Addressing Security Threats
An Anti-virus is not an Option
The volume of malware that can hit organizations today is enormous and the attack vectors are multiple.Viruses may spread through email, websites, USB sticks, and instant messenger programs to name but a few. Ifan organization does not have an anti-virus installed, the safety of the desktop computers will be at the mercyof the end user – and relying on the end user is not advisable or worth the risk.
Protecting desktop workstations is only one recommended practice. Once virus code is present on a desktopcomputer, it becomes a race between the virus and the anti-virus. Most malware has functionality to disableyour anti-virus software, firewalls and so on. Therefore you do not want the virus to get to your desktopcomputer in the first place!The solution is to deploy content filtering at the gateway.
Anti-virus can be part of the content filtering strategywhich can be installed at the email and web gateway. Email accounts are frequently spammed with maliciousemail attachments. These files often appear to come from legitimate contacts thus fooling the end user intorunning the malware code. Leaving the decision to the user whether or not to trust an attachment received byemail is never a good idea.
By blocking malware at the email gateway, you are greatly reducing the risk that endusers may make a mistake and open an infected file. Similarly, scanning all incoming web (HTTP) traffic formalicious code addresses a major infection vector and is a requirement when running a secure networkenvironment.
A large percentage of successful attacks do not necessarily exploit technical vulnerabilities. Instead they rely onsocial engineering and people’s willingness to trust others. There are two extremes: either employees in anorganization totally mistrust each other to such an extent that the sharing of data or information is nil; or, at theother end of the scale, you have total trust between all employees.
In organizations neither approach isdesirable. There has to be an element of trust throughout an organization but checks and balances are just asimportant. Employees need to be given the opportunity to work and share data but they must also be aware ofthe security issues that arise as a result of their actions. This is why a security awareness program is soimportant.For example, malware often relies on victims to run an executable file to spread and infect a computer ornetwork.
Telling your employees not to open emails from unknown senders is not enough. They need to betold that in so doing they risk losing all their work, their passwords and other confidential details to thirdparties. They need to understand what behavior is acceptable when dealing with email and web content.Anything suspicious should be reported to someone who can handle security incidents. Having opencommunication across different departments makes for better information security, since many socialengineering attacks abuse the communication breakdowns across departments.
Additionally, it is important tokeep in mind that a positive working environment where people are happy in their job is less susceptible toinsider attacks than an oppressive workplace.
A lot of information in an organization is not centralized. Even when there is a central system, information isoften shared between different users, different devices and copied numerous times. In contrast with perimetersecurity, endpoint security is the concept that each device in an organization needs to be secured. It isrecommended that sensitive information is encrypted on portable devices such as laptops.
Additionally,removable storage such as DVD drives, floppy drives and USB ports may be blocked if they are considered to bea major threat vector for malware infections or data leakage.Securing endpoints on a network may require extensive planning and auditing. For example, policies can beapplied that state that only certain computers (e.g. laptops) can connect to specific networks. It may also makesense to restrict usage of wireless (WiFi) access points.
Policies are the basis of every information security program. It is useless taking security precautions or trying tomanage a secure environment if there are no objectives or clearly defined rules. Policies clarify what is or is notallowed in an organization as well as define the procedures that apply in different situations. They should beclear and have the full backing of senior management. Finally they need to be communicated to theorganization’s staff and enforced accordingly.
There are various policies, some of which can be enforced through technology and others which have to beenforced through human resources. For example, password complexity policies can be enforced throughWindows domain policies. On the other hand, a policy which ensures that company USB sticks are not takenhome may need to be enforced through awareness and labeling.
As with most security precautions, it isimportant that policies that affect security are driven by business objectives rather than gut feelings. If securitypolicies are too strict, they will be bypassed, thus creating a false sense of security and possibly create newattack vectors.
Separation of duties, auditing and the principle of least privilege can go a long way in protecting anorganization from having single points of failure and privilege creep. By employing separation of duties, theimpact of a particular employee turning against the organization is greatly reduced. For example, a systemadministrator who is not allowed to make alterations to the database server directly, but has to ask thedatabase administrator and document his actions, is a good use of separation of duties.
A security analyst whoreceives a report when a network operator makes changes to the firewall access control lists is a goodapplication of auditing. If a manager has no business need to install software on a regular basis, then his or heraccount should not be granted such privileges (power user on Windows). These concepts are very importantand it all boils down to who is watching the watchers.