{"id":280,"date":"2018-06-14T19:04:58","date_gmt":"2018-06-14T19:04:58","guid":{"rendered":"https:\/\/pressbooks.ccconline.org\/bus3060\/chapter\/ch13-4\/"},"modified":"2026-02-03T23:17:43","modified_gmt":"2026-02-03T23:17:43","slug":"ch13-4","status":"publish","type":"chapter","link":"https:\/\/pressbooks.ccconline.org\/bus3060\/chapter\/ch13-4\/","title":{"raw":"13.4 Taking Action","rendered":"13.4 Taking Action"},"content":{"raw":"<div id=\"slug-13-4-taking-action\" class=\"chapter standard\">\r\n<div class=\"chapter-title-wrap\"><\/div>\r\n<div class=\"ugc chapter-ugc\">\r\n<div id=\"fwk-38086-ch13_s04_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox textbox--learning-objectives\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\"><span style=\"font-family: 'Cormorant Garamond', serif; font-size: 1em; font-style: normal; font-weight: bold;\">Learning Objectives<\/span><\/p>\r\n\r\n<\/header>\r\n<div class=\"textbox__content\">\r\n<p id=\"fwk-38086-ch13_s04_p01\" class=\"nonindent para\">After studying this section you should be able to do the following:<\/p>\r\n\r\n<ol id=\"fwk-38086-ch13_s04_l01\" class=\"orderedlist\">\r\n \t<li>Identify critical steps to improve your individual and organizational information security.<\/li>\r\n \t<li>Be a tips, tricks, and techniques advocate, helping make your friends, family, colleagues, and organization more secure.<\/li>\r\n \t<li>Recognize the major information security issues that organizations face, as well as the resources, methods, and approaches that can help make firms more secure.<\/li>\r\n<\/ol>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s04_s01\" class=\"section\">\r\n<h2 class=\"title editable block\">Taking Action as a User<\/h2>\r\n<p id=\"fwk-38086-ch13_s04_s01_p01\" class=\"nonindent para editable block\">The weakest link in security is often a careless user, so don\u2019t make yourself an easy mark. 
Once you get a sense of threats, you understand the kinds of precautions you need to take. Security considerations then become more common sense than high tech. Here\u2019s a brief list of major issues to consider:<\/p>\r\n\r\n<ul id=\"fwk-38086-ch13_s04_s01_l01\" class=\"itemizedlist editable block\">\r\n \t<li><em class=\"emphasis\">Surf smart.<\/em> Think before you click\u2014question links, enclosures, download requests, and the integrity of Web sites that you visit. Avoid suspicious e-mail attachments and Internet downloads. Be on guard for phishing and other attempts to con you into letting in malware. Verify anything that looks suspicious before acting. Avoid using public machines (libraries, coffee shops) when accessing sites that contain your financial data or other confidential information.<\/li>\r\n \t<li><em class=\"emphasis\">Stay vigilant.<\/em> Social engineering con artists and rogue insiders are out there. An appropriate level of questioning applies not only to computer use, but also to personal interactions, be it in person, on the phone, or electronically.<\/li>\r\n \t<li><em class=\"emphasis\">Stay updated.<\/em> Turn on software update features for your operating system and any application you use (browsers, applications, plug-ins, and applets), and manually check for updates when needed. Malware toolkits specifically scan for older, vulnerable systems, so working with updated programs that address prior concerns lowers your vulnerable attack surface.<\/li>\r\n \t<li><em class=\"emphasis\">Stay armed.<\/em> Install a full suite of security software. Many vendors offer a combination of products that provide antivirus software that blocks infection, personal firewalls that repel unwanted intrusion, malware scanners that seek out bad code that might already be nesting on your PC, antiphishing software that identifies if you\u2019re visiting questionable Web sites, and more. 
