News, September 3, 2010
More than a technicality

IT and risk managers are now beginning to work more closely together to ensure security controls don't become self-defeating. Shaun Drummond reports



Dealing with IT security risks now seems to be as much about complying with legislative and assurance requirements, and bearing the associated costs, as about the hackers and identity fraudsters themselves. The controls exist to make sure systems are robust, but the fix can become part of the problem when it diverts resources. So, as well as implementing more efficient and less error-prone technological means of keeping vital systems safe, identifying where the risks really lie is becoming more important than ever.

Computer Associates CIO Dave Hansen noted at his company’s recent conference in Sydney that in his earlier days as an IT manager, up to a third of his time was spent on compliance, covering not only legislative requirements but audit. He says these are vital functions, but their demands always have to be balanced against cost. It doesn’t matter how much money and resources you throw at controlling your systems: identifying the weakest link in the chain, human or technological, is always vital.

It looks like the requirements are only going to get tougher as headlines about massive “data leakages” now seem to appear every few months – and those are only the ones we know about – with a lot of pressure now mounting in several jurisdictions, including Australia, to beef up the data protection rules.



Mounting responsibility

Although the auditors would hardly have approved, one of the biggest data leakages (now common parlance, although perhaps “deluge” would be a better term in this case) to capture worldwide attention last year was the loss of the entire database of all 25 million child benefit recipients in the UK – including names, dates of birth, bank and address details – when it was sent on two CD-ROMs by Her Majesty’s Revenue and Customs (HMRC) to auditors via courier and unrecorded mail. It was one of those weak links that could nevertheless have been greatly strengthened by a few standard procedures.

Barclays Bank also had two major breaches, including the successful theft of £10,000 from the bank account of the chairman of Barclays when someone managed to dupe a call centre into sending out a new credit card.

In fact, in the UK alone, helped along by HMRC, 37 million personal records reportedly went missing last year prompting the minority Liberal Party there to proclaim 2007 the worst year yet for data protection and privacy.

Several other major incidents also occurred last year, including the theft of the personal data of 1.6 million users from Monster.com, while TJ Stores could lose up to US$1 billion from a breach of the systems that process and store customer transactions, including credit card, debit card, cheque and merchandise return transactions.

And that doesn’t include the large amount of personal data now voluntarily put online via social networking sites.

Then there are targeted data thefts which, although more often than not perpetrated by people inside organisations or simply by physical theft, can also arrive via convoluted routes from anywhere in the world.

Mark Goudie, principal security architect at Verizon, recalls one recent case his team was called in to investigate. It looked like a simple problem but ended up involving a lengthy investigation in which a hacker was using computers at other companies to carry out the attack remotely.

“Once we started looking at the traffic pattern, we had to involve a lot of different organisations,” he said. “[It was] an online merchant who had a vulnerability and the connection seemed to be coming from around the world and it was not just coming from one IP (internet protocol) address. They wanted to hide behind somebody else’s system.”

So the scary examples of how the interconnectedness of IT systems can bring any organisation a cropper are again coming thick and fast, and these probably represent only a tiny proportion of the mass of data on individuals now held by private organisations.

So clearly, there’s some better risk managing to do. But how are organisations going about it?

The costs and time swallowed up by legislative compliance and addressing reputational risk are an ever-growing part of IT departments’ and general management’s workload, so many organisations are intent on streamlining their risk assessments to ensure they are focusing resources effectively. At the same time this is driving the introduction of more efficient ways to verify identity and protect data.

At a management level, Tommy Viljoen, an IT security specialist at Deloitte, says a handful of large organisations are now working to de-duplicate IT risk assessments and response processes by centralising the decision-making processes, and ensuring risk professionals and IT managers are regularly working together.

“If you look at the financial institutions in particular, they have had wave upon wave of regulation thrust upon them, and every time that happens it is your chief information security officer who gets hit again,” he says.

“So we have certainly been working with the likes of CitiBank, Barclays and WalMart and we’ve now got a concept of starting to bring all of that regulation and all of the different stakeholder requirements into one set of a requirements so that from a risk management perspective, you are only making one assessment.”

Phil Cracknell, an IT security specialist from Deloitte’s UK office, says the fact that information systems are now critical to so many organisations has resulted in more and more companies now having board level representatives who decide and report on IT related risks.

“Organisations are very much wanting to identify [IT issues] at the board level, because the role of [managing IT risks] has grown so big.” He says those that do have individuals with such a central role and access to senior management still reside mainly in the biggest firms, but he argues this kind of priority would be important to any company dealing with any level of regulatory requirement.

A Symantec survey confirmed that regulatory compliance, after “greater awareness of the consequences of data loss”, was a key driver for 27 per cent of small and medium-sized businesses to secure, protect and manage their information.

Another survey by the IT Governance Institute and PricewaterhouseCoopers, sponsored by the Information Systems Audit and Control Association (ISACA), bore out the anecdotal evidence. The IT Governance Global Status Report 2008 found a steady increase since 2003 in the number of respondents who said IT issues were ‘always’ discussed at board meetings, rising from 22 per cent to 32 per cent in 2007, while only 1 per cent said they were never discussed, down from 5 per cent four years ago.



Human frailties

Thanks to the big incidents that are making the headlines, the regulatory burden is only likely to become greater, with governments being pushed to take a much tougher stance to ensure that data doesn’t get into the wrong hands.

As well as moves by the UK Government to give tougher enforcement powers to the Data Privacy Commissioner there, the Australian Law Reform Commission, in its review of the Australian Privacy Act, has recommended greater powers for the Privacy Commissioner so that, among other things, it can order companies to report significant data breaches or losses, as is now required in several US states.

This all means more audit checks. Hansen at Computer Associates says that as governments scrutinise these risks, many companies, not just those in the banking and finance sector, are being subjected to much closer scrutiny.

As a result, and with increasing complexity and demands on their networks, many are having to invest more in systems that automate security measures as much as possible, reducing reliance on the all-too-fallible human element, while also streamlining their risk assessment and compliance controls and, perhaps paradoxically, ensuring that basic manual verification checks are followed.

For instance, says Viljoen, companies are now attempting to build IT systems and procedures with an inbuilt capability to absorb new compliance requirements, rather than dealing with them regulation by regulation, which is very costly, labour-intensive and time consuming. This includes being able to update the all-important risk profile, and the resulting controls information, quickly.

“We need to be friends with our auditors,” says Hansen, “[but] one of the problems the audit professionals have is that auditors aren’t concerned about the cost of people, they’re concerned about risk – it is not a dollars and cents issue,” he says. “So when a risk is identified to the corporation, there is always a feeling that they have to solve that risk – so to mitigate the risk as much as possible.”

For instance, he said while two-factor authentication is desirable, it is not always feasible. “It is a balancing [act]…to ensure that you have a portfolio of how you get the risk profile of this happening within the company.”

As far as dealing with compliance and governance requirements, he said many organisations were now on a journey from dealing with most regulatory impositions on an ad-hoc basis, to a more systematic approach.

“In the early 2000s, part of it was regulatory compliance and auditors were becoming more savvy too. Over the past couple of years, people have been automating a lot of these controls,” he says. And they can also track the cost of remediation of systems, and are working towards a single view of their risk profile.

He says this then helps IT managers to convince management more easily about the controls that need to be implemented. “CEOs are not going to focus properly on the security vulnerabilities if you do not see what the ultimate risk is.”



Building in security

From a technical perspective, GE Money for one is trying to reduce its exposure to human error in the form of programmers writing code to secure their sites.

Berin Lautenbach, information security leader at GE Money, says one of the biggest issues he is tackling now is how to introduce authentication that doesn’t require software developer input, but utilises already inbuilt “configured authorisation” so that even if someone gets through the external shell of the organisation, the system knows which aspects of the internal data that person should have access to, if any at all.

For his company, which offers a range of insurance and financial products across numerous sectors, often via brokers, reducing software developer input is an important way to cut costs, as it doesn’t keep a lot of software expertise in-house. He says it also means fewer changes have to be made to the existing architecture, as the functionality is already available.

“When the programmer gets the security wrong, then we tend to blow our projects budgets fairly quickly. One of the things we are trying to do is get it right at the front end. To make sure that by the time we get to the penetration testing or ethical hacking at the end of that project, this just runs, and it runs securely,” he explained to the CA conference.

He said the findings from penetration tests had changed significantly over the years. “Originally you’d see issues coming out of penetration tests around the infrastructure. That we’d opened up [Identity Management and Access Control] protocols to the internet that we probably shouldn’t have, or we hadn’t locked the server down.”

“That’s slowly disappeared and turned more into ‘I can do things like a SQL injection, and I can manipulate the environment at the backend without affecting it directly’.”

He says authentication is the one area organisations keep getting wrong, and the source is often programming errors. Instead, GE Money will use the existing Java Authorization Contract for Containers (JACC) standard in the Java 2 Enterprise Edition platform, along with its WebSphere infrastructure, to implement a system in which each layer of an application can check the specific access permissions of the individual user.
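To make that contrast concrete, here is an added illustration (not GE Money’s code, nor anything from the article) of what “authorisation that doesn’t require developer input” looks like in a Java EE servlet container such as WebSphere: a hand-rolled, programmer-written check beside the declarative, container-enforced equivalent, plus a session bean showing the same idea one layer down. The role name `claims-adjuster`, the URL paths and the class names are assumed for illustration; the role-to-user mapping is done in the container’s configuration, not in source. Each top-level class would live in its own file.

```java
// --- File: HandRolledClaimsServlet.java ---
// Added example, not GE Money's code. Role name and paths are assumed.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// BEFORE: every servlet author must remember to write the check. A forgotten
// check on the next servlet, or a mistyped role name, silently opens the data.
@WebServlet("/claims/handrolled")
public class HandRolledClaimsServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser(); // null when not authenticated
        // Programmer-written authorisation: easy to omit, easy to get wrong
        // ("claims_adjuster" vs "claims-adjuster" is a silent failure).
        if (user == null || !req.isUserInRole("claims-adjuster")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("claim data for " + user);
    }
}

// --- File: DeclarativeClaimsServlet.java ---
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// AFTER: the container consults its authorisation policy (the JACC provider on
// a JACC-enabled server) before doGet() is ever entered. An unauthenticated or
// wrongly-roled caller never reaches application code, so there is no check
// for a programmer to forget.
@WebServlet("/claims/declarative")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"claims-adjuster"}))
public class DeclarativeClaimsServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No security code here: only an authenticated "claims-adjuster"
        // can arrive at this line.
        resp.setContentType("text/plain");
        resp.getWriter().println("claim data for " + req.getRemoteUser());
    }
}

// --- File: ClaimsService.java ---
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// The same declarative check one layer down: the EJB container enforces the
// role on every business method, so a caller who bypasses the web tier still
// cannot invoke the service without the role.
@Stateless
@RolesAllowed("claims-adjuster")
public class ClaimsService {
    public String lookup(String claimId) {
        // Hypothetical lookup body; real data access would go here.
        return "claim " + claimId;
    }
}
```

The annotation on the servlet is equivalent to a `<security-constraint>` in `web.xml` whose `<auth-constraint>` names `claims-adjuster`; where both exist for the same URL pattern, the deployment descriptor takes precedence, which is the check an auditor or penetration tester should make: confirm that every URL pattern and every business interface is covered by a constraint, rather than reading each handler for a hand-written `if`.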

But if individuals gain access to systems because they have stolen identification materials, for instance, the systems need to be monitored for unusual activity and, where anomalies are found, physical checks often need to be made.

Paul Curwell, from Booz Allen Hamilton, told the Risk Management Institution of Australasia last year that basic steps for detecting identity fraud included determining the risks of fraud at your organisation, verifying the bona fides of authentication documents with the issuing source, investigating anomalies and then incorporating these procedures into the tasks of internal audit.

However, he said it was costly and time consuming to take these measures. The Australian Government is now working on a document verification service for government agencies, but as yet there is no plan to extend this to the private sector.



12 March 2008

Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.