printer friendly version

Botox and IT security: is it too late for you?

As a 50-something male, personal grooming takes on a whole new meaning. Never mind that my hair stops growing on my head and now appears to be sprouting from places I could never have imagined – today when I go to the hairdresser she no longer asks what but where?

The once youthful visage is being replaced by something that I last saw my grandfather wearing – I have discovered I can actually frighten myself first thing in the morning - and I am faced with the growing reality that it is becoming increasingly impossible to hide the cracks. You realise that when you start typing `Botox' on Google that things are getting serious. Bottom line, how can I cover up the cracks brought upon by years of abuse and misuse?

And it is pretty much the same in most organisations. Years of abuse and misuse of privileges by staff, particularly in IT eventually catches up with you and it is impossible to hide the tell-tale signs of wear and tear, particularly when it comes to controlling access to sensitive business assets. And the result is that eventually if you do not take steps to control things you will be caught out. Like a bad nose job, or the untrimmed nostril, you will get caught out.

If most of us are honest with ourselves we complain about the nanny state banning everything that is bad for our health but deep inside we know that many things are probably for our own good. And in the same way we complain about the increasing interference in our private IT worlds of controls and regulatory compliance but deep down we know that internal controls for privileged user access rights and controls has been abandoned, or in many cases only given lip service in many organisations, and these controls are bringing us face to face with results of years of neglect.

And the result is that we risk being hacked either by thrill seekers, the curious, or the downright vindictive employee. Independent research clearly shows that a lack of proper segregation of duties, failure to control users with superuser access to files in production systems, failure to secure data in applications, a lack of processes coupled with a lack of reconciliation of these processes to the IT systems used, and a failure to secure access to operating systems and databases that support corporate financial applications and transactions, are the prime cause of most breaches and compliance failures.

The increase in computer-related theft and fraud is forcing the issue of internal users and privileged access into the open. This is clearly shown by the current case in the US courts of the IT executive who is alleged to have used his knowledge of system passwords to hack into a company's system remotely and accessed e-mails and other information. And the bottom line is that it is simply too easy for people with a limited amount of knowledge to do this. I mean who would expect an IT executive to be able to do this? Most of us so-called IT executives are considered to be in the Dilbert Manager's category when it comes to understanding bits and bytes, and yet even an IT executive can hack a system today with the tools that are so easily available.

So there is a challenge for you as a security officer, or as an internal auditor - face up to the fact that the sooner you deal with the organisational grooming, the better for all concerned. So today, every organisation should take the security of their systems and applications seriously. Start by ensuring that you have effective policies and procedures in place to control privileged access to every system, including your workstations and applications, and make sure that you can enforce them.

And remember that regulations do not make allowances for unintentional errors, just as speed cameras are not able to differentiate between the accidental speeding granny and the Jensen Button wanabee. Human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by less staff. So here are a few suggestions when you have a look at these policies and procedures.

Policies must be realistic. The policy must fit the requirements and ensure that the complexity is not such that users are inclined to try and bypass it.

Policies must be enforceable. Having well documented procedures that can be bypassed will be quickly exposed by any audit. The only effective way to make policies both realistic and enforceable is to automate the critical processes. For example, having policies that require privileged users to have the correct authorisations must be enforceable. Likewise, policies that require regular changing of passwords only work effectively if they are automated.

Policies must be auditable. Having policies in place is a good first step, but they will not hold up to regulatory scrutiny unless there are audit trails proving the policy is in place and enforced on an ongoing basis. However, simply having an audit capability is not the solution. The sheer scale and diversity of systems in an enterprise require that tools are cross-platform. In other words, IT security staff must be able to provide reports that are consistent across all platforms and take account of the information produced by heterogeneous systems.

When you consider the amount of time and effort required to collect raw data from key systems and applications, including critical network devices, there can be literally hundreds if not thousands of logs that must be examined for the purpose of an audit report. This data needs to be converted into a standardised, audit compliant report format that an auditor can read.

So when you are examining what options are open to you remember your personal grooming options, do not expect miracles overnight, make sure you stick to the treatment regime, and most of all make sure that the results are there for all to see. So treat yourself - Botox your policies before it is too late.

Calum Macleod is the European director of Cyber-Ark Software.

Share this article:

Further reading: