Security: Train for security

It’s not enough to have the latest anti-virus software or firewall. To ensure a secure infrastructure, you must also focus on educating your staff.

John Vacca

Adapted from “Computer and Information Security Handbook” (Elsevier Science & Technology books)

Just as having a robust, secure environment is a dynamic process, creating a highly skilled staff of security professionals is also dynamic. It’s important to keep in mind that even though an organization’s technical infrastructure might not change that frequently, new vulnerabilities are discovered and new attacks are launched on a daily basis.

Very few organizations have a stagnant infrastructure. Employees are constantly requesting new software. And more technologies are added in an effort to improve efficiencies. Each new addition likely adds additional security vulnerabilities.

It’s important for the IT staff to be prepared to identify and respond to new threats and vulnerabilities. Those interested in gaining a deep security understanding should start with a vendor-neutral program. A vendor-neutral program focuses on concepts rather than specific products.

The SANS Institute offers two introductory programs: Intro to Information Security, a five-day class designed for people just starting out in the security field, and the SANS Security Essentials Bootcamp, a six-day class designed for people with some security experience. Each class is also available as a self-study program, and each can be used to prepare for a specific certification.

Another option is to start with a program that follows the CompTIA Security+ certification requirements, such as the Global Knowledge Essentials of Information Security. Once you have a good fundamental background in security, you should then undergo vendor-specific training to apply the concepts learned to the specific applications and security devices utilized in your work environment.

A great resource for keeping up with current trends in security is to become actively involved in a security-related trade organization. The key concept here is actively involved. Many professionals join organizations so that they can add an item to the “professional affiliations” section of their resume.

Being “actively involved” means attending regular meetings, serving on a committee or in an executive position. Although this seems like a daunting time commitment, the benefit is a professional network of resources available to provide insight, serve as a sounding board or provide assistance when a problem arises. Participating in these associations is a cost-effective way to get up to speed with current security trends and issues.

These organizations can prove helpful:

  • ASIS International: This is the largest security-related organization in the world. It focuses primarily on physical security, but has recently started addressing computer security as well.
  • ISACA: Formerly the Information Systems Audit and Control Association.
  • High Technology Crime Investigation Association (HTCIA)
  • Information Systems Security Association (ISSA)
  • InfraGard: This is a joint public and private organization sponsored by the Federal Bureau of Investigation (FBI).

In addition to monthly meetings, many local chapters of these organizations sponsor regional conferences that are usually reasonably priced and attract nationally recognized experts.

Consider certification

Arguably one of the best ways to determine whether an employee has a strong grasp of information security concepts is if she can achieve the Certified Information Systems Security Professional (CISSP) certification. Candidates for this certification are tested on their understanding of the following 10 knowledge domains:

  1. Access Control
  2. Application Security
  3. Business Continuity and Disaster Recovery Planning
  4. Cryptography
  5. Information Security and Risk Management
  6. Legal Regulations, Compliance and Investigations
  7. Operations Security
  8. Physical (Environmental) Security
  9. Security Architecture and Design
  10. Telecommunications and Network Security

What makes this certification so valuable is that the candidate must have a minimum of five years of professional experience in the information security field, or four years of experience and a college degree. To maintain certification, a certified individual is required to attend 120 hours of continuing professional education during the three-year certification cycle. This ensures that folks holding the CISSP credential are staying up-to-date with current trends in security. The CISSP certification is governed by the International Information Systems Security Certification Consortium, also known as (ISC)².

Think ‘outside the box’

For most businesses, the threat to their intellectual assets and technical infrastructure comes from the “bad guys” sitting outside their organizations, trying to break in. These organizations establish strong perimeter defenses, essentially “boxing in” their assets.

However, internal employees have access to proprietary information they need to do their jobs. They often disseminate this information to areas where it’s no longer under the control of the employer. This is generally not done with any malicious intent, but simply so that employees have access to the data they need to perform their job responsibilities more efficiently. It becomes a problem, however, when an employee leaves and the organization takes no steps to collect or control the proprietary information now in the possession of the ex-employee.

One of the most overlooked threats to intellectual property is the innocuous and now ubiquitous USB flash drive. These devices, the size of a tube of lipstick, are the modern-day floppy disk in terms of portable data storage. They’re a convenient way to transfer data between computers.

The difference between these devices and a floppy disk is that USB flash drives can store a large amount of data. A 16GB USB flash drive has the same storage capacity as more than 10,000 floppy disks. You can buy a 16GB USB flash drive for less than $15. Keep in mind that as time goes by, the capacity of these devices will increase and the price will decrease, making them extremely attractive.

These devices aren’t the only threat to data. Because other devices can be connected to the computer through the USB port, digital cameras, MP3 players, and external hard drives can also remove data from a computer and the network to which it’s connected. Most people would recognize that external hard drives pose a threat, but would they recognize cameras and MP3 players and other devices as a threat?

Cameras and music players are designed to store images and music, but to a computer they’re simply additional mass storage devices. It’s difficult for people to understand that an iPod can carry word processing documents, databases and spreadsheets, as well as music. Fortunately, Microsoft Windows tracks the devices connected to a system in the HKEY_Local_Machine\System\ControlSet00x\Enum\USBStor Registry key. It might prove interesting to look in this key on your own computer to see what types of devices have been connected.

Windows Vista has an additional key that tracks connected devices: HKEY_Local_Machine\Software\Microsoft\Windows Portable Devices\Devices. Analyzing the Registry is a great way to investigate the activities of computer users. For many, however, the Registry is tough to navigate and interpret. If you’re interested in understanding more about the Registry, you might want to download and play with Harlan Carvey’s RegRipper.
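The two Registry keys above can be walked from an elevated PowerShell prompt without any third-party tool. The script below is an added example for this article, not code from the book or from RegRipper; it reads CurrentControlSet rather than a specific ControlSet00x (an assumption that suits a live system; on an offline hive you would pick the control set named by the Select key), and it relies on the FriendlyName value that Windows normally writes under each device instance.

```powershell
# Added example: list the USB mass-storage and portable devices Windows has
# recorded in the Registry. Read-only; run from an elevated PowerShell prompt.
# Assumption: CurrentControlSet is used instead of a specific ControlSet00x.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$WpdKey     = 'HKLM:\SOFTWARE\Microsoft\Windows Portable Devices\Devices'

function Get-UsbStorHistory {
    # Each subkey of USBSTOR is a device class (e.g. Disk&Ven_...&Prod_...),
    # and each subkey below that is one physical device instance, usually
    # named after the device's serial number.
    if (-not (Test-Path $UsbStorKey)) { return @() }
    Get-ChildItem -Path $UsbStorKey | ForEach-Object {
        $deviceClass = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [PSCustomObject]@{
                Source       = 'USBSTOR'
                DeviceClass  = $deviceClass
                InstanceId   = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-PortableDeviceHistory {
    # Vista and later also record media players, cameras and phones here.
    if (-not (Test-Path $WpdKey)) { return @() }
    Get-ChildItem -Path $WpdKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [PSCustomObject]@{
            Source       = 'WPD'
            DeviceClass  = ''
            InstanceId   = $_.PSChildName
            FriendlyName = $props.FriendlyName
        }
    }
}

# Show both lists and keep a CSV copy for the investigation record.
$history = @(Get-UsbStorHistory) + @(Get-PortableDeviceHistory)
$history | Format-Table -AutoSize
$history | Export-Csv -Path "$env:TEMP\usb-device-history.csv" -NoTypeInformation
```

The output only tells you which devices have been attached, not what was copied to them; pair it with file-system and event-log evidence before drawing conclusions about data leaving the machine.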

Another threat to information that can carry data outside the walls of the organization is the plethora of handheld devices. Many of these devices have the ability to send and receive e-mail as well as create, store, and transmit word processing, spreadsheet, and PDF files.

Though most employers won’t purchase these devices for their employees, they’re more than happy to let their employees sync their personally owned devices with their corporate computers. Client contact information, business plans and other materials can easily be copied from a system.

Some businesses feel they have this threat under control because they provide their employees with corporate-owned devices and they can collect these devices when employees leave their employment. The only problem with this attitude is that employees can easily copy data from the devices to their home computers before the devices are returned.

Because of the threat of portable data storage devices and handheld devices, it’s important for an organization to establish policies outlining the acceptable use of these devices. It’s also advisable to implement an enterprise-grade solution to control how, when or if you can copy data to them.
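As a concrete instance of the control the paragraph above calls for, the following added example (not from the book) checks whether a Windows machine has the Removable Storage Access policy that denies write access to removable disks, and optionally enables it. It assumes the standard policy location that Group Policy itself writes to; the GUID in the key path is the device class Windows uses for removable disks under that policy. In an enterprise the same setting would normally be pushed by domain Group Policy rather than set per machine.

```powershell
# Added example: report, and optionally enable, the "Removable Disks: Deny
# write access" policy. Assumption: the standard Group Policy registry path.
# {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} is the Removable Disks device class.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableDiskWritePolicy {
    # Returns a short status string describing the current policy state.
    if (-not (Test-Path $PolicyKey)) {
        return 'Not configured: writes to removable disks are allowed'
    }
    $props = Get-ItemProperty -Path $PolicyKey
    if ($props.Deny_Write -eq 1) {
        return 'Deny_Write=1: removable disks are read-only'
    }
    return 'Deny_Write not set: writes to removable disks are allowed'
}

function Set-RemovableDiskReadOnly {
    # Creates the policy key if needed and sets Deny_Write to 1.
    # Requires an elevated prompt; the change applies to newly plugged-in disks.
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-RemovableDiskWritePolicy
}

# Usage: audit first, then enable only where policy requires it.
Get-RemovableDiskWritePolicy
# Set-RemovableDiskReadOnly
```

Auditing this value across a fleet (for example by running the first function through remote PowerShell) gives a quick measure of how many machines actually enforce the acceptable-use policy, rather than relying on the policy document alone.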

Develop a culture of security

One of the greatest security assets is a business’s own employees, but only if they’ve been properly trained to comply with security policies and to identify potential security problems. Many employees don’t understand the significance of various security policies and implementations. They consider these policies nothing more than an inconvenience. Gaining the support and allegiance of employees takes time, but it’s time well spent.

Begin by carefully explaining the reasons behind any security processes. One of the reasons could be to ensure employee productivity, but focus primarily on the security issues. Downloading and installing unapproved software can install malicious software that can infect user systems, causing computers to function slowly or not at all.

While most employees understand that opening unknown or unexpected e-mail attachments can lead to a malware infection, most are unaware of the advanced capabilities of recent malicious code. “Advanced Persistent Threat,” or the ability for a system to remain infected despite the diligent use of antivirus programs, has become a major problem. Employees now need to understand that indiscriminate Web surfing can result in “drive-by” malware installations.

Perhaps the most direct way to gain employee support is to let employees know that money needed to respond to attacks and fix problems initiated by users results in money unavailable for raises and promotions. Letting employees know that they have some “skin in the game” is one way to get them involved in security efforts.

If there’s a budget set aside for responding to security problems and employees help stay well within the budget, the difference between the money spent and the actual budget could be divided among employees as a bonus. Not only would employees be more likely to speak up if they noticed network or system slowdowns, they would probably be more likely to confront strangers wandering through the facility.

Another mechanism that can gain security allies is to provide advice regarding the proper security mechanisms for securing home computers. Although some might not see this as directly benefiting the company, keep in mind that many employees have corporate data on their home computers. This advice can come from live presentations or a newsletter.

The goal of these activities is to encourage employees to approach management or the security team voluntarily. When this happens on a regular basis, you will have expanded the capabilities of your security team and created a much more secure organization.

John Vacca

John Vacca is an information technology consultant, professional writer, editor, reviewer and internationally known best-selling author based in Pomeroy, Ohio. He has authored more than 50 titles in the areas of advanced storage, computer security and aerospace technology. Vacca was also a configuration management specialist, computer specialist, and the computer security official (CSO) for NASA’s space station program (Freedom) and the International Space Station Program from 1988 until his retirement from NASA in 1995.

For more on this and other Elsevier titles, check out Elsevier Science & Technology books.