There’s a hole in my bucket, dear Liza, dear Liza… This old kids’ song tells of a conversation between Henry and Liza about a deadlocked, no-win situation. Henry’s bucket leaks, and Liza’s list of suggestions on fixing it ends with a need to fetch water for the hole-mending process. But there’s a hole in my bucket, dear Liza….
This is a fair analogy for the deadlock situation in corporate IT security. The very same tools that were broken in the first place are still being used to try to fix the problems of leaks, breaches and cybercrimes. These broken tools are of course IT access cards, PINs and passwords. All of which are clearly badly holed as security measures and are frankly beyond repair as secure credentials.
Enormous losses from IT-based crime continue to escalate and credential abuse doggedly remains the number one security failure.
The approach to fixing the mega-problem of credential abuse has traditionally been to apply more of the same. In an attempt to prevent abuse, passwords and PINs have become longer and more complex. Many organisations require them to be changed on a regular basis. So-called ‘smartcards’ have also been added to the credential mix to try and plug the holes in user authentication.
But none of this tinkering with the problem alters the fact that anyone can still use your password, your PIN and your card. The main challenge in information security still revolves around authentication.
Undermining IT security, governance and compliance
If we cannot authenticate IT users, how can we possibly govern what they are doing and ensure compliance? We cannot. It is as simple as that.
Released in October 2012 by Wolfpack Information Risk, The South African Cyber Threat Barometer focuses on cyber crime issues from a local perspective. In light of the damage caused by IT-based crime in all its guises, Wolfpack deserves credit for encouraging public and private sector responses to increasing SA incidents of cybercrime.
Protecting information assets by preventing their theft is clearly a key element of IT security. It also underpins the implementation of policies concerning IT governance and compliance. So it is significant that the Barometer’s executive summary says: “Criminals are typically mainly after logon credentials, bank or credit card information and personally identifiable information.”
The criminal hunger for corporate IT access credentials is also underlined later in the report: “Although software and security technology has improved, logon credentials are the main information asset targeted or compromised during a cyber attack.”
It has long been recognised that credential theft lies at the very heart of almost every sort of IT-based crime. For example, having conducted investigations into over 2000 data breaches since 2004, the annual Data Breach Investigations Report (DBIR) from Verizon and the US Secret Service is an authoritative examination of what cyber villains are doing and how they are doing it.
In an April 2011 interview with SearchSecurity.com, Bryan Sartin, Verizon’s director of investigative response, had this to say about credential theft: “With prices reaching $30 000 per account, usernames and passwords are the most common type of records traded on the cyber black market and have the highest per-record value.”
Add to this the fact that successive DBIRs have cited credential theft as the number one cyber ‘threat action’ and you are beginning to get a clearer picture of the enormous security risks directly caused by CPPs – cards, PINs and passwords. Failure to authenticate is undoubtedly a major problem. However, preventing the unauthorised access and activity that stems from credential theft is something that organisations really battle with.
Controlling access
A 2011 survey of its global members by the Information Systems Audit and Control Association (ISACA) revealed that the biggest challenge to achieving regulatory IT compliance relates to segregation of duties and privileged access monitoring. This comes down to controlling who can do what. And why do corporates battle with this? Because they cannot authenticate the people who use their systems.
And the inability to authenticate IT users means the policies that direct governance and compliance are perpetually vulnerable to being circumvented.
The annual reports of all sorts of organisations refer to board level commitments to implementing best practices in governance and compliance. Such corporate statements are used to reinforce trust and to encourage doing business with them. Very few organisations – if any – describe themselves as primarily being a secure organisation.
And yet corporate cybercrime has the very real potential to inflict long-term damage on an organisation’s continued stability and future success. These are two key areas of responsibility for any board of directors.
But this is completely at odds with another key finding from the ISACA survey: among senior managers and executives there is little commitment to taking robust measures to reinforce IT security. It seems the issue is not only under resourced, it is persistently swept under the carpet.
IT governance demands stronger security
Locally, the most influential guidance on corporate governance, risk and compliance is the King Code of Governance. Its latest version is often referred to as King III, and as of June 2010 companies listed on the JSE must comply with it. King III requires board members to take overall responsibility for IT governance. Directors need to ensure that prudent and reasonable steps have been taken to protect intellectual property, company and client information.
Surely the question for directors is this: can CPPs be regarded as prudent and reasonable steps to safeguard these assets? In light of the overwhelming evidence to the contrary, the answer to that question is clearly no.
Rigorous control of who can do what within corporate IT systems is obviously essential for maintaining information security. As Wolfpack’s MD, Craig Rosewarne, says, “The faster we can move towards the automation of a number of important controls including the full range of detective and preventive countermeasures in the authentication arena, the better we will become at thwarting cybercrime.”
People are often surprised that South Africa is a world leader in its use of fingerprint-based authentication. Within their physical security and payroll management systems, thousands of local companies have replaced access cards and PINs with fingerprint scanners.
Marius Coetzee, MD of Ideco Biometric Security Solutions, says the straightforward business case for replacing traditional credentials with fingerprint authentication is based on the fact that the technology pays for itself: “It cuts the losses caused by unauthorised access and activity. That is the reason why it is used so extensively by so many SA organisations.”
However, in comparison to the world of physical security, Coetzee stresses that the losses arising from unauthorised IT access are much higher. He points out that fraudulent EFT payments routinely involve millions of rands and that this particular type of IT-based crime is consistently based on the simple abuse of IT access cards, PINs and passwords.
Given the advanced state of local biometric applications, Coetzee urges organisations to capitalise on local experience and expertise in order to dramatically increase security within their IT systems. “Implementing fingerprint authentication of users will prevent the repetitive occurrence of all sorts of IT-based crime by ending the abuse of credentials and the losses this causes.”
Tel: +27 12 749 2300
Email: [email protected]
www: www.ideco.co.za
© Technews Publishing (Pty) Ltd. | All Rights Reserved.