Before permitting BYOD review these facts and tips on mobile device security.
Uncover the top 7 causes of organizational data breaches in this infographic. Forward to your staff and get a handle on unintentional data loss.
Do you have a dedicated Chief Information Security Officer? If not, the cost of implementing security may be up to 62% higher according to the Veracode Infographic that discusses securing web applications. A CISO can help focus on the top 10 application security risks that are detailed in the infographic.
Interesting infographic but I think they saved the best for last. 92% of breaches were preventable. A great stat that I wish more businesses would embrace. Our motto at Savid is “If you can’t prevent it, you must detect it” and we developed that from years of seeing businesses ignore preventable security issues and found that if we at least forced them to detect it the likelihood they would move to a prevention control was higher. Most of the conversations involved “Well if we do that we might as well do X”.
As many predicted, the move to virtualization is gradually being adopted by more and more organizations. And why not? It saves space, uses less electricity, and ultimately saves a company money on its IT infrastructure. What could possibly go wrong?
As it turns out, there are an alarming number of insecure virtual servers out there. A Gartner study from a few years ago suggested that the percentage of insecure virtual servers was greater than that of physical servers (although that percentage has gone down in recent years and I’d say they are about 50/50 now).
Why Are We Ignoring Virtualization Security?
The reason for insecure virtual servers has nothing to do with the inherent concept of virtualization, but rather with how operations teams are naively implementing virtualization.
The aforementioned Gartner survey said that 40 percent of virtualization deployment projects did not involve the information security team in the initial architecture and planning stages. This is because operations teams feel like nothing is really changing: the same workload is just moving from a physical server to a virtual one. Or sometimes people think that virtualization is just somehow inherently secure.
Meet the Hypervisor, Your Target for Cyber Attacks
But this assumption ignores the new layer of software, in the form of the hypervisor and the virtual machine monitor (VMM), that presents new security issues that must be considered. The hypervisor and VMM are introduced into the security picture when workloads are virtualized, and this changes the basic operation of the server, opening up new vulnerabilities.
The hypervisor has privileged access to the system, making it a juicy target for cyber-attacks. If someone can take control of just the hypervisor, they have control of just about everything. This is something that many virtualization deployments are still not paying attention to. Access to the hypervisor must be tightly controlled.
How Can You Make Sure Your Virtual Servers Are Secure?
To correct this common oversight, an organization’s security team needs to be included in the discussion of virtualizing workloads from the very beginning. They need to realize that virtualized systems are not inherently secure and that these systems require the same type of monitoring as physical systems. Finally, administrative access to the hypervisor must be tightly controlled and monitored.
You may not know this but right now a war is being waged between your end users and your IT department. One side wants to do their jobs more effectively in the way they know how, and the other side wants to keep the company secure.
It’s an internal combative relationship found within most organizations. Users attempt to sneak in instant messaging software, use BitTorrent and P2P file sharing, access company data with their unauthorized mobile devices, and store data on USB flash drives.
Why are end users trying to destroy your IT security? Well, despite what it may seem to the security engineers who have to corral end users into the IT safe zone at all times, the end users are just trying to do their job in the easiest and most efficient way they know how. That doesn’t sound so bad does it?
Ease of Use Trumps Security for End Users
Instant messaging, typically a big no-no for IT security, is a fast and convenient way of exchanging information – information necessary for end users to do their jobs. USB Flash drives are another quick and easy way to move information from one location to another. And smart phones allow end users to access vital data while on the go.
The point is that end users break security policy because they want to do their jobs better and not for any heinous reason. And instead of spending all our energy fighting against this and keeping them in line, we should be working with them to accommodate their needs.
In a way, it’s our fault that these end users are violating security policy, because we haven’t given them the tools, or shown them how, to work as effectively within security guidelines. Instead, we are giving them strict rules that they inevitably circumvent, creating more security problems than we are solving.
Ending the War and Finding Common Ground
Consumers are going to continue to bring in outside hardware and software if they are more comfortable using it. IT security can’t fight this forever. What we can do is use this as an opportunity to learn what the needs of the end users are and then find new, secure solutions that meet these needs.
Working with end users as opposed to against them also allows the IT department to be more aware of what’s going on. And end users will be more inclined to follow IT policy if they feel the department is working to help them achieve their ends. But the more quarrelsome the relationship between end users and IT becomes, the more end users will fight against policy and subvert it – to the detriment of the entire organization.
Unless you are an extraterrestrial, you probably don’t want planet Earth to be reduced to an inhospitable wasteland. And you’ve probably heard that “going green” can greatly reduce the negative impact your business has on the environment. But times are tough. If your business is struggling to just stay afloat during a recession, how can you be expected to worry about the whole planet too?
There’s good news. Saving money and going green do not have to be mutually exclusive. Some green IT solutions actually help save you money while saving the earth at the same time.
Start with the easy stuff. Turning off PCs and monitors after business hours can save 40 percent on your electricity bill. That’s an obvious one. But did you also know you can set timer switches on your printers to automatically turn off when they aren’t in use? That’s less drain on the planet’s resources, and more money in your pocket.
If you drop your desktop printer altogether and switch to a multi-function device, you can have fewer electronic devices running in the office. If the printer is duplex, now you’re saving on paper too.
Data centers are a big area where green IT can create an impact. Server consolidation through virtualization can save on the cost to buy, maintain, administrate, and power multiple servers. At the same time, you’re using less energy and fewer physical resources to accomplish the same thing.
Salesforce.com had a study showing that cloud computing was 95 percent more carbon efficient when processing data than on-premises systems. This is because the cloud does not require the same hardware and resources as physical servers. Cloud computing saves money too, of course, with some estimates as high as 50 percent on hardware and 90 percent on management. In fact, a report by the Carbon Disclosure Project estimates that cloud computing may save businesses $12.3 billion annually by the year 2020.
An unnecessary hardware upgrade is also a wasteful and expensive practice. Instead of buying new hardware each year, you should question the business case of the upgrades. Avoidable hardware refreshes not only cost you more, but they waste time in staff retraining and other overheads involved.
If you do need new hardware, there are many affordable, energy efficient devices that will lower your overall consumption of electricity. As green initiatives increase in momentum, new energy-saving technologies are emerging every day.
I’ve noticed that there is often a communication breakdown when a security expert talks to upper management regarding exactly what is “risk.” While we may define risk as the probability of a threat overcoming security controls to exploit a vulnerability resulting in loss, the confusion lies in these assumed “security controls.” What security controls, if any, are we factoring in before gauging risk? For this reason, we need to clarify the difference between inherent risk and residual risk.
Inherent Risk – We can define inherent risks as the risk to a company in the absence of any security controls or actions that might be taken to alter, mitigate, or reduce either the likelihood or impact of a data loss. In other words, the inherent risk of a system is the risk that the system poses “out of the box,” before any processes, technologies, or people are put in place.
Residual Risk – The probability of loss that remains to systems that store, process, or transmit information after security measures or controls have been implemented. Implemented controls may include best practice control frameworks such as ISO 27002, and regulatory compliance requirements such as HIPAA or PCI.
Risk management is something that every one of us does every waking minute. Not a second goes by that we do not evaluate risk and make a decision based on our assessment. It becomes so automatic, that we are not entirely aware we are doing it.
A great example I like to use to illustrate the difference between inherent risk and residual risk is walking across the street. If you cross the street, there are a nearly infinite number of inherent risks. One of the inherent risks with a high probability and large impact would be getting hit by a car. So to mitigate this risk we implement the control of “looking left and right to check for oncoming traffic before crossing.” But this will not eliminate every possible risk and residual risks remain. For example, you could still be hit by a meteor because you did not look up.
Despite the devastating impact of such an event, we don’t look up for meteors when crossing the street because of the low probability of one hitting us. As security experts, our job is to determine when the cost of reducing risk is more than the cost of having the risk occur.
The purpose of defining inherent risk is so we can assess the residual risk and arrive at the optimal cost point:
Inherent Risk = Threats x Vulnerability
Residual Risk = Inherent Risk x Control Risk
The goal in the end is to link risk to budget.
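As an added worked example (not code from the original post), the following Python turns the two formulas and the street-crossing analogy into a small risk register and links each control to budget. The frequencies, probabilities, impacts and control costs are constructed numbers, and expressing risk as expected annual loss is an assumption the post does not spell out.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One row of a risk register. All figures are constructed for illustration."""
    name: str
    threat_freq: float   # expected attempts per year with no controls in place
    vuln_prob: float     # probability an attempt succeeds with no controls in place
    impact: float        # loss per successful attempt, in currency units
    control_cost: float  # annual cost of the proposed control
    control_risk: float  # fraction of inherent risk that survives the control (0..1)


def inherent_risk(s: Scenario) -> float:
    # Inherent Risk = Threats x Vulnerability, expressed as expected annual loss
    return s.threat_freq * s.vuln_prob * s.impact


def residual_risk(s: Scenario) -> float:
    # Residual Risk = Inherent Risk x Control Risk
    return inherent_risk(s) * s.control_risk


def control_decision(s: Scenario) -> tuple[float, bool]:
    """Return (annual loss removed, worth implementing).

    The control earns its budget only when the loss it removes exceeds its
    annual cost; otherwise the residual risk is cheaper to accept."""
    removed = inherent_risk(s) - residual_risk(s)
    return removed, removed > s.control_cost


# Constructed scenarios: the post's street-crossing analogy plus one IT case.
SCENARIOS = [
    Scenario("car: look both ways", 200, 0.01, 1_000_000, control_cost=0, control_risk=0.05),
    Scenario("meteor: look up", 1e-9, 1.0, 1_000_000, control_cost=10, control_risk=0.5),
    Scenario("phishing: deploy MFA", 50, 0.10, 40_000, control_cost=30_000, control_risk=0.2),
]


def risk_register(scenarios=SCENARIOS) -> dict:
    """Map each scenario name to its inherent, residual and budget figures."""
    register = {}
    for s in scenarios:
        removed, worthwhile = control_decision(s)
        register[s.name] = {"inherent": inherent_risk(s), "residual": residual_risk(s),
                            "removed": removed, "control_cost": s.control_cost,
                            "implement": worthwhile}
    return register


if __name__ == "__main__":
    for name, row in risk_register().items():
        print(f"{name:22s} inherent={row['inherent']:>14,.3f} residual={row['residual']:>12,.3f} "
              f"removed={row['removed']:>14,.3f} cost={row['control_cost']:>9,.0f} implement={row['implement']}")
```

Running the block prints the register: looking both ways and deploying MFA remove far more annual loss than they cost, while the meteor control fails the budget test because the inherent risk is already negligible.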
ISO 27001 implementation and certification is a difficult sell for security analysts. When it comes to convincing upper management to take steps towards any information security goal, we have to keep in mind that they think in terms of investment versus benefit, or ROI.
This means that we have to clearly understand the benefits of ISO 27001 certification in order to make it palatable to decision-makers. There are several approaches to take here:
Compliance Readiness – ISO 27001 makes sense for organizations where information security compliance is already mandated by client, regulatory, or legal requirements. For financial, health, or government organizations that must comply with various regulations regarding data protection, privacy, and IT governance anyway, ISO 27001 can provide a methodology that maps onto specific compliance regulations like SOX or HIPAA. In the language of upper management, “ISO 27001 implementation saves money on conforming to mandatory compliance regulations.”
Customer Confidence – The key objective of ISO 27001 is to ensure that confidentiality, integrity, and availability are assured for critical data assets. This can actually be a strong selling point and differentiator for organizations where not all competitors can boast such claims. ISO 27001 can give your organization a marketing edge to capitalize on, especially if your organization handles sensitive customer information.
Better Performance – While security is typically about the doom and gloom of loss prevention, we have to remind ourselves that better performance can be a welcome side effect of security measures such as ISO 27001 implementation. Fewer interruptions in service, less data leakage, and happier employees increase productivity and efficiency – and this means more money for the organization.
More Organization – By establishing a formal information security framework for implementing security controls and objectives, your organization will have practices in place that it can rely on as it grows in size and scope. Rather than scrambling to determine who has to decide what, who is responsible for certain information assets, or who has to authorize access to information systems, these roles are already defined by your ISO 27001 implementation. Your internal organization is strengthened because the standard forces you to define very precisely the responsibilities and duties regarding your security practices.