A multi-layered response
‘Security in depth and security in breadth’ is the key when putting together an information policy, says Paul Barker, Technical Architect at Integralis.
Many of the problems associated with information security arise from the tendency of most organisations to take a ‘sticking plaster’ approach to the issue, in that they identify that a threat exists or that a security incident has occurred and then determine a specific control in order to manage or mitigate that particular threat. The problem with this approach is that it is generally reactive and inconsistent, and it is simply not extensive enough, as it does not consider other threats.
A lack of consistency can be a serious problem, as security incidents can take a variety of forms. In its broadest sense an incident can be anything from the loss, damage, theft or non-availability of information to the violation of internal policies. Furthermore, these risks can come from within or from outside the organisation, and they may be purely accidental or blatantly malicious. In reality approximately 80 per cent of reported incidents come from within the organisation and are mostly the result of ignorance or carelessness. Only a small percentage are malicious, and these tend to come from disgruntled employees, ex-employees or hackers. The major concern is that these malicious incidents tend to have a high cost in terms of lost revenue or company credibility – in some instances the share prices of companies have tumbled. The obvious conclusion is that information security must address internal threats and external threats equally.
Incidents originating from outside the organisation are generally:
- website defacement – this is where a page on the web server (typically the home page) is modified in order to announce to the world that the site has been hacked;
- denial of service (DOS) – this is where a hacker will cause a system or application to crash (often repeatedly); this results in loss of revenue and, potentially, loss of customers.
Incidents originating from inside the organisation are generally:
- web surfing of non-business-related sites, resulting in loss of productivity (ie revenue);
- service disruption resulting from unscheduled or untested changes to the environment;
- illegal activity such as downloading pornographic material (such as paedophilia);
- unwittingly introducing some form of virus into the environment, typically through email or file sharing;
- attempted access to systems or information by unauthorised persons (either accidental or malicious);
- leaving classified or sensitive information on screen, visible to unauthorised persons;
- leaving systems logged in, unattended and accessible to passing persons;
- wrongful disclosure of personal information (in contravention of the Data Protection Act 1988);
- accidental deletion of information.
The most serious incidents are rare but can prove very costly, whether they are internally or externally inspired. Internal staff are better positioned to exploit situations as they are typically ‘trusted’, with a good understanding of the systems, applications and architecture. An external hacker needs to be highly skilled, using a combination of analysis skills, code creation and even social engineering (the manipulation of people to obtain information). These rare types of incident include:
- theft of information – such as customer details. These would typically be sold to, or taken to, competing companies.
- theft of information – such as credit card details. Once extracted these can be sold to the criminal world for fraudulent purposes.
- theft of information – such as ideas, products or solutions (ie industrial espionage). This could provide a competitor with a competitive advantage.
- embezzlement – this requires the perpetrator to understand how an organisation’s business operates, specifically in terms of accounting and cash-flow, in order to divert funds (easier for internal staff).
People controls
When considering the controls to be used to address the security issue, we must consider where and how we can influence behaviour.
When considering the external threat, an organisation can exert very little influence over the behaviour of users entering its website, and as such it is dependent on utilising technology products or product configurations in order either to make the environment (internet access, servers and applications) robust, or to detect, alert on and potentially repel malicious activity.
When considering the internal threat, an organisation has far more influence over the behaviour of users utilising internal systems and information. Users must be made aware of what is acceptable behaviour and of the consequences of unacceptable behaviour. This can be achieved by utilising policies and training to educate users, by committing them through employment contracts and by engendering security awareness as part of day-to-day activity.
Another cause of internal security breaches arises from modifications to applications, systems or infrastructure made without adequate consideration for testing, back-up and back-out; these cause down-time and create the risk that security weaknesses are introduced into the internal infrastructure. This is adequately addressed within an effective change control process that takes account of the security impact of each change.
Reporting and recovering from a security breach
In any instance that a security breach occurs, the training and education process should ensure that staff recognise an event and are aware of the process for reporting the event (who has responsibility), and that those persons with responsibility know the process for handling the event. These policies and procedures would entail such elements as:
- procedures for handling staff who have contravened company security policies – such procedures should contain the ultimate threat of dismissal or prosecution;
- procedures for detecting security breaches (tools, logs etc);
- procedures for recovering from specific types of incident (rebuild of operating system, restore from back-up etc);
- communication procedures – keeping users, customers and trading parties informed of the incident, its impact and the progress of recovery;
- management procedures – identifying the forum to manage the incident process and to consider damage limitation in the communication process.
