CHAPTER 6: JANUARY: A BATTLE WON

Baking security in

So why do you need to keep on explaining what your ICT colleagues ought to be doing to support what should actually be BAU functions? It is a long battle of constantly having to explain to internal ICT management what ICT colleagues should be doing normally, never mind adding any other extra duties for an initial period whilst you go through a transition to a new infrastructure or new platform.

Any large infrastructure-based project can have the unsettling ability to highlight a level of work not being done that should have been being done as part of BAU. Therefore, the difficulty is that somehow this work needs to be done post-haste – both to catch up for the time for which it has not been done, and also to attempt to provide you with some relatively up-to-date data with which to work, in order to move forward in a sensible manner.

Once a project receives its initial injection of support from management and team delivery of tasks to reach the first milestone, there is usually an immediate claw-back to the day job, and you find your resources are significantly depleted and you are once again starting from ground zero. It’s a hamster wheel of jostling for position, which should really be seen for the folly that it is, given that the work should already be being done as part of BAU and as part of best practice in information security management, were it to be baked into the organisation properly, in a meaningful way.

Desktop refresh versus consumerisation

When doing a desktop refresh, there will always be issues of prioritisation, pecking order and contingency requirements to be juggled. There is no doubt that the increasing march of consumerisation (bring your own device) is changing the landscape of any ICT department-based strategy for infrastructure refresh. But given the age, budget and maintenance cost of some existing organisational portfolios, there are likely to be those still with this pain to go through.

Considerations must include the age of the desktops (machines, PCs, call them what you will); those with a certain type of monitor (and costing the replacement monitors into your plans is an important element of the overall cost of the budget portion); knowing which ones need CD/DVD writing facilities; knowing which ones may be for front-line services and which ones for back office; which ones require payment functionality and which ones will be in shared areas. Who needs SD cards? There are those for whom photography is an important part of their job function and, therefore, this may be a requirement.

Will switch and router cabinets require replacing, too? If so, in what order do things need to be planned out? There is a contingent disruption factor to users when this kind of infrastructure upgrade work is going on, which requires appropriate communication planning in advance, so that preparations can be made. With the volume of laptops available to users, homeworking arrangements can be put in place to help alleviate any perceived downtime or lack of connectivity to expected corporate systems.

Incident reporting

By now, more and more people should be aware of what you are doing in your organisation. Therefore, you actually start to hear more and more war stories, skeletons appear from closets, and long-standing gripes and issues start to get aired. Whilst you may be being used as the whipping person for things that may never be resolved, you need to allow an open-door policy to exist wherever possible, as within the silt may be some gold.

To make it more official, I put in an enhanced incident reporting process in order to ensure that people knew they had a ‘right of say’ (which psychologically can be more important an imperative than a ‘mandate to say’) and, thus, a gem appeared. This was to be handled through the ICT help desk for visibility. An individual ‘raised a ticket’ to say that they were told that they were not allowed to buy more encrypted memory sticks. As a result of this purchasing clampdown, the users were utilising their own USB sticks at home – by implication, unencrypted and probably not anti-virus protected either.

The reality was that this was a misrepresentation of a larger project-wide situation, but helped, through raising it as a ‘ticket’ incident, to flush out, by way of evidence, the need to increase appropriate organisation-wide communication and to progress the intended project much faster to incorporate a wider number of users, to ensure a greater level of protection of information assets. The particular information being put on the ‘home owner’ USB sticks would, in most circumstances, be classified as ‘sensitive personal data’ and would be labelled (protectively marked) as ‘restricted’ at minimum.

Either way, you need your users to be able to report incidents, and you need there to be a record of these to collect data that can be analysed and reported to management in a meaningful way. This will all help to build up your metrics and measurement of the effectiveness of the information security management framework that you have been seeking to implement across the organisation. Incidents that occur should be categorised and reported to senior and executive management in a way that is palatable and comprehensible for them. Some people prefer numbers (rising or falling statistics); others prefer pictures (pie graphs, bar charts, etc.). You need to understand what works best for your organisation and be able to create some kind of compliance dashboard that provides a ‘confidence count’ for security – i.e. is the organisation, as a result of the improvement measures you are putting in place, getting more or less secure? Is it explainable, translatable, measurable and tangible?

Information security is a very subjective delivery mechanism for your organisation and continues to require visible representation to explain the benefits. People tend to notice when it’s not there. This is most notable when data breaches and information losses are being experienced, particularly if the incidents arising are making it into the media (national press or otherwise). When it is working, when information security has become embedded, i.e. baked into the DNA of your organisation, it is likely that people won’t really notice, day to day, as it should not be getting in their way.

Data-sharing protocols

The industry, on whose periphery we operate, loves its acronyms and its reused phraseology. So, when a colleague comes and asks you what it means to be a ‘trusted source’, you need to be able to construct an answer! Context is, of course, very important. But how is this identified and what makes someone ‘trusted’?

The difficulty is that the context is related to trying to deliver on the promise of information sharing. It seems that each agency within the public sector is making up its own language, just as each industry in the private sector does, too. You need to watch out for this, as your role as ISM is often one of translator. Wherever possible, you need to develop relationships across the various agencies that your organisation has connections with, in order to learn their language twists and be able to translate for your own colleagues. You cannot operate in isolation and, somehow, you need to try to be one step ahead. Then there are all the conflicting initiatives that are the harbingers of change attempts. Again, you need to keep abreast of these as every politically related change has an impact on an information system that will, in all likelihood, be used to produce statistics or manage a requirement, and your organisation will need to secure the data therein and the people managing it. There are usually far wider implications from small changes than were originally considered.

But back to the ‘trusted source’. It was a crossed-wires scenario where one agency was claiming that it wouldn’t trust our connectivity unless we proved certain things. Yet both agencies were in the same sector and should have been adhering to the same policies, procedures, guidance, network connectivity, connection protocols, legislation, regulations and standards. It was a clear example of the need for data-sharing protocols to be in place – and for them to be meaningful, in terms of having the right breadth of security controls in place to support the clauses contained therein. As an ISM, you end up needing to know about contracts and agreements. This involves having to understand legalese. It hurts, but it’s worth it! Data protection clauses – think of these as information asset protection clauses – need to be better referenced in contracts from the outset – either directly or as an annex in the form of a security schedule.

You need to be able to provide a sensible response to providers when their sales teams are determined to sell you the world, when the reality may fall short. In particular, with the Cloud and virtualisation intentions moving forward apace, it really is important to know where (in the world) your information is, who is going to look after it, for how long, how you will be able to get it back and how long that would take. You can’t be afraid to challenge the legal jargon and ask for what the actual facts might turn out to be, because, in breach mode, it might just be too late to find things out. Time will always be of the essence. There are times when you have to be explicit about data disclosure, data sharing, data retention and data destruction, obviously, throughout the life cycle of the data.

Over and above that, you need to have a register of protocols, so that you have visibility of who signed them on behalf of which organisations, and when they are due to be renewed. This is ultimately part of your mitigation strategy for risk reduction. The reality may be that the only time you need to know this information is if something goes wrong, but the same can be said of your car and house insurance policy details. Regulatory bodies expect an organisation to have control and visibility over its information assets and know who has access to them, where they are being transmitted to, who they are being shared with, how long they are being kept for, under what conditions, in what circumstances and on what media – USB drives, CDs, DVDs, laptops, etc. Hence the need for the early establishment of the inventory as highlighted in Chapter 1.

There are constant perceptions of differences in security requirements across industry sectors, agencies, government and the national, private and public sectors. The perspective of the ISM should really be that whatever is at the heart of the requirement, there is a need to protect information assets and the task is to find the best way to do so that suits all. You often need to cut through all the rhetoric and polysyllables, as the solutions are invariably tried and tested – and simple – and this can be hard for people to take, as they don’t believe anything can be easy anymore! But it’s too easy to make things seem complicated and that isn’t what you want to be known for. You want to be seen as the ‘department of yes’, not the ‘department of no’! You want to be seen as a solution provider.

Linking InfoSec with records management

Once you have fully grasped your role as a provider of protection for information assets and solution creator for future projects and programmes across the organisation, your custodian-style role needs to extend across the life cycle of the information assets for which you are seeking to provide the protection. If you are lucky, as previously mentioned, there will already be a records manager employed by your organisation. You should seek to work closely with them to ensure that your protection mechanisms are in keeping with legislative retention requirements, amongst other maintenance elements of records’ life cycle.

Certainly with the Cloud technology take-up that is continuing apace, there are some interesting access and storage discussions required moving forward. The organisation needs to establish whether it is necessary to have all of the data available, all of the time and, if not, how best to store it in a secure way that is suitable for the likely classification of the information itself. Of course, there’s the rub. If you haven’t identified the information assets and applied the classification in a way that labels your information sufficiently to be identified and distinguished, then it will be difficult to know how to make distinctions between the different types of information and how best to look after it.

One aspect of this is working with various project teams in order to ensure that considerations surrounding the life cycle of the information are built into the procurement process for all systems. So often, archive facilities are not considered as part of the initial requirements for intended new systems, and yet there should be some understanding that data cannot be kept forever, legally, and, therefore, it has to be managed through stages. There must be some kind of transition plan for it – from day-to-day usage, to short-term archive and then to longer-term retention.

Also, depending on the nature of the data, the security requirements need to be dictated in order to ensure the long-term safety, as well as security, of the data. There will also need to be authentication arranged for the requirement to reinstate data or to access it outside its retention periods.

Penetration testing results

As we saw in Chapter 3, vulnerability management is a key task that an ISM needs to manage and monitor. Part of achieving this is done through arranging for penetration tests to take place on all systems and using the reported findings to manage the resultant mitigation activities.

The following are the most consistent findings from penetration testing reports:

  • No one appears to be in charge of network security as a whole. This can be a result of the fracturing of responsibilities, often due to workforce reduction, which a lot of organisations have experienced in the last five to 10 years, and it is also symptomatic of a focus on the functionality of systems, rather than the security of them. This is manifested in no one appearing to take responsibility for the life-cycle maintenance and day-to-day management and upkeep of systems at a network level – through not applying updates, patches, etc. – causing real risk to systems and, ultimately, to data. Nor does anyone appear to know about the top 10 or top 20 vulnerabilities for systems that have already been identified industry-wide, to apply the required solutions, or to design systems from the ground up so that their future does not contain these weaknesses.

Some of the key issues that result out of the above lack of ownership are as follows:

  • Blank passwords still being used on the installation of new equipment – this is a classic, and something we all know to deal with and change, but time appears to get in the way and everyone moves on to something else and forgets to go back and make the obvious changes.
  • SQL database with default and blank passwords – similar to the above issue, but at least it again served to highlight the scale of the issue for management and confirm that there were system management issues at a number of layers of the ‘stack’ that needed to be addressed.
  • Passwords easily cracked – this can be a most fascinating revelation. Of course, in my case, it was the one that caught the eye of senior management the most, particularly given the password change project we had been through as an organisation. It required careful management and communication, given that the immediate assumption could have been a failure of the password change roll-out. What it highlighted, in fact, was the need to keep communicating to users the need to create relatively complex, but memorable, passwords – an almost impossible task that was made even more difficult as a result of the layers of corporate systems that still needed to be brought up to the same level of security. Ultimately, there were too many passwords for the user to manage, and highlighting this as a result of having been able to ‘crack’ too many, meant that more effort could be afforded to seeking solutions.
  • Patch management appears to not be being managed in a timely fashion and, thus, exposes the architecture and infrastructure to vulnerabilities.
  • Excessive number of administrator accounts found – and at the time, this was a disappointing finding, given the work that had been ongoing with the password change project. However, it served as a useful highlight for why the significant number of exceptions to the new password policy regime needed to be addressed, rather than left to languish, buried and ignored under the volume of other tasks that needed to be tackled, day to day, on the security front.

Penetration testing and vulnerability assessments provide valuable insights into the state of the security implementation of an organisation. These are often confused. A vulnerability assessment should be considered to be linked to risk assessment. Systems (assets, resources) are identified and a value (importance) is assigned to them. Then, the potential threats to each asset are identified. The expectation is obviously that mitigation steps are put in place as a result of presenting the findings – at least for the most valuable resources and most serious vulnerabilities. A penetration test proves the vulnerabilities that are found (it is effectively a ‘proof of concept’ of them), providing an impact analysis of the flaws on the underlying network, operating system, database, etc.

None of the above findings are uncommon, but nor do they display any level of good security practice being in place.
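The distinction drawn above – assets valued in a risk assessment, findings prioritised against that value, a penetration test ‘proving’ some of them – can be turned into a small, repeatable calculation that also yields the kind of ‘confidence count’ mentioned under incident reporting. The following Python script is an added illustration, not from the book or from any particular tool; the asset names, importance values and findings are constructed sample data that mirror the recurring findings listed above.

```python
"""Prioritise vulnerability-assessment and penetration-test findings by asset value.

Added illustration, not from the book. Each asset carries an importance value
assigned during risk assessment; each finding carries a severity and a 'proven'
flag (a penetration test demonstrated the weakness rather than merely reporting
it). Asset value x severity orders the remediation backlog, and a single
'confidence count' summarises progress for a management dashboard. Every asset
name, value and finding below is constructed sample data.
"""
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Asset:
    name: str
    importance: int  # 1 (minor) to 5 (business-critical), set in the risk assessment


@dataclass
class Finding:
    asset: str
    title: str
    severity: str
    proven: bool = False      # True when the pen test demonstrated exploitability
    remediated: bool = False  # True once the mitigation has been applied and verified


def risk_score(asset: Asset, finding: Finding) -> int:
    """Asset importance x severity, doubled when the flaw was proven by a pen test."""
    base = asset.importance * SEVERITY[finding.severity]
    return base * 2 if finding.proven else base


def prioritise(assets, findings):
    """Open findings, highest risk score first: the order in which to tackle remediation."""
    by_name = {a.name: a for a in assets}
    open_items = [f for f in findings if not f.remediated]
    return sorted(open_items, key=lambda f: risk_score(by_name[f.asset], f), reverse=True)


def open_by_severity(findings):
    """Counts of open findings per severity level, for those who prefer numbers."""
    counts = {level: 0 for level in SEVERITY}
    for f in findings:
        if not f.remediated:
            counts[f.severity] += 1
    return counts


def confidence_count(assets, findings):
    """Percentage (0-100) of total risk weight that has been remediated."""
    by_name = {a.name: a for a in assets}
    total = sum(risk_score(by_name[f.asset], f) for f in findings)
    if total == 0:
        return 100
    closed = sum(risk_score(by_name[f.asset], f) for f in findings if f.remediated)
    return round(100 * closed / total)


# Constructed sample data mirroring the recurring findings discussed in the text.
SAMPLE_ASSETS = [
    Asset("core-switch", 5),
    Asset("hr-database", 5),
    Asset("domain", 4),
    Asset("file-server", 3),
]

SAMPLE_FINDINGS = [
    Finding("core-switch", "Blank password on newly installed switch", "high", proven=True),
    Finding("hr-database", "Default/blank SQL administrator password", "critical", proven=True),
    Finding("domain", "User passwords easily cracked", "high", proven=True),
    Finding("file-server", "Missing security patches", "medium"),
    Finding("domain", "Excessive number of administrator accounts", "medium", remediated=True),
]

if __name__ == "__main__":
    by_name = {a.name: a for a in SAMPLE_ASSETS}
    for f in prioritise(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{risk_score(by_name[f.asset], f):>3}  {f.asset:<12} {f.title}")
    print("open by severity:", open_by_severity(SAMPLE_FINDINGS))
    print("confidence count:", confidence_count(SAMPLE_ASSETS, SAMPLE_FINDINGS), "%")
```

Run month on month with the same asset values, the confidence count gives the rising-or-falling statistic management asks for, while the per-severity counts feed the pie or bar chart for those who prefer pictures; the weighting for ‘proven’ findings is an assumption of this example, chosen to reflect that a demonstrated flaw deserves to sit higher in the backlog than one merely assessed as present.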

It is expected that these tests will be carried out at regular intervals throughout the year. Doing so can involve some trepidation, but remember our mantra – there’s no such thing as 100% security and you will never be 100% risk free, so never expect a clean bill of health. Always use these opportunities for learning and set expectations accordingly. Then plan in the remediation work alongside the, no doubt, already intended network (and otherwise) improvements.

Here is a small further note on this, to reflect that it will come up again and again. Depending on the system you are rolling out, or already have available to you through your IT provision, service packs versus critical patches – how do you make the decision as to the order in which these should be done and on what priority basis, when your landscape spans thousands of machines? There is a difference in how the network responds to the updates and how IT deals with machines that are struggling. Where possible, you want to have these updates running in the middle of the night – harder, obviously, if you are operating in an ‘always on’ environment. So, again it may be that you want to cluster your machines as per our physical layout example, and be able to deploy updates to specific sets on the basis of their priority and criticality to the organisation. Whichever way you choose to do it, be prepared to have to deal with fallout from even just one machine not working ‘the morning after’, as it can create a ripple effect, a chain reaction of bad press across a team that extends outwards, and that’s the last thing you want when you are on a programme of change – or at any time really.
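One way to make the clustering and prioritisation described above concrete is to plan the overnight update run as a sequence of waves: least critical cluster first (as a canary), most critical last, ‘always on’ systems held back for a separately agreed window, and a cap on how many machines change in one go so that ‘the morning after’ never involves the whole estate. The Python below is an added illustration, not from the book or from any deployment product; the host names, sites and criticality ratings are constructed sample data.

```python
"""Plan staged patch deployment waves for a large estate in an overnight window.

Added illustration, not from the book. Machines are grouped into clusters (a
building, or 'all of one make on one site', as the refresh team did) with a
criticality rating. The least critical clusters are patched first as a canary,
the most critical last, 'always-on' systems are deferred to a separately agreed
change window, and each wave is capped so a bad update cannot take down the whole
estate by morning. The next wave only proceeds once every machine in the previous
wave has reported back healthy. All host names, sites and ratings are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    cluster: str       # physical grouping, e.g. a site or building
    criticality: int   # 1 = low impact if down overnight, 5 = business-critical
    always_on: bool = False


def plan_waves(hosts, max_per_wave):
    """Return (waves, deferred): ordered waves of hosts, and hosts needing a separate window."""
    deferred = [h for h in hosts if h.always_on]
    clusters = defaultdict(list)
    for h in hosts:
        if not h.always_on:
            clusters[h.cluster].append(h)
    # Least critical cluster first: problems surface where downtime hurts least.
    ordered = sorted(clusters.items(),
                     key=lambda item: (max(h.criticality for h in item[1]), item[0]))
    waves = []
    for _, members in ordered:
        members = sorted(members, key=lambda h: h.name)
        for i in range(0, len(members), max_per_wave):
            waves.append(members[i:i + max_per_wave])  # never mix clusters in one wave
    return waves, deferred


def unhealthy_after(wave, reported_ok):
    """Hosts in a wave that have not reported back healthy; empty means the next wave may start."""
    return [h.name for h in wave if h.name not in reported_ok]


# Constructed sample estate.
SAMPLE_HOSTS = (
    [Host(f"pcA{i:02d}", "site-A", 2) for i in range(1, 6)]        # back office, 5 machines
    + [Host(f"pcB{i:02d}", "site-B", 4) for i in range(1, 4)]      # front-line services
    + [Host(f"pcC{i:02d}", "site-C", 1) for i in range(1, 3)]      # shared areas
    + [Host("srv01", "dc-core", 5, always_on=True),
       Host("srv02", "dc-core", 5, always_on=True)]
)

if __name__ == "__main__":
    waves, deferred = plan_waves(SAMPLE_HOSTS, max_per_wave=3)
    for n, wave in enumerate(waves, 1):
        print(f"wave {n} ({wave[0].cluster}): {[h.name for h in wave]}")
    print("deferred to a separate change window:", [h.name for h in deferred])
    # Simulate the morning-after check for wave 1: one machine has not reported in.
    print("not healthy after wave 1:", unhealthy_after(waves[0], {"pcC01"}))
```

The health check between waves is the point of the exercise: a single machine that fails to report back stops the run before the failure is repeated across a front-line site, which is exactly the ripple effect the paragraph above warns about.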

Back to physical security issues

I have often wondered at the separations and silos we have built up in our organisations and our industries, and what useful purpose they really serve, apart from maintaining empires and egos. For the sake of the organisation in the future, co-ordination and collaboration are usually required. One of these fractures is between emergency planning and the need to ensure that business continuity plans are in place. It’s hard enough sorting out DR plans, but these need to relate to systems and the business continuity plans need to relate to the business processes that utilise those systems. There is plenty of separate literature available on all this. The point of the introduction is to get back to emergency planning as an example of a misunderstanding of the similarities of activities and seeing risks differently. I visited an emergency planning room once and was surprised to see all of the emergency plans for each service area, with the folder titles visible (for ease of access). It was suggested, perhaps, that these could be moved into the new lockable cabinet that was available within the room, given that on a Thursday, Friday and Saturday night there were external third parties who occupied the room, carrying out night marshal activities, to whom these plans should not be so readily available. This had not occurred to the information custodians up to that point. Also, updates to the plans appeared to be difficult to manage, but they also contained a lot of personal data with home phone numbers and general contact details contained therein. So, the learning point of the visit of the ISM was that greater care needed to be afforded to this kind of material on a day-to-day basis.

Another finding was that there were two users who found it necessary, as a perceived result of previous poor corporate system performance and server storage space, to utilise 8 GB external USB sticks as their file storage system. These were stored securely on site at the end of every day. The USB sticks stored sickness records, timesheets, etc. containing personal data, all of which were stored manually as well. This highlighted a significant amount of duplication in terms of both electronic and manual data, creating storage challenges. The ISM was able to reassure the users that there had been significant improvements in the corporate network and infrastructure, and to suggest that they should review their processes, particularly given the availability of the secure storage area within the storage area network. Also, the users needed to consider that the information was not ‘theirs’ as such, but belonged to the organisation, and, therefore, the files needed to be more readily accessible by other colleagues across the organisation.

Beyond the emergency planning visit, there was a visit to the CCTV team, which was equally educational. In general, recordings were normally kept on tape for 31 days and then overwritten. However, CCTV evidence was burnt to CDs when requested and these were kept in A4 folders in sleeves on the shelves, openly accessible, rather than in lockable cabinets. There were two A4 folders a month of ongoing and transferred sheets collated. This seemed to be a significant undertaking, and whilst not directly referencing people, the CD contents presumably provided visual recognition of individuals. As this represented personal data, under the UK Data Protection Act it would be expected to be stored safely and securely at all times.

Maintaining situational awareness is a phrase I’ve been hearing often during the past few years. It means what you think it does – having eyes in the back of your head and being aware of your surroundings and the situations you find yourself in. With awareness, you then have to work with whatever resources you have to hand. In the case of this review, there was an extra storeroom, near a main entrance, that was literally piled high with tapes that were waiting to go to the police for appropriate shredding. The team had asked for this to be done, but it was a classic example of having asked for support, but getting nowhere, because the people being asked did not appreciate the nature of the material (its effective labelling and, therefore, the requirement to handle it in a certain way) nor the impact were the information to end up in the wrong hands; i.e. the request itself was not risk assessed so was sadly ignored. The ISM needed to step in and make something happen. These kinds of situations must not be left, but must be attended to, and this needed to be reflected back to the service desk, so that they learnt to appreciate the nature of the random requests they might receive and speed up their response mechanisms more appropriately.

Reduce, reuse, recycle

The programme of desktop refresh continued to rumble on as it spread more widely across the organisation. By now, there was a stockpile of returned machines that could potentially be reallocated and this required some careful consideration as to the needs of the users – as opposed to their wants and desires!

There was obviously going to be a large amount of equipment requiring destruction, having established those that were no longer of use. After all, you wouldn’t want your organisation ending up on a BBC documentary. Earlier project plans included building a relationship with a recycling provider that would certify the quantity of equipment that was taken away and ensure that it was appropriately destroyed or recycled, each and every time. The physical certificates for the quantities removed were maintained as records. This led to an interesting aside of statistics available to present to management, including the tonnage of equipment removed, the volume of that which it was possible to reuse, the volume recycled, any value brought back into the organisation, the number of machines replaced and the number of machines upgraded – all of which could be measured against the total estate to assess progress and provide useful feedback to the wider organisation.

For some machines, it was possible to provide the short-term fix of just updating or upgrading the memory chips, to at least extend their current life whilst other, more critical, machines were replaced. For others, their machines and connectivity were so old that they were connecting through dial-up modems. They still exist out there, believe it or not!

The project team working on the desktop refresh were trying to keep certain types of machine in single locations – i.e. all Dells in one, all HP in another, etc. – in order to ensure a level of ease of maintenance on sites. If an engineer turned up at one building, they would know what type of machine they would be facing throughout and the likely issues it would have, and would be able to resolve these faster than if there were a number of different machine types that would have complicated varieties of conflicts, system faults and failures. This, equally, made it easier to apply patches and updates across the network to blocks of machines at a time, rather than necessarily to the whole estate in one move. The more you can control the delivery of changes, the easier it is to manage any glitches that arise along the way.

On top of this, there is likely to be a quantity of old pieces of equipment out there, languishing in cupboards, storage areas and old filing cabinets across your geographical outreach, and you need to actively encourage people to hunt these out and feel that they can turn them in, with impunity – ensuring that they are appropriately disposed of or recirculated in line with your infrastructure strategy.

As a final note on this area, it is helpful to encourage people to bring in their old PCs from home, to be either refurbished or recycled in an appropriately secure and environmentally friendly way. At first reading, this sounds like an expensive (or mad!) undertaking, but it will pay dividends in the long run. You have to consider that it is likely that many of your users have actually used their own home machines to do your organisational work, reviewing reports, editing them, forwarding them on … There may be all sorts of information, sensitive, personal or otherwise, stored on that home PC, over many years of service. Taking control of the disposal of equipment is a risk reduction mechanism, appropriate in the current working environment where the Information Commissioner is expecting you to have both visibility and knowledge of the whereabouts of all of your organisational information assets, at all times throughout their life cycle.

Other security tasks for this month

Job descriptions

In Chapter 1, I mentioned that you needed to provide a framework to effectively manage employees before, during and after their time with your organisation. Part of this activity is ensuring that security roles and responsibilities are allocated and tasks are referenced on job descriptions. It is also worth considering implementing a personal information security plan to be linked with their annual personal development plans. This would be a plan of skills, training and development that they would commit to undertaking, to improve their understanding or their performance on behalf of the organisation, to ensure that they were doing all they could to protect the information assets in their care. It stems from getting the users – all users, from the CEO down – to understand that they are the ones creating the information assets that need to be managed, stored, transmitted, shared, and kept safe. ICT is only ever a custodian of the information – it is not the owner. So the user population needs to understand the importance of its role and, by ensuring it is tied to their annual performance and appraisal, this tends to focus the mind. It is even better if it can be linked to the actual financial element of it!

Users’ understanding

Remember that whilst we assume that our users must know a lot about technology these days, because it is all around us, what they in fact know is their consumer-related experience of it, rather than any level of ‘under-the-bonnet’, hands-on experience. So many users have been, over the years, sat in front of a computer and told to get on with it, with little or no training provided for them. They have had to muddle along and, if they have come unstuck, prevail upon their colleagues for assistance. But you can see the flaw in that kind of approach. If their colleagues have had the same training pattern – i.e. none! – they have a very loose grasp on the benefits of the systems they are sat in front of, and it can be surprising to learn what they genuinely don’t know. So, another string to the ISM bow is being able to provide that safe environment in which those attending, for example, an information security awareness briefing, know that they can share their concerns and their limitations in the hope that you can help to provide them with a route through to a solution.

There are lots of users that do not know what a .pst file is, nor how to look for it. (Just in case, it’s what Microsoft calls your post file for all your mail.) In many cases, they never even thought to ask. They only ever appreciate the significance of this information once they lose it – and are grateful for the learning, both at work and to help them in being better home users, too. So it is worth investing the time in explaining a bit more to them as time goes by.

People management

If you are on a long programme of change, you need to be able to continue to motivate your colleagues when they return from holiday or absence, so that they continue to do a job that, by now, may appear boring. For example, the tasks may be across a significant number of machines for upgrade, replacement, repair and restore; or a large server farm that needs a lot of tender loving care on the patching side, for example. There are a great many tedious tasks in the ‘engine room’, but that is very much what it is, the engine that keeps the rest of the organisation motoring. You need all your colleagues – both technical and otherwise – to appreciate these bare facts and step up their game accordingly.

Security awareness theme

This month’s information security theme could pick up on the fact that January is usually a time for New Year’s resolutions. For example, ‘So what’s yours …? Ours is to always update our anti-virus …’ or ‘New Year, new attitude … let’s lock down those devices!’ However trite these may seem, the user population will have some appreciation for the mix of irony and humour, and at least will see that there is a theme and a messaging effort going on.

Chapter summary

This chapter has really started to share the breadth of the scope of activities that can be expected of an ISM in any given month, not all of which are technologically based – nor should they be expected to be. The clue is in the title!

The next few chapters embed this broad-brush view of the ISM role with a myriad of tasks that all need to be undertaken in the shadow of understanding what it is that your organisation does in its totality, both purpose and intent, so that you can provide better advice for the safe and secure use of its information assets and resources.
