Information Security Policy and Awareness
Your information security policy is a document that describes how you will deal with specific information security situations. This could define what the acceptable use of your e-mail system is, or it might dictate whether you can read employee e-mail. Today, a good information security policy will cover the gamut of information, such as e-mail, Instant Messaging (IM), backup storage, and acceptable use of company resources (meaning desktops, notebooks, servers, Internet connection, and so on).
An information policy is written to guide the employee and to protect you and your company from inadvertent problems. The excuse "we didn't know" works all too often, and, like it or not, that forces you to document all of your policies. Although people tend to gloss over employee policies, a signed information policy shifts the burden of responsibility back onto the employee or user community.
Your information security policy should cover the responsibility of each person. The information policy also should cover license information (such as if you find pirated software, what to do), as well as what can or cannot be plugged into your network, such as an outside notebook or any other unauthorized device.
Awareness also falls into the information security category. People are often unaware of what is going on around them. This is a “perfect storm” situation for a social engineer (that is, someone who uses specific social techniques to get past another person's defenses). A classic social engineering technique is to call someone in the company and fool him or her into helping the caller by providing a password. Unfortunately, this method works very well. Training your staff in proper phone screening can help to avoid this issue.
This chapter covers two aspects of the information security spectrum. The first half of this chapter provides an in-depth view of the information security policy itself. Although you won't find here a full written plan, the discussion can help guide you to developing your own. The second part of the chapter helps you to develop a strong defense against social-engineering techniques and takes a look at the situational awareness paradigm.
Establishing an Information Security Policy
The information security policy can be a single document stating what is and is not acceptable concerning what information can be divulged to whom. It may also be a collection of policy documents. The purpose of the information security policy is to protect you and your business from harm caused by the actions of employees, contractors, customers, and others who violate the rules.
Following are the particular policy areas examined in this section:
Although this list of examined topics is not exhaustive, it's meant to get you started on the proper path. This section covers a basic framework for your information security policy. Take the time to discuss the information presented in this chapter with your staff as it relates to your business and technical needs.
To begin, let's start with the overall information security policy.
General Information Security Policy
The primary document you will create is the information security policy. This document is typically delivered to employees for acknowledgment and signature. Its scope covers the use of the company's information resources.
The policy should be updated from time to time as your technology needs change. It's important that the employees read the policy document and acknowledge an understanding of its contents by signature.
This type of document typically covers the following areas:
Sections within the overall information security policy document tend to cover these areas, which represent many of the normal delicate areas in IT. However, keep in mind that, as your IT evolves with new technologies, your policy should also cover new technologies, cover new issues, and address various yet-to-be-determined threats.
Make a clear definition statement for what will happen in the event of violations. This should cover whether disciplinary action will occur, and may even contain to what degree.
An example statement may be written as follows:
“Violations of this information security policy may result in disciplinary action in accordance with company policy. The failure to observe and maintain the guidelines of this policy could result in the employee's being subjected to disciplinary action up to and including immediate termination. The severity of the employee violation will dictate the level of disciplinary action. These violations include (but are not limited to) actions that result in liability or harm/loss to the company, or repeat violations of the policy.”
Of course, you should draft your own statement of what will happen in the event of violations.
The roles of management should be spelled out to describe the expectation that you have for them in regard to this policy. For example, supervisors and managers should be responsible for reviewing the contents of this document with their direct reports. Further, managers must put into place the standards and controls to ensure employee compliance with this policy.
The employee responsibilities section of your security policy will be specific to your environment, but should include coverage of several common areas that span across companies.
Many systems in IT are simply communications tools of one form or another. Therefore, at all times, the employee must observe a sense of decorum and professional behavior in his or her use of the IT systems.
This policy should state that the employee has full responsibility for any file (text, music/audio, video, and so on) that he or she sends or uses with the company's computer and network systems.
In today's electronically oriented society, stressing to employees what copyrighted materials are is important. Ensure that copyrighted material is not unlawfully sent out or distributed using company resources. The idea that sharing a digital resource is wrong often tends to escape some employees. Your company could be on the hook financially for such behavior.
Be sure that the employee is fully aware of company policies regarding the security of information such as price lists, customer lists, road map information, or anything else deemed confidential by the company.
IT/Technical Staff Responsibilities
Be sure to cover the basic scope of your IT or technical staff's mission. This includes the setting of technical security standards, such as virus scanning, spam filtering, and so on. You should also spell out how IT is also responsible for providing assistance as needed to the employees with regard to technology.
Acceptable Use of Resources
Define for your staff what you will deem acceptable use of company resources. For example, web browsing for company purposes should be fine, whereas you may not want employees spending time on an auction site for personal use. Alternatively, you may not care. It's all a matter of what you deem as acceptable.
You may also want to clarify for your staff the appropriate use of e-mail and other communications tools. Do you care if they send personal e-mails over the company e-mail systems? If not, then state it. If you do care, ensure that you state that the e-mail system is to be used for company business purposes only. As you will discover later in this chapter, many companies deem e-mail that is sent and received as company property. Be sure to consider that when drafting your acceptable use policy.
Unacceptable Use of Resources
Unacceptable use of resources could be practically anything, because different companies have different views of what is and is not acceptable. However, it is the opposite of acceptable use. This section of your information security policy details what is clearly not up for negotiation.
Define in this section of the policy the overview of what you will not accept (for example, racism, viewing or sending pornographic material, using company resources to run the employee's own business, and so on).
This section should tie back into the violations section of your policy.
Define the password standards: minimum length, whether and how often passwords expire, to whom (if anyone) an employee may give his or her password, and why. Add a procedure the employee must follow in the event of a compromised or suspected-compromised password. Note that current NIST guidance (SP 800-63B) recommends against forcing routine password changes on a schedule and instead requires a change when there is evidence of compromise; screening new passwords against known-breached lists is a more effective control than calendar-based rotation.
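As an added example (not code from the book), here is a password-policy check that enforces the kind of standard just described: a minimum length, no username inside the password, rejection of passwords found in a breached-password list, and a rule that a reported compromise always forces a change while an expiry period applies only if the policy defines one. The minimum length, the sample breached-password list and the function names are assumptions for illustration.

```python
import hashlib
from datetime import date
from typing import List, Optional

MIN_LENGTH = 12  # assumed policy value; adjust to your own standard

# Constructed stand-in for a breached-password blocklist, stored as upper-case
# SHA-1 hashes (the form in which Have I Been Pwned publishes its Pwned
# Passwords data). A real deployment would load millions of these.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password123!", "Summer2024!!", "letmein123456")
}


def check_password(candidate: str, username: str) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("found in a breached-password list")
    if len(set(candidate)) < 4:
        problems.append("too few distinct characters")
    return problems


def change_required(compromised: bool, last_changed: str, today: str,
                    max_age_days: Optional[int] = None) -> bool:
    """Decide whether a user must pick a new password.

    Dates are ISO strings (YYYY-MM-DD). A reported compromise always forces a
    change. A maximum age is applied only when the policy defines one, because
    routine forced rotation is no longer recommended by NIST SP 800-63B.
    """
    if compromised:
        return True
    if max_age_days is None:
        return False
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > max_age_days


if __name__ == "__main__":
    for pw, user in (("Password123!", "bob"), ("correct horse battery staple", "alice")):
        verdict = check_password(pw, user) or ["ok"]
        print(f"{user}: {', '.join(verdict)}")
    print("change required after compromise:",
          change_required(True, "2024-01-01", "2024-01-02"))
```

The hash-set lookup mirrors how a real breached-password service is queried (by hash, never by sending the plaintext), and keeping the rules as a list of named findings makes it easy to tell the user exactly which part of the written policy the password failed.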
Depending on the nature and size of your business, you may want to restrict any installation rights to your IT administrative staff. Write out the policy for installing software, such as “software may be requested through the change management process and will be installed by IT.”
Spell out the policy on software licensing. That is, if software is licensed commercially, the company should have proof of that license before installation occurs.
The goal of this part of the security policy is to prevent employees from attempting to install software they were given, downloaded, or brought in from another source. The installation of this software could open you up to legal or technical liabilities.
You should have a general policy that prohibits the installation of external devices such as wireless routers, switches, or any other unauthorized equipment on your network. The reasons are simple. An unauthorized device can disrupt service (a home router handing out its own DHCP leases, for example), it can introduce a security weakness, or it may be a deliberately planted attack tool (such as a sniffer or a rogue access point).
Internet Use Policy
Without a clearly defined policy, employees will not consider the Internet connection to be company property. You must define how firmly you want to control employee behavior in terms of Internet use.
Unless a legitimate business reason exists, you should include in your policy that browsing or surfing any sites that display or promote pornography is considered a violation of company policies that will result in immediate termination. This is one area you cannot waver on at all. That type of activity can lead to lawsuits and other legal trouble.
Additionally, your Internet use policy should extend to prohibit any site promoting hate, racism, and so on.
Remote Access Policy
Remote access is commonplace today with both open source and commercial applications. The remote access policy primarily defines acceptable use for remote access, the security standards expected of the remote machine (patch level, endpoint protection, and so on), and the software that must be used. In addition to these items, you'll want to cover any legal violations and provide a disclaimer for damage to the user's machine or loss of data. For example, is the employee responsible if a hacker breaks into your network through the user's remotely connected machine? Clearly, this is a tough question, but one that should be addressed.
Lastly, in the remote access policy, consider including what the rule will be for access costs. Today, the typical means of remote access is through the employee's ISP. Define whether you will reimburse the employee for costs incurred for the ISP. Write this into your policy upfront so that there will be no questions later.
Acceptable E-Mail Use
E-mail can easily let in all kinds of attacks. The use of your company's e-mail system by and large should be rigidly defined. At a minimum, your policy should address the points shown in Table 11.1, and clearly spell out the company's position.
Define for your employees your company's position on the sending of political e-mails during an election season. By and large, a company resource such as e-mail should only be used for company purposes, and the transmission of political messaging is a recipe for trouble and wasting time.
The final point is to define the nature of ownership of your e-mail system and the e-mail passing through it. As part of this ownership policy, you should establish the right to review any and all e-mail that is sent through your e-mail system. (This part of the policy may require a review with your legal counsel.)
With respect to external clients, you want to cover the responsibilities for any e-mail sent to them through your website. This responsibility would be covered separately in your privacy policies.
Instant Messaging Policy
Instant messaging (IM) has become such a critical part of our society that countless applications are in use. IM is a wonderful resource to communicate with clients, co-workers, vendors, or others. The challenge with IM is that it represents a two-way street. It can allow in malware, or it can be used to transmit out company information.
You should standardize on a company-wide IM platform. Choose one that fits your needs and is fairly secure. Beyond that design, your policies should account for the following:
Social Media Networks
The use of social networks today is as common as using the telephone. Almost everyone has used or heard of Facebook, Twitter, and other social media networks.
The social media network is also a means for a hacker to gain vital information about you or your company. Define your policy regarding the use, posting, and distribution of company information on social networks.
The social media network should be considered as completely public (that is, 100 percent of the time). There are simply too many ways into a social media network, and, thus, too great of a chance that information can be released that should not be.
The next section provides a primer on increasing your awareness as it relates to information security. Most people are so inundated with information (such as advertising, news, interruptions, and life in general) that they tend to ignore their surroundings. The problem is compounded by a plethora of techniques employed by what are commonly known as social engineers.
The idea behind social engineering is to manipulate how the human mind works, to the advantage of the attacker. A hacker may deploy many tools, but they tend to fall into some very observable categories. Table 11.2 shows a few tools in the social engineer's toolkit.
Social engineering is a well-known and well-used means to extract information. Train yourself and your employees to question unusual situations, and to remain vigilant in the workplace environment.
Having Situational Awareness
If you were in a combat situation, you would experience situational awareness, which means that you would be extremely aware of what's going on around you in any direction—what your fellow soldiers are doing, and possibly what the enemy is doing. The nature of combat demands that you keep a strong vigilance of your surroundings, but in everyday civilian life, people tend to lose focus and not be vigilant at all.
You and your employees should develop a sense of awareness regarding your office, your network, and the company perimeter in order to protect the company from hackers.
Situational awareness is important because people tend to leak information. A skilled social engineer can pick up your employees' lack of vigilance and get more information. For example, a good Samaritan may open a door for a stranger without question, or an overly helpful person may not challenge a person during a phone conversation who says he or she works for the president of the company. These are examples of where situational awareness would be handy to have.
Usually, if you pay attention to your surroundings, you are not surprised when things happen. You may see things build up to something. The buildup doesn't catch you off guard, and it gives you an opportunity to prevent damage.
If a hacker desires to gather information or penetrate a building for the purpose of hacking a company's systems, then he or she can deploy a number of different social engineering techniques. These are actions taken for the specific purpose of fooling someone to gain something from him or her. Whether the vehicle is a Ponzi scheme or a confidence-man ploy (a scheme in which the con artist earns your trust in order to deceive you), the idea is the same: get past your natural defenses to get something from you.
Additionally, a hacker wanting to enter a company's building needs to know as much as possible about the people, the way they dress, the cars they drive, the guards, security systems, trashcan locations, and more.
Using the information gathered online, over the phone, and from your employees combined with knowledge of your company's physical perimeters, the attacker can construct a false persona to use with social engineering techniques to gain the information he is seeking from your company.
Vulnerable Security Points
The following sections cover points of vulnerability that are general in nature, but could represent a threat to you.
“Hold the door, please,” a well-dressed gentleman says with a briefcase in one hand and cardboard carrier with four large cups of steaming-hot coffee in the other. You smile and hold the door because he looks like he's late for an important meeting. You move on your way to your desk because you are late yourself and are glad you made it without too much fanfare. You don't give the guy a second thought.
Who was he? Did he have a badge? Do you know him? This situation has been played out many times through both penetration testing and real-life hacker exploits. It is a technique to play on your sympathy. If your company has a policy for badges and clear identification of who's coming in, then you should have challenged him and asked for identification.
Develop and cultivate an awareness of everyone who is entering and leaving your company premises. Who is following you into the building? Why are they there? Where are they going? What is their business? Do they have an appointment?
Asking these questions does not make you paranoid; it makes you aware and smart. People are often afraid to challenge someone because they fear that the person may be someone important who could take it the wrong way and make life difficult. However, if that person is an executive and you challenge him or her for identification, then you should be thanked. A vigilant employee can save the day.
Asking for an ID from someone is perfectly fine. If the person cannot produce it, then a polite escort to the guard for further assistance is usually all it takes. If the person is legit, the guard can track down the right party for him or her. If not, then the guard can follow whatever procedure is in place to take care of the intruder.
Following are some basic rules for awareness regarding door entrances:
Another interesting area to be aware of in regard to security is when carrying out trash to a dumpster. Do you see someone always there about the same time emptying a can? Is someone parked nearby? Digging through the trash is a very powerful means of information gathering. Trash can yield passwords, customer lists, internal memos, e-mails, source code, sales figures, and more.
This type of information can make someone very knowledgeable about your company, sometimes so much so that he or she can easily pass for an employee. Consider establishing a policy to either shred all paper (cross-cut, like confetti) or utilize an outside service to handle destruction of paper. In the area of electronic waste, there are a number of third-party services that will provide certified destruction. Discarded hardware is a prime source of data loss.
Before sending out drives for destruction, use the free software product called Darik's Boot and Nuke ("DBAN") from www.dban.org. This tool is designed to overwrite the data on hard drives very thoroughly. Two caveats apply. DBAN has not been updated in years, and overwriting tools of its kind are only reliable on conventional magnetic disks: on SSDs and other flash media, wear levelling and over-provisioned blocks mean some data can survive a software overwrite, so use the drive's built-in sanitize command (ATA Secure Erase or NVMe Sanitize, or cryptographic erase on a self-encrypting drive) instead. Wiping in combination with physical destruction of the drive is as close as you can get to a guarantee that the data is not retrievable.
Remember the fictional wireless hacker from Chapter 10? He used his parking spot near the building to monitor the wireless transmissions from outside your building. The information he gathered enabled him to break into the wireless network.
The guy in Chapter 10 was simply picking up "free" signals from his location. From a hacker's point of view, he's safe; he's not trying to physically gain access to the building.
If the hacker wanted to gain access to the building, he would want to get closer to observe the target. Strange cars that are continuously parked in your parking lot or that are constantly driving around and scoping out the building are cause for vigilance.
The hacker wants to gain information about the building, the people, security, cameras, telephones, deliveries, and more. If he is to successfully penetrate your building, he'll need a full scope of what he's facing.
Following are some types of information a stranger in a “parked car” might be after:
This list merely scratches the surface of possible points of interest to an attacker, but you can probably imagine how the information he could gather can compromise your company's security, either physically or wirelessly.
Fire Exit or Smoke Break Area
Most buildings today in the United States are non-smoking. That means that smokers must go outside or to a designated smoking area. In many buildings, the fire exit is often a place for employees to smoke because it's easily accessible. Similar to the “hold the door please” scenario mentioned earlier, the smoking areas are a prime target for building penetration.
Imagine the scene where a person comes walking toward a smoking area, holding a pack of cigarettes. He's patting his pockets in a manner familiar to all smokers, looking for a lighter. A fellow smoker might quickly offer him a light. The bad guy may strike up some small talk with the new acquaintance and, being friendly, the other person would respond. After all, he's just taking a smoke break! If the bad guy has done his homework, he'll know quite a bit about the inner workings of the company—enough so that he could pass off himself as an employee of the company.
His purpose, of course, is to either follow you or someone else in. He may stay for one more quick smoke while you return to work. He might casually smoke another as he waits for someone else to come out who didn't know the bad guy had simply walked up. At this point, the bad guy merely taps out the smoke as the other person walks out, and then he walks in. Mission accomplished.
People are clearly the biggest threat to your network. In this case, “people” are defined as employees. A break-in often occurs via an employee either by accident or intentionally. One very well-known case of an employee doing something wrong is the alleged behavior of the soldier who delivered documents in the WikiLeaks scandal. According to the charges filed, he allegedly accessed the government networks and removed documents for delivery to an unauthorized person.
This scenario has been repeated at all levels countless times. People inside your company are very likely your largest threat.
The author once had a job in the defense industry that used a proprietary network in a building that routed communications to terminals (before PCs were everywhere) from the mainframe. This network was very sensitive to physical changes (that is, putting something on the network that was not supposed to be on it could cause it to fail).
The author received a trouble ticket stating that part of the robotic manufacturing network had failed. He traced it down to a terminal that had been attached that shouldn't have been. He found out a manager had taken it upon himself to add it and avoid the process of applying for installation.
Following the process to remove the terminal and letting the person know how to properly request access, the author continued about his business. A mere few hours later, the robots in manufacturing had lost their connection again. Returning again to the manager's location, the author found that the manager had decided to ignore the previous admonition and put the terminal back on. Removing it restored proper operations. After that, the recurring problem was handled directly with the manager at a more senior level in the organization.
In this example, when the manager attached the terminal, it broke the connection to the robots that delivered parts to the manufacturing line. This caused a stop in production, thus causing delays in delivery of the product to the customer. Hence, the network was fine, but the cause of the failure was the person who was deliberately installing equipment he should not have.
Your policy should clearly cover situations where employees decide to take things into their own hands. In the event of someone's adding equipment to the network, adding a wireless router, or plugging a home laptop into your network, you'll have to decide on the actions to take. Consider each scenario and lay out the proper procedures, accompanied by the consequences for not following procedure.
Blatant violations like information theft should be treated as a criminal act, and be dealt with by your policy. Other items such as innocently plugging in a notebook computer may just require a discussion about safety of the network, virus scanning standards, and so forth.
Numerous online sites sell hardware keyloggers that plug in between the keyboard and the computer's USB port (PS/2 versions also exist). These innocuous-looking devices capture and store everything typed; some models can also transmit the captured keystrokes wirelessly. They are essentially a hardware equivalent of a Trojan horse, and because they sit in the cable run rather than on the operating system, endpoint security software will not see them. This type of technology has been used in various forms for many years across many types of computing platforms.
Take the time to periodically check desktops and keyboards for any devices plugged in that you don't recognize. Obviously, if you don't know what it is, you should investigate and remove it if it is unneeded.
Along those same lines, train employees to never insert a “found” USB key or other device into a workplace computer. Dropping a USB key containing malicious code in a place an employee can find it is a form of social engineering, as is simply asking an employee to insert it—a technique that works more often than you might think.
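One way to turn the two checks above (unknown equipment on the network, unknown devices plugged into a desktop) into a routine audit is to compare what is observed against an approved inventory. The following script is an added example, not code from the book: it parses dnsmasq-style DHCP lease lines and lsusb-style output, flags any MAC address or USB vendor:product ID missing from the inventory, and also flags a known MAC whose DHCP hostname no longer matches the asset record (a sign that an approved address is being reused by a different machine). The inventories, the sample lease and lsusb lines, and the USB IDs are constructed placeholders, not real records.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    device: str
    usb_id: str       # "vendor:product" in hex, as lsusb prints it
    description: str


# Approved asset inventory keyed by lower-case MAC (constructed sample data).
APPROVED_MACS: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "ws-finance-01",
    "00:1a:2b:3c:4d:5f": "ws-finance-02",
    "00:1a:2b:aa:bb:cc": "printer-2f",
}

# Approved USB vendor:product IDs (constructed placeholders, not real IDs).
APPROVED_USB: Dict[str, str] = {
    "1a2b:0100": "root hub",
    "1a2b:0001": "standard-issue keyboard",
    "1a2b:0002": "standard-issue mouse",
}

# dnsmasq lease line: <expiry> <mac> <ip> <hostname> <client-id>
_LEASE_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f:]{17})\s+(\S+)\s+(\S+)")
# lsusb line: Bus 001 Device 003: ID 1a2b:0001 description
_LSUSB_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$")


def parse_dnsmasq_leases(text: str) -> List[Lease]:
    """Parse lease lines; MACs are normalised to lower case for lookup."""
    leases = []
    for line in text.splitlines():
        m = _LEASE_RE.match(line.strip())
        if m:
            leases.append(Lease(m.group(2).lower(), m.group(3), m.group(4)))
    return leases


def parse_lsusb(text: str) -> List[UsbDevice]:
    devices = []
    for line in text.splitlines():
        m = _LSUSB_RE.match(line.strip())
        if m:
            devices.append(UsbDevice(*m.groups()))
    return devices


def audit_leases(leases: List[Lease],
                 approved: Dict[str, str] = APPROVED_MACS) -> Tuple[List[Lease], List[Lease]]:
    """Return (unknown, mismatched): MACs not in the inventory, and known MACs
    whose observed hostname differs from the asset record."""
    unknown, mismatched = [], []
    for lease in leases:
        expected = approved.get(lease.mac)
        if expected is None:
            unknown.append(lease)
        elif lease.hostname != expected:
            mismatched.append(lease)
    return unknown, mismatched


def audit_usb(devices: List[UsbDevice],
              approved: Dict[str, str] = APPROVED_USB) -> List[UsbDevice]:
    """Return devices whose vendor:product ID is not on the approved list."""
    return [d for d in devices if d.usb_id not in approved]


# Constructed sample observations: one approved MAC now calls itself "kali",
# one MAC is not in the inventory at all, one USB ID is unapproved.
SAMPLE_LEASES = """\
1700000000 00:1a:2b:3c:4d:5e 10.0.1.20 ws-finance-01 01:00:1a:2b:3c:4d:5e
1700000000 00:1A:2B:3C:4D:5F 10.0.1.21 kali 01:00:1a:2b:3c:4d:5f
1700000000 00:1a:2b:aa:bb:cc 10.0.1.50 printer-2f *
1700000000 d4:5d:64:11:22:33 10.0.1.77 HomeRouter-5G *
"""

SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1a2b:0100 Root hub (constructed)
Bus 001 Device 002: ID 1a2b:0001 Standard-issue keyboard (constructed)
Bus 001 Device 003: ID 1a2b:0002 Standard-issue mouse (constructed)
Bus 001 Device 004: ID 1a2b:0099 Unrecognized device (constructed)
"""


def run_audit() -> List[str]:
    """Produce human-readable findings; returned as a list so callers can act on it."""
    findings = []
    unknown, mismatched = audit_leases(parse_dnsmasq_leases(SAMPLE_LEASES))
    for l in unknown:
        findings.append(f"unknown host {l.mac} at {l.ip} ({l.hostname})")
    for l in mismatched:
        findings.append(f"known MAC {l.mac} now reports hostname {l.hostname!r}, "
                        f"expected {APPROVED_MACS[l.mac]!r}")
    for d in audit_usb(parse_lsusb(SAMPLE_LSUSB)):
        findings.append(f"unapproved USB device {d.usb_id} on bus {d.bus} "
                        f"device {d.device}: {d.description}")
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Two limits are worth knowing. A MAC address is trivially spoofed, so the inventory comparison catches the careless and the accidental, not a determined attacker; switch-port authentication (802.1X) is the control for that. And an inline hardware keylogger that passes the keyboard's own USB identity straight through will not appear in lsusb output at all, which is why the physical check of the cable run described above remains necessary.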
One of the more popular social engineering attacks (but by far not the only one) is the caller who phones in and pretends to be someone in need of assistance, such as for a forgotten password. This type of hacker attempt can run from a nice “please help me” kind of conversation all the way to a hostile or possibly threatening call.
This chapter covered two key operational areas for your business—the development of a solid information security policy, and increasing your situational awareness.
Policies are designed to guide your employees on the proper use of your information systems (such as servers, websites, e-mail, browsers, instant messaging, and so forth). Policies should also cover the use and misuse of confidential information. You should establish a policy on the type of equipment that employees can install on your network, and how they can use remote access.
The second half of this chapter covered the dark side of information gathering through social engineering techniques. The idea you must adopt is to pay attention to what is going on around you. The techniques deployed are very simple to detect and defeat. However, without any awareness that they are occurring, you and your employees can often be tripped up by them.