
What are IT Security Standards and Best Practices?

3/10/2014 - Author: Felicia

If business people, consumers, and technology people all understood IT security standards and best practices, the number of breaches and data leaks would dramatically decline. As someone who has worked in the IT security industry for 20 years, I am amazed at the lack of security that seems to be everywhere. This article intends to help everyone from general business people to consumers and IT professionals understand what IT security standards and best practices are.

Hacking Exposed is now in its 7th edition. I remember having the 2nd edition in the 1990s. Basically, this means that the information needed to properly secure IT systems has been around for a very long time, and it has been widely accessible. Therefore, there is no acceptable excuse for not having adequate security. Further, the majority of standards and best practices are not cost prohibitive to implement.

Every time I read about a breach or data compromise, I think about how that breach could have been prevented. We should all be thinking about ways to stop these breaches before they happen. Consider the recent Target breach and realize that the entire thing could have been prevented by the use of two-factor token-based authentication protocols and proper egress filtering techniques. I wrote about this in the Target breach article.

Learning through an example

While I think that a lot of IT people are just lazy in terms of fighting for usage of proper security controls, the bigger problem is actually the consumers of IT services. Let's take U.S. banking as an example. Mexican banks and banks in most other places in the world have had two-factor token-based authentication for the last 10 years or more. But in the U.S., you are hard pressed to find a commercial bank that has these security controls available to their customer base. Instead, they use the weak and pathetic image-based authentication methods. Anyone who thinks that showing an image with another phrase or keyword on the same endpoint creates added security is deluding themselves.

The primary way an online banking username and password gets compromised is through compromise of the endpoint itself by keystroke loggers and screen-capture malware. The same techniques that capture the username and password will therefore also capture the weak image-based or phrase-based "multifactor" authentication, because it is presented on the same endpoint. It's just a smokescreen to make people feel good about security that isn't really being enhanced.

If you want to have real two-factor authentication, you have to get one component of the authentication off of the endpoint that could have been compromised. So that means an OTP (one-time passcode) token, a certificate token, or something like Phone Factor (which is now owned by Microsoft). Only in this way will a remote hacker not be able to obtain that second factor required as part of the authentication process.

So why isn't real two-factor authentication SOP (standard operating procedure) at all U.S. commercial banks? Because the customers aren't clamoring for it. So in this case, the IT people could talk until they are blue in the face and bank management won't care. When the banks start losing business because they don't have the security offering to make customers comfortable with the security of their systems, they will start doing something about their weak security methods. Therefore, in this example we learn that the ignorance of the general banking consumer is really the problem, not the lack of effort by IT people.

The same failure applies to the U.S. payment card industry (PCI), which still uses weak, outdated card protocols. All of Europe and most of Asia are using more secure types of credit cards. The resistance in the U.S. comes from a lack of consumer demand for security.

A second example

Let's go back to the Target breach example. Realize that the expense of implementing two-factor token-based authentication for external vendors like their HVAC contractor would not have been as expensive as the $200+ million breach cost. Additionally, configuring proper egress controls on the Target network would have also cost considerably less than the breach. So the question is why weren't these strategies implemented proactively?
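Egress control, as an added example that is not from the article or QPC: the policy below is default-deny, with a short allowlist of which internal zone may reach which destination on which port, and the audit function runs it over flow records to surface outbound connections the policy does not permit. The zones, addresses, ports and log lines are all constructed for the illustration (external addresses come from the RFC 5737 documentation ranges) and say nothing about Target's actual network; the same policy would normally be enforced on the perimeter firewall or proxy, with this kind of audit as the detection counterpart.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed network zones for the example (not a real topology).
ZONES = {
    "pos":     ipaddress.ip_network("10.20.0.0/16"),   # point-of-sale terminals
    "vendor":  ipaddress.ip_network("10.30.0.0/24"),   # remote-contractor VPN pool
    "servers": ipaddress.ip_network("10.1.0.0/16"),    # internal servers
}

# Default-deny egress allowlist: (source zone, destination network, ports or None for any).
# POS terminals may only reach the internal payment gateway; the contractor pool may
# only reach the building-management host; servers may talk only inside 10/8.
# Nothing in these zones may reach the internet directly.
ALLOW: List[Tuple[str, ipaddress.IPv4Network, Optional[Set[int]]]] = [
    ("pos",     ipaddress.ip_network("10.1.1.10/32"), {443}),
    ("vendor",  ipaddress.ip_network("10.1.2.20/32"), {443, 8443}),
    ("servers", ipaddress.ip_network("10.0.0.0/8"),   None),
]


def zone_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the zone an address belongs to, or None if it is not internal."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_allowed(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, dport: int) -> bool:
    """True only if some allowlist entry covers this (zone, destination, port)."""
    zone = zone_of(src)
    if zone is None:
        return False
    for rule_zone, net, ports in ALLOW:
        if rule_zone == zone and dst in net and (ports is None or dport in ports):
            return True
    return False


def audit_flows(lines: List[str]) -> List[Tuple[str, Optional[str], str, str, int]]:
    """Parse 'timestamp src dst dport' flow records and return the policy violations."""
    violations = []
    for line in lines:
        ts, src, dst, dport = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not is_allowed(src_ip, dst_ip, int(dport)):
            violations.append((ts, zone_of(src_ip), src, dst, int(dport)))
    return violations


# Constructed flow records: three of the five should be flagged.
SAMPLE_FLOWS = [
    "2014-03-01T02:14:07 10.20.5.17 10.1.1.10 443",     # POS -> payment gateway: allowed
    "2014-03-01T02:15:42 10.20.5.17 203.0.113.50 21",   # POS -> external FTP: violation
    "2014-03-01T02:16:03 10.30.0.12 10.1.2.20 8443",    # contractor -> HVAC host: allowed
    "2014-03-01T02:17:19 10.30.0.12 10.1.1.10 443",     # contractor -> payment gateway: violation
    "2014-03-01T02:18:55 10.1.5.8 198.51.100.7 443",    # server -> internet directly: violation
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("EGRESS VIOLATION", *v)
```

The two violations worth noticing are the ones the article's argument turns on: a terminal in the card-handling zone opening a connection to an outside host, and a contractor account reaching a system it has no business with. A default-deny allowlist makes both show up as exceptions rather than disappearing into normal traffic.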

Obviously, I'm not a Target insider, but I have been an insider at other large corporations, so I will speculate about what may have occurred. It is likely that no one at a high enough level in management had the proper security certifications to know to push for and advocate these preventative measures. Target's CIO recently resigned. Did she have CISSP certification? I don't know, but I doubt it. If Target's CIO had had CISSP certification, I think anyone in that position would have been pushing for proper egress filtering and two-factor authentication for remote contractor access.

So in this example, the Target breach could be said to have occurred due to ignorance of IT security standards and best practices at the business management level. This is more common than you think. I would go so far as to say that most corporate cultures do not select leadership based on merit, but rather on networking connections. This leads to situations where people lacking the required credentials and the best qualifications end up in positions of leadership.

Security Standards and Best Practices

Now that you know what the primary problems are leading to breaches, you may want to know how easy or hard it is to have proper security.

Fortunately, SANS has put together an excellent overview document that everyone should at least peruse. I have uploaded a marked-up (commented) version of SANS' Critical Security Controls for Effective Cyber Defense 5.0.

In general, most of the CSC recommendations are easy to implement and downright common sense. A few of the recommendations are difficult and costly to implement, and so would only really be achievable by large companies with an adequate IT budget.

I highly recommend that you download the marked-up version of CSC and evaluate your own technology systems against the recommendations in order to establish a gaps analysis. From there, you can think about ways in which to improve security of your IT systems.

As always, we at QPC are here to help you with security audits, perform gaps analysis, and help you find cost-effective ways to improve the security of your technology systems.