Contractual controls
Another element to consider is the potential threat (either accidental or malicious) from third parties with whom there is some formal relationship (such as trading partners or service providers); these may in some instances be considered as trusted; however, the threat still exists.
With a trading partner a sensible approach is to make them responsible for their own actions, in addition to providing protective controls. A contract may state that they must demonstrate that ‘reasonable and considered’ controls are taken relative to the form of communication, the sensitivity of the information and the potential threat. Contractual terms would then seek agreement on an interpretation of these controls and should also provide regular opportunities to have the controls demonstrated to the satisfaction of your organisation. At the point that the third party enters an organisation, controls should also be implemented.
With a service provider, a contract should not only consider those conditions that apply to a trading partner, but should also consider how loss of the service provided by them would impact the service offered to customers and trading partners. In this respect, the contract should agree service level commitments that can be effectively monitored and proven, and should agree compensation for failure to achieve the service levels.
Technology controls
Where technology controls are used, it is important that they are configured and maintained as effectively as possible. Some security controls will be inherent within the products being used, such as operating systems (account passwords, file permissions etc); others will require specialist security products such as perimeter controls (firewalls etc) and content controls (anti-virus or mobile code protection, intrusion detection systems (IDS) etc). There is little point in deploying such controls merely to achieve a ‘tick in the box’ in a ‘top-level-down’ exercise to implement security. Many organisations will be dependent upon utilising a specialist security company in order to ensure effective security through technology controls. This will often encompass multi-layer security (security in depth) that exploits and combines:
- tight access controls;
- strong authentication;
- protection of information in transit (encryption);
- hardened operating systems, services and applications;
- high availability;
- quality of service;
- performance.
Acts of God or terrorism
In the event that an incident occurs that is considered exceptional, such as flooding, lightning, vehicle crash, bomb explosion or significant loss of key staff (to a lottery win, for example), an organisation must have plans in place to minimise the impact to the business by restoring a level of service within a pre-determined time-frame and managing the communications process between staff, partners and customers (ie business continuity).
Insurance
When all reasonable measures have been taken, an organisation should also consider insurance. In the case of a significant security incident, insurance funds will limit the damage to the business by providing some element of (or all of) the revenue needed to recover the business to the point of normal operation. This form of insurance is often referred to as cyber-liability insurance. Some insurance companies specialise in such policies, but will often require some evidence that adequate controls have been implemented before a policy can be obtained.
Maintaining effective security
A management process for information security (policy-based controls) needs to encompass a mechanism for review. This mechanism should consist of an audit process to regularly review the business operations, the risks and the controls in order to ensure that the policy-based controls remain effective.
The technology controls also need to encompass a mechanism for review. This mechanism should consist of a regular audit of the complete technology infrastructure to review the technology operations, the risks and controls, and, importantly, to ensure that the technology controls remain effective. In addition, this review should encompass regular vulnerability and penetration testing.
In both cases the primary purpose is to refine the controls each time the review is performed, thus optimising the controls, or ensuring through experience that the controls are the most appropriate. The process also ensures that information security adapts with changes to the organisation and with changes in the way business is performed.
The standards-based approach
Any organisation that undertakes an exercise to implement ‘information security’ using the management approach to achieve consistent, extensive and comprehensive security will normally need to look for guidance. An organisation’s own ‘best efforts’ approach has obvious limitations; it is far better to utilise an approach based upon best practice that has some form of track record – the obvious choice being an existing standard that specifically addresses the requirement. Several such standards exist that address the requirements to varying degrees.
The BS 7799 and ISO 17799 standards
The ISO 17799 standard started life as the British Standard BS 7799 Part 1 Code of Practice for Information Security in 1995. The creation of the standard was instigated by the Department of Trade and Industry (DTI) within the United Kingdom under instruction from the British Government. The DTI charged the British Standards Institute (BSI) with producing the standard; it was formed with input from leading British and international companies based upon best practices. The code of practice (BS 7799 Part 1) provides guidance on what should be encompassed in, and the methodology for structuring, resources and processes to achieve information security. This was then accompanied by BS 7799 Part 2, this being a specification for an information security management system (ISMS).
