Security

SMB IT risk management in action

Having established a framework for assessing IT risks, Mark Pimperton describes some of the changes his company made to protect systems and data.

At the end of my article about our IT risk management framework, I said that we review the IT Risk Register annually to check for incomplete assessments or mitigation tasks, and to add new risks. Since we add a "next review due" date to all completed risk assessments, we also check for risks that are due for reassessment.

In this article I describe typical examples of the work coming from our annual review.

Reassessments

Number one on our list of security risks is "Unauthorised Network Access", whether it's via a web server or any external gateway, firewall or SSL VPN appliance. It also includes the specific risks of wireless networks - sniffing or spoofed access points, for example - as well as unauthorised or infected devices connected directly to the LAN.

I last assessed this a year ago and gave it a 12-month review period because it's so crucial, given that the impact of a breach could include theft or destruction of data, defacement of web sites or injection of malware onto PCs. The reassessment is still in progress so I can't tell you what the outcome will be, but our list of Current Controls includes:

  • Network: Carefully-configured firewall rules. Tightened wi-fi security by restricting to specific MAC addresses.
  • Software: Password-controlled access to Web pages using HTTPS.
  • Devices: Sophos scans for data transfers and removable devices. Spiceworks scans the network for new hardware. Visitors are not allowed to connect to the main LAN, only our DMZ. (This requirement is enforced only by our Acceptable Use Policy; we did evaluate Sophos Network Access Control but deemed it too complex and unreliable.) Finally, only authorized mobile devices can use ActiveSync to connect to Exchange.
  • External Scanning: External IP addresses are subject to external network vulnerability scanning as part of our PCI DSS compliance.

Another risk due for review is that of loss of data held on workstations. We did quite a lot of work on this last time, including a general move away from local .PST files to most mail being held on the Exchange server. We also publicized backup options and the use of network drives. As more staff migrate to Windows 7, I've been annoyed that the built-in backup program doesn't automatically remove old backups - so much so that I'm considering folder redirection to get most data off individual PCs altogether.

Incomplete risk assessments

I've had a long-standing task relating to our Web hosting. We have no SLA with our hosting provider and the site goes down from time to time, potentially causing us loss of customer goodwill or lost enquiries. Depending on the nature of the failure we can sometimes change the home page to redirect to a secondary site hosted elsewhere, but this isn't always possible. We know this isn't good enough and are due to migrate to a completely new platform. Once that migration happens we'll re-do the risk assessment.

There's a separate but related risk assessment for our corporate FTP site, where customers download product literature. That too is pending the migration.

New risk assessments

When I looked at the "personnel" risk category I realized that although it includes the risk of losing vital knowledge when staff leave, it didn't include dealing with long-term sickness. We'll be sitting down to try to pin down the most likely weak spots in the absence of particular staff members, and what we can do to try to get over them.

Recently we had to recertify our PCI DSS Self-Assessment Questionnaire and I noticed that the standard stipulates that "All traffic outbound from inside the cardholder data environment should be evaluated". In other words, we shouldn't really have any firewall rules that allow unfettered outgoing access from the LAN to the WAN, i.e. rules under which you can get to any address using any protocol. For historical (and convenience) reasons there are some people who have just that, and although I suspect the risks are small, I need to review our policy and consider changing those rules.
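To make "unfettered outgoing access" concrete, here is an added example (not the article's own code or the author's firewall configuration) that audits a small, vendor-neutral ruleset for allow rules letting LAN hosts reach any address on any protocol or port. The rule format, the 192.168.1.0/24 LAN and the sample rules are all assumed for the example.

```python
"""Audit a firewall ruleset for unrestricted LAN-to-WAN egress (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List

LAN = ip_network("192.168.1.0/24")   # assumed internal network
WAN = ip_network("0.0.0.0/0")        # "any address"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp", "icmp" or "any"
    dport: str     # port, comma list such as "80,443", or "any"
    action: str    # "allow" or "deny"


def is_unfettered(rule: Rule) -> bool:
    """True when an allow rule lets LAN hosts reach any address on any protocol or any port."""
    if rule.action != "allow":
        return False
    lan_source = ip_network(rule.src).overlaps(LAN)
    any_dest = ip_network(rule.dst) == WAN
    any_service = rule.proto == "any" or rule.dport == "any"
    return lan_source and any_dest and any_service


def audit(rules: List[Rule]) -> List[str]:
    """Return the names of rules that violate the egress-filtering policy."""
    return [r.name for r in rules if is_unfettered(r)]


# Constructed "before" ruleset: one legacy convenience rule grants any/any egress.
LEGACY = [
    Rule("lan-dns-out", "192.168.1.0/24", "0.0.0.0/0", "udp", "53", "allow"),
    Rule("lan-web-out", "192.168.1.0/24", "0.0.0.0/0", "tcp", "80,443", "allow"),
    Rule("power-users-any", "192.168.1.32/27", "0.0.0.0/0", "any", "any", "allow"),
    Rule("default-deny", "192.168.1.0/24", "0.0.0.0/0", "any", "any", "deny"),
]

# Constructed "after" ruleset: every permitted outbound service is named explicitly.
TIGHTENED = [
    Rule("lan-dns-out", "192.168.1.0/24", "0.0.0.0/0", "udp", "53", "allow"),
    Rule("lan-web-out", "192.168.1.0/24", "0.0.0.0/0", "tcp", "80,443", "allow"),
    Rule("lan-ntp-out", "192.168.1.0/24", "0.0.0.0/0", "udp", "123", "allow"),
    Rule("mail-relay-out", "192.168.1.10/32", "203.0.113.25/32", "tcp", "587", "allow"),
    Rule("default-deny", "192.168.1.0/24", "0.0.0.0/0", "any", "any", "deny"),
]

if __name__ == "__main__":
    print("legacy violations:", audit(LEGACY))        # ['power-users-any']
    print("tightened violations:", audit(TIGHTENED))  # []
```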

Finally, the proliferation of cloud-based storage such as Dropbox has made me realise I have to get some visibility of at least who is using what. Apart from the risk of exposing confidential data, these services can theoretically also provide a malware injection point if an account is accessed and the files corrupted. With the Application Control function of Sophos it's possible to just block some of these services but I'm planning to start with discovery and take it from there. It looks like the cloud services discovery feature of the latest version of Spiceworks should help me with that.
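The discovery step described above, as an added example that is not part of the article and does not use Sophos or Spiceworks: it reads constructed web-proxy log lines (timestamp, user, destination host) and maps each user to the cloud-storage services they contacted. The service table is a short, assumed suffix list; matching on domain suffix avoids false hits on look-alike names.

```python
"""Discover who is using which cloud-storage service, from proxy logs (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Assumed mapping of destination domain suffixes to service names.
CLOUD_STORAGE = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "box.com": "Box",
}


def classify(host: str) -> Optional[str]:
    """Return the service for a host by exact or dotted-suffix match, else None."""
    host = host.lower().rstrip(".")
    for suffix, service in CLOUD_STORAGE.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def discover(log_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each user to the set of cloud-storage services seen in the log."""
    usage: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                      # skip malformed lines rather than abort
        _timestamp, user, host = parts[:3]
        service = classify(host)
        if service:
            usage[user].add(service)
    return dict(usage)


# Constructed sample proxy log: timestamp, user, destination host.
SAMPLE_LOG = """\
2012-03-05T09:01:12 alice www.dropbox.com
2012-03-05T09:01:15 alice api.dropboxapi.com
2012-03-05T09:02:40 bob www.example.com
2012-03-05T09:03:02 carol drive.google.com
2012-03-05T09:03:09 carol content.dropbox.com
2012-03-05T09:04:00 bob notdropbox.com
2012-03-05T09:05:33 garbled-line
""".splitlines()

if __name__ == "__main__":
    for user, services in sorted(discover(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(sorted(services))}")
```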

Summary

IT risk management needs to be an ongoing activity. Having established a framework, make sure that known risks are kept under review and keep a constant lookout for risks that are new or that were just missed from your original list.

About

Mark Pimperton BSc PhD has worked for a small UK electronics manufacturer for over 20 years in areas as diverse as engineering, technical sales, publications, and marketing. He's been involved in IT since 1999, when he project-managed implementation ...

mark1408

A few weeks ago I'd updated key settings in our old router to hopefully enable it to serve as a temporary replacement in the event of our main (SonicWALL) router having a hardware fault. Although we have "next day replacement" cover, there'd be an interval where, without some other kind of provision, we'd have no Internet access. Just last week our main router was fried after a lightning strike. Cue the old one as emergency replacement - it worked and was good enough for almost two days. I was also glad to have a separate SSL VPN appliance providing an independent route in for branch offices; if we'd had all our VPN configured in the SonicWALL they'd have been unable to work as it wasn't set up in the old router. IT risk management really is worth doing.