Showing posts with label ChFI. Show all posts

Thursday, May 17, 2012

Part II – Security Policy, SMB - Security Is At The Forefront



For many SMBs a good security policy is the basis of a strong network defense.  For those that have not designed and implemented one, security problems are lying in wait.

A security policy is the backbone and foundation of information security.  Yet some SMBs have ignored security or not kept up with current concerns, and a weak or missing policy can open the door to a severe breach, which for an SMB may prove fatal.

In Part II of my series for SMBs, I am going to look at what makes a good security policy.

1.  Executive Management Buy In

All security policies should begin with an executive management summary that states the purpose and direction of the policy and carries management's approval.  This tells IT and employees alike that security is supported in all aspects of the business.  Support for security has to come from the top down: when initiatives are backed at this level, employees know that security is not only implemented but supported at every level.

2.  Policies

A security policy is actually a collection of different policies brought together under one document.  Each is written for an area that needs to be secured, such as identification, authentication, authorization and auditing.  Typical examples are a user access policy, password policy, VPN policy, remote access policy, wireless policy and acceptable use policy.  Each addresses the guidelines, standards and procedures that apply when that technology is implemented.

3.  Standards

Each policy carries standards for how the technology is to be implemented.  Standards matter because they give us a metric to measure against.  For example, if the password policy sets a minimum length of 8 characters, then whenever a password is set we have a value against which to check whether the standard has been met.
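As an added example (not code from the original post), here is what it looks like to turn a standard into something measurable: a small Python checker that reads the two places a Linux host keeps its password settings and reports where the host falls short of the written standard. The file contents are constructed samples, the 8-character minimum is the one used above, and the 90-day maximum age is an assumed second standard added for the demonstration.

```python
"""Measure a host's password settings against the written standard.

Added example, not code from the original post.  The file contents below
are constructed samples, not taken from a real host.
"""

# The standard from the policy: the metric we measure against.
# (8 characters is the value used in the post; 90 days is an assumed addition.)
STANDARD = {
    "min_length": 8,   # minimum password length in characters
    "max_days": 90,    # maximum password age in days
}

# Constructed sample of /etc/login.defs (whitespace-separated KEY VALUE lines).
LOGIN_DEFS = """
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
"""

# Constructed sample of /etc/security/pwquality.conf (key = value lines).
PWQUALITY_CONF = """
# /etc/security/pwquality.conf (constructed sample)
# minlen = 8
minlen = 12
dcredit = -1
"""


def parse_login_defs(text):
    """Return {KEY: value} for 'KEY value' lines, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def parse_pwquality(text):
    """Return {key: value} for 'key = value' lines, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
    return settings


def effective_settings(login_defs, pwquality):
    """Reduce the two files to the values the host actually enforces.

    Assumption built into this checker: when pam_pwquality is configured,
    its 'minlen' governs password length and PASS_MIN_LEN in login.defs is
    only consulted when no pwquality minlen is set.
    """
    ld = parse_login_defs(login_defs)
    pq = parse_pwquality(pwquality)
    if "minlen" in pq:
        min_length = int(pq["minlen"])
    else:
        min_length = int(ld.get("PASS_MIN_LEN", 0))
    max_days = int(ld.get("PASS_MAX_DAYS", 99999))
    return {"min_length": min_length, "max_days": max_days}


def check_against_standard(observed, standard=STANDARD):
    """Return a list of findings; an empty list means the standard is met."""
    findings = []
    if observed["min_length"] < standard["min_length"]:
        findings.append(
            f"minimum length {observed['min_length']} is below standard "
            f"{standard['min_length']}"
        )
    if observed["max_days"] > standard["max_days"]:
        findings.append(
            f"maximum age {observed['max_days']} days exceeds standard "
            f"{standard['max_days']}"
        )
    return findings


if __name__ == "__main__":
    observed = effective_settings(LOGIN_DEFS, PWQUALITY_CONF)
    for finding in check_against_standard(observed) or ["all settings meet the standard"]:
        print(finding)
```

The point of reading both files is the caveat a practitioner runs into: on this sample the login.defs value (5) would fail the 8-character standard, but with pam_pwquality in use the enforced minimum is 12, so a checker that only reads login.defs would report the wrong result. The password age, on the other hand, is still taken from login.defs and is the one finding the sample produces.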

4.  Guidelines

As mentioned earlier, each policy may also have a set of guidelines.  Guidelines are useful where the right value differs from one area to another: instead of a single fixed standard that would not fit every case, a guideline gives a range of acceptable choices.  An example would be the hardware purchased for laptops.  No one laptop fits every need, so guidelines are put in place to ensure that secure hardware is purchased.

5.  Procedures

These are the details that accompany every policy and explain the how, who, what and when of implementing the technology.  An example would be the step-by-step instructions for how a Cisco wireless thin client is installed and managed.

6.  Acceptable Use Policy

This is the part of the security policy that tells everyone how company assets and resources may be used, inside and outside the company.  The acceptable use policy contains guidelines, procedures and standards covering everything from how a company laptop may be used to where employees may go on the internet.  Companies must keep it up to date and make employees aware of changes.

If you would like more information on creating a security policy, and templates for the different types of policies, try SANS: Information Security Policy Templates

Next month, in Part 3, I will discuss how SMBs can implement and improve security awareness.

Thank you, and if you have any questions during the series, please feel free to email me at wpruett@centriq.com



Tom Pruett
Consultant/Instructor




Tuesday, February 14, 2012

The Need For Forensics - Finding The Why and The How In Security


Computer forensics has been around as long as computer crime.  People have stolen money and information and disabled businesses, all while thinking they are the smarter criminal because they used an electronic device.  So what happens when law enforcement is notified of a cyber crime, or IT security is notified of a security breach?  The crime or breach is investigated through a computer forensic process.  Law enforcement officers and IT security staff trained as computer forensic specialists try to find out not only why a crime or breach was committed but also how it was done.

Forensics is an essential part of a good incident response plan.  Once a crime or breach is detected, preserving and examining the evidence is one of the first action items in the IRP, and it is also among the most crucial.  In the last 10 years computer forensics has come a long way.  New tools and techniques have been developed to help not only law enforcement but also security professionals in the private sector.  Computer forensics is more than troubleshooting or break-and-fix skills.  It's about using that knowledge in a methodical way to form a hypothesis about an event and test it against the evidence.  Maybe it's finding out how someone obtained a password for files they were not authorized to see, or how they developed a script to change a time sheet remotely.  Regardless of the event, there is always a need for a computer forensic professional.


There are two main areas of forensics we deal with in IT security: the network and the host.  Each has its own methodologies and tools for dissecting the why and the how, and each calls for its own expertise and knowledge.  To understand how a security event happened, you first have to understand how the network or host is supposed to work.  This is where training and experience play a crucial role in becoming a computer forensic investigator.


For over 7 years I have taught EC-Council's Certified Hacking Forensic Investigator (ChFI) course.  In March of 2012 EC-Council will be bringing out version 8 of ChFI.  This course will bring a fresh perspective for those interested in getting into computer forensics.  The course will have plenty of hands-on learning as well as an introduction to a wealth of forensic tools.  The major premise behind using the tools in the labs is to get a base understanding of the forensic process, which includes:
  1. Search and seizure
  2. Securing the crime scene
  3. Documenting the chain of custody
  4. Acquiring electronic evidence and transporting it securely
  5. Examining and analyzing forensic images using sound methodology
  6. Designing a review strategy for the e-evidence, then interpreting it and drawing inferences based on the facts gathered
  7. Preparing a report on the analysis and findings
  8. Serving as an expert witness
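Steps 3 and 4 above are the ones that decide whether anything found later will stand up: an image that cannot be shown to match the seized device, or a hand-over nobody recorded, undermines every inference drawn from it. The following is an added example, not material from the ChFI course or the original post, of the minimum record an examiner keeps for one item: hash the source, hash the copy, refuse the copy if they differ, then append every hand-over to a custody log that is never rewritten. The "device" is a constructed byte string, and the case, item and examiner names are made up for the demonstration.

```python
"""Hash-verified evidence acquisition with a chain-of-custody record.

Added example, not from the ChFI course or the original post.  The 'device'
below is a constructed byte string standing in for a real disk; case, item
and examiner names are invented for the demonstration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class EvidenceRecord:
    """What is written on the evidence form at the moment of seizure."""
    case_id: str
    item_id: str
    description: str
    size: int
    md5: str
    sha256: str
    custody: list = field(default_factory=list)  # (who, action, utc timestamp)

    def log(self, who, action):
        """Append-only: hand-overs are added, never edited or removed."""
        self.custody.append((who, action, datetime.now(timezone.utc).isoformat()))


def hash_bytes(data):
    """Return (md5, sha256) hex digests.  Two algorithms are recorded so a
    collision against one of them does not let a modified image verify."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def acquire(source, case_id, item_id, description, examiner):
    """Take a bit-for-bit copy of *source* (stands in for dd/dcfldd output),
    hash source and copy, and accept the copy only if both hashes match."""
    image = bytes(source)
    src_digests = hash_bytes(source)
    img_digests = hash_bytes(image)
    if src_digests != img_digests:
        raise RuntimeError("acquisition failed: image does not match source")
    record = EvidenceRecord(case_id, item_id, description, len(image),
                            img_digests[0], img_digests[1])
    record.log(examiner, "acquired and hashed")
    return record, image


def verify(record, image):
    """True only if the image still hashes to what was recorded at seizure."""
    return hash_bytes(image) == (record.md5, record.sha256)


def transfer(record, from_who, to_who):
    """Record a hand-over from both sides so the custody chain has no gap."""
    record.log(from_who, f"released to {to_who}")
    record.log(to_who, f"received from {from_who}")


# Constructed 4 KiB 'device' used as sample input.
SAMPLE_DEVICE = bytes(range(256)) * 16


if __name__ == "__main__":
    rec, img = acquire(SAMPLE_DEVICE, "CASE-0042", "HDD-01",
                       "laptop disk (sample)", "examiner A")
    transfer(rec, "examiner A", "evidence locker")
    print("image verifies:", verify(rec, img))
    tampered = bytearray(img)
    tampered[100] ^= 0x01          # flip one bit in the working copy
    print("after tamper:", verify(rec, bytes(tampered)))
    for who, action, when in rec.custody:
        print(when, who, action)
```

Run the verification again every time the image changes hands or is loaded into a new tool; a single flipped bit, as the tamper check at the end shows, is enough to break the match, which is exactly why the digests have to be recorded before anyone starts working on the copy.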
So if you would like to know more about computer forensics and put those break-and-fix skills to use finding out the how and the why, make sure you sign up at Centriq Training for ChFI.

Hope to see you there.

- Tom Pruett, Cisco & Security Expert; MCT, CTT+, CISSP, CWNA, CEH, CHFI, CCSI, CCNA, MCSE


Tuesday, January 3, 2012

Where is Security Headed in 2012?


2011 was a very difficult year for IT security.  It seems as though everyone is now taking security seriously and trying to make up for lost time.  Hackers have definitely gained the advantage, and those in security are slowly losing ground.  The reasons are many: some are business, some are technology, and some come down to the fact that a lot of companies are only now looking at security.  There is plenty of blame to go around; hackers may be winning the battle now, but they are far from winning the war.  None of this was more real to me than after attending Hacker Halted 2011.

After being exposed to so many new attack methodologies and threats in this cyber war, I came to the opinion that it is still realistic that we can combat these new threats.  The feeling among those on the front line, in the trenches of IT security, is still upbeat and hopeful.  Most believe it will take a concerted effort by everyone to gain the upper hand, because this is not a war that is won or lost but one fought to gain or maintain the upper hand.
 
So what are the challenges for 2012?  This time of year everyone puts out a list of what to look for in the coming year.  I thought I would offer a few thoughts on what I think the main challenges are for 2012.  Some are challenges we have had for a few years and some are new.
 
1.    Mobile technology threats
Smart phones make up around 30% of the phone market.  Users rely on them for everything from the latest sports news to paying bills.  Putting a portable device that is almost a full computer in every user's pocket more than doubles the vulnerabilities exposed on a network.  That number will keep growing over the year, because smart phones are just about all that is being introduced to the market, and the tablet market is growing by leaps and bounds.  The portability and complexity of phones and tablets create new challenges for securing data.  This is the new frontier for hacking victims.
 
2.    Small businesses (SMBs) will enter the crosshairs of cyber attacks
SMBs are the new big victims of hackers.  These businesses are the last to really start understanding security and its impact.  They can no longer focus only on revenue: what happens when there is no way of making revenue because of a security breach?  SMBs are the most susceptible to a cyber-attack because of their lack of attention to security.  Although SMBs are behind, they will be catching up in the coming year.
 
3.    Social media will increase in popularity as a conduit for social engineering attacks
Social media will continue to grow as the most effective channel for social engineering attacks.  It is being adopted fast by small and large businesses alike, and companies can expect to see more social media profiles used for social engineering tactics.  Hackers will use clever tricks to get end users to disclose sensitive and private information and to download malware.  Facebook, with its 850 million users, is a prime target for data breaches.
 
4.    Companies will continue to overlook key vulnerabilities, hoping and waiting for government compliance to drive security.
Government regulations remain the yardstick by which most companies judge and conduct security.  Treating a regulation's checklist as the security program is dangerous, because a number of security regulations overlook basic IT security controls.  Sure, these regulations address the need for encryption or the development of an incident response plan, but few require the full range of best-practice controls, such as up-to-date anti-virus software.  More breaches occur as a result of these security gaps.
 
5.    Cloud computing services: a storm is coming.
As cloud services continue to gain in popularity, related security breaches will flourish too.  Companies are smartly embracing the cloud for the cost savings and ease of use.  These types of services have been around for years, but it is only in the last couple of years, thanks to increased and stable bandwidth, that companies have started looking at them seriously.  Unfortunately, current reports indicate that companies are underestimating the importance of security due diligence when using cloud providers.

These are only a few of the security challenges we face in the coming year.  2012 will see more vulnerabilities, threats and exploits than any year before it.

- Tom Pruett, Cisco & Security Expert; MCT, CTT+, CISSP, CWNA, CEH, CHFI, CCSI, CCNA, MCSE
