Building an effective information security infrastructure is a challenging task that many companies cannot take on in full, and the result is gaps in corporate security. You have installed an antivirus, and an employee has opened a link in a phishing email. You have set up a firewall, and a disloyal employee has emailed your business plan to competitors. You have implemented a DLP system, and a DDoS attack has taken your web services down. Because threats are so diverse, companies need a comprehensive approach to protecting their information resources. Falcongaze Analytics Center has compiled a list of preventive measures that help to minimize risks, prevent leaks of confidential information and keep the business safe.
A well-organized system of information storage and document management is an important, though often overlooked, component of an information security infrastructure. Companies frequently do not know exactly where their sensitive information resides on the network. The first objective, then, is to establish where sensitive information is located, how it is structured and who holds access rights to it. It is pointless to try to protect a vague set of documents: all data should be classified and structured. Various enterprise project management and document management system (DMS) products cover these tasks. Where operational convenience calls for a remote workforce, access to confidential data and corporate resources can be provided over the Internet; in that case the volume of data exposed should be kept to a minimum, and employees should connect to the resources only over secure channels.
Access Rights Management
Every company is subdivided into divisions or departments with different levels of responsibility and competence. The bigger the company, the more diverse its staff and the more complicated its structure; growth often brings new divisions, remote offices and regional branches. Clearly each user group requires its own level of access rights, especially where confidential information is involved. Bank account details and contract terms fall within the professional competence of the Accounting Department, and the IT division has no business with that data; accounting officers, in turn, should be kept away from servers and development resources. A range of identity management functionality exists to enforce this, and most corporate systems allow group policies to be created.
Some information security products, such as SecureTower by Falcongaze, give division managers access to information on their own staff only; information security officers have access to security incidents only and cannot browse through user activities; and information on financial documents transmitted by accounting officers can be made available to the CEO alone. All components of the corporate infrastructure should be tuned in a similar way: firewalls are configured with different levels of restriction, access to documents can be configured in all major project management solutions, and physical access is covered by access control and management systems.
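One way to express those scoping rules as a deny-by-default access check, added here as an illustration and not SecureTower's own implementation; the role names, record kinds and department labels are assumptions made for the example:

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed illustration of the scoping rules described above; role names,
# record kinds and departments are assumptions, not SecureTower's data model.

@dataclass(frozen=True)
class User:
    name: str
    role: str        # "division_manager", "security_officer", "ceo" or "staff"
    department: str  # department the user belongs to, e.g. "sales"

@dataclass(frozen=True)
class Record:
    kind: str        # "activity", "incident" or "financial_document"
    department: str  # department the record belongs to
    subject: str     # employee the record is about

def is_allowed(user: User, record: Record) -> bool:
    """Deny by default; grant only when an explicit rule matches."""
    if record.kind == "financial_document":
        # financial documents transmitted by accounting are for the CEO alone
        return user.role == "ceo"
    if user.role == "security_officer":
        # security officers see incidents only, never raw user activity
        return record.kind == "incident"
    if user.role == "division_manager":
        # division managers see the activity of their own staff only
        return record.kind == "activity" and record.department == user.department
    # any other role/record combination is denied
    return False

def visible_records(user: User, records: Iterable[Record]) -> List[Record]:
    """Filter a result set down to what the user may see, e.g. before rendering a report."""
    return [r for r in records if is_allowed(user, r)]
```

Every other component (firewall rules, document permissions, door access) should follow the same pattern: an explicit allow list per group, with everything else denied.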
Organization of SOC
Proactively strengthening and optimizing corporate information security infrastructure in the face of evolving threats requires organizing a security operations center (SOC) staffed with skilled personnel. Small and medium-sized enterprises usually place all information security functions on the IT department, and this is the wrong approach. A company should have at least one specialist who is responsible for the integrity and comprehensiveness of the information security system.
Web application security
It is hard to imagine a modern company that operates strictly offline and uses its website only to mark its presence on the web. Many companies that are not in the IT business still provide auxiliary online services, and today businesses create personalized user accounts and smart applications to deliver customer satisfaction. Even big companies cannot guarantee freedom from mistakes and breaches (the recent TalkTalk incident speaks loudly to that), and smaller companies with less investment in security risk even more. Even a simple news subscription form can pose a threat: customers won't be happy if their email addresses end up on spam lists. Safe operation of a website or application today does not guarantee the same status tomorrow; normal operation requires constant patching, updates, attention to bug reports and timely response to incidents. Outsourcing these services may be a good option, but a company should consider the risks described below.
Access by third-party contractors and service providers to the storage and processing of sensitive information should be reduced to a minimum: the more parties have access to the data, the higher the risk of leakage. Cloud service providers, SaaS services, contractors, outsourcers: the "trust but verify" principle must lie at the core of any such relationship. Optimal performance comes from a reasonable balance, so try to avoid extremes. For example, at some stage a company may face the choice of hosting its website on a company-owned server or using a professional hosting service instead. On the one hand, full control is preferable; on the other, are you sure you can provide the same level of support as a specialized provider? There is no universal answer, but a measured approach, granular analysis and a dedicated risk assessment should always be applied before signing up with an external contractor or service provider.
Installation of updates
Timely checking for updates and correct update management are critical, since unattended vulnerabilities are often the cause of breaches. Unfortunately, a frequent scenario is that vendors first launch a product and only consider security issues afterwards, which is why it is recommended to pick new solutions carefully. Vendors do perform security checks, but it is impossible to cover every aspect in a testing environment. Routers, for example, are often configured once and then operate for years without attention. The same applies to software updates: according to research by Kaspersky Lab, about 1% of all vulnerabilities are 10 years old.
Working with staff
According to research by Trend Micro, only a quarter of data leakage incidents result from hacking and malware; the lion's share (both accidental and intentional) is the responsibility of employees. Staff should be informed about the existing information security policies and well trained in the secure operating rules for the corresponding business processes. Constant monitoring of personnel compliance with these rules and policies is highly important. The main driver for following the policies is transparency of all work processes and a clear understanding of the responsibility for non-compliance with corporate regulations. Introduction of a Commercial Secret regime and signing of non-disclosure agreements usually serve as proof of mutual understanding of the risks concerned and of the consequences of intentional leakage. A well-selected information security and operational risk management tool supports the corporate policy from the technical side with comprehensive control of work processes and data transfer channels.
A holistic assessment of the company's current information security situation, as the initial stage of building a comprehensive information security infrastructure, will most probably require the involvement of an external auditor. An experienced information security specialist will help to identify who works with which types of data and to arrange secure access to it in the future. Another audit method is pentesting: ethical hacking and penetration tests that reveal weak points in the security infrastructure. So-called bug bounties are another smart way to test the state of security; world-famous companies like Facebook, Google and Yahoo launched programs paying bounties for discovered vulnerabilities long ago. It is clear, however, that an information security system cannot be plugged in once and for all; the process is permanent, and analysis and evaluation of the tools applied and the procedures followed should be ongoing. A pair of fresh eyes on the system during an audit is highly recommended, and that is where involvement of third-party experts may be a good option.
Building a comprehensive information security infrastructure in a company is not an instant process; the level of protection should continuously evolve. Information leakage threats are constantly growing for every kind of business, so countermeasures should develop accordingly. We do not claim that the measures listed above are complete and all-encompassing, but they are the ones to be covered in the first place.