Blog | CIO/CTO

What CIOs Ought to know about Building a Secure Workplace

What CIOs Ought to know about Building a Secure Workplace
share on
by Sanjeev Kapoor 14 Jan 2016

Information security has always been one of the core concerns of CIOs.

And this will be no different in 2016: a study by TechTarget found that 27% of IT leaders chose IT security as the top IT project for the year.

While the specific tactics and tools needed to secure the workplace will depend from company to company and industry to industry what remains consistent is the importance of a security conscious culture.

CIO/CTO or something else.
Let's help you with your IT project.

And building a culture of security is much harder than drafting policies or acquiring an expensive intrusion detection system.

Because let’s face it, the problem here is always been between the keyboard and the chair, no amount of stringent technical controls can compensate for the human element.

Anatomy of an attack

Target, the big box retailer suffered a data breach in late 2013 when attackers made off with 110 million credit/debit card credentials of Target customers. The information stolen included:

  • Credit and debit card numbers.
  • Expiration dates.
  • Encrypted PIN numbers.
  • Personal information (emails etc.) of additional 70 million

Target suffered a massive blow to its brand in the aftermath of the attack. It’s transactions during the peak holiday shopping season fell 3 to 4% with losses worth millions of dollars.

It had to slash its revenue and growth numbers, lay off 475 employees and leave 700 posts unfilled.

It is estimated that the data breach alone cost Target around $200m.

A post mortem of the breach indicated that Target’s systems were not directly targeted by the attackers.

The attackers backed their way into Target’s corporate network by compromising a third-party vendor…Fazio Mechanical, a refrigeration contractor.

A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for — Fazio Mechanical’s login credentials.

At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned Fazio used the free version of Malwarebytes anti-malware, which offered no real-time protection.

After accessing Target’s internal network through its vendor portal the attackers started scouting for vulnerabilities. IPS/IDS systems flagged the suspicious activity “but the warning went unheeded”.

Malicious software eventually wormed its way into the company’s POS systems and siphoned credit card data over a period of months.

See how the root cause had nothing to do with technology? It had to do with policies and humans.

What if the vendor employee hadn’t opened the phishing email?

What if Target had insisted that all vendors use standard security software?

What if Target had better logging policies to catch system warnings from security systems already deployed?

Prerequisites of a secure network

Back in 2009 reports emerged that Iran’s nuclear reactors were crippled by a worm called Stuxnet (its code is openly available) which disabled the centrifuges.

If a worm can shut down industrial equipment not even connected to the Internet, think what it can do to your workplace where everyone has a mobile device and is always connected to the Cloud?

Here’s what you as a CIO should think about when it comes to securing the network:

1) User education

This is by far the hardest job, but the most essential. Every user can be a potential ingress point for attackers, whether through a carelessly clicked link on an email or by neglecting to update their mobile app.

Regular education about the risks out there, as well as the mitigation factors available should be part of your plan.

2) Security first design

Security considerations should permeate through every service, internal or external, that the organization uses. You must sensitize your colleagues about the dangers and the prohibitive costs associated with security as an afterthought.

3) Manage access

More often than not security incidents are caused by insider threats. You will have to build policies which determine how employees are treated by the system in the context of access to corporate digital assets through the entire period of their association with the organization.

There is also the need to have a limited number of heavily monitored access points into the core network so that suspicious traffic can be easily monitored.

4) Involve external stakeholders

Like in the Target breach where an external contractor was the unknowing conduit, security must not stop at the edge of the network.

You must also think about the security of third party systems over which you have no direct control, and ensure that their processes are aligned with yours.

Conclusion

For most people security is often trumped by usability. For e.g. if you adopt two factor authentication and offer it as an option, most users would prefer to stick to the older username-password regimen.

A CIO must need to be sensitive to such concerns as well while considering the implications of security policies, and work with everyone to build a consensus around security.

 

Leave a comment

Recent Posts

get in touch

We're here to help!

Terms of use
Privacy Policy
Cookie Policy
Site Map
2020 IT Exchange, Inc