Such tools are increasingly being built into operating systems, browsers, and are deployed at the ISP or service provider (e-mail firm, social network) level. But every consumer should make it a priority to understand the state of the art for personal protection. In the way that you regularly balance your investment portfolio to account for economic shifts, or take your car in for an oil change to keep it in top running condition, make it a priority to periodically scan the major trade press or end-user computing sites for reviews and commentary on the latest tools and techniques for protecting yourself (and your firm).<\/li>\r\n \t<li><em class=\"emphasis\">Be settings smart.<\/em> Don\u2019t turn on risky settings like unrestricted folder sharing that may act as an invitation for hackers to drop off malware payloads. Secure home networks with password protection and a firewall. Encrypt hard drives\u2014especially on laptops or other devices that might be lost or stolen. Register mobile devices for location identification or remote wiping. Don\u2019t click the \u201cRemember me\u201d or \u201cSave password\u201d settings on public machines, or any device that might be shared or accessed by others. Similarly, if your machine might be used by others, turn off browser settings that auto-fill fields with prior entries\u2014otherwise you make it easy for someone to use that machine to track your entries and impersonate you. And when using public hotspots, be sure to turn on your VPN software to encrypt transmission and hide from network eavesdroppers.<\/li>\r\n \t<li><em class=\"emphasis\">Be password savvy.<\/em> Change the default password on any new products that you install. Update your passwords regularly. Using guidelines outlined earlier, choose passwords that are tough to guess, but easy for you (and only you) to remember. Federate your passwords so that you\u2019re not using the same access codes for your most secure sites. 
Never save passwords in nonsecured files, e-mail, or written down in easily accessed locations.<\/li>\r\n \t<li><em class=\"emphasis\">Be disposal smart.<\/em> Shred personal documents. Wipe hard drives with an industrial strength software tool before recycling, donating, or throwing away\u2014remember in many cases \u201cdeleted\u201d files can still be recovered. Destroy media such as CDs and DVDs that may contain sensitive information. Erase USB drives when they are no longer needed.<\/li>\r\n \t<li><em class=\"emphasis\">Back up.<\/em> The most likely threat to your data doesn\u2019t come from hackers; it comes from hardware failure (Taylor, 2009). Yet most users still don\u2019t regularly back up their systems. This is another do-it-now priority. Cheap, plug-in hard drives work with most modern operating systems to provide continual backups, allowing for quick rollback to earlier versions if you\u2019ve accidentally ruined some vital work. And services like EMC\u2019s Mozy provide monthly, unlimited backup over the Internet for less than what you probably spent on your last lunch (a fire, theft, or similar event could also result in the loss of any backups stored on-site, but Internet backup services can provide off-site storage and access if disaster strikes).<\/li>\r\n \t<li><em class=\"emphasis\">Check with your administrator.<\/em> All organizations that help you connect to the Internet\u2014your ISP, firm, or school\u2014should have security pages. Many provide free security software tools. Use them as resources. 
Remember\u2014it\u2019s in their interest to keep you safe, too!<\/li>\r\n<\/ul>\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s04_s02\" class=\"section\">\r\n<h2 class=\"title editable block\">Taking Action as an Organization<\/h2>\r\n<div id=\"fwk-38086-ch13_s04_s02_s01\" class=\"section\">\r\n<h2 class=\"title editable block\">Frameworks, Standards, and Compliance<\/h2>\r\n<p id=\"fwk-38086-ch13_s04_s02_s01_p01\" class=\"nonindent para editable block\">Developing organizational security is a daunting task. You\u2019re in an arms race with adversaries that are tenacious and constantly on the lookout for new exploits. Fortunately, no firm is starting from scratch\u2014others have gone before you and many have worked together to create published best practices.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s01_p02\" class=\"indent para editable block\">There are several frameworks, but perhaps the best known of these efforts comes from the International Organization for Standards (ISO), and is broadly referred to as ISO27k or the ISO 27000 series. According to ISO.org, this evolving set of standards provides \u201ca model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.\u201d<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s01_p03\" class=\"indent para editable block\">Firms may also face compliance requirements\u2014legal or professionally binding steps that must be taken. Failure to do so could result in fines, sanctions, and other punitive measures. At the federal level, examples include HIPAA (the Health Insurance Portability and Accountability Act), which regulates health data; the Gramm-Leach-Bliley Act, which regulates financial data; and the Children\u2019s Online Privacy Protection Act, which regulates data collection on minors. U.S. 
