Thoughts on Information Security
I was recently asked to give a 10-minute lecture on three topics relating to information security, of my own choosing. The article was written from the perspective of an information security officer in academia. Here it goes:
Organizations rely increasingly on information as a primary asset. Educational institutions have acknowledged this very early on, and while research and education benefits immensely from an open environment, universities were among the first organizations developing and adopting information security.
The field of Information Security is defined by three principles: Availability, Integrity and Confidentiality. By availability, we mean that any information system, including the information and data that is contained within them, is available to their intended users, whenever they need it to fulfill their assigned tasks. The integrity principle aims to ensure that data that is correct and complete. Confidentiality ensures that only duly authorized individuals can access information.
To assure the appropriate levels of Availability, Integrity and Confidentiality, organizations need to be aware of the risks that are threatening their information systems. Many risks can be easily reduced by assessing the vulnerabilities of information systems and taking appropriate measures. Information Security best practices have been captured in an international standard, known as ISO 17799. This standard describes a large number of controls that organizations may adopt to protect their information assets.
Given the time that we have today, I will speak a little more about three areas of information security: user awareness, monitoring and incident response, and regulatory compliance.
A phrase that is commonly heard when information security practitioners communicate, is that "perimeters are fading". That expression immediately betrays that information systems security originated as a technical discipline. With systems being accessed from increasingly mobile users, it becomes hard to define hard perimeters of a network. Users connect using wireless equipment, when they are traveling to conferences and are staying in hotels, or when they work from home. The era when 100% of an organization's network was fully under its control are over.
However, this perspective is flawed. An organization consists of a collection of individuals. Each of those individuals has a personal agenda, which always takes the front seat. Second to that comes their professional agenda. Social scientists, who have studied organizational dynamics acknowledge this, and even make it a fundamental principle in their theories. I believe that it is time that information security professionals also acknowledge this, and adopt the point of view that any organization, and certainly a university, should consider that the organization's perimeter is made up of its users: staff, faculty, students, third-parties, partners, etc.
When this view is adopted, it is immediately clear that information security controls that need to be in place must be focused on those users. Users must come to acknowledge that information is important, and that it is worth protecting. To do so, they must not be told what they can do, and what they cannot do, but they should be made to understand why controls are in place and why they directly benefit from having them. A good awareness program will lead to users willingly adopting information security controls.
The added value that an effective awareness program can deliver was recently illustrated by an article in the Wall Street Journal, which attracted much attention. The title of the article is: "Ten Things Your IT Department Won't Tell You". In the article, the author outlines how to circumvent file transfer restrictions using online services, such as YouSendIt, how to use software that the company won't let its users download or install, or how to store work files online. There are many more so-called "tricks" that the author lists. By doing so, the Wall Street Journal directly undermined much of the awareness work that was done in many organizations. "See, if the Wall Street Journal publishes it, it cannot be that bad, right?". What the article fails to mention is why an organization has those controls in place, how organizations monitor compliancy with the controls, and what the repercussions are for employees who willing bypass security controls.
As mentioned earlier, availability, integrity and confidentiality define the field of information security. In addition to implementing technical controls that are aimed at technical systems, organization should devote at least as many resources at implementing organizational controls, such as awareness programs, policies, and procedures.
The second topic that I want to touch on is incident response. Public safety officials acknowledge that, despite all the prevention efforts that are made, fires will break out, natural disasters will happens, shops will be burgled, and cars will be involved in accidents. This is why a large part of the public safety efforts are devoted to reactive capabilities of police officers, firefighters, and paramedics. Like their counterparts in the physical world, information security professionals will never be able to provide security for 100%.
Some measures will fail, and attack vectors will be developed for which no existing defenses are in place. Organizations, must be able to detect information security threats, and the incidents that follow from them, and develop the capability to respond to them.
Because of the increasingly interconnected nature of information systems, organizations cannot address these threats alone. Because of this, there are many ways to collaborate with other institutions, such as law enforcement agencies, US-CERT, the forum for incident response and security teams (FIRST), NSP-SEC, the University Security Operations Group, etc.
Universities are popular targets by attackers. Not so much because of the value of the information that can be obtained by them, although there is certainly much information of high-value in educational institutions, but much more because of the relatively high network bandwidth that University's have available, and the relative level of anonymity that can be obtained on university networks.
Computers in dormitories, in computer labs, and even Faculty PC's are very often infected with malware that turns them into so-called "zombies" or "bots". These bots are subsequently used to send spam, collect personally identifiable information, spread copyrighted materials, or to participate in large scale denial-of-service attacks. Implementation and execution of effective monitoring and response policies reduces the impact that compromises may have on networks, and also reduces the chance of undesirable media attention.
Universities also harbor some of the worlds most intelligent young people, who are driven by a constant drive to explore and experiment. While not that common, some students will not possess the appropriate level of ethics, that will prevent them from exploring the University network. Grade registration, tuition payments, admission information, etc., are all likely targets and an appropriate defensive, detective and reactive capability should be developed before incidents actually take place.
Whatever the controls will be that are put in place, they should be mandated, sponsored and practiced by senior management positions. While handling security incidents, it should be absolutely clear what the responsibilities of the responder are, but also by what authority his or her actions are mandated.
To assure that availability, integrity and confidentiality of information is kept at acceptable levels, even in times when normal operations are interrupted because of natural events, malicious attacks, or technical interruptions, organizations need to develop an incident response capability.
To develop this capability in a cost-effective and efficient way, cooperation with existing bodies should be established.
The final topic that I want to touch upon is regulatory compliance. Legislation and industry practices are putting increasingly stringent demands on the way that an organization structures its processes, protects its resources, and makes the controls that are put in place auditable. Legislation such as Sarbanes-Oxley for publicly traded companies, HIPAA in healthcare, or industry standards such as the Payment Card Industry's Data Security Standard are constantly developing and expanding.
When an organization, such as a University, is unable to meet these requirements, it will be faced with problems in attracting funding from many sources, including the federal government. It will also be faced with fines, or even with the inability to accept credit card payments. In some extreme situations, executive level employees might even face criminal charges.
A well-managed information security program can address regulatory compliance and prove to stakeholders that an organization practices due diligence and due care.
To summarize: information is the primary asset of many organizations, and especially of educational institutions. Protecting that information in terms of availability, integrity and confidentiality is the responsibility of an information security program. In addition to implementing technical controls, organizations must realize that information serves the organization's stakeholders and not the other way around. This is why effective organizational controls, such as awareness programs, well-written and though-out policies and procedures are at least as important as technical controls.
Despite all measures that an organization takes, security incidents will happen. When they happen, organizations must be aware of them, and have developed the proper capabilities to respond to them.
Regulatory compliance, originating from legislation, as well as from industry requirements, will put increasingly heavy requirements on organizations. Having a well-managed security program will prove to stakeholders that an organization practices due care and due diligence and will make compliancy easier to achieve. •