Contrary to popular belief, corporate sabotage is among the least likely causes of computer security breaches, according to an April 2002 survey by the Computer Security Institute. Its Computer Crime and Security Survey reports that sabotage accounted for just 8 percent of system attacks in 2002. Security breaches are more often due to errors by end users or administrators. These inadvertent gaffes are the main culprits in introducing viruses, enabling denial of service attacks, and opening entryways to supposedly secured data.
CIOs can reduce, and possibly eliminate, an organization’s risk from these errors by creating and implementing a comprehensive set of IT security policies aimed at user behavior. These policies, along with efforts to educate users about how to eliminate security weaknesses, can thwart future vulnerabilities and boost awareness about security issues throughout the enterprise.
What to cover within policies
Defining IT security policies and making them operational is no light task, according to TechRepublic members. A good security policy must address both end users and administrators. On the user side, policies should address how the staff is allowed to make use of computer equipment and applications, according to TechRepublic member William Graham, president of G&G Computing consultancy in Fort Campbell, KY. Graham recommends that end-user policies include the following:
- Data and application ownership: Help users understand what applications and data they can access and share with others.
- Hardware use: Reinforce the guidelines that are currently in effect across the enterprise pertaining to appropriate use of workstations, laptops, and handheld devices.
- Internet use: Define appropriate use of the Internet, user groups, instant messaging, and e-mail.
On the administrative side, end-user policies should be reinforced through the implementation of policy-based rules that cover the following:
- Account administration: Define acceptable password configurations and how administrators can shut down access to specific users when needed.
- Patch management: Define appropriate responses to news of patch releases, patch monitoring, and regular upkeep.
- Incident reporting practices: Not all emergencies are created equal, so the policies must include an escalation plan and define appropriate people to notify for each emergency level.
Once policies are in place, they must be continually updated and monitored to account for changes in network, OS, and software configurations, and the addition and subtraction of users.
Enforce the policy
As with any policy, a user security policy isn’t valuable unless it’s enforced. All too often, administrators implement policies and then walk away, says Roberto Medrano, security expert and CEO of PoliVec.
PoliVec makes automated policy creation tools for use in the enterprise. Other automated policy creation tools on the market include BindView's Policy Center and PentaSafe's VigilEnt Policy Center. The latter includes online quizzes to build user awareness of the policies.
TechRepublic member Adam Lambert, a one-man IT force at Palisades Federal Credit Union in Rockland County, NY, estimated he saved hundreds of hours by using PoliVec's Builder and Scanner software; he defined his policies in a little under two hours.
In addition, some vendors offer compliance modules within their policy packages. PoliVec’s Enforcer monitors policy compliance and documents breaches.
As part of his security effort, Lambert said he also began educating the credit union's staff about the importance of following security policies. Communication and awareness are critical to smooth user operations, he said. Lambert regularly e-mails staffers security notes and reminders about system updates.
Security seminars, train-the-manager sessions, and online or paper-based quizzes are also good approaches to help build staff awareness and modify behavior.
Policies require educational effort
There will always be staff members who either don't pay attention to the security rules or believe technology will make up for their lapses in judgment. Lambert found that out quickly when he changed the password policy prior to implementing the new security policies. Passwords had previously required eight characters with a mixture of letters and numbers. The change required seven-character passwords with letters, numbers, and a special character. Staffers who ignored Lambert's communications ultimately met with obstacles—denied network access—when they tried to log in to the credit union's system.
At the Army base at Fort Campbell, user disregard of security policies contributed to a recent Klez virus outbreak, said Graham. The virus hit one area of the Fort's computing system, and although Graham wasn't able to trace its introduction to a particular user's computer, he suspects a less sophisticated user opened an e-mail attachment and launched the virus. Ultimately, Norton Corporate AntiVirus allowed Graham to contain it.
Lambert and Graham agree that a policy alone doesn’t change behavior, though policies can make a dent in getting users educated.
"The users who are already aware of the threat are already doing the right thing," said Graham. "Other users aren't very sophisticated. They don't understand the need for security policy, nor the ramifications for not following security policy."
So while creating and implementing IT security policies is a great first step toward reducing risks from user mistakes, the IT department has to follow through with staff training, regular updates, and constant monitoring.
"You still have to be aware, be diligent, and do the hard work," said Graham.