government agencies must also comply with FISMA (the Federal Information Security Management Act), and there are several initiatives at other levels of government. By 2009, some level of state data breach laws had been passed by over thirty states, while multinationals face a growing number of statutes throughout the world. Your legal team and trade associations can help you understand your domestic and international obligations. Fortunately, there are often frameworks and guidelines to assist in compliance. For example, the ISO standards include subsets targeted at the telecommunications and health care industries, and major credit card firms have created the PCI (payment card industry) standards. And there are skilled consulting professionals who can help bring firms up to speed in these areas, and help expand their organizational radar as new issues develop.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s01_p04\" class=\"indent para editable block\">Here is a word of warning on frameworks and standards: compliance does not equal security. Outsourcing portions of security efforts without a complete, organizational commitment to being secure can also be dangerous. Some organizations simply approach compliance as a necessary evil: a sort of checklist that can reduce the likelihood of a lawsuit or other punitive measure (Davis, 2009). While you want to make sure you\u2019re doing everything in your power not to get sued, this isn\u2019t the goal. The goal is taking all appropriate measures to ensure that your firm is secure for your customers, employees, shareholders, and others. Frameworks help shape your thinking and expose things you should do, but security doesn\u2019t stop there\u2014this is a constant, evolving process that needs to pervade the organization from the CEO suite and board, down to front line workers and potentially out to customers and partners. And be aware of the security issues associated with any mergers and acquisitions. 
Bringing in new firms, employees, technologies, and procedures means reassessing the security environment for all players involved.<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s04_s02_s01_n01\" class=\"bcc-box bcc-highlight\">\r\n<div class=\"textbox shaded\">\r\n<h4 class=\"title\">The Heartland Breach<\/h4>\r\n<p id=\"fwk-38086-ch13_s04_s02_s01_p05\" class=\"nonindent para\">On inauguration day 2009, credit card processor Heartland announced that it had experienced what was one of the largest security breaches in history. The Princeton, New Jersey, based firm was, at the time, the nation\u2019s fifth largest payments processor. Its business was responsible for handling the transfer of funds and information between retailers and cardholders\u2019 financial institutions. That means infiltrating Heartland was like breaking into Fort Knox.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s01_p06\" class=\"indent para\">It\u2019s been estimated that as many as 100 million cards issued by more than 650 financial services companies may have been compromised during the Heartland breach. Said the firm\u2019s CEO, this was \u201cthe worst thing that can happen to a payments company and it happened to us\u201d (King, 2009). Wall Street noticed. The firm\u2019s stock tanked\u2014within a month, its market capitalization had plummeted over 75 percent, dropping over half a billion dollars in value (Claburn, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s01_p07\" class=\"indent para\">The Heartland case provides a cautionary warning against thinking that security ends with compliance. Heartland had in fact passed multiple audits, including one conducted the month before the infiltration began. Still, at least thirteen pieces of malware were uncovered on the firm\u2019s servers. Compliance does not equal security. Heartland was compliant, but a firm can be compliant and not be secure. 
Compliance is not the goal, security is.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s01_p08\" class=\"indent para\">Since the breach, the firm\u2019s executives have championed industry efforts to expand security practices, including encrypting card information at the point it is swiped and keeping it secure through settlement. Such \u201ccradle-to-grave\u201d encryption can help create an environment where even compromised networking equipment or intercepting relay systems wouldn\u2019t be able to grab codes (Claburn, 2009; King, 2009). Recognize that security is a continual process, it is never done, and firms need to pursue security with tenacity and commitment.<\/p>\r\n\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s04_s02_s02\" class=\"section\">\r\n<h2 class=\"title editable block\">Education, Audit, and Enforcement<\/h2>\r\n<p id=\"fwk-38086-ch13_s04_s02_s02_p01\" class=\"nonindent para editable block\">Security is as much about people, process, and policy, as it is about technology.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s02_p02\" class=\"indent para editable block\">From a people perspective, the security function requires multiple levels of expertise. Operations employees are involved in the day-to-day monitoring of existing systems. A group\u2019s R&amp;D function is involved in understanding emerging threats and reviewing, selecting, and implementing updated security techniques. A team must also work on broader governance issues. These efforts should include representatives from specialized security and broader technology and infrastructure functions. It should also include representatives from general counsel, audit, public relations, and human resources. 
