences of denial of service. He also noted that  advances in security controls themselves, such as in new cryptographic  techniques that support limited visibility into encrypted information, will also  emerge over the coming year.

BYOD Meanwhile Cisco’s Grennan addressed the burning issue of the bring  your own device (BYOD) revolution. The security and risk mitigation of this,  Grennan claimed, is becoming a rising concern in businesses across the globe.  “Policies need to be adapted to cater for BYOD along with the rollout and  development of new tools to implement these policies,” he said.

Grennan also commented that, as the surge of interest in the cloud and Big  Data continues feverishly, “the true nature of shared services and  infrastructure will have an impact on both tools and policies, how they are  implemented, governed, controlled and monitored”. Organisations will need, he  said, to be more mindful of the impact which transmission and continued storage  of “personal identifiable data” may have on their customer base.

“Authentication, authorisation and auditing of applications and data will be  key to the continued success and measurement of a good infosec policy,”  concluded Grennan. “When addressing APTs, trust of auditing data and the ability  to demonstrate a segregated control/management/data plane in order to protect  the network will be invaluable. Also, it’s inevitable that software defined  networking (SDN) and OpenFlow will allow for additional segregation in the data  plane with differing levels of control, based on the signature or classification  of that data plane.”

Read more:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


This entry was posted on July 11, 2013 by in SECURITY.

Top Posts & Pages


Enter your email address to follow this blog and receive notifications of new posts by email.


%d bloggers like this: