and audit-ready approach to providing system and application access for workers and others who must share account passwords. They dramatically reduce the risk that enterprise systems will be compromised by the unauthorised use of privileged accounts. Not only does this close the security gaps associated with shared password management, but it also provides a cost-efficient way for organisations to comply with data protection and PCI DSS regulations that prohibit the sharing of accounts between users.
Adopting best practice
With the new generation of ESSO, eliminating passwords is no longer a pipe dream. Backed up by two-factor authentication to add extra layers of security, it allows organisations to adopt password best practice – that passwords be application-specific, frequently changed and complex. The password problem could soon be over.
About the author
Marc Boroditsky is the president, CEO and a co-founder of Passlogix. Over the past 15 years, he has led organisations that have developed enterprise computing and commercial software products in the financial services and healthcare markets. Prior to co-founding Passlogix, he was the president of Numera, where he directed the development of products dealing with the management of personal identification numbers, passwords and security codes for related telecommunications and financial service products. Prior to Numera, Boroditsky was a founder, president and CEO of Novus Technologies. Passlogix is the developer of the v-GO Access Accelerator Suite (www.passlogix.com).
Compliance today – and tomorrow
Rob Warmack, Tripwire
Most organisations still view compliance as an annual or quarterly ‘project’ – an exercise in performing the minimum requirements to pass the audit. The end goal of each project is to tick the box marked ‘compliance’ rather than to improve security and ensure the safeguarding of valuable corporate assets – including brand reputation. The result is a massive increase in pre-audit effort, with staff distracted from key business-facing initiatives to gather the right reports and respond to discovered deficiencies. Once the tick is achieved, staff slide back to their original tasks, and the company slides straight back out of compliance, until the next time. Even in just one week of business as usual, changes to the IT infrastructure, patching systems, or rolling out new applications can have direct and serious implications for an organisation’s security and compliance situation. Also, the business risk is significant, and growing, as both the threat of breaches and the sophistication of security attacks continue to escalate. According to figures from the September 2010 PandaLabs report, cyber-criminals are creating 57,000 malicious websites each week (see Figure 1), with many of these sites emulating famous brands.1 And a recent mid-year report catalogued 10 million new pieces of malware in the first half of 2010, making the first six months of 2010 the most active half-year ever for total malware production.
Network Security
Furthermore, this tick-box attitude is simply not sustainable in today’s fast-expanding regulatory landscape. More regulations are being imposed, while the frequency and rigour of audits continue to increase. Many companies are actually in a continual state of compliance response. Unfortunately, by taking a periodic approach to the audit of each regulation, they are not in a continuous state of compliance. The result is not only staff disruption and unnecessarily higher costs but a significant undermining of the security posture of an organisation. The 2010 Verizon Payment Card Industry Compliance Report recommends that companies treat compliance as a continuous process, not an event.2 As the report identifies: “The goal of any organisation should be to maintain its state of security in adherence with the minimum baseline compliance requirements set by the standard.”
Sustainable model
In reality, periodic assessments enable organisations to achieve compliance but little else. But there is a shift. The ISO/IEC 27000 series of information security standards (jointly published by the International Organisation for Standardisation and the International Electrotechnical Commission) advises that organisations continuously demonstrate high levels of adherence to established information security policy. Fortunately, this standard of security best practice has significant influence over other regulations – for example the EU’s Data Protection Directive, the Sarbanes-Oxley Act (SOX) and industry standards such as PCI DSS. The PCI Security Standards Council now believes that achieving and maintaining compliance with PCI DSS, together with continuous vigilance regarding security practices, is an ongoing process that must be systematically integrated into every organisation’s operational practices in order to serve as the best line of defence against the compromise of cardholder data. This is echoed by the Verizon 2010 report, which suggests that, “in the case of PCI DSS there are daily … weekly … quarterly … and annual requirements that an organisation must perform in order to maintain this continuous state called ‘compliant’.” However, this is not easy to achieve. Organisations have to manage the ever-expanding attack surface created by a complex and dynamic IT infrastructure that incorporates both physical and virtual environments, as well as in-house and outsourced services.
November 2010
Breach monitoring
Furthermore, while the regulations are in place specifically to protect sensitive data, the only way to effectively mitigate the risks to this data and assess whether it is sufficiently protected is by continuously monitoring the activity and behaviour of the actual systems that store and process the data. Are the firewalls, routers and servers properly configured? Are the right user permissions in place? Have recent changes opened new vulnerabilities? And while events and changes to these systems may be registered in the log management and file integrity monitoring systems, the volume of captured data is simply too great to analyse and make actionable using manual means. Indeed, according to the Verizon 2010 Data Breach report, 86% of the breaches examined had evidence of a breach in log files prior to data compromise. The result is that the average time between a breach and the detection of a breach is now 156 days, according to Help Net Security. Furthermore, the longer it takes to discover the breach, the longer it takes to recover from the damage, adding further to the cost.
What is required is a continuous approach to security – and hence compliance – that is supported by automating the detection of suspicious events and changes that may lead to data compromise and, when needed, the rapid response to these changes to bring the organisation back into a secure and compliant state. With this continuous approach, organisations can move away from the expensive, inefficient peaks of audit activity. A compliant state is attained and then sustained through the ability to proactively fix vulnerabilities caused, say, by a failed patch or a seemingly harmless administrative change, or to quickly react and defend systems from a live attack. This use of intelligent monitoring is key to protecting data and improving security, while automatically supporting compliance with both internal policy and regulatory mandates.
Figure 1: Escalating threats: the business sectors targeted by fake websites. Source: PandaLabs.
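The continuous change detection the section describes, as an added example that is not Tripwire's code and not part of the original article: a minimal file-integrity baseline and re-scan in Python that reports content and permission drift. The directory tree, file names and the four "administrative changes" in demo() are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def _fingerprint(path: Path) -> dict:
    """SHA-256 of the content plus the permission bits; either changing is drift."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(), "mode": oct(mode)}

def take_baseline(root: str) -> dict:
    """Snapshot every regular file under root, keyed by POSIX-style relative path."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): _fingerprint(p)
            for p in root_path.rglob("*") if p.is_file() and not p.is_symlink()}

def detect_changes(baseline: dict, root: str) -> list:
    """Re-scan root and return (event, path, detail) tuples for every deviation."""
    current = take_baseline(root)
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append(("added", rel, new["sha256"]))
        elif new is None:
            events.append(("removed", rel, old["sha256"]))
        else:
            if old["sha256"] != new["sha256"]:
                events.append(("content_changed", rel, new["sha256"]))
            if old["mode"] != new["mode"]:
                events.append(("mode_changed", rel, old["mode"] + "->" + new["mode"]))
    return events

def demo() -> list:
    """Constructed scenario: baseline a small tree, then apply changes a quarterly audit would miss."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "etc").mkdir()
        (r / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (r / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (r / "app.ini").write_text("debug=false\n")
        os.chmod(r / "app.ini", 0o600)
        baseline = take_baseline(root)
        (r / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # failed hardening change
        os.chmod(r / "app.ini", 0o666)                                    # now world-writable
        (r / "etc" / "hosts").unlink()                                    # file removed
        (r / "etc" / "rc.local").write_text("# new startup script\n")     # unexpected addition
        return detect_changes(baseline, root)
```

Run the re-scan on a schedule (or from a file-change notifier) and route the events to the log-management pipeline so the deviation is actioned when it happens, not at the next audit.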
Figure 2: The percentage of organisations that fully met various PCI DSS requirements at Initial Report on Compliance (IROC). Source: Verizon.
Conclusion
Obviously regulations are having an impact on security strategy. But regulations are, at best, a security baseline. Organisations should be far more focused on the implications of security to the business as a whole. The goal, therefore, should not be merely to achieve compliance, but to create a culture of continuous security. It is by adopting the latter model that compliance will be achieved more easily and with less cost, and organisations can raise security from the base of regulatory compliance to a standard that truly reflects today’s level of corporate threat.
About the author
Rob Warmack is the senior director of international marketing at Tripwire. During his six-year tenure with the company he has pioneered Tripwire’s customer advocacy programmes, brought the company’s flagship product, Tripwire Enterprise, to market, and has held overall responsibility for corporate marketing, product management and marketing communications. He has over 25 years of experience in the high technology and enterprise software industries. Tripwire is a global provider of IT security and compliance automation solutions.
References
1. ‘Every week, hackers are creating 57,000 new fake Web addresses to trick or infect users’. Panda Security, 6 September 2010. Accessed Oct 2010.
2. ‘Verizon 2010 Payment Card Industry Compliance Report’. Verizon.
Preventing data loss by securing USB ports
Nick Cavalancia, ScriptLogic
As business professionals, we are experiencing unprecedented industry turbulence. In recent times we’ve seen world financial markets plummet and leading banks throughout the world collapse. Small businesses struggle to get credit to foster growth, and business budgets for additional resources are shrinking. As businesses buckle, employees at all levels face the fear of job cuts, and this is encouraging the growth of another threat – data theft. Though employees are just the victims of the global financial crisis that dominates our daily discussion, employers must anticipate a backlash and understand that, more than ever before, it is easy for an unhappy, dismissed employee to walk away from a company with large volumes of confidential data in his pocket.
UK businesses are required by law to protect all data under the Data Protection Act, which means no business executive can afford to ignore this threat – the fines could drown a business altogether. The repercussions of a confidential data breach extend beyond fines, however. A data breach can affect a business’ customer loyalty, reputation and competitive advantage. It is the responsibility of company executives and their IT departments to ensure that company data – whether it is customer information, bank account numbers, patient medical records or internal account information – remains within the company. To do this, executives should understand how data breaches occur and support IT administrators in their efforts to lock down networks.
Common devices become security risks
IT administrators and business executives need to be more proactive and preventative in their approach to data theft. With the ever-improving advances in storage technology, business professionals can easily use personal storage devices such as USB memory sticks, iPods, digital cameras and smartphones to remove or copy sensitive information, either with malicious intent or for personal gain. There are multiple outlets for data on the modern PC, including USB and Firewire ports, CD and DVD recorders and even built-in storage media slots. The USB port can be used in many ways for extracting data at high speed, including removable hard drives and media players, and is one of the most common ways for sensitive data to leave a company. In recent months, two newer methods for removing corporate information have surfaced – podslurping and bluesnarfing. With podslurping, employees download a large amount of data from the corporate network onto their iPod or MP3 devices and leave the company, taking that information with them. To add to the headache, many third parties have created malicious podslurping software, which allows employees to search for