What this means is that even if you\u2019re a nontechnical staffer, you may be brought in to help a firm deal with security issues.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s02_p03\" class=\"indent para editable block\">Processes and policies will include education and awareness\u2014this is also everyone\u2019s business. As the Vice President of Product Development at security firm Symantec puts it, \u201cWe do products really well, but the next step is education. We can\u2019t keep the Internet safe with antivirus software alone\u201d (Goldman, 2009). Companies should approach information security as a part of their \u201ccollective corporate responsibility\u2026regardless of whether regulation requires them to do so<sup>1<\/sup>.\u201d<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s02_p04\" class=\"indent para editable block\">For a lesson in how important education is, look no further than the head of the CIA. Former U.S. Director of Intelligence John Deutch engaged in shockingly loose behavior with digital secrets, including keeping a daily journal of classified information\u2014some 1,000+ pages\u2014on memory cards he\u2019d transport in his shirt pocket. He also downloaded and stored Pentagon information, including details of covert operations, at home on computers that his family used for routine Internet access (Lewis, 2000).<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s02_p05\" class=\"indent para editable block\">Employees need to know a firm\u2019s policies, be regularly trained, and understand that they will face strict penalties if they fail to meet their obligations. Policies without eyes (audit) and teeth (enforcement) won\u2019t be taken seriously. Audits include real-time monitoring of usage (e.g., who\u2019s accessing what, from where, how, and why; sound the alarm if an anomaly is detected), announced audits, and surprise spot checks. 
This function might also stage white hat demonstration attacks\u2014attempts to hunt for and expose weaknesses, hopefully before hackers find them. Frameworks offer guidelines on auditing, but a recent survey found that most organizations don\u2019t document enforcement procedures in their information security policies, that more than one-third do not audit or monitor user compliance with security policies, and that only 48 percent annually measure and review the effectiveness of security policies (Matwyshyn, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s02_p06\" class=\"indent para editable block\">A firm\u2019s technology development and deployment processes must also integrate with the security team to ensure that from the start, applications, databases, and other systems are implemented with security in mind. The team has specialized skills, monitors the latest threats, and is able to advise on the precautions necessary to be sure systems aren\u2019t compromised during installation, development, testing, and deployment.<\/p>\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s04_s02_s03\" class=\"section\">\r\n<h2 class=\"title editable block\">What Needs to Be Protected and How Much Is Enough?<\/h2>\r\n<p id=\"fwk-38086-ch13_s04_s02_s03_p01\" class=\"nonindent para editable block\">A worldwide study by PricewaterhouseCoopers and <em class=\"emphasis\">Chief Security Officer<\/em> magazine revealed that most firms don\u2019t even know what they need to protect. Only 33 percent of executives responded that their organizations kept accurate inventory of the locations and jurisdictions where data was stored, and only 24 percent kept inventory of all third parties using their customer data (Matwyshyn, 2009). 
