This chapter covers the following topics:
Risk Management of New Products, New Technologies, and User Behaviors: This section covers the challenges presented by constant change.
New or Changing Business Models/Strategies: Topics covered include partnerships, outsourcing, cloud, and acquisition/merger and divestiture/demerger.
Security Concerns of Integrating Diverse Industries: Topics covered include rules, policies, regulations, and geography.
Internal and External Influences: Topics covered include competitors, auditors/audit findings, regulatory entities, internal and external client requirements, and top-level management.
Impact of De-perimeterization (e.g., Constantly Changing Network Boundary): This section covers the impact of telecommuting, cloud, mobile, BYOD, and outsourcing and ensuring third-party providers have requisite levels of information security.
This chapter covers CAS-003 objective 1.1.
An IT department does not operate in a vacuum. It is influenced by business objectives and corporate politics that color and alter decisions. Making the job of an IT security professional even more difficult are the additional considerations introduced by factors outside the enterprise, such as legal considerations, regulations, and partnerships. Add to this the constant introduction of new technologies (in many cases untested and unfamiliar), and you have a prescription for a security incident. This chapter covers security risks introduced by these business influences, along with some actions that can be taken to minimize the risks.
New products, technologies, and user behaviors are never ending for a security professional. It is impossible to stop the technology tide, but it is possible to manage the risks involved. Each new technology and behavior must be studied through a formal risk management process. In Chapter 3, “Risk Mitigation Strategies and Controls,” you will learn how the risk management process works. One of the key points you should take from that chapter is that the process is never ending. While the process should arrive at a risk profile for each activity or technology, keep in mind that the factors that go into that profile are constantly changing, and thus an item’s risk profile may be changing as well. So risk management is a never-ending and cyclical process.
When a company decides to use cutting-edge technology, there are always concerns about maintaining support for the technology, especially with regard to software products. What if the vendor goes out of business? One of the approaches that can mitigate this concern is to include a source code escrow clause in the contract for the system. This source code escrow is usually maintained by a third party, who is responsible for providing the source code to the customer in the event that the vendor goes out of business.
It also is necessary to keep abreast of any changes in the ways users are performing their jobs. For example, suppose that over time, users are increasingly using chat sessions rather than email to discuss sensitive issues. In this situation, securing instant messaging communications becomes just as important as securing email. To keep up with the ever-changing ways users are choosing to work, you should:
Periodically monitor user behaviors to discover new areas of risk, including identifying not only new work methods but also any risky behaviors, such as writing passwords on sticky notes
Mitigate, deter, and prevent risks (through training and new security policies)
Anticipate behaviors before they occur by researching trends (for example, mobile devices, cloud usage, and user behavior trends)
One of the factors that can change the risk profile of a particular activity or process is a change in the way the company does business. As partnerships are formed, mergers or demergers completed, assets sold, and new technologies introduced, security is always impacted in some way. The following sections look at some of the business model and strategy changes that can require a fresh look at all parts of the enterprise security policies and procedures.
Establishing a partnership—either formal or informal—with another entity that requires the exchange of sensitive data and information between the entities always raises new security issues. A third-party connection agreement (TCA) is a document that spells out exactly the security measures that should be taken with respect to the handling of data exchanged between parties. This document or another common business document should be executed in any instance where a partnership involves depending on another entity to secure company data.
Partnerships in some cases do not involve the handling or exchange of sensitive data but rather are formed to provide a shared service. They also may be formed by similar businesses within the same industry or with affiliated or third parties. Regardless of the nature of the partnership, a TCA or some similar document should identify all responsibilities of the parties to secure the connections, data, and other sensitive information.
Third-party outsourcing is a liability that many organizations do not consider as part of their risk assessment. Any outsourcing agreement must ensure that the information that is entrusted to the other organization is protected by the proper security measures to fulfill all the regulatory and legal requirements.
Like third-party outsourcing agreements, contract and procurement processes must be formalized. Organizations should establish procedures for managing all contracts and procurements to ensure that they include all the regulatory and legal requirements. Periodic reviews should occur to ensure that the contracted organization is complying with the guidelines of the contract.
Outsourcing can also cause an issue for a company when a vendor subcontracts a function to a third party. In this case, if the vendor cannot present an agreement with the third party that ensures the required protection for any data handled by the third party, the company that owns the data should terminate the contract with the vendor at the first opportunity.
Problems caused by outsourcing of functions can be worsened when the functions are divided among several vendors. Strategic architecture is adversely impacted by the segregation of duties between providers. Vendor management costs increase, and the organization’s flexibility to react to new market conditions is reduced. Internal knowledge of IT systems declines and decreases future platform development. The implementation of security controls and security updates takes longer as responsibility crosses multiple boundaries.
Finally, when outsourcing crosses national boundaries, additional complications arise. Some countries’ laws are more strict than others. Depending on where the data originates and where it is stored, it may be necessary to consider the laws of more than one country or regulatory agency. If a country has laws that are less strict, an organization may want to reconsider doing business with a company from that country.
In some cases, the regulatory environment may prevent the use of a public cloud. For example, there may be regulatory restrictions with credit cards being processed out of the country or by shared hosting providers. In such a case, a private cloud within the company should be considered. You should create an options paper that outlines the risks, advantages, and disadvantages of relevant choices and recommends a way forward.
While using a public cloud offers many benefits, this arrangement also introduces all sorts of security concerns. How do you know your data is kept separate from other customers’ data? How do you know your data is safe? Outsourcing data security makes many people uncomfortable.
In many cloud deployments, virtual resources are created and destroyed on the fly across a large pool of shared resources; this capability is referred to as elasticity. In this scenario, the company never knows which specific hardware platforms will be used from day to day. The biggest risk to confidentiality in this scenario is that data can remain recoverable from a hardware platform for some time after it has stopped residing there.
Another type of cloud is a hybrid cloud, which uses both public and private cloud environments. The public and private clouds are distinct entities but are connected. For example, company data may be kept in a private cloud that connects to a business intelligence application that is provided in a public cloud. As another example, a company may use a private cloud but contract with a public cloud provider to provide access and resources when demand exceeds the capacity of the private cloud.
Finally, a community cloud is shared by organizations with some common need to address, such as regulatory compliance. Such shared clouds may be managed either by a cross-company team or by a third-party provider. A community cloud can be beneficial to all participants because it reduces the overall cost to each organization.
When two companies merge or when one company acquires another, it is a marriage of sorts. Networks can be combined and systems can be integrated, or in some cases entirely new infrastructures may be built. In those processes resides an opportunity to take a fresh look at how to ensure that all systems are as secure as required. This can be complicated by the fact that the two entities may be using different hardware vendors, different network architectures, or different policies and procedures.
Both entities in a merger or acquisition should take advantage of a period of time during the negotiations called the due diligence period to study and understand the operational details of the other company. Only then can both entities enter into the merger or acquisition with a clear understanding of what lies ahead to ensure security. Before two networks are joined, penetration tests should be performed on both networks so that all parties have an understanding of the existing risks going forward. Finally, it is advisable for an interconnection security agreement (ISA) to be developed, in addition to a complete risk analysis of the acquired company’s entire operation. Any systems found to be lacking in required controls should be redesigned. In most cases, the companies adopt the more stringent security technologies and policies.
In other cases, companies split off, or “spin off,” parts of a company. If a merger is a marriage, then a divestiture or demerger resembles more of a divorce. The entities must come to an agreement on what parts of which assets will go with each entity. This may involve the complete removal of certain types of information from one entity’s systems. Again, this is a time to review all security measures on both sides. In the case of a sale to another enterprise, it is even more important to ensure that only the required data is transferred to the purchasing company.
One of the greatest risks faced by a company that is selling a unit to another company or purchasing a unit from another company is the danger of the commingling of the two networks during the transition period. An important early step is to determine the necessary data flows between the two companies so that any that are not required can be prevented.
One recommendation that can help ensure a secure merger or demerger is to create a due diligence team that is responsible for the following:
Defining a plan to set and measure security controls at every step of the process
Identifying gaps and overlaps in security between the two firms
Creating a risk profile for all identified risks involved in moving data
Prioritizing processes and identifying those that require immediate attention
Ensuring that auditors and the compliance team are utilizing matching frameworks
Data ownership is affected by a changing business model. Depending on the business model that is being adopted, management needs to make decisions on the ownership of the data.
In a business acquisition or merger, security professionals need to determine if data will remain under separate ownership or will be merged as well. If a merge of data is to take place, a comprehensive plan should detail the steps involved in the data merge.
In a business divestiture or demerger, management needs to decide which entity will own the data. Detailed plans and procedures need to be written to ensure that the appropriate data will be properly extracted.
Laws, regulations, and standards governing the two organizations must be taken into account. Whether data is being merged, retained as separate entities, or separated based on ownership, the organization must ensure that data security remains a priority. For example, suppose a healthcare company has decided to divest itself of an application that it developed. Management needs to work with security professionals to ensure that all data related to the application—including source code, development plans, and marketing and sales data—is given to the acquiring organization. In addition, management needs to ensure that no private healthcare data is inadvertently included with the data that will be extracted as part of the divestiture.
Security professionals need to examine the data classification model when an acquisition/merger or divestiture/demerger occurs. In the case of an acquisition/merger, the security professionals must decide whether to keep the data separate or merge the data into a single entity. In the case of a divestiture/demerger, security professionals must ensure that legally protected data is not given to an entity that is not covered under the same laws, regulations, or standards. Laws, regulations, and standards governing the two organizations must be considered. It may be necessary for the organization to carefully design the new data classification model and define the procedures for data reclassification.
In many cases today, companies are integrating business models that differ from each other significantly. In some cases, organizations are entering new fields with drastically different cultures, geographic areas, and regulatory environments. This can open new business opportunities but can also introduce security weaknesses. The following sections survey some of the issues that need to be considered.
When integrating diverse industries, the challenge is one of balance with respect to rules. While standardizing rules across all parts of a business is a laudable goal, forcing an unfamiliar set of rules on one part of the business may cause both resistance and morale problems. One unit’s longstanding culture may be one of trusting users to manage their own computers, which may include local administrator rights, while another unit may be opposed to giving users such control.
While it may become an unavoidable step to make rules standard across a business, this should not be done without considering the possible benefits and drawbacks. The benefits should be balanced against any resistance that may be met and any productivity losses that may occur. But it may also be necessary to have a few different rules because of localized issues. Only senior management working with security professionals can best make this call.
Policies may be somewhat easier to standardize than rules or regulations as they are less likely to prescribe specific solutions. In many cases, policies contain loosely defined language, such as “the highest possible data protection must be provided for data deemed to be confidential in nature.” This language provides flexibility for each department to define what is and what is not confidential.
Having said that, the policies of an organization should be reviewed in detail when an acquisition or a merger occurs to ensure that they are relevant, provide proper security safeguards, and are not overly burdensome to any unit in the organization. Policies are covered in Chapter 2.
Regulations are usually established by government entities (for example, FCC, DHS, DOT) to ensure that certain aspects of an industry are regulated. When companies in heavily regulated industries are combined with those from less heavily regulated industries, there are obviously going to be major differences in the levels of regulation within each business unit. This situation should be accepted as normal in many cases as opposed to being viewed as a lack of standardization.
Export controls are rules and regulations governing the shipment or transmission of items from one country to another. This includes the disclosure or transfers of technical data to persons outside the country. Both the United States and European Union (EU) have laws and regulations governing exports.
Concerns over exports arise for three primary reasons:
The characteristics of the item itself
The destination of the item
The suspected end use of the item
Export controls are implemented to protect security, implement foreign policy, and maintain a military and economic edge.
Governing bodies, including entities in the United States and EU, issue lists of items that are subject to restrictions. Lists usually include an entity list, disbarred parties, denied persons, and embargoed nations. While there are exclusions to the export controls, organizations should work with legal representation prior to exporting any entities. Failure to comply with export control regulations may have consequences including criminal charges, monetary penalties, reputation damage, and loss of export control privileges.
Organizations that have questions regarding export controls in the United States can contact the Office for Export Controls Compliance (OECC), part of Northwestern University.
Legal compliance is a vital part of any organization’s security initiative. To ensure legal compliance, organizations must understand the laws that apply to their industry. Examples of industries that often have many federal, state, and local laws to consider include financial, healthcare, and industrial production. A few of the laws and regulations that must be considered by organizations are covered in the next few sections.
While you do not have to memorize the laws and regulations described in the following sections, you need to be generally familiar with how they affect organizations to assess the scenarios that you may encounter on the CASP exam.
The Public Company Accounting Reform and Investor Protection Act of 2002, more commonly known as the Sarbanes-Oxley (SOX) Act, affects any organization that is publicly traded in the United States. It regulates the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.
HIPAA, also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance companies, and healthcare clearinghouses. It is enforced by the Office for Civil Rights of the Department of Health and Human Services. It provides standards and procedures for storing, using, and transmitting medical information and healthcare data. HIPAA overrides state laws unless the state laws are stricter.
The Gramm-Leach-Bliley Act (GLBA) of 1999 affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers. It provides guidelines for securing all financial information and prohibits sharing of financial information with third parties. This act directly affects the security of personally identifiable information (PII).
The Computer Fraud and Abuse Act (CFAA) of 1986 affects any entities that might engage in hacking of “protected computers,” as defined in the act. It was amended in 1989, 1994, and 1996; in 2001 by the Uniting and Strengthening of America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act; and in 2002 and in 2008 by the Identity Theft Enforcement and Restitution Act. A “protected computer” is a computer used exclusively by a financial institution or the U.S. government or used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. Due to the interstate nature of most Internet communication, ordinary computers—even smartphones—have come under the jurisdiction of the law. The law includes several definitions of hacking, including knowingly accessing a computer without authorization; intentionally accessing a computer to obtain financial records, U.S. government information, or protected computer information; and transmitting fraudulent commerce communication with the intent to extort.
The Federal Privacy Act of 1974 affects any computer that contains records used by a federal agency. It provides guidelines for federal agencies on collecting, maintaining, using, and disseminating PII about individuals that is maintained in systems of records.
The Computer Security Act of 1987, which was later superseded by the Federal Information Security Management Act (FISMA) of 2002, was the first law to require a formal computer security plan. It was written to protect and defend sensitive information in federal government systems and to provide security for that information. It also required government agencies to train employees and identify sensitive systems.
The Personal Information Protection and Electronic Documents Act (PIPEDA) affects how private-sector organizations collect, use, and disclose personal information in the course of commercial business in Canada. The act was written to address European Union (EU) concerns about the security of PII in Canada. The law requires organizations to obtain consent when they collect, use, or disclose personal information and to have personal information policies that are clear, understandable, and readily available.
Basel II affects financial institutions. It addresses minimum capital requirements, supervisory review, and market discipline. Its main purpose is to protect against risks that banks and other financial institutions face.
The Payment Card Industry Data Security Standard (PCI DSS) affects any organizations that handle cardholder information for the major credit card companies. The latest version is 3.2. To prove compliance with the standard, an organization must be reviewed annually. Although PCI DSS is not a law, this standard has affected the adoption of several state laws.
The Federal Information Security Management Act (FISMA) of 2002 affects every federal agency. It requires each federal agency to develop, document, and implement an agencywide information security program.
The Economic Espionage Act of 1996 affects companies that have trade secrets and any individuals who plan to use encryption technology for criminal activities. A trade secret does not need to be tangible to be protected by this act. Per this law, theft of a trade secret is a federal crime, and the U.S. Sentencing Commission must provide specific information in its reports regarding encryption or scrambling technology that is used illegally.
The USA PATRIOT Act of 2001 affects law enforcement and intelligence agencies in the United States. Its purpose is to enhance the investigatory tools that law enforcement can use, including email communications, telephone records, Internet communications, medical records, and financial records. When this law was enacted, it amended several other laws, including the Foreign Intelligence Surveillance Act (FISA) of 1978 and the Electronic Communications Privacy Act (ECPA) of 1986.
Although the USA PATRIOT Act does not restrict private citizens’ use of investigatory tools, there are exceptions (for example, if the private citizen is acting as a government agent—even if not formally employed—if the private citizen conducts a search that would require law enforcement to have a warrant, if the government is aware of the private citizen’s search, or if the private citizen is performing a search to help the government).
The Health Care and Education Reconciliation Act of 2010 affects healthcare and educational organizations. This act increased some of the security measures that must be taken to protect healthcare information.
The EU has implemented several laws and regulations that affect security and privacy. The EU Principles on Privacy include strict laws to protect private data. The EU’s Data Protection Directive provides direction on how to follow the laws set forth in the principles. The EU has created the Safe Harbor Privacy Principles to help guide U.S. organizations in complying with the EU Principles on Privacy.
Some of the guidelines include the following:
Data should be collected in accordance with the law.
Information collected about an individual cannot be shared with other organizations unless the individual gives explicit permission for such sharing.
Information transferred to other organizations can be transferred only if the sharing organization has adequate security in place.
Data should be used only for the purpose for which it was collected.
Data should be used only for a reasonable period of time.
Do not confuse the term safe harbor with data haven. According to the EU, a safe harbor is an entity that conforms to all the requirements of the EU Principles on Privacy. A data haven is a country that fails to legally protect personal data, with the main aim being to attract companies engaged in the collection of the data.
The EU Electronic Security Directive defines electronic signature principles. According to this directive, a signature must be uniquely linked to the signer and to the data to which it relates so that any subsequent data change is detectable. The signature must be capable of identifying the signer.
Geographic differences play a large role in making a merger or demerger as seamless as possible. In addition to the language barriers that may exist, in many cases the type of technologies available in various parts of the world can vary wildly. While it may be that an enterprise has companywide policies about using certain technologies to protect data, it could be that the hardware and software required to support this may be unavailable in other countries or regions, such as Africa or the Middle East. Therefore, it may be necessary to make adjustments and exceptions to policies. If that is not acceptable, the organization may be required to find other ways to achieve the long-term goal, such as not allowing certain types of data to be sent from one location where the needed technologies are not available.
Another issue is that countries may have different legal or regulatory requirements. While one country may have significant requirements with respect to data archival and data security, another may have nearly none of these same requirements. The decision again becomes one of how standardization across countries makes sense. It could be that the cost of standardization may exceed the benefits derived in some scenarios. It might also be necessary for the organization to decide to prevent data that has higher security requirements from being stored in countries that do not have the appropriate regulations or laws to protect the data.
Data sovereignty is the concept that data stored in digital format is subject to the laws of the country in which the data is located. Affecting this concept are the differing privacy laws and regulations issued by nations and governing bodies. This concept is further complicated by the deploying of cloud solutions.
Many countries have adopted legislation that requires customer data to be kept within the country in which the customer resides. But organizations are finding it increasingly difficult to ensure that this is the case when working with service providers and other third parties. Organizations should consult the service-level agreements (SLAs) with these providers to verify compliance.
Keep in mind, however, that the laws of multiple countries may affect the data. For instance, suppose an organization in the United States is using a data center in the United States but the data center is operated by a company from France. The data would then be subject to both U.S. and EU laws and regulations.
Another factor would be the type of data being stored, as different types of data are regulated differently. Healthcare data and consumer data have vastly separate laws that regulate the transportation and storage of data.
Security professionals should answer the following questions:
Where is the data stored?
Who has access to the data?
Where is the data backed up?
How is the data encrypted?
The answers to the four questions will help security professionals design a governance strategy for their organization that will aid in addressing any data sovereignty concerns. Remember that the responsibility to meet data regulations falls on both the organization that owns the data and the vendor providing the data storage service, if any.
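As an added illustration (not code from the chapter), the following Python models these four questions together with the earlier point that data stored in a U.S. data center run by a French company falls under both U.S. and EU law. The country codes, data classes, residency and encryption rules, and the inventory are constructed assumptions.

```python
"""Data-sovereignty review of a small data inventory (added example).

For each dataset we record where it is stored, where it is backed up,
who (which countries) can access it and whether each copy is encrypted,
then derive the set of legal regimes that can reach the data and flag
residency and encryption gaps. All values below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: EU member states are collapsed into a single "EU" regime,
# since the chapter treats EU privacy rules as one body of law.
EU_MEMBERS = {"FR", "DE", "NL", "IE"}

# Hypothetical policy: these classes must stay in the customer's country
# and must be encrypted at rest in every copy, including backups.
RESIDENCY_REQUIRED = {"healthcare", "consumer"}
ENCRYPTION_REQUIRED = {"healthcare", "consumer"}


def regime(country: str) -> str:
    """Map a country code to the legal regime that governs it."""
    return "EU" if country in EU_MEMBERS else country


@dataclass
class DataStore:
    location: str          # country where the copy physically resides
    operator_home: str     # home country of the company running the facility
    encrypted_at_rest: bool


@dataclass
class Dataset:
    name: str
    data_class: str        # "healthcare", "consumer", "public", ...
    customer_country: str  # where the data subjects reside
    primary: DataStore
    backups: list[DataStore] = field(default_factory=list)
    access_countries: set[str] = field(default_factory=set)

    def copies(self) -> list[DataStore]:
        return [self.primary, *self.backups]


def jurisdictions(ds: Dataset) -> set[str]:
    """Every regime whose laws can reach the data: the location of each
    copy plus the home regime of each operator. A U.S.-located store run
    by a French company therefore yields {"US", "EU"}."""
    regimes: set[str] = set()
    for store in ds.copies():
        regimes.add(regime(store.location))
        regimes.add(regime(store.operator_home))
    return regimes


def findings(ds: Dataset) -> list[str]:
    """Residency and encryption gaps for one dataset, as plain strings."""
    issues: list[str] = []
    if ds.data_class in RESIDENCY_REQUIRED:
        for store in ds.copies():
            if store.location != ds.customer_country:
                issues.append(f"{ds.name}: copy in {store.location} is outside "
                              f"customer country {ds.customer_country}")
        for country in sorted(ds.access_countries - {ds.customer_country}):
            issues.append(f"{ds.name}: access granted from {country}")
    if ds.data_class in ENCRYPTION_REQUIRED:
        for store in ds.copies():
            if not store.encrypted_at_rest:
                issues.append(f"{ds.name}: unencrypted copy in {store.location}")
    return issues


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Dataset(
        name="patient_records",
        data_class="healthcare",
        customer_country="US",
        primary=DataStore("US", "FR", True),          # U.S. site, French operator
        backups=[DataStore("IE", "IE", True)],        # backup replicated to Ireland
        access_countries={"US", "IN"},                # offshore support team
    ),
    Dataset(
        name="marketing_site",
        data_class="public",
        customer_country="US",
        primary=DataStore("DE", "DE", False),
    ),
]


def review(inventory: list[Dataset]) -> dict[str, dict]:
    """Governance summary per dataset: applicable regimes and open issues."""
    return {ds.name: {"jurisdictions": sorted(jurisdictions(ds)),
                      "findings": findings(ds)} for ds in inventory}


if __name__ == "__main__":
    for name, result in review(SAMPLE_INVENTORY).items():
        print(name, result["jurisdictions"])
        for issue in result["findings"]:
            print("  -", issue)
```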
A jurisdiction is an area or a region covered by an official power. However, jurisdictions are often very fluid, based on reciprocity agreements between different jurisdictions. For example, the United States has entered into mutual legal assistance treaties with many countries whereby information is readily shared between the different jurisdictions. Therefore, organizations may not simply need to understand the laws and regulations that are applicable in a single country or regulating body. Because many countries—such as France, Germany, Japan, and Australia—have begun addressing questions of data residency and data sovereignty, security professionals must document the jurisdictions that may affect the organizational data.
Security policies are not created in a vacuum. Balancing security, performance, and usability is difficult enough, without the influence of competing constituencies. Both internal and external forces must be considered and in some way reconciled. The following sections discuss the types of influences and the effects they can have on the creation and implementation of security policies.
Enterprises should always be looking at what competitors are doing when it comes to security. While each company’s security needs may be unique, one concern all companies share is protecting their reputations.
Almost every day we see news stories of companies having their digital reputations tarnished by security breaches. It has almost become another business differentiator to tout the security of a company’s network. While it certainly is a worthy goal to increase the security of the network, security professionals should ensure that unnecessary measures are not taken just as “monkey see, monkey do” measures. In almost all cases, inappropriate security measures impair either the performance of the network or the usability of the network for the users. So while organizations should work to increase their security to be better than that of their competitors, security professionals should thoroughly research any new controls they want to implement to ensure that the advantages outweigh the disadvantages.
Accountability is impossible without a record of activities and review of those activities. The level and amount of auditing should reflect the security policy of the company. Audits can either be self-audits or performed by a third party. Self-audits always introduce the danger of subjectivity to the process. Regardless of the manner in which audits or tests are performed, the results are useless unless they are incorporated into an update of the current policies and procedures. Most organizations implement internal audits periodically throughout the year and external audits annually.
The International Organization for Standardization (ISO), often incorrectly referred to as the International Standards Organization, joined with the International Electrotechnical Commission (IEC) to standardize the British Standard 7799 (BS7799) into a new global standard, now referred to as the ISO/IEC 27000 series. The ISO is covered in more detail in Chapter 8, “Software Vulnerability Security Controls.”
Many organizations operate in a regulated environment. Banking and healthcare are just two examples. Regulations introduce another influence on security. In many industries, a third party ensures that an organization complies with industry or government standards and regulations. This third party performs an analysis of organizational operations and any other areas dictated by the certifying or regulating organization. The third party reports all results of its findings to the certifying or regulating organization. The contract with the third party should stipulate that any findings or results should be communicated only with the organization that is being analyzed and with the regulating organization.
A member of upper management should manage this process so that the third party is given access as needed. As part of this analysis, the third party may need to perform an onsite assessment, a document exchange, or a process/policy review.
An onsite assessment involves a team from the third party. This team needs access to all aspects of the organization under regulation. This assessment might include observing employees performing their day-to-day duties, reviewing records, reviewing documentation, and other tasks. Management should designate a member of management to whom the team can make formal requests, to ensure secure control of the process. This testing may include both vulnerability and penetration testing, performed by a team that includes both employees and contracted third parties.
A document exchange/review involves transmitting a set of documents to the third party. The process used for the document exchange must be secure on both ends of the exchange. This is accomplished by using a level of encryption that reflects the sensitivity of the data involved or, in some cases, the level required by regulation or accepted industry standards.
A process/policy review focuses on a single process or policy within the organization and ensures that the process or policy follows regulations. The review is meant to uncover any deficiencies that should be addressed. This should be an ongoing process, and its frequency may be determined by industry standards or regulation. At a minimum, such a review should be done every six months.
Another factor that can play a role in determining the methods of security to be deployed is the security relationship that must be created with both internal and external customers. When we speak of customers here, we are talking about users who must interact with the network in some way.
When internal customers (those that operate within the LAN) and external customers (those that operate outside the LAN) must interact with the network (for example, uploading data, making a VPN connection, downloading data), the sensitivity of the operations they are performing and of the data they are handling determine which security measures should be deployed.
It is a well-known fact that security measures affect both network performance and ease of use for the users. With that in mind, the identification of situations where certain security measures (such as encryption) are required and where they are not required is important. Eliminating unnecessary measures can both enhance network performance and reduce complexity for users. For example, while implementing access control lists (ACLs) on a router can enhance security, keep in mind that ACL processing uses router CPU cycles and detracts from the router’s ability to do its main job, which is to route. An overdependence on such security when it is not warranted will unnecessarily slow the performance of the network.
While in most cases top management brings the least security knowledge to the discussion, these managers hold a disproportionate amount of influence on the decisions made concerning security. Their decisions are driven by business needs rather than by fascination with the latest security toys or by their concerns with security. In fact, most top-level managers think about security only when emergencies occur.
While the job of top management is to divide the budgetary pie in the way that is most beneficial to the bottom line, it is the job of an IT security professional to make the case for security measures that bring value to the company. This means demonstrating that the money that can be saved from preventing data breaches and losses exceeds the money spent on a particular security measure.
The chosen measures must be presented and analyzed using accepted risk management processes. Risk management is discussed in detail in Chapter 3.
At one time, security professionals approached security by hardening the edges of—or the entrances to and exits from—the network. New methods of working have changed where the edges of a network are. In addition, the interiors of most enterprise networks are now divided into smaller segments, with controls placed between the segments.
The introduction of wireless networks, portable network devices, virtualization, and cloud service providers has rendered the network boundary and attack surface increasingly porous. The evolution of the security architecture has led to increased security capabilities, the same amount of security risks, and a higher total cost of ownership (TCO) but a smaller corporate data center, on average. In summary, the game has changed because of the impact of de-perimeterization (that is, constantly changing network boundaries). The following sections cover some of the developments that are changing the security world.
For a variety of reasons, telecommuting is on the rise. It saves money spent on gas, it saves time spent commuting, and it is beneficial to the environment in that it reduces the amount of hydrocarbons released into the atmosphere.
Despite all its advantages, telecommuting was not widely embraced until the technology to securely support it was developed. Telecommuters can now be supported with secure VPN connections that allow them to access resources and work as if sitting in the office (except for the doughnuts).
Telecommuting has multiple effects on security. For example, technologies such as network access control (NAC) may be necessary to ensure that computers that are not under the direct control of the IT department can be scanned and, if required, remediated before they are allowed access to the LAN, which prevents the introduction of malware.
Cloud solutions, discussed in Chapter 13, can move the perimeter of the network, depending on how they are implemented. While a private cloud may have no effect on the perimeter of the network, hybrid, community, and public clouds expand the perimeter. This increases the challenges involved in securing the perimeter.
The threats presented by the introduction of mobile devices (such as smartphones, tablets, and USB flash drives) to an organization’s network include:
Insecure web browsing
Insecure Wi-Fi connectivity
Lost or stolen devices holding company data
Corrupt application downloads and installations
Missing security patches
Constant upgrading of personal devices
Use of location services
Insecure data storage
While the most common types of corporate information stored on mobile devices are corporate emails and company contact information, it is alarming to note that almost half of these devices also contain customer data, network login credentials, and corporate data accessed through business applications.
The increasing use of mobile devices, combined with the fact that many of these devices connect using public networks with little or no security, presents security professionals with unique challenges. Educating users on the risks related to mobile devices and ensuring that they implement appropriate security measures can help protect against threats involved with these devices. Some of the guidelines that should be provided to mobile device users include implementing a device-locking PIN, using device encryption, enabling GPS location, and enabling remote wiping. Also, users should be cautioned against downloading apps without ensuring that they are coming from a reputable source. In recent years, mobile device management (MDM) and mobile application management (MAM) systems have become popular in enterprises. They are implemented to ensure that an organization can control mobile device settings, applications, and other parameters when those devices are attached to the enterprise.
The pressure from users to use their personal computing devices—such as smartphones, tablets, and laptops—in the work environment is reminiscent of the pressures to use wireless networks in the enterprise. Although the entire idea gives security professionals nightmares, the “bring your own device” (BYOD) genie is out of the bottle now.
The effect this has on security is similar to that of telecommuting in that technologies such as network access control may be necessary to ensure that personal devices that are not under the direct control of the IT department can be scanned and, if required, remediated before they are allowed access to the LAN, which prevents the introduction of malware.
It should be pointed out that government regulations that apply to medical, banking, and other types of PII apply to the data and not to specific devices. This means that the responsibility to protect that data still applies to data that resides on personal devices that have been brought into the network under a BYOD initiative. Also keep in mind that while standard company images and restrictions on software installation may provide some data protection, they do not address all dangers (for example, an employee using a corporate FTP application to transfer customer lists and other proprietary files to an external computer and selling them to a competitor).
In some cases, BYOD initiatives fail because they are not restrictive enough. Some organizations have had to revisit and update their policies to disallow non-company endpoint devices on the corporate network. It may also be beneficial to develop security-focused standard operating environments (SOEs) for all required operating systems and ensure that the needs of each business unit are met.
As a security professional, when supporting a BYOD initiative, you should take into consideration that you probably have more to fear from the carelessness of users than you do from hackers. Not only are users less than diligent in maintaining security updates and patches on devices, users buy new devices as often as they change clothes. These factors make it difficult to maintain control over the security of the networks in which these devices are allowed to operate.
Centralized mobile device management tools are becoming the fastest-growing solution for both organization-issued and personal devices. Some solutions leverage the messaging server’s management capabilities, and others are third-party tools that can manage multiple brands of devices. Systems Manager by Cisco is one example that integrates with the Cisco Meraki cloud services. An example for iOS devices is Apple Configurator. One of the challenges with implementing such a system is that not all personal devices may support native encryption and/or the management process.
Typically, centralized mobile device management tools handle company-issued and personal mobile devices differently. For organization-issued devices, a client application typically manages the configuration and security of the entire device. If the device is a personal device allowed through a BYOD initiative, the application typically manages the configuration and security of itself and its data only. The application and its data are sandboxed from the other applications and data. The result is that the organization’s data is protected if the device is stolen, while the privacy of the user’s data is also preserved.
Regardless of whether a centralized mobile device management tool is in use, a BYOD policy should add the following to the security policy of the organization:
Identify the allowed uses of personal devices on the corporate network.
Create a list of allowed applications on the devices and design a method of preventing the installation of applications not on the list (for example, software restriction policies).
Ensure that high levels of management are on board and supportive.
Train users in the new policies.
In the process of deploying and supporting a mobile solution, follow these guidelines:
Ensure that the selected solution supports applying security controls remotely.
Ensure that the selected vendor has a good track record of publicizing and correcting security flaws.
Make the deployment of an MDM tool a top priority.
In the absence of an MDM system, design a process to ensure that all devices are kept up-to-date on security patches.
Update the policy as technology and behaviors change.
Require all employees to agree to allow remote wiping of any stolen or lost devices.
Strictly forbid rooted (Android) or jailbroken (iOS) devices from accessing the network.
If possible, choose a product that supports:
Encrypting the solid-state drive (SSD) and nonvolatile RAM
Requiring a PIN to access the device
Locking the device when a specific number of incorrect PINs are attempted
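The NAC posture check described in the telecommuting and BYOD sections and the device requirements listed above can be expressed as one policy evaluation. The following is an added example, not code from the book or from any MDM product: the device attributes, the 30-day patch window, the 10-attempt lockout ceiling, the allow/quarantine/deny verdicts, and the sample fleet are all assumptions made for the illustration. A rooted or jailbroken device is denied outright (the policy forbids it), while fixable gaps such as stale patches or a missing PIN send the device to quarantine for remediation.

```python
"""Posture check for devices requesting LAN access under a BYOD/MDM policy.

Added illustration; device attributes, thresholds and verdicts are assumptions
made for the example and do not describe any particular product's API.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Policy knobs (assumed values chosen for the example).
MAX_PATCH_AGE_DAYS = 30   # patches older than this -> remediate before LAN access
MAX_PIN_ATTEMPTS = 10     # device must lock after at most this many wrong PINs


@dataclass
class DevicePosture:
    """Attributes an MDM/NAC agent would report for one device (constructed)."""
    device_id: str
    ownership: str                       # "corporate" or "personal"
    rooted_or_jailbroken: bool
    storage_encrypted: bool
    pin_required: bool
    pin_lockout_attempts: Optional[int]  # None = no lockout configured
    remote_wipe_enrolled: bool
    last_patch_date: date


@dataclass
class PostureDecision:
    device_id: str
    verdict: str                         # "allow", "quarantine" or "deny"
    findings: List[str] = field(default_factory=list)


def evaluate_posture(dev: DevicePosture, today: date) -> PostureDecision:
    """Apply the BYOD guidelines to one device.

    deny       -> rooted/jailbroken: strictly forbidden, no remediation offered
    quarantine -> fixable gaps (patches, PIN, lockout, encryption, wipe enrollment)
    allow      -> every check passed
    """
    if dev.rooted_or_jailbroken:
        return PostureDecision(dev.device_id, "deny", ["rooted or jailbroken device"])

    findings: List[str] = []
    if not dev.storage_encrypted:
        findings.append("device storage not encrypted")
    if not dev.pin_required:
        findings.append("no PIN required to unlock")
    if dev.pin_lockout_attempts is None or dev.pin_lockout_attempts > MAX_PIN_ATTEMPTS:
        findings.append(f"no lockout after {MAX_PIN_ATTEMPTS} incorrect PINs")
    if not dev.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe")
    patch_age = (today - dev.last_patch_date).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patches {patch_age} days old")

    verdict = "allow" if not findings else "quarantine"
    return PostureDecision(dev.device_id, verdict, findings)


def triage_fleet(devices: List[DevicePosture], today: date) -> Dict[str, List[str]]:
    """Evaluate a batch of devices and group device ids by verdict."""
    groups: Dict[str, List[str]] = {"allow": [], "quarantine": [], "deny": []}
    for dev in devices:
        decision = evaluate_posture(dev, today)
        groups[decision.verdict].append(decision.device_id)
    return groups


# Constructed sample fleet, evaluated as of a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_FLEET = [
    DevicePosture("corp-laptop-01", "corporate", False, True, True, 5, True, date(2024, 5, 20)),
    DevicePosture("byod-phone-07", "personal", False, True, True, None, False, date(2024, 2, 1)),
    DevicePosture("byod-tablet-03", "personal", True, True, True, 10, True, date(2024, 5, 30)),
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        d = evaluate_posture(dev, TODAY)
        print(d.device_id, d.verdict, d.findings)
```

The findings list is what a NAC remediation portal or MDM console would show the user; keeping the verdict separate from the findings lets the same evaluation drive both the access decision and the user-facing remediation instructions.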
Outsourcing is covered earlier in this chapter. When data is exchanged with a third party, the connection between the companies becomes a part of the perimeter. Security of the connection is therefore critical. Outsourcing increases the importance of measures such as ISAs and contract language that specifically details required security implementations.
Finally, processes being outsourced to a third party, and the third party handling sensitive information or personal information protected by a regulatory agency, most assuredly affect security.
Third-party outsourcing is a liability that many organizations do not consider as part of their risk assessments. Any outsourcing agreement must ensure that the information that is entrusted to the other organization is protected by the proper security measures to fulfill all the regulatory and legal requirements. Risk mitigation processes, including liabilities created by third-party relationships, are covered in Chapter 3.
Downstream liability refers to liability that an organization accrues due to partnerships with other organizations and customers. For example, consider whether a contracted third party has the appropriate procedures in place to ensure that an organization’s firewall has the security updates it needs. If hackers later break into the network through a security hole and steal data and identities, the customers can then sue the organization (not necessarily the third party) for negligence. This is an example of a downstream liability. Liability issues that an organization must consider include third-party outsourcing and contracts and procurements.
Due diligence and due care are two related terms that deal with liability. Due diligence means that an organization understands the security risks it faces and has taken reasonable measures to meet those risks. Due care means that an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur. Due care and due diligence often go hand-in-hand but must be understood separately before they can be considered together.
Due diligence is all about gathering information. Organizations must institute the appropriate procedures to determine any risks to organizational assets. Due diligence provides the information necessary to ensure that the organization practices due care. Without adequate due diligence, due care cannot occur.
Due care is all about action. Organizations must institute the appropriate protections and procedures for all organizational assets, especially intellectual property. With due care, failure to meet minimum standards and practices is considered negligent. If an organization does not take actions that a prudent person would have taken under similar circumstances, the organization is negligent.
As you can see, due diligence and due care have a dependent relationship. When due diligence is performed, organizations recognize areas of risk. Examples include an organization determining that regular personnel do not understand basic security issues, that printed documentation is not being discarded appropriately, and that employees are accessing files to which they should not have access. When due care occurs, organizations take the areas of identified risk and implement plans to protect against the risks. For the due diligence examples just listed, due care would include providing personnel security awareness training, putting procedures into place for proper destruction of printed documentation, and implementing appropriate access controls for all files.
It is important when dealing with third parties that you ensure that a third party provides a level of security that the data involved warrants. There are a number of ways to facilitate this:
Include contract clauses that detail exactly the security measures that are expected of the third party.
Periodically audit and test the security provided to ensure compliance.
Consider executing an ISA, which may actually be required in some areas (for example, healthcare).
In summary, while engaging third parties can help meet time-to-market demands, a third party should be contractually obliged to perform adequate security activities, and evidence of those activities should be confirmed by the company prior to the launch of any products or services that are a result of third-party engagement. The agreement should also include the right of the company to audit the third party at any time.
As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here and the practice exams in the Pearson IT Certification test engine.
Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 1-1 lists these key topics and the page number on which each is found.
Key Topic Element
Responsibilities of the due diligence team
Third-party liability concepts
Define the following key terms from this chapter and check your answers in the glossary:
1. Your organization has been working to formally document all of its third-party agreements. Management contacts you, requesting that you provide access to a document that spells out exactly the security measures that should be taken with respect to the handling of data exchanged between your organization and a third party. Which of the following documents should you provide?
2. Which of the following cloud approaches offers the maximum control over company data?
3. Which cloud solution can reduce costs to the participating organizations?
4. Your company is merging with a larger organization. Which of the following is not a responsibility of the due diligence team?
Create a risk profile for all identified risks involved in moving data.
Ensure that auditors and the compliance team are using different frameworks.
Define a plan to set and measure security controls at every step of the process.
Prioritize processes and identify those that require immediate attention.
5. Which of the following outline goals but do not give any specific ways to accomplish the stated goals?
6. Which of the following refers to responsibilities that an organization has due to partnerships with other organizations and customers?
7. Which of the following tenets has been satisfied when an organization takes all the actions it can reasonably take to prevent security issues or to mitigate damage if security breaches occur?
8. Which of the following is most likely to be affected by the Sarbanes-Oxley (SOX) Act?
publicly traded corporation
federal contracting company
9. Which of the following is not an example of de-perimeterization?
10. Generally speaking, an increase in security measures in a network is accompanied by what?
an increase in performance
an increased ease of use
a decrease in performance
a decrease in security