In 2000 the BS 7799 Part 1 code of practice was submitted to the ISO committee for consideration as an international standard and was accepted and ratified later in 2000 as ISO 17799. The ISO 17799 standard has now superseded the BS 7799 Part 1 standard (which has been withdrawn). The BS 7799 Part 2 standard continues to apply and continues to provide a process for achieving certification.
The ISO 17799 standard defines information security as:
- confidentiality: ensuring that information is accessible only to those authorised to have access;
- integrity: safeguarding the accuracy and completeness of information and processing methods;
- availability: ensuring that authorised users have access to information and associated assets when required.
This top-level-down approach (management process) is more likely to succeed than many other approaches because it recognises the need for top-level commitment to ensure that the company has the desire and motivation to undertake such a project; and through top-level commitment come the resources and funding to achieve success. Without board-level buy-in, a successful implementation is very difficult to achieve.
The ISO 17799 standard focuses upon ten key areas:
- security policy – a board-level statement of commitment and approach to information security;
- security organisation – the structure of people, functions and responsibilities in relation to information security and the standard;
- asset classification and control – the identification of what should be protected and the importance placed on the various assets;
- personnel security – the vetting, contracts, acceptable behaviour and disciplinary procedures relating to employees, third parties and service providers;
- physical and environmental security – the physical locks, monitoring systems, access control systems, services and utilities required for the environment to be protected and to function;
- computer and network security – the infrastructure, third-party network and Internet controls, help desk and support services;
- system access controls – the password control, authentication, authorisation, system builds and privileges;
- systems development and maintenance – the code and version control, testing facilities and change control processes;
- business continuity planning – ensuring that a plan exists specifying what actions an organisation will take to recover business operation in the event of a major incident;
- compliance – this ensures that an organisation operates within the law in respect of applicable acts and laws, including copyright, piracy, data protection etc.
In very simple terms the ISO 17799 approach is to:
- determine the scope;
- create a ‘people environment’ to make the process work;
- identify what information needs to be protected, based upon some form of priority;
- determine the policies, procedures and technical controls that currently exist;
- perform an audit of the information and environment;
- determine if the existing policies, procedures and controls are suitable or require enhancement;
- perform a risk analysis;
- select controls;
- implement controls;
- perform periodic audits to refine, update or replace the controls.
One of the significant points about the ISO 17799 approach is that any existing policies, procedures or controls currently used by an organisation are retained wherever possible. These may need to be enhanced before they are adequate and suitable, but only if they are totally unsuitable are they disregarded.
Neither the ISO 17799 standard nor the BS 7799 Part 2 standard is intended to specify the technology products to be implemented, or to specify how technology controls should be configured or tested to obtain the most effective security possible. This is not a failing of the standard, but these limitations should be recognised. Organisations should NOT assume that, because controls have been implemented in accordance with the standard, the technology controls are effective.
Conclusion
This methodology is suitable for any organisation that aims to utilise a dual approach to the provision of information security that is extensive, consistent and effective – ie ‘security in depth and security in breadth’. The management element is based upon the ISO 17799 information security standard, and the technology element on the use of audit, installation, project and testing services to provide the effective technology controls. It is the process of integrating these two elements, such that the results of the technology services are reflected back within the ISO 17799 process, which creates a unique approach and an effective overall solution.
Integralis, the corporate solutions division of Articon-Integralis, provides information security solutions to all industry sectors throughout the world, allowing organisations to grow and achieve their business goals securely. These solutions combine services and system integration, the deployment of ‘best-of-breed’ security products and managed security services, and employ some of the leading technologists and most skilled engineers in the industry. Integralis is recognised as a leading and trusted provider of Information Security Solutions in the European IT and ecommerce security market.
For further information contact: Integralis Ltd, Theale House, Brunel Road, Theale, Reading, RG7 4AQ, UK. Tel: +44(0) 118 9306060; Fax: +44(0) 118 9302143; Email: info@integralis.co.uk; Website: www.integralis.co.uk