What this means is that most firms don\u2019t even have an accurate read on where their valuables are kept, let alone how to protect them.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s03_p02\" class=\"indent para editable block\">So information security should start with inventory-style auditing and risk assessment. Technologies map back to specific business risks. What do we need to protect? What are we afraid might happen? And how do we protect it? Security is an economic problem, involving attack likelihood, costs, and prevention benefits. These are complex trade-offs that must consider losses from theft of resources, systems damage, data loss, disclosure of proprietary information, recovery, downtime, stock price declines, legal fees, government and compliance penalties, and intangibles such as damaged firm reputation, loss of customer and partner confidence, industry damage, promotion of the adversary, and encouragement of future attacks.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s03_p03\" class=\"indent para editable block\">While many firms skimp on security, firms also don\u2019t want to misspend, targeting exploits that aren\u2019t likely, while underinvesting in easily prevented methods to thwart common infiltration techniques. Hacker conventions like DefCon can show some really wild exploits. But it\u2019s up to the firm to assess how vulnerable it is to these various risks. The local donut shop has far different needs than a military installation, law enforcement agency, financial institution, or firm housing other high-value electronic assets. A skilled risk assessment team will consider these vulnerabilities and what sort of countermeasure investments should take place.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s03_p04\" class=\"indent para editable block\">Economic decisions usually drive hacker behavior, too. 
While in some cases attacks are based on vendetta or personal reasons, in most cases exploit economics largely boils down to<\/p>\r\n<p class=\"indent\"><span class=\"informalequation block\">\r\n<span class=\"mathphrase\">Adversary ROI = Asset value to adversary \u2013 Adversary cost.<\/span>\r\n<\/span><\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s03_p05\" class=\"indent para editable block\">An adversary\u2019s costs include not only the resources, knowledge, and technology required for the exploit, but also the risk of getting caught. Making things tough to get at, and lobbying for legislation that imposes severe penalties on crooks, can help raise adversary costs and lower your likelihood of becoming a victim.<\/p>\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s04_s02_s04\" class=\"section\">\r\n<h2 class=\"title editable block\">Technology\u2019s Role<\/h2>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p01\" class=\"nonindent para editable block\">Technical solutions often involve industrial-strength variants of the previously discussed measures individuals can employ, so your awareness is already high. Additionally, an organization\u2019s approach will often leverage multiple layers of protection and incorporate a wide variety of protective measures.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p02\" class=\"indent para editable block\"><em class=\"emphasis\">Patch.<\/em> Firms must be especially vigilant to pay attention to security bulletins and install software updates that plug existing holes (often referred to as <em class=\"emphasis\">patches<\/em>). Firms that don\u2019t plug known problems will be vulnerable to trivial and automated attacks. Unfortunately, many firms aren\u2019t updating all components of their systems with consistent attention. With operating systems automating security update installations, hackers have moved on to application targets. 
But a major study recently found that organizations took at least twice as long to patch application vulnerabilities as they take to patch operating system holes (Wildstrom, 2009). And remember, software isn\u2019t limited to conventional PCs and servers. Embedded systems abound, and connected, yet unpatched devices are vulnerable. Malware has infected everything from unprotected ATM machines (Lilly, 2009) to restaurant point-of-sale systems (McMillan, 2009) to fighter plane navigation systems (Matyszczyk, 2009).<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p03\" class=\"indent para editable block\">As an example of unpatched vulnerabilities, consider the DNS cache poisoning exploit described earlier in this chapter. The discovery of this weakness was one of the biggest security stories the year it was discovered, and security experts saw this as a major threat. Teams of programmers worldwide raced to provide fixes for the most widely used versions of DNS software. Yet several months after patches were available, roughly one quarter of all DNS servers were still unpatched and exposed<sup>2<\/sup>.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p04\" class=\"indent para editable block\">To be fair, not all firms delay patches out of negligence. Some organizations have legitimate concerns about testing whether the patch will break their system or whether the new technology contains a change that will cause problems down the road<sup>3<\/sup>. And there have been cases where patches themselves have caused problems. Finally, many software updates require that systems be taken down. Firms may have uptime requirements that make immediate patching difficult. But ultimately, unpatched systems are an open door for infiltration.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p05\" class=\"indent para editable block\"><em class=\"emphasis\">Lock down hardware.<\/em> Firms range widely in the security regimes used to govern purchase through disposal system use. 
