Andrew Baker has been an IT manager specializing in security for over 25 years. He has worked at a variety of firms ranging from large enterprises like Sanford Bernstein, Bear Stearns, Warner Music Group and the Princeton Review, to SMBs like Send Word Now. In the wake of the 9/11 World Trade Center bombings, Baker was tasked with getting the network up and running and defending its data from any potential hacks. As a lifelong security expert, Baker knows that there is no such thing as absolute foolproof security. But he’s also aware that even the strongest security mechanisms can be undermined by human error and lack of strong security policies and procedures and corporation’s failure to enforce common sense security practices. Baker is President and founder of BrainWave Consulting Company, LLC in Gassaway, West Virginia where he provides Virtual CIO services for small/medium businesses. See BrainwaveCC.com
ITIC: What has been the greatest security threat to emerge in the last 10 years?
Andrew Baker: Since 2003 we’ve seen the modernization of the hacker community and organized crime has appeared on the scene. Organized crime views the Internet as a bonanza: it allows them to operate out of the limelight with fewer resources. We’ve also witnessed nation-states and state-sponsored cyber-terrorism. Countries are all spying on one another. But there are certain countries that represent a big security threat: China, Asia in general (North Korea), Romania, Russia, Bulgaria and former Soviet satellites and the Middle East. The difference between China and everyone is that China has swiftly morphed into state-sponsored cyber-security threats and the country is tightly regulated. Any country that can prevent Google from free-search can easily stop hackers from inside their borders – if it wanted to. In Romania and other countries there are towns like “Hackertown” that promote ‘Cybercrime as a Service.’ Here in the U.S. the bulk of the problem is people, specifically stupid human error among the bulk of the population. Additionally, the U.S. Government has yet, to my knowledge, catch a single cyber criminal either the Russian or Italian organized. These cyber security syndicates have modularized cybercrime; they outsource a lot of their criminal activities and they can operate from anywhere, which makes it more difficult (but not impossible to catch them.
ITIC: As both an IT professional and a consumer how much more dangerous and pervasive are the security threats now than they were even three to five years ago?
AB: It’s insane.It’s no longer college students or kids out make their reputation for fun and glory. You now have specific kits and organized crime and “hacktavists.” Security threats are everywhere and they’ve risen by orders of magnitude.
ITIC: Against this backdrop we now have the Bring Your Own Device (BYOD) and IT as a service, trends which make security even tougher for businesses. What do you do for your corporate clients?
AB: The first thing I dois review and test and their environment. I also construct a checklist and ask them if they are able to do the things they want to do and to ascertain whether or not any of those actions potentially compromise the organization’s security.
ITIC: What do you look for?
AB: I examine the entire network environment including application configurations, the manageability of systems and I examine how the corporation mitigates risk and manages host-based security. Many organizations haven’t done anything to regulate network access – they’re wide open and oftentimes have not changed/updated security parameters and permission.
ITIC: Upon examination what gaps do you typically identify?
AB: I do penetration testing but for the most part I don’t need to do that. In fact, the companies that need to do penetration testing to show where the flaws are – just don’t get it or they’re reasonably secure and I’m running an automated tool to uncover something obscure. For most SMBs, the gaps in their security are very evident; they are issues like firewall configuration or misconfiguration. Every rule in the firewall should apply to something that’s happening. I typically see a mismatch between the rules and the systems that the rules pertain to. What you want to see is more systems than rules. When you see more rules than systems, you will almost always find that you have openings in the firewalls for devices that no longer exist or no longer performs the specific function for which it was originally provisioned. For example, a firewall that is configured to secure or filter inbound Web access can be a security hazard, if the servers it applies to have been outsourced to GoDaddy. In this scenario, if the organization never changed the firewall rules and if the organization built a new server to control inbound Intranet traffic and gave it the same IP address as the old Internet Web server, the firewall rules from the outside will still work. But that means the company has unwittingly created a doorway into the network.
ITIC: What other common configuration errors do you encounter?
AB: Rules that are too broad and allow too much access; default passwords not being changed; people still putting in intentional back doors into the system (which is leftover from the 1980s) which they forget to secure. For example, many corporations allow the use of intentional backdoors so an administrator can manage the system from home, but when he or she leaves the company, the rest of the organization has forgotten about it, so it remains a possible source of exploitation. Organizations and their IT departments and security IT managers must monitor all the entry points into the system. This includes obvious things like user logins and of course, the still popular “shared passwords.”
ITIC: In terms of securing the environment where organizations are most likely to skimp on security and what types of security issues do some businesses ignore altogether?
AB: The areas of greatest weaknesses usually involve mobility and data leaks. Many companies pay attention to inbound traffic but they mistakenly ignore outbound data traffic. For example a small or midsized organizations that has 500 or fewer employees and that are not in a heavily regulated vertical market environment like healthcare, financial or pharmaceutical, you’ll find that 90% of the security rules are about connecting into the environment and only 10% are about connecting out. This goes beyond regulating social media or URL usage – with Web filtering – that’s more focused on productivity than it is for security. Most firewalls are intended to secure inbound traffic – most of the newer devices do support bi-directional security. The average lifespan of a firewall is about five or six years; the key is ensuring that the tool services the corporation’s security needs. A 10 or 20MB connection with multi-year support is available for a list price of less than $2,000. So it’s affordable for even an SMB with 10 employees. There is really no excuse for any company not to install a state-of-the-art firewall with network level anti-virus, intrusion prevention and different types of application analysis and multiyear support for subscription and signatures.
ITIC: Firewalls are the first level of defense. What are other must-have security tools?
