A Five-Step Plan to Help You Stay Ahead of Computer Security Attacks, Risks, and Threats, Part Two
Picking up where we left off, let’s move right into the fourth step.
Step No. 4: Dealing Effectively with Corporate Management
The false-alarm rate presented to business people has to be low for security warnings to be taken seriously. If a security shop warns erroneously more than twice a year, people tend to ignore the next warning. The experience and intuition of the security manager play a major role, along with knowing what is of interest to senior executives and what is not.
The University of Georgia's triage team always assesses the scope and severity of an incident before contacting higher-ups. M&T Bank ranks incident severity on a 1-to-4 scale, with Level 1 deemed the most critical. A Level 1 incident must involve at least one of the following: unauthorized disclosure, modification, destruction or deletion of sensitive information or data; disruption of business continuity and critical business processes or communication; an impact on the long-term public perception of the organization; or identity theft of an individual or group.
In response to a Level 1 incident, the manager of the resources involved is instructed to cease use of the resources until the bank's incident response coordinator makes contact and provides further instruction.
At New York Presbyterian Hospital, the priority of an incident rises as a particular segment of a network becomes sluggish, and then escalates up to the point where there is a complete disruption of service which has to be reported. At the health-care facility, any incident that could potentially affect patient care must be communicated upward as well. Incidents all get reported, but not at the level of individual viruses and not every day.
At Pitney Bowes, context counts. An attack involving one application may sound small, but if that application is a key enterprise system that impacts many people, it may become a need-to-know incident. Incidents judged not to rate the C-level executives' immediate attention are periodically summarized and presented to them in a group.
Some security professionals provide an incident summary to a board-level committee of senior executives every six months. The summary includes the number of incidents by category, including unauthorized access, disclosure, usage, or destruction; loss or theft of information or equipment containing information; service disruptions; and copyright or trademark infringements. Incidents are further classified by impact and severity.
To ensure reasonably smooth communication in a crisis, security groups need to open a channel of communication with management. Having an established foundation for dialogue is crucial to the security officer's effectiveness even in the normal course of business, and more so in an emergency, security experts say. Security experts tout a close relationship with the top brass as critical for maintaining a healthy security budget and a corporate culture that values security. There is tremendous turnover among chief information security officers with some former security officers insisting they won't take that assignment again. But some security officers have established solid executive-level ties.
Security managers, for their part, have been working to build closer links not just to executive management, but to all levels of an organization. Good communications and partnerships within the business are the biggest boons to a successful security strategy. Having liaisons working with a company's technology and software development team helps in maintaining contacts in key business units and subsidiaries. For example, a security group's outreach could be as simple as bouncing ideas for new security policies or technologies off business-unit representatives. The group may also provide assistance in implementing a security system.
Security carries a negative connotation, and corporate security groups at some companies have a "Big Brother" image. Some groups build consensus rather than dictate security directives because they want the business to see the security team not as a roadblock, but as a security-minded business partner.
The university environment, in particular, demands communication and consensus-building, because higher education is very slow to change. It is extremely difficult to turn that ship around if the people aboard don't want to be turned around. Some security professionals find it easier and more productive to foster and build relationships with students, faculty, and staff before trying to do so with department heads.
Step No. 5: Learning from Your Company Security Experience
The follow-up to a security incident typically involves a round of vulnerability assessment. Security groups check to make sure that the remediation efforts truly eradicated the problem and patched the afflicted systems. Different types of attacks call for different recovery procedures. An unauthorized access incident could involve the attacker gaining root access to a system. If that's the case, the recommended course of action is to change all of the passwords on the system, according to the National Institute of Standards and Technology's Computer Security Incident Handling Guide.
But organizations don't always follow all the steps toward comprehensively recovering and securing a system. Changing all users' passwords in a big organization is a tedious, time-consuming, and very intensive manual process. An intruder who gains root access may have obtained administrator-level access to the system.
Security teams usually conduct a post-incident scan with vulnerability assessment tools to ensure that necessary actions, such as applying required patches, have been taken. But security managers say they are continuously scanning anyway to uncover vulnerabilities or violations of security policy.
Vulnerability scans are used to check desktops, servers, and networking gear for compliance with the corporation's security policies. The resulting information is then used to improve security measures. Some corporations check for gaps in several key areas, including system security configuration settings, security patches, antivirus status, personal firewall status, and industry-known vulnerabilities.
Others have customized their security measures to help assess compliance with their acceptable-use policy. The result is an executive-level snapshot in time of whether end users are following policy. They may also bring in an outside analyst every few years to perform a vulnerability assessment.
The University of Georgia runs vulnerability scans and has vulnerability management applications installed on sensitive and critical servers. The vulnerability management applications check configurations or settings on servers and generate a report card, which covers areas such as operating system level and patch status, open vulnerable ports, and user accounts.
Some corporations do vulnerability assessment and scans on a regular basis. Scans at UPS are performed by a managed security services provider and may be scheduled on an on-demand basis as a follow-up to an event.
A vulnerability assessment is largely a technical exercise. Enterprises also convene post-incident meetings with representatives from different areas of an organization, which focus on process as much as technology.
Some security groups hold an "aftermath party" with their university's security advisory council, including the chief information officer and representatives from the legal, public affairs and HR departments, among others.
The meeting dissects the security team's response to the incident, assessing the effectiveness of processes and procedures. The follow-up meeting also serves as a springboard to spread the word about a given incident, with an eye toward avoiding it in the future.
Security experts point to education as the most important safeguard against future incidents. Some companies ensure their employees undergo security awareness training when they first join the company and annually thereafter. Managers are held accountable to make sure all who report to them have gone through the training.
Sometimes security training crops up in other guises. Security messaging and data protection messaging may be integrated into all of a company's leadership training, and a company may schedule a security awareness week each year. Training aims to prevent incidents, but an educated user can also contribute to early detection. Because users will know what not to do and when to call if they see something out of the ordinary, many serious incidents are prevented.
Education initiatives must be flexible, enabling security groups to take lessons learned from security incidents and fold them back into the training regimen. They must also study changes in attack types and methods and update the curriculum accordingly.
Some banks conduct quarterly threat assessments to close existing vulnerabilities and anticipate new exploits. They may review their security posture annually with a third party. Their new understanding of the threat environment is incorporated into training programs for technical people and awareness programs for the rest.
Keeping information-technology departments up to speed on security is another dimension of the security group's education initiative. Application developers, for example, need to incorporate the organization's latest security principles as they generate code.
Ongoing training efforts help keep security on the front burner, say security executives, who warn that the absence of major incidents tends to lead to complacency. Companies that are not successfully attacked get lax, and you have to reinvigorate them. Understanding the hazards, risks, and threats of doing business in a networked environment will help employees and companies become much more secure.
Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, your family, and your business are all at risk.
These cybercriminals leave you with three choices:
1. Do nothing and hope their attacks, risks, and threats don’t occur on your computer.
2. Do research and get training to protect yourself, your family, and your business.
3. Get professional help to lockdown your system from all their attacks, risks, and threats.
Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!
© MMVII, Etienne A. Gibbs, MSW, Internet Safety Advocate and Educator