While some large firms such as Kraft are allowing employees to select their own hardware (Mac or PC, desktop or notebook, iPhone or BlackBerry) (Wingfield, 2009), others issue standard systems that prevent all unapproved software installation and force file saving to hardened, backed-up, scanned, and monitored servers. Firms in especially sensitive industries such as financial services may regularly reimage the hard drive of end-user PCs, completely replacing all the bits on a user\u2019s hard drive with a pristine, current version\u2014effectively wiping out malware that might have previously sneaked onto a user\u2019s PC. Other lock-down methods might disable the boot capability of removable media (a common method for spreading viruses via inserted discs or USBs), prevent Wi-Fi use or require VPN encryption before allowing any network transmissions, and more. The cloud helps here, too. (See <a class=\"xref\" href=\"part-010-chapter-10-software-in-flux-partly-cloudy-and-sometimes-free.html\">Chapter 10 \u201cSoftware in Flux: Partly Cloudy and Sometimes Free\u201d<\/a>.) Employers can also require workers to run all of their corporate applications inside a remote desktop where the actual executing hardware and software is elsewhere (likely hosted as a virtual machine session on the organization\u2019s servers), and the user is simply served an image of what is executing remotely. This seals the virtual PC off in a way that can be thoroughly monitored, updated, backed up, and locked down by the firm.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p06\" class=\"indent para editable block\">In the case of Kraft, executives worried that the firm\u2019s previously restrictive technology policies prevented employees from staying in step with trends. Employees opting into the system must sign an agreement promising they\u2019ll follow mandated security procedures. 
Still, financial services firms, law offices, health care providers, and others may need to maintain stricter control, for legal and industry compliance reasons.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p07\" class=\"indent para editable block\"><em class=\"emphasis\">Lock down the network.<\/em> Network monitoring is a critical part of security, and a host of technical tools can help.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p08\" class=\"indent para editable block\">Firms employ <span class=\"margin_term\"><a class=\"glossterm\">firewalls<\/a><\/span> to examine traffic as it enters and leaves the network, potentially blocking certain types of access, while permitting approved communication. <span class=\"margin_term\"><a class=\"glossterm\">Intrusion detection systems<\/a><\/span> specifically look for unauthorized behavior, sounding the alarm and potentially taking action if something seems amiss. Some firms deploy <span class=\"margin_term\"><a class=\"glossterm\">honeypots<\/a><\/span>\u2014bogus offerings meant to distract attackers. If attackers take honeypot bait, firms may gain an opportunity to recognize the hacker\u2019s exploits, identify the IP address of intrusion, and take action to block further attacks and alert authorities.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p09\" class=\"indent para editable block\">Many firms also deploy <span class=\"margin_term\"><a class=\"glossterm\">blacklists<\/a><\/span>\u2014denying the entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions. 
While blacklists block known bad guys, <span class=\"margin_term\"><a class=\"glossterm\">whitelists<\/a><\/span> are even more restrictive\u2014permitting communication only with approved entities or in an approved manner.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p10\" class=\"indent para editable block\">These technologies can be applied to network technology, specific applications, screening for certain kinds of apps, malware signatures, and hunting for anomalous patterns. The latter is important, as recent malware has become polymorphic, meaning different versions are created and deployed in a way that their signature, a sort of electronic fingerprint often used to recognize malicious code, is slightly altered. This also helps with zero-day exploits, and in situations where whitelisted Web sites themselves become compromised.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p11\" class=\"indent para editable block\">Many technical solutions, ranging from network monitoring and response to e-mail screening, are migrating to \u201cthe cloud.\u201d This can be a good thing\u2014if network monitoring software immediately shares news of a certain type of attack, defenses might be pushed out to all clients of a firm (the more users, the \u201csmarter\u201d the system can potentially become\u2014again we see the power of network effects in action).<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p12\" class=\"indent para editable block\"><em class=\"emphasis\">Lock down partners.<\/em> Insist partner firms are compliant, and audit them to ensure this is the case. This includes technology providers and contract firms, as well as value chain participants such as suppliers and distributors. Anyone who touches your network is a potential point of weakness. 