AB: Adequate monitoring is crucial.The first rule of security is that you won’t catch everything; there’s no such thing as 100% foolproof security unless it’s the device is disconnected and physically locked up. Monitoring encompasses many tools (e.g. audit trails) that enable the company to consolidate network data traffic in at least near-real-time so the organization can perform forensics. Corporations also need to send firewall, application and switching log data and consolidate them to a single location where you can monitor them. Since you can’t stop everything, you need to be able to monitor all network traffic in hindsight, so you can determine if a breach has occurred, where it occurred and duration so you can determine what happened. Intrusion detection is typically included in new firewalls. Audit trails are directly linked to monitoring. Policy falls into two categories: policy as a matter of legal definition and procedures to facilitate the goal. Companies should also distinguish between their Business policy and their Technology policy. The Business policy sets the rules and guidelines governing who has what levels of access. The technology policy should enforce the business policy.So if the firewall is replaced with another brand all you have to do is figure out how to configure it, but the basic business premise doesn’t change. You have to identify risks to mitigate them to an acceptable level. You will never totally eliminate risk.
ITIC: What risks should organizations look for and eliminate?
AB: First, the security teams need to identify all technology and business-based risks. Next, they should suggest anything that can be used to mitigate these risks and pay equal attention to everyday human actions which can elevate physical security risks. For example, if everyone has a key card to get into the office but they ignore who comes in behind them, then you’ve just created a big security risk by human action, which has nothing to do with technology. Similarly, if a company has 50 people in the office but only 20 keycard swipes, it could institute a policy that requires a key card swipe and not allow visitors to roam unescorted throughout the premises. Finally, IT security professionally should proactively communicate with management, provide them with updates and bring security risks to their [management’s] attention. Set up a meeting with the goal being to have management sign off on some of the proposals and agree to accept or mitigate risks.
ITIC: That’s a bold suggestion. As we all know politics plays an important role in security. What’s your advice to internal Security IT pros, who are being told to provide administrative access to end users – particularly those that are connected to the corporate revenue stream like a doctor or a lawyer – even though it represents a big security risk?
AB: There are different approaches to saying “No.” Again, security professionals must be proactive about identifying the risks and getting management to recognize and sign off on them. Cite statistics and studies to bolster your argument; make an objective argument. Don’t make it personal. The objective of the corporate IT security professional is to gain better control or have the other parties accept the risk. There are three (3) outcomes. The first is they stay within the system because they don’t have a pressing need – the “convenience” argument for a knowledge worker to have Administrative access isn’t strong enough, or alternatively, the IT department will accommodate pressing needs by providing elevated access. The second path is that you can’t convince them and you tell senior management that we’ll do it, but you need to sign off on the elevated risk so if a breach occurs, they accept the responsibility for acquiescing to elevated access rights. If that’s the case, the security IT administrators need to state specifically that the physics of the system don’t allow them to grant elevated access rights and still maintain security. I recognized that depending on the relationship between C-level executive managers and the IT department, that it may be difficult to get senior management to put it in writing. The way to get the paper trail you desire is after the meeting, you send out an Email recapping the meeting events and stating “…As per our discussion, we have made an exception even though it’s a greater security risk….” The third scenario is to work with the individual(s) who want the elevated access and to work out some compromises. It could be that the IT department will monitor them to a greater degree and expect them to keep IT informed of their activities. It becomes a reciprocal relationship; even though it raises risks you still get another set of eyes. It takes a great degree of cooperation and you still have to be vigilant. The people who cooperate are rarely the source of trouble.
ITIC: BYOD and mobility are the new business paradigms. Smart phones and tablets are high security risks both in terms of device theft and potential security breaches. What are the best security defense methods?
AB: There are a variety of tools to manage mobile devices. But it still comes back to having strong corporate security policies, that the company enforces. Security IT professionals should assume that their worst security nightmares it will happen and find the tools and policies they need to secure it. There are mobile-only products – MDM (mobile device management) like. Mobile Iron and ManageEngine has a tool called Desktop Manager, to name just two. Consumer users can opt to store their contacts in the cloud Apple, Google, Microsoft and others all provide ways to do this. Google and Apple’s cloud solutions support storage of pictures and videos – and you can backup your data locally. There are also tools that enable you to wipe the device in case it’s lost or stolen e.g. AndroidLost which is free.
ITIC: What emerging security threats are on the horizon?
AB: It’s not so much new threats as it is sophistication of existing threats. Corporations can expect that hackers will employ technologies like cryptography to their advantage when attempting an intrusion. We see that hackers are now digitally signing their malware so it appears legitimate and authentic. We can also expect more meaningful and pernicious attacks against mobile devices. We’re going to see further proliferation of Root Kits and we’re also witnessing cross-platform attacks that can affect any connected platform, so the malware goes from Android to Windows to Apple or whatever. No connected platform or device is immune.
ITIC: For years Apple benefitted from security by obscurity is that going away?
AB: Thanks to its burgeoning popularity, Appleis absolutely much more of a target. In the last six months alone we’ve seen a lot of malware that is Mac-specific – it hasn’t done anything specific yet but the fact that it’s available and it’s targeting an environment where many users don’t expect it and have a false sense of security – is troubling.
ITIC: What’s the bottom line with security?
AB: At the end of the day, security in principle is straightforward. It’s the charts you see from companies that do business process re-engineering. You identify, assess and take the appropriate remedial action – or not. The problem with security is that it is not static. The hackers don’t stand still. Security is continually evolving process. Even if you never changed your technology, the security still evolves. Every new feature and function and product has unintended uses and consequences. Security is a 65% to 35% — between process and people it’s 65% and 35% is the technology. Security should be baked into the entire environment. You always pay the price when you do it in hindsight and bolt it on. Certain environments are more security-sensitive. In a financial organization, whatever the platform, people will be secure.