Even in just one week of business as usual, changes to the IT infrastructure, patching systems, or rolling out new applications can have direct and serious implications for an organisation’s secu- rity and compliance situation. Also, the business risk is significant, and growing, as both the threat of breaches and the sophistication of security attacks con- tinue to escalate. According to figures from the September 2010 PandaLabs report, cyber-criminals are creating 57,000 mali- cious websites each week (see Figure 1) with many of these sites emulating famous brands. 1 And a recent mid-year report catalogued 10 million new pieces of malware in the first half of 2010, making the first six months of 2010 the most active half-year ever for total malware production. “Organisations have to manage the ever-expanding attack surface created by a complex and dynamic IT infrastructure that incorporates both physical and virtual environments” Furthermore, this tick-box attitude is simply not sustainable in today’s fast expanding regulatory landscape. More regulations are being imposed, while the frequency and rigor of audits continues to increase. Many compa- nies are actually in a continual state of compliance response. Unfortunately, by taking a periodic approach to the audit of each regulation, they are not in a continuous state of compliance. The result is not only staff disruption and unnecessarily higher costs but a significant undermining of the security posture of an organisation. The 2010 Verizon Payment Card Industry Compliance Report recom- mends that companies treat compliance as a continuous process, not an event. 2 As the report identifies: “The goal of any organisation should be to maintain its state of security in adherence with the minimum baseline compliance require- ments set by the standard.” Sustainable model In reality, periodic assessments enable organisations to achieve compliance but little else. But there is a shift. 
The ISO/IEC 27000 series of information security standards (jointly published by the International Organisation for Standardisation and the International Electrotechnical Commission) advises that organisations continuously dem- onstrate high levels of adherence to established information security policy. Fortunately, this standard of security best practice has significant influence over other regulations – for example the EU’s Data Protection Directive, the Sarbanes- Rob Warmack, Tripwire Most organisations still view compliance as an annual or quarterly ‘project’ – an exercise in performing the minimum requirements to pass the audit. The end goal of each project is to tick the box marked ‘compliance’ rather than to improve security and ensure the safeguarding of valuable corporate assets – including brand reputation.


FEATURE

16Network Security November 2010

and audit-ready approach to providing system and application access for workers and others who must share account passwords. They dramatically reduce the risk that enterprise systems will be compromised by the unauthorised use of privileged accounts.

Not only does this close the security gaps associated with shared password management but it also provides a cost-efficient way for organisations to comply with data protection and PCI DSS regulations that prohibit the sharing of accounts between users.

Adopting best practice

With the new generation of ESSO, eliminating passwords is no longer a pipedream. Backed up by two-factor authentication, to add extra layers of security, it allows organisations to adopt password best practice – that passwords be application-specific, frequently changed and complex. The password problem could soon be over.

About the author

Marc Boroditsky is the president, CEO and a co-founder of Passlogix. Over the past 15 years, he has led organisations that have developed enterprise computing and commercial software products in the financial services and healthcare markets. Prior to co-founding Passlogix, he was the president of Numera, where he directed the development of products dealing with the management of personal identification numbers, passwords and security codes for related telecommunications and financial service products. Prior to Numera, Boroditsky was a founder, president and CEO of Novus Technologies. Passlogix is the developer of the v-GO Access Accelerator Suite (www.passlogix.com).

Compliance today – and tomorrow

Rob Warmack, Tripwire

Most organisations still view compliance as an annual or quarterly ‘project’ – an exercise in performing the minimum requirements to pass the audit. The end goal of each project is to tick the box marked ‘compliance’ rather than to improve security and ensure the safeguarding of valuable corporate assets – including brand reputation.

The result is a massive increase in pre-audit effort, with staff distracted from key business-facing initiatives to go gather the right reports and respond to discovered deficiencies. Once the tick is achieved, staff slide back to their original tasks, and the company slides straight back out of compliance, until the next time.

Even in just one week of business as usual, changes to the IT infrastructure, patching systems, or rolling out new applications can have direct and serious implications for an organisation’s security and compliance situation. Also, the business risk is significant, and growing, as both the threat of breaches and the sophistication of security attacks continue to escalate.

According to figures from the September 2010 PandaLabs report, cyber-criminals are creating 57,000 malicious websites each week (see Figure 1), with many of these sites emulating famous brands [1]. And a recent mid-year report catalogued 10 million new pieces of malware in the first half of 2010, making the first six months of 2010 the most active half-year ever for total malware production.

“Organisations have to manage the ever-expanding attack surface created by a complex and dynamic IT infrastructure that incorporates both physical and virtual environments”

Furthermore, this tick-box attitude is simply not sustainable in today’s fast-expanding regulatory landscape. More regulations are being imposed, while the frequency and rigour of audits continues to increase. Many companies are actually in a continual state of compliance response. Unfortunately, by taking a periodic approach to the audit of each regulation, they are not in a continuous state of compliance. The result is not only staff disruption and unnecessarily higher costs but a significant undermining of the security posture of an organisation.

The 2010 Verizon Payment Card Industry Compliance Report recommends that companies treat compliance as a continuous process, not an event [2]. As the report identifies: “The goal of any organisation should be to maintain its state of security in adherence with the minimum baseline compliance requirements set by the standard.”

Sustainable model

In reality, periodic assessments enable organisations to achieve compliance but little else. But there is a shift. The ISO/IEC 27000 series of information security standards (jointly published by the International Organisation for Standardisation and the International Electrotechnical Commission) advises that organisations continuously demonstrate high levels of adherence to established information security policy. Fortunately, this standard of security best practice has significant influence over other regulations – for example the EU’s Data Protection Directive, the Sarbanes-Oxley Act (SOX) and industry standards such as PCI DSS.

The PCI Security Standards Council now believes that achieving and maintaining compliance with PCI DSS and continuous vigilance regarding security practices is an ongoing process that must be systematically integrated into every organisation’s operational practices in order to serve as the best line of defence against the compromising of cardholder data. This is echoed by the Verizon 2010 report, which suggests that, “in the case of PCI DSS there are daily … weekly … quarterly … and annual requirements that an organisation must perform in order to maintain this continuous state called ‘compliant’.”

However, this is not easy to achieve. Organisations have to manage the ever-expanding attack surface created by a complex and dynamic IT infrastructure that incorporates both physical and virtual environments, as well as in-house and outsourced services.

Breach monitoring

Furthermore, while the regulations are in place to specifically protect sensitive data, the only way to effectively mitigate the risks to this data and assess whether it is sufficiently protected is by continuously monitoring the activity and behaviour of the actual systems that store and process the data. Are the firewalls, routers and servers properly configured? Are the right user permissions in place? Have recent changes opened new vulnerabilities?

And while events and changes to these systems may be registered in the log management and file integrity monitoring systems, the volume of captured data is simply too great to analyse and make actionable using manual means. Indeed, according to the Verizon 2010 Data Breach report, 86% of the breaches examined had evidence of a breach in log files prior to data compromise.
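The file integrity monitoring the paragraph refers to comes down to a simple loop: record a digest of every file you care about, then on each scan compare the current digests with the recorded baseline and report what was added, removed or changed. The following is an added illustration written for this page, not Tripwire's product code; the directory layout, file names and the "emergency change" it simulates are constructed for the demonstration.

```python
"""File-integrity monitoring: baseline a directory tree, then detect drift.

Added example (not Tripwire's code). Hashes every regular file under a
root, keeps the digests as a baseline, and reports added, removed and
modified files on a later scan. All sample files are constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            # Stream in chunks so large files do not have to fit in memory.
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then apply an 'administrative
    change' that edits one file, adds one and deletes one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = snapshot(root)

        # Simulated drift between two scans (constructed, not real hosts).
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hotfix.conf").write_text("# added by emergency change\n")
        (root / "etc" / "passwd").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be stored off-host and signed, and a scan would run on a schedule or be triggered by the change-management system, so that a drift report exists for every change rather than only at audit time.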

The result is that the average time between a breach and the detection of a breach is now 156 days, according to Help Net Security. Furthermore, the longer it takes to discover the breach, the longer it takes to recover from the damage, adding further to the cost.

What is required is a continuous approach to security – and hence compliance – that is supported by way of automating the detection of suspicious events and changes that may lead to data compromise and, when needed, the rapid response to these changes to bring the organisation back into a secure and compliant state.

With this continuous approach, organisations can move away from the expensive, inefficient peaks of audit activity. A compliant state is attained and then sustained through the ability to proactively fix vulnerabilities caused, say, by a failed patch or a seemingly harmless administrative change, or to quickly react and defend systems from a live attack.

This use of intelligent monitoring is key to protecting data and improving security, while automatically supporting compliance with both internal policy and regulatory mandates.
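Expressing the policy itself as code is what turns a periodic audit into the continuous model described above: the same rules run after every change, and the output that matters is not the full list of findings but the difference between the last known-good evaluation and the current one. The script below is an added example for this page, not Tripwire's or Verizon's code; the rule names, the policy thresholds (allowed ports, a 30-day patch window) and the host snapshots are all assumptions constructed for the demonstration.

```python
"""Continuous compliance checks as code.

Added example (not Tripwire's or Verizon's). A small policy engine that
evaluates a host configuration snapshot against rules, returns findings,
and diffs two evaluations so that a change which breaks compliance is
caught when it happens rather than at the next audit. Snapshots are
constructed dictionaries; rule ids and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)  # frozen so findings are hashable and can be diffed as sets
class Finding:
    rule: str       # assumed policy identifier, not any standard's numbering
    severity: str   # "high" or "medium"
    detail: str


def check_sshd(snap):
    """Remote administration hardening: no root login, no password logins."""
    cfg = snap.get("sshd_config", {})
    out = []
    if cfg.get("PermitRootLogin", "yes") != "no":
        out.append(Finding("sshd.root-login", "high", "PermitRootLogin is not 'no'"))
    if cfg.get("PasswordAuthentication", "yes") != "no":
        out.append(Finding("sshd.password-auth", "medium", "password logins enabled"))
    return out


def check_ports(snap, allowed=frozenset({22, 443})):
    """Only approved services may listen on the network (allow-list assumed)."""
    extra = sorted(set(snap.get("listening_ports", [])) - allowed)
    return [Finding("net.unapproved-port", "high", f"unapproved listener on {p}")
            for p in extra]


def check_patch_age(snap, max_days=30):
    """Patching cadence: last successful patch run within the policy window."""
    days = snap.get("days_since_patch", 10**6)  # unknown counts as stale
    if days > max_days:
        return [Finding("patch.stale", "medium", f"{days} days since last patch run")]
    return []


def check_admin_accounts(snap):
    """Least privilege: only root holds uid 0, and no account is shared."""
    out = []
    for acct in snap.get("accounts", []):
        if acct["uid"] == 0 and acct["name"] != "root":
            out.append(Finding("acct.extra-uid0", "high", f"{acct['name']} has uid 0"))
        if acct.get("shared"):
            out.append(Finding("acct.shared", "medium", f"shared account {acct['name']}"))
    return out


RULES = (check_sshd, check_ports, check_patch_age, check_admin_accounts)


def evaluate(snap):
    """Run every rule; an empty list means the snapshot is compliant."""
    findings = []
    for rule in RULES:
        findings.extend(rule(snap))
    return findings


def drift(before, after):
    """Findings introduced or resolved between two evaluations."""
    def by_rule(f):
        return f.rule
    b, a = set(before), set(after)
    return {"introduced": sorted(a - b, key=by_rule),
            "resolved": sorted(b - a, key=by_rule)}


def demo():
    """Constructed scenario: a compliant host, then a 'harmless' admin change
    that re-enables root login, opens a port and adds a shared account."""
    baseline = {
        "sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
        "listening_ports": [22, 443],
        "days_since_patch": 7,
        "accounts": [{"name": "root", "uid": 0}, {"name": "alice", "uid": 1001}],
    }
    changed = {
        "sshd_config": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
        "listening_ports": [22, 443, 3306],
        "days_since_patch": 7,
        "accounts": baseline["accounts"] + [{"name": "ops", "uid": 1002, "shared": True}],
    }
    return evaluate(baseline), drift(evaluate(baseline), evaluate(changed))


if __name__ == "__main__":
    before, delta = demo()
    print("baseline findings:", before)
    for f in delta["introduced"]:
        print(f"NEW [{f.severity}] {f.rule}: {f.detail}")
```

Because `drift` reports only what changed, the output after an administrative change is short enough to act on immediately, which is the point the article makes about log volume: the raw data is too large to review by hand, but the delta against a known-good state is not.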

Figure 1: Escalating threats: the business sectors targeted by fake websites. Source: PandaLabs.

Figure 2: The percentage of organisations that fully met various PCI DSS requirements at Initial Report on Compliance (IROC). Source: Verizon.

Conclusion

Obviously regulations are having an impact on security strategy. But regulations are, at best, a security baseline. Organisations should be far more focused on the implications of security to the business as a whole.

The goal, therefore, should not be merely to achieve compliance, but to create a culture of continuous security. It is by adopting the latter model that compliance will be achieved more easily and with less cost, and organisations can raise security from the base of regulatory compliance to a standard that truly reflects today’s level of corporate threat.

About the author

Rob Warmack is the senior director of international marketing at Tripwire. During his six-year tenure with the company he has pioneered Tripwire’s customer advocacy programmes, brought the company’s flagship product, Tripwire Enterprise, to market, and has held overall responsibility for corporate marketing, product management and marketing communications. He has over 25 years of experience in the high technology and enterprise software industries. Tripwire is a global provider of IT security and compliance automation solutions.

References

1. ‘Every week, hackers are creating 57,000 new fake Web addresses to trick or infect users’. Panda Security, 6 September 2010. Accessed Oct 2010. <http://press.pandasecurity.com/news/every-week-hackers-are-creating-57000-new-fake-web-addresses-to-trick-or-infect-users/>.

2. ‘Verizon 2010 Payment Card Industry Compliance Report’. Verizon. <http://www.verizonbusiness.com/go/pcireport>.

Preventing data loss by securing USB ports

Nick Cavalancia, ScriptLogic

As business professionals, we are experiencing unprecedented industry turbulence. In recent times we’ve seen world financial markets plummet and leading banks throughout the world collapse. Small businesses struggle to get credit to foster growth, and business budgets for additional resources are shrinking. As businesses buckle, employees at all levels face the fear of job cuts and this is encouraging the growth of another threat – data theft.

Though employees are just the victims of the global financial crisis that dominates our daily discussion, employers must anticipate a backlash and understand that more than ever before, it is easy for an unhappy, dismissed employee to walk away from a company with large volumes of confidential data in his pocket. UK businesses are required by law to protect all data under the Data Protection Act, which means no business executive can afford to ignore this threat – the fines could drown a business altogether.

The repercussions of a confidential data breach extend beyond fines, however. A data breach can affect a business’ customer loyalty, reputation and competitive advantage. It is the responsibility of company executives and their IT departments to ensure that company data – whether it is customer information, bank account numbers, patient medical records or internal account information – remains within the company. To do this, executives should understand how data breaches occur and support IT administrators in their efforts to lock networks.

Common devices become security risks

IT administrators and business executives need to be more proactive and preventative in their approach to data theft. With the ever-improving advances in storage technology, business professionals can easily use personal storage devices such as USB memory sticks, iPods, digital cameras and smartphones to remove or copy sensitive information, either for malicious intent or personal gain. There are multiple outlets for data on the modern PC, including USB and Firewire ports, CD and DVD recorders and even built-in storage media slots. The USB port can be used in many ways for extracting data at high speed, including removable hard drives and media players, and is one of the most common ways for sensitive data to leave a company.

In recent months, two newer methods for removing corporate information have surfaced – podslurping and bluesnarfing. With podslurping, employees download a large amount of data from the corporate network on their iPod or MP3 devices and leave the company, taking that information with them. To add to the headache, many third parties have created malicious podslurping software, which allows employees to search for