Many firms will build security expectations and commitments into performance guarantees known as service level agreements (SLAs).<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p13\" class=\"indent para editable block\"><em class=\"emphasis\">Lock down systems.<\/em> Audit for SQL injection and other application exploits. The security team must constantly scan for new exploits and then probe its systems to see if they\u2019re susceptible, advising and enforcing action if problems are uncovered. This kind of auditing should occur with all of a firm\u2019s partners.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p14\" class=\"indent para editable block\">Access controls can also compartmentalize data access on a need-to-know basis. Such tools can not only enforce access privileges, they can help create and monitor audit trails to help verify that systems are not being accessed by the unauthorized, or in suspicious ways.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p15\" class=\"indent para editable block\">Audit trails are used for deterring, identifying, and investigating these cases. Recording, monitoring, and auditing access allows firms to hunt for patterns of abuse. Logs can detail who, when, and from where assets are accessed. Giveaways of nefarious activity may include access from unfamiliar IP addresses, access at nonstandard times, accesses that occur at higher than usual volumes, and so on. Automated alerts can put an account on hold or call in a response team for further observation of the anomaly.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p16\" class=\"indent para editable block\">Single-sign-on tools can help firms offer employees one very strong password that works across applications, is changed frequently (or managed via hardware cards or mobile phone log-in), and can be altered by password management staff.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p17\" class=\"indent para editable block\">Multiple administrators should jointly control key systems. 
Major configuration changes might require approval of multiple staffers, as well as the automatic notification of concerned personnel. And firms should employ a recovery mechanism to regain control in the event that key administrators are incapacitated or uncooperative. This balances security needs with an ability to respond in the event of a crisis. Such a system was not in place in the earlier described case of the rogue IT staffer who held the city of San Francisco\u2019s networks hostage by refusing to give up vital passwords.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p18\" class=\"indent para editable block\"><em class=\"emphasis\">Have failure and recovery plans.<\/em> While firms work to prevent infiltration attempts, they should also have provisions in place that plan for the worst. If a compromise has taken place, what needs to be done? Do stolen assets need to be devalued (e.g., accounts terminated, new accounts issued)? What should be done to notify customers and partners, educate them, and advise them through any necessary responses? Who should work with law enforcement and with the media? Do off-site backups or redundant systems need to be activated? Can systems be reliably restored without risking further damage?<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p19\" class=\"indent para editable block\">Best practices are beginning to emerge. While postevent triage is beyond the scope of our introduction, the good news is that firms are now sharing data on breaches. Given the potential negative consequences of a breach, organizations once rarely admitted they\u2019d been compromised. But now many are obligated to do so. 
Broad awareness of infiltration both reduces the stigma of coming forward and lets firms and technology providers share knowledge of the techniques attackers use.<\/p>\r\n<p id=\"fwk-38086-ch13_s04_s02_s04_p21\" class=\"indent para editable block\">Information security is a complex, continually changing, and vitally important domain. The exploits covered in this chapter seem daunting, and new exploits constantly emerge. But your thinking on key issues should now be broader. Hopefully you\u2019ve now embedded security thinking in your managerial DNA, and you are better prepared to be a savvy system user and a proactive participant working for your firm\u2019s security. Stay safe!<\/p>\r\n\r\n<div id=\"fwk-38086-ch13_s04_s02_s04_n01\" class=\"bcc-box bcc-success\">\r\n<div class=\"textbox textbox--key-takeaways\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\">Key Takeaways<\/p>\r\n\r\n<\/header>\r\n<div class=\"textbox__content\">\r\n<ul id=\"fwk-38086-ch13_s04_s02_s04_l01\" class=\"itemizedlist\">\r\n \t<li>End users can take several steps to improve their own and their organization\u2019s information security. These include surfing smart, staying vigilant, updating software and products, using a comprehensive security suite, managing settings and passwords responsibly, backing up, properly disposing of sensitive assets, and seeking education.<\/li>\r\n \t<li>Frameworks such as the ISO 27000 series (ISO27k) can provide a road map to help organizations plan and implement an effective security regime.<\/li>\r\n \t<li>Many organizations are bound by security compliance commitments and will face fines and other sanctions if they fail to meet these commitments.<\/li>\r\n \t<li>Using a framework and being compliant is not the same as being secure. Security is a continuing process that must be constantly addressed and deeply ingrained in an organization\u2019s culture.<\/li>\r\n \t<li>Security is about trade-offs\u2014economic and intangible. 
