
Identifying Worst Information Technology Practices


Presentation Transcript


  1. Identifying Worst Information Technology Practices

  2. Where’s the risk?

  3. Why examine worst-practices
     • Occur in many organizations
     • Practiced in the name of efficiency
     • Unmanaged risks result in wasted money, resources and loss of reputation
     • What’s cost-effective when:
        • Heavy dependence on IT to achieve goals
        • Organizations are increasingly subjected to vulnerabilities
        • Scope and magnitude of IT investments are increasing
        • IT can dramatically change the organization and service delivery
        • IT represents the organization’s most valuable assets

  4. Why organizations implement worst practices
     • Abdication of responsibilities
     • Inability to segregate activities
     • Calculator mentality
     • Putting out fires
     • Information overload
     • Expectation gap
     • Inadequate training
     • Ignorance and false pride

  5. What’s cost-effective (revisited)?
     • RELIABILITY: technology that is capable of operating without material error, fault, or failure during a specified period in a specified environment

  6. What constitutes reliability?
     • Per the ISO 17799 trust: Principles and Criteria for Systems Reliability (v 2.0)
        • Security
        • Integrity
        • Availability
        • Maintainability

  7. And what if your organization uses worst-practices?
     • Your service delivery is not cost-effective
     • High probability of your information and related resources being unreliable
     • Usually, if properly done, required changes are very cost-effective and deliver high ROI on the investment required to improve

  8. Network not as important as physical security
     • Terminated Employees or Consultants
     • HR policy typically requires
        • all keys and cards be turned in
        • consider changing locks and combination
     • Security policy
        • may (not always) mention the need to adjust security settings
        • vast majority of audit reports cite that terminated employees and consultants still have access to system resources

  9. Network not as important as physical security (cont)
     • How To Manage The Risk
        • Build the responsibility into the corporate culture
           • approver is always accountable for what they approved (user)
           • incorporate notifying security as part of the termination process (HR and yes it is your job!!!)
           • question inactivity (security)
     • Estimated Cost/Benefit
        • Low Cost/High Return
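The three controls on this slide (HR notifies security, security questions inactivity, the approver stays accountable) can be turned into a periodic reconciliation of the account list against the HR termination feed. The script below is an added illustration, not part of the presentation; the accounts, approvers, dates and the 90-day inactivity threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    enabled: bool
    last_login: date
    approver: str  # who approved the access; per the slide, always accountable for it


# Constructed sample data for the example, not from any real directory or HR system.
ACCOUNTS = [
    Account("jsmith",   True,  date(2024, 5, 2),   "mjones"),
    Account("consult1", True,  date(2023, 11, 14), "rlee"),    # contractor who already left
    Account("mjones",   True,  date(2024, 5, 3),   "cfo"),
    Account("tbrown",   False, date(2024, 1, 9),   "mjones"),  # correctly disabled
    Account("mary",     True,  date(2024, 1, 15),  "mjones"),  # long-time user, dormant
]
# HR termination feed (user -> last day): the notification HR owes to security.
TERMINATED = {"consult1": date(2023, 12, 1), "tbrown": date(2024, 1, 10)}
TODAY = date(2024, 5, 10)  # constructed "as of" date for the review


def review_access(accounts, terminated, today, inactive_days=90):
    """Return (user, issue, accountable approver) for every enabled account that
    belongs to a terminated person or has not been used for inactive_days."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # access already removed; nothing to question
        if acct.user in terminated and terminated[acct.user] <= today:
            findings.append((acct.user, "terminated but still enabled", acct.approver))
        elif today - acct.last_login > timedelta(days=inactive_days):
            findings.append((acct.user, "inactive", acct.approver))
    return findings


def by_approver(findings):
    """Group findings by the accountable approver so each one gets their own list."""
    grouped = {}
    for user, issue, approver in findings:
        grouped.setdefault(approver, []).append((user, issue))
    return grouped


if __name__ == "__main__":
    for user, issue, approver in review_access(ACCOUNTS, TERMINATED, TODAY):
        print(f"{user}: {issue} (ask {approver})")
```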

  10. Not enforcing need to have access
     • “it won’t happen here”
     • “the security group (or user admin) doesn’t have the time or resources”
     • “we need the flexibility for cross-training or backup”
     • “Mary’s been with us for over 30 years so she deserves to be designated a security administrator”
     • “we only need to worry about external hackers”

  11. Not enforcing need to have access (cont)
     • Consider these issues
        • 60%-70% of unauthorized system break-ins are from internal sources
        • Based on forensic experience, this worst-practice is a primary contributor to internal fraud and facilitates the circumvention of management designed controls (including organizational chart responsibilities)
     • Prime Directive
        • Many professionals believe that it is impossible to maintain a control environment that satisfies “stakeholders” expectation while using this worst-practice
     • Estimated Cost/Benefit
        • Low Cost/High Return

  12. Leaving “factory” default settings unchanged
     • “Operating systems are often shipped with default users with default passwords to make setting up easier. If the systems administrator doesn’t know about the default accounts, or forgets to turn them off, then anyone who can get hold of a list of default accounts and passwords can log into the target computer”
     • “Anyone who knows how to do basic research using the internet can get hold of these lists”

  13. Leaving “factory” default settings unchanged (cont)
     • Security is not the only exposure – incorrect parameter settings in a core application could negatively impact the business and result in:
        • Inappropriate access
        • Invalid use of validation controls
        • Incorrect financial reporting
        • Incorrect exception reporting
        • Regulatory compliance violations
        • Incorrect calculations and postings
        • Incorrect customer records
        • Loss of credibility
        • Poor customer service
        • Wasted investment in technology
        • Payments to consultants to get things back in order

  14. Not applying security patches
     • “Finding the low-hanging fruit should always be your top priority – mainly because it is the attacker’s first priority. Devastating web vulnerabilities still exist after years of being publicly known”
     • “Typically this is what “kiddie scripts” use and results in embarrassment for the organization”

  15. Not monitoring security-related advisories & updates
     • Respected organizations (e.g., CERT, SANS) distribute free newsletters providing guidance on recent and projected security threats. For example,
        • SANS/FBI released a Top 20 vulnerability list with appropriate tools (free) to detect if a particular organization is exposed.
        • CISECURITY.ORG provides generally accepted benchmarks to effectively manage technology risk.
     • These warnings/guidance are typically ignored in worst-practices organizations

  16. Does your organization have worst security practices?
     • To many these sound like a good thing to do
        • Vulnerability Review
        • Penetration Test
     • But to what extent do they just confirm what you already knew (be honest!!)
     • And how do they help you prevent future occurrences

  17. Popular network security testing techniques
     • Network Mapping
     • Vulnerability Scanning
     • Penetration Testing
     • Security Testing and Evaluation
     • Password Cracking
     • Log Reviews
     • File Integrity Checkers
     • Virus Detectors
     • War Dialing

  18. Network mapping
     STRENGTHS
     • Fast
     • Efficiently scans a large number of hosts
     • Many excellent freeware tools available
     • Highly automated
     • Low cost
     WEAKNESSES
     • Does not directly identify known vulnerabilities
     • Generally used as a prelude to penetration testing, not as a final test
     • Requires significant expertise to interpret results
     BENEFITS OF DOING
     • Enumerates the network structure and what’s active
     • Identifies unauthorized hosts and services
     • Identifies open ports
     OTHER INFO
     • Frequency: Quarterly
     • Medium level of complexity, effort and risk

  19. Vulnerability scanning
     STRENGTHS
     • Fairly fast & efficient
     • Some freeware tools available
     • Highly automated for known vulnerabilities
     • Often provides advice for mitigating strategies
     • Easy to run regularly
     • Cost varies by tool used
     WEAKNESSES
     • High false positive rate
     • Large amount of network traffic
     • Not stealthy (detected)
     • Not for rookies
     • Often misses new stuff
     • Identifies the easy stuff
     BENEFITS OF DOING
     • Enumerates the network structure and what’s active
     • Identifies vulnerabilities on a target set of computers
     • Validates up-to-date patches and software versions
     OTHER INFO
     • Frequency: Every 2-3 months
     • High level of complexity and effort with medium risk

  20. Penetration testing
     STRENGTHS
     • Employs hacker “methodology”
     • Goes beyond surface vulnerabilities to show how they can be exploited to gain access
     • Shows that vulnerabilities are real
     • Social engineering allows for testing of procedures and human reactions
     WEAKNESSES
     • What’s a hacker “methodology”?
     • Requires great expertise – dangerous when conducted by rookies
     • Due to time requirements, not all resources are tested individually
     • Certain tools may be banned or controlled by regulations
     • Legal complications and organizationally disruptive
     • Expensive
     BENEFITS OF DOING
     • Determines how vulnerable the organization is and the level of damage that can occur
     • Tests IT staff response and knowledge of security policies
     OTHER INFO
     • Frequency: Annually
     • High level of complexity, effort and risk

  21. Security testing and evaluation
     STRENGTHS
     • Not as invasive or risky as some other tests
     • Includes policies and procedures
     • More comprehensive – focuses on prevention strategies and roots of problems
     • Generally requires less technical expertise than vulnerability scanning or penetration testing
     • Addresses physical security
     WEAKNESSES
     • Does not generally verify vulnerabilities
     • Generally does not identify newly discovered vulnerabilities
     • Labor intensive & expensive
     BENEFITS OF DOING
     • Uncovers design, implementation and operational flaws that could allow the violation of security policy or the existence of vulnerabilities
     • Determines the adequacy of security mechanisms, assurances and other properties to enforce security policies
     • Includes effectiveness & efficiency
     • Emphasizes the process and how well risk is managed
     OTHER INFO
     • Frequency: Every 2-3 years
     • High levels of complexity, effort and risk

  22. We’re safe, right?
     • “Our organization’s auditors engage an outside firm to conduct an annual vulnerability test. Last year we didn’t have any major findings. This review proves that we’re safe – right?”
     • WRONG!!!!!!!!

  23. Typical “findings”
     • Inappropriate policies at the macro and micro levels
     • Vendor provided patches not applied
     • Exploitable files and services not removed or disabled
     • Ineffective security configuration strategy
     • Outdated vulnerability scanning and intrusion detection tools used
     • Unclear understanding of responsibilities with service providers and vendors
     • Ineffective monitoring of activity and new vulnerabilities
     • False comfort relating to level of security and understanding of risks to the business

  24. How much to fix?
     • Not as much as you would expect
     • You don’t necessarily need to purchase advanced technology
     • 80% of the problems can be resolved very cost-effectively
     • Organizational culture and behavior modification require the greater efforts

  25. “And what of these patches we keep hearing about?”
     • Create an organizational software inventory
     • Identify newly discovered vulnerabilities and security patches (remember the free emails?)
     • Prioritize patch application
     • Create an organization-specific patch database
     • Test patches
     • Distribute patches and vulnerability information as appropriate
     • Verify patch installation through network and host vulnerability scanning
     • Train system administrators in the use of vulnerability databases
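The inventory, identify, prioritize and verify steps of this slide fit together as one small matching job: compare what is installed against the advisory feed, rank the gaps, and re-run the comparison on a fresh scan to confirm the patches actually landed. This script is an added example, not from the presentation; the hosts, product names, versions, the ADV-0001/ADV-0002 advisory ids and the scoring weights are all constructed placeholders, and versions are assumed to be purely numeric dotted strings.

```python
from dataclasses import dataclass


@dataclass
class Install:
    host: str
    product: str
    version: str
    exposed: bool  # reachable from the internet


@dataclass
class Advisory:
    advisory_id: str   # placeholder ids, constructed for the example
    product: str
    fixed_version: str
    severity: int      # 1 (low) to 10 (critical), e.g. a CVSS base score
    exploited: bool    # a public exploit is in circulation (the "low-hanging fruit")


# Constructed software inventory and advisory feed; product names are made up.
INVENTORY = [
    Install("web01", "ExampleHTTPD", "2.4.1", exposed=True),
    Install("app02", "ExampleHTTPD", "2.4.3", exposed=False),
    Install("db03",  "ExampleDB",    "10.2",  exposed=False),
    Install("app02", "ExampleDB",    "11.0",  exposed=False),
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleHTTPD", "2.4.3", severity=7, exploited=True),
    Advisory("ADV-0002", "ExampleDB",    "10.5",  severity=9, exploited=False),
]


def vtuple(version):
    """Dotted numeric version -> comparable tuple (assumes purely numeric parts)."""
    return tuple(int(part) for part in version.split("."))


def priority(install, advisory):
    """Simple ranking: base severity, plus a bump for exploited bugs and exposed hosts."""
    return advisory.severity + (5 if advisory.exploited else 0) + (3 if install.exposed else 0)


def missing_patches(inventory, advisories):
    """Match every installed product against the advisories; return the outstanding
    work items, highest priority first."""
    items = []
    for inst in inventory:
        for adv in advisories:
            if adv.product == inst.product and vtuple(inst.version) < vtuple(adv.fixed_version):
                items.append({"host": inst.host, "product": inst.product,
                              "advisory": adv.advisory_id, "install": adv.fixed_version,
                              "priority": priority(inst, adv)})
    return sorted(items, key=lambda item: item["priority"], reverse=True)


def still_outstanding(rescanned_inventory, advisories, previous_items):
    """Verification step: re-run the match on a fresh scan and report which of the
    earlier work items are still open, i.e. the patch did not actually land."""
    open_now = {(i["host"], i["advisory"]) for i in missing_patches(rescanned_inventory, advisories)}
    return [i for i in previous_items if (i["host"], i["advisory"]) in open_now]
```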

  26. Security conclusion A team sport that doesn’t necessarily require the most fancy equipment to win - but does require you to understand the fundamentals of the game and that you and your team must provide best efforts to win! Otherwise – you are playing to just give the ball to the other side.
