Friday, September 3, 2010

The buck stops here: the role of CEOs in data security

Ray Bryant, CEO of idappcom, explains why the big chair in most organizations carries a lot more responsibility than you might think:

You would never consider purchasing an inferior accounting system that opens your organization up to financial loss through bad record keeping - potentially putting it out of business and incurring the wrath of shareholders and other stakeholders.

Yet many managers will cheerfully purchase an inferior, but lower-cost, IT security defense system for their company, and later regret that purchase when hackers successfully compromise their firm's data, ruining the firm's reputation and opening it up to financial penalties that could well put it out of business.

Welcome to the business horror that is a data breach.

As with all technology-driven issues, to make a decision on which IT security system to go with, the CEO (and his team) must first understand where the problem is - in this case, where a data breach originates.

While the popular media perception is that IT security defenses are there to protect an organization's digital assets from external attack, the reality is that a large number of incidents are the result of internal threats compromising the firm's data. Indeed, a quick scan through the constant stream of media reports about the unfortunate companies - and their equally unfortunate senior managers - who are put through the data breach wringer will frequently reveal that the data breach was due to an internal hack.

Beware: internal does NOT always mean the person is physically on your premises. It just means they are internal to your systems. More and more cases revolve around a hacker gaining entry through 'back doors' into your computer; they could be anywhere on the net, and quite possibly outside your jurisdiction even if you 'caught' them.

But it gets worse, as an increasingly common hacker methodology is to crack the security of one company and use that system as a launch pad to hack into other systems. Ever had an email returned "undeliverable" that you did not send? You've been hacked, and have probably been sending emails carrying attacks or backdoors to your entire contact list, and to whatever other list the attacker wanted to reach. You may now be a spammer as well.

The liability for all attacks including ‘secondary’ attacks lies with the CEO who has allowed - either directly or indirectly - his/her company systems to be misused in this manner.

The problem of inter-linked computer systems is a growing one, as the larger the company, the more reliance it places on computers and connections. These connections are the lifeblood of the cybercriminals, who tap into the fact that the privilege levels of user IDs that interconnect with third-party systems invariably tend to be higher than direct external accounts. Put simply, this means that an internal account from company A will have a much greater degree of access to company B's computer systems than an individual’s external account to company B's systems.

It's all about trust - as today's IT professionals will confirm, the interconnectivity between companies is now so pervasive it increases the risk profile of inter-system IDs to much higher levels than most people are aware of. This is the stuff that lawsuits are made of and can you guess who carries the can for these problems? That's right - the CEO and his/her senior management.

In many 'hacked' systems, a risk analysis/penetration test - no matter what the size of the company concerned - would normally have revealed the weaknesses in its security that the hacker(s) exploited. Questions asked by a risk assessor include what the system's entry points are, what data is accessible, and, of course, whether fraudulent transactions can be originated.

Issues addressed by the risk assessor include whether the data is classified, and what levels of protection are used in which areas of the system. Other topics up for discussion include whether the organisation has the level of expertise available, internally or externally, that understands the security requirements, and whether the security devices are configured to meet the organizational needs.

We often find that following a data breach, it becomes apparent that not only was the organisation's security lacking and poorly configured, but there is often a lack of understanding amongst senior management as to what the role of IT security is within the business. This brings us back to the popular misconception that IT security systems are there to protect the company IT resources against external attacks, ranging from fraudsters all the way to cybercriminal phishing attack vectors.

The reality, as our research team has discovered, is that fraud normally comes from the inside - either a rogue employee generates the fraud or, increasingly, a hacker who has got through a security device and installed a backdoor on the system that now allows them to freely move around, monitor and appear to be an internal person. You don’t know they are there until it’s too late.

One of the most interesting aspects of dissecting a given security breach is how often, quite apart from the breach itself, the hacker has been able to get inside the company's IT systems beforehand. This has the potential to be even more damaging than it may at first appear, because in the build-up to the fraud and subsequent data breach most cybercriminals operate in 'stealth mode' and can therefore milk the company's finances for a lengthy period before they are rumbled by conventional IT audit methodologies. This means that, for almost all organizations, enhancing the IT security of the company - by ensuring it is kept as up to date as is automatically possible - is an absolute necessity, and not the IT luxury that many senior managers perceive it to be.

Put simply, this means that spending hundreds of thousands of dollars, pounds or Euros on a security system, plugging it in and switching it on - then presuming your company is secure - is a totally inadequate approach, because it usually results in relatively poor levels of protection for your organisation as the threats from criminals are constantly changing. Configuration, constant evaluation and constant updating of security rules are essential to the IT security of a business. Of course, the degree to which protection is needed is a matter of balancing risk and cost, and this equation is a unique business decision as with any other senior management process.

Assuming that the ROI charts have been prepared and the risk analysis process completed, the next step on the road to deploying effective IT security is to ensure it is working properly, and stays that way. This is a hurdle that many companies fall at, as frequent verification checks on the efficiency - and efficacy - of an IT security platform need to be made. Whatever the system - and whatever the smoke and mirrors from the 'theory' sellers - there is only one way to validate against KNOWN threats, and that is to play those threats, in a controlled way, through the company's actual live prevention set-up. Test, review, and test again - not in the lab, but in a real business environment, where actual threats exist and can be tested against. It's my supposition that a good CEO should also look for the IT team's ability not only to define the threat but also to have a solution that can be deployed to meet that threat in as short a timeframe as possible.

Our own tests suggest, in fact, that one of the most popular (free) security systems will spot very few threats without the necessary configuration, and that the new security rules issued by the vendor each month represent about 10% of the actual new, very relevant, threats that appear each month. This issue arises because configuration needs a method of evaluation to ensure its efficacy and, in the event that faults are discovered during the review process, to allow the configuration to be revised and new rules introduced to remediate the problem - immediately, not months later.

In an ideal world, it would be possible to remediate all threats, but in the real world, this would significantly slow the IT system down, meaning that a compromise between threat checking and system performance is usually required. By using an optimum configuration validation system, you can get the best of both worlds. The amount of IT security your organisation actually needs can only be judged by an effective risk analysis process, followed by a cost/benefit exercise.

It's also worth noting that in most countries - particularly the US and member states of Europe - there is now clear legislation and/or good corporate governance requirements that make the CEO clearly responsible for any security breaches.

CEOs are not only responsible for the effect of attacks on their own IT systems, but also for hackers who use their systems to attack others. The growing trend for major corporations' systems - particularly in manufacturing and distribution - to link their computers together using electronic data interchange (EDI) systems, with very little manual intervention, opens yet another 'backdoor' for hackers to spread their activities. As with any pain, it comes after the attack. Your defences need to be up at all times, not just when audited, or it will be the audit that shows you where you may have been slowly bleeding to death.

What do you think?