As a fifty something male, personal grooming takes on whole new meaning. You realize that when you start typing “Botox” on Google that things are getting serious. Bottom line how can I cover up the cracks brought upon by years of abuse and misuse?
And it’s pretty much the same in most organisations. Years of abuse and misuse of privileges by staff, particularly in IT eventually catches up with you and it’s impossible to hide the tell tale signs of wear and tear, particularly when it comes to controlling access to sensitive business assets. And the result is that eventually if you don’t take steps to control things you will be caught out. Like a bad nose job, or the untrimmed nostril, you will get caught out.
If most us are honest with ourselves we complain about the nanny state banning everything that is bad for our health but deep inside we know that many things are probably for our own good. And in the same way we complain about the increasing interference in our private IT worlds of controls and regulatory compliance but deep down we know that internal controls for privileged user access rights and controls has been abandoned, or in many cases only given lip service in many organisations, and these controls are bringing us face to face with results of years of neglect.
And the result is that we’re risk being hacked either by thrill seekers, the curious, or the downright vindictive employee. Independent research clearly shows that a lack of improper segregation of duties, failure to control users with superuser access to files in production systems, failure to secure data in applications, a lack of processes coupled with a lack of reconciliation of these processes to the IT systems used, and a failure to secure access to operating systems and databases that support corporate financial applications and transactions, are the prime cause of most breaches and compliance failures.
The increase in computer-related theft and fraud is forcing the issue of internal users and privileged access into the open. This is clearly shown by the current case in the US courts of the IT executive who is alleged to have used his knowledge of system passwords to hack into a company’s system remotely and accessed emails and other information. And the bottom line is that it is simply too easy for people with a limited amount of knowledge to do this. I mean who would expect an IT executive to be able to do this!! Most of us so-called IT executives are considered to be in the Dilbert Manager’s category when it comes to understanding bits and bytes, and yet even an IT executive can hack a system today with the tools that are so easily available.
So there is a challenge for you as a security officer, or as an internal auditor – face up to the fact that the sooner you deal with the organisational grooming, the better for all concerned. So today, every organization should take the security of their systems and applications seriously. Start by ensuring that you have effective policies and procedures in place to control privileged access to every system, including your workstations, and applications, and make sure that you can enforce them.
And remember that regulations do not make allowances for unintentional errors, just as speed cameras are not able to differentiate between the accidental speeding granny and the Jensen Button wanabee. Human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by less staff. So here are a few suggestions when you have a look at these policies and procedures.
Policies must be realistic – The policy must fit the requirements and ensure that the complexity is not such that users are inclined to try and bypass it.
Policies must be enforceable – Having well documented procedures that can be bypassed will be quickly exposed by any audit. The only effective way to make policies both realistic and enforceable is to automate the critical processes. For example, having policies that require privileged users to have the correct authorizations must be enforceable. Likewise, policies that require regular changing of passwords only work effectively if they are automated.
Policies must auditable – Having policies in place is a good first step, but they will not hold up to regulatory scrutiny unless there are audit trails proving the policy is in place and enforced on an ongoing basis. However, simply having an audit capability is not the solution. The sheer scale and diversity of systems in an enterprise require that tools are cross-platform. In other words, IT security staff must be able to provide reports that are consistent across all platforms and take account of the information produced by heterogeneous systems.
When you consider the amount of time and effort required to collect raw data from key systems and applications, including critical network devices, there can be literally hundreds if not thousands of logs that must be examined for the purpose of an audit report. This data needs to be converted into a standardized, audit compliant report format that can auditor can read.
So when you’re examining what options are open to you remember like your personal grooming options, don’t expect miracles overnight, make sure you stick to the treatment regime, and most of all make sure that the results are there for all to see. So treat yourself for Christmas – Botox your policies before it’s too late.