By Daljit Paul, Head of Services, Networks First
Businesses often have a standardised approach to security policies. Most policies are put in place and then not touched or updated until either a breach is discovered or a compliance factor such as ISO27001 or the Payment Card Industry Security Standard is brought in by the business. The reality is that cyber criminals who are determined to access data or systems are continually finding ways to circumvent the processes, policies and prevention methods that are in place.
Businesses need to look continuously at both the internal and external threat posed by IT fraudsters, and at how accessible the information they want to target is. This could be external hackers conducting toll fraud or accessing systems to charge up prepaid cards for resale, or employees taking copies of privileged, competitive information such as customer records or contract information.
Big brand names, with big IT budgets, have their IT teams regularly advising customers of security breaches and fraud threats. If companies like eBay, PayPal or Subway are exposed, smaller organisations must also take action to reduce risks.
There are specific steps that Network Managers, Network Administrators and IT Teams need to undertake to keep on top of the constant and continuous threat of IT fraud.
Network Penetration Testing
Network penetration testing is one way to assess the vulnerabilities organisations face, but in many instances it happens just once a year, driven by compliance requirements. This can leave businesses exposed for long periods of time, as any change to network configuration or update to software can introduce new and previously unknown vulnerabilities into the network, effectively rendering the annual vulnerability assessment invalid.
If organisations perform penetration testing or vulnerability assessments more frequently, for example quarterly, the window of exposure is reduced. On completion of these assessments, businesses will be able to understand the level of risk posed by each vulnerability, which allows them to make decisions on the priority and planning of any corrective actions.
Research has shown that many common security breaches of networks result from quite simple administrative errors, for example, having standard passwords for all network devices, or not changing network device passwords on a regular basis.
To ensure security, passwords on networking devices need to be changed every time a member of staff with access to networking devices leaves the organisation. This task is often forgotten about due to the invisible nature of the network and the administrative overhead of changing the passwords.
Software running on networking hardware can sometimes contain security vulnerabilities that leave open the potential for exploitation by external and internal attackers. However, ensuring software levels are up to date is often a lower priority for network managers, as live projects and day to day support activities consume their time. In addition, upgrades often have to be completed at unsociable hours or at weekends, making them an undesirable task for network managers. Organisations can reduce the risk associated with security vulnerabilities by ensuring that the software running on the networking hardware is current.
User access controls give IT users access to the computer systems and information required to carry out their role. The shift in working practices from desktop only to mobile has increased the workload of the IT team, who now have to administer the access of multiple devices for each user.
Compliance requirements now dictate that organisations must track a user’s access levels at a granular level, making the task complex and labour intensive, as each user needs to be tracked down to application level rather than the simple ‘on the network’ level.
Reassessing permissions, as organisations grow and departmental responsibilities change or roles are transferred, is required as an ongoing activity. Does everyone need the information they have access to? The aim is to ensure that access rights are sufficient for people to do their job without, for example, making the entire company customer database available for download at the click of a button.
By undertaking log management, reports can be produced which show who opened which files and when; these logs can help to identify suspicious or unusual occurrences. For example, why is Geoff from logistics attempting to log in to the payroll server?
Monitoring and analysis
A typical network is spread over a large geographic area, making the correlation of security events a resource intensive process and a drain on the network manager’s time.
IT departments can deploy solutions that provide real-time monitoring and analysis, event correlation and notification of security alerts generated by network hardware. By monitoring the network logs for events, IT teams are able to detect in real time any attempts to breach the security of the network.
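As an added illustration of the log review described above and in the user access section (this is example code, not from the article or from Networks First), the script below runs two simple correlation rules over constructed login records: it flags a user whose department is not served by the server they are logging in to (the "Geoff from logistics on the payroll server" case) and flags repeated failed logins from one source. The log format, the user-to-department directory and the server-to-department mapping are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the article); the key=value format is an assumption.
SAMPLE_LOG = """\
2024-05-01T09:12:03 host=payroll-srv user=geoff.t result=FAIL src=10.0.5.23
2024-05-01T09:12:09 host=payroll-srv user=geoff.t result=FAIL src=10.0.5.23
2024-05-01T09:12:15 host=payroll-srv user=geoff.t result=FAIL src=10.0.5.23
2024-05-01T09:14:40 host=wms-srv user=geoff.t result=OK src=10.0.5.23
2024-05-01T09:20:01 host=payroll-srv user=helen.r result=OK src=10.0.7.4
2024-05-01T09:21:30 host=crm-srv user=helen.r result=OK src=10.0.7.4
""".splitlines()

# Constructed directory data: which department each user belongs to, and which
# departments each server is meant to serve. In practice this comes from HR/IAM.
USER_DEPARTMENT = {"geoff.t": "logistics", "helen.r": "finance"}
SERVER_DEPARTMENTS = {
    "payroll-srv": {"finance", "hr"},
    "wms-srv": {"logistics"},
    "crm-srv": {"sales", "finance"},
}
FAIL_THRESHOLD = 3  # failed attempts from one source before we raise an alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_anomalies(lines):
    """Apply both rules and return findings as (rule, user, host, timestamp) tuples."""
    findings = []
    reported_access = set()   # report an out-of-role user/host pair once, not per line
    fails = Counter()         # counted over all lines given; a live rule would bound this by time
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue          # skip lines in an unexpected format rather than crash the review
        dept = USER_DEPARTMENT.get(ev["user"], "unknown")
        if dept not in SERVER_DEPARTMENTS.get(ev["host"], set()):
            key = (ev["user"], ev["host"])
            if key not in reported_access:
                reported_access.add(key)
                findings.append(("out-of-role-access", ev["user"], ev["host"], ev["ts"]))
        if ev["result"] == "FAIL":
            fails[(ev["user"], ev["host"], ev["src"])] += 1
            if fails[(ev["user"], ev["host"], ev["src"])] == FAIL_THRESHOLD:
                findings.append(("repeated-failures", ev["user"], ev["host"], ev["ts"]))
    return findings
```

Unknown users are treated as belonging to no department, so a login by an account missing from the directory is also reported as out of role.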
It’s not enough to complete one network security health check or to review your Security Information and Event Management (SIEM) logs or Access Management policy once a year. Health checks provide a starting point by identifying areas needing to be addressed immediately to minimise the risk of IT fraud, and they provide benchmarking against industry standards. Security is an ongoing commitment that businesses need to make in terms of time and skills.
For anti-fraud policies to be effective, the application and use of technology needs to be embedded into the culture of a business. Ideally, employees need to receive regular updates on policies regarding information security, and regular audits need to be completed both internally and externally as part of compliance requirements.
A Network Manager recently said to me “never underestimate the potential people have to do stupid things”. It might be obvious to you that the email from ‘firstname.lastname@example.org’ requesting you to reconfirm your login details is not to be trusted, but there are people who are still taken in by these. Likewise, it is possible for employees to be coerced, either by email or phone, into divulging business critical information which should remain company confidential. Training sessions that talk through real life examples help bring the written policy to life.
Policies also need to be firm but fair: for those employees who continue to ignore the rules there need to be consequences. However, for those who make genuine mistakes, the person responsible for setting the policy needs to be approachable, so that any action to mitigate risk can be taken quickly rather than having employees fearfully trying to hide or cover up genuine mistakes. This comes back to the culture that’s been built within the business.
The continued attention required to minimise the opportunity for IT fraud to occur can be all-consuming. Tasks can be time intensive and require the right skills and experience to interpret information correctly and implement the necessary updates or preventative action.
With IT departments so heavily relied on, it is no surprise that many are already working at maximum capacity. Businesses need to identify the areas they are able to address internally and those where the services and support of external experts need to be obtained, whether because of resource availability or skill requirements.