Firms need to understand their assets and risks in order to allocate resources well and address the needs that matter most.<\/li>\r\n \t<li>Information security is not simply a technical fix. Education, audit, and enforcement of firm policies are critical. The security team is broadly skilled and constantly working to identify and incorporate new technologies and methods into its organization. Involvement and commitment are essential from the boardroom to frontline workers, and out to customers and partners.<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<div id=\"fwk-38086-ch13_s04_s02_s04_n02\" class=\"bcc-box bcc-info\">\r\n<div class=\"textbox textbox--exercises\"><header class=\"textbox__header\">\r\n<p class=\"textbox__title\"><span style=\"font-family: 'Cormorant Garamond', serif; font-size: 1em; font-style: normal; font-weight: bold;\">Questions and Exercises<\/span><\/p>\r\n\r\n<\/header>\r\n<div class=\"textbox__content\">\r\n<ol id=\"fwk-38086-ch13_s04_s02_s04_l02\" class=\"orderedlist\">\r\n \t<li>Visit the security page for your ISP, school, or employer. What techniques do they advocate that we\u2019ve discussed here? Are there any additional techniques mentioned and discussed? What additional provisions do they offer (tools, services) to help keep you informed and secure?<\/li>\r\n \t<li>What sorts of security regimes are in use at your university, and at firms you\u2019ve worked or interned for? If you don\u2019t have experience with this, ask a friend or relative for their professional experiences. Do you consider these measures to be too restrictive, too lax, or about right?<\/li>\r\n \t<li>While we\u2019ve discussed the risks in having security that is too lax, what risk does a firm run if its security mechanisms are especially strict? What might a firm give up? What are the consequences of strict end-user security provisions?<\/li>\r\n \t<li>What risks does a firm face by leaving software unpatched? 
What risks does it face if it deploys patches as soon as they emerge? How should a firm reconcile these risks?<\/li>\r\n \t<li>What methods do firms use to ensure the integrity of their software, their hardware, their networks, and their partners?<\/li>\r\n \t<li>An organization\u2019s password management system represents \u201cthe keys to the city.\u201d Describe personnel issues that a firm should be concerned with regarding password administration. How might it address these concerns?<\/li>\r\n<\/ol>\r\n<\/div>\r\n<\/div>\r\n&nbsp;\r\n\r\n<\/div>\r\n<\/div>\r\n<\/div>\r\n<p class=\"nonindent\"><sup>1<\/sup>Knowledge@Wharton, \u201cInformation Security: Why Cybercriminals Are Smiling,\u201d August 19, 2009.<\/p>\r\n<p class=\"indent\"><sup>2<\/sup>IBM, <em class=\"emphasis\">X-Force Threat Report: 2008 Year in Review<\/em>, January 2009.<\/p>\r\n<p class=\"indent\"><sup>3<\/sup>For example, the DNS security patch mentioned was incompatible with the firewall software deployed at some firms.<\/p>\r\n\r\n<h2>References<\/h2>\r\n<p class=\"nonindent\">Claburn, T., \u201cPayment Card Industry Gets Encryption Religion,\u201d <em class=\"emphasis\">InformationWeek<\/em>, November 13, 2009.<\/p>\r\n<p class=\"indent\">Davis, M., \u201cWhat Will It Take?\u201d <em class=\"emphasis\">InformationWeek<\/em>, November 23, 2009.<\/p>\r\n<p class=\"indent\">Goldman, D., \u201cCybercrime: A Secret Underground Economy,\u201d <em class=\"emphasis\">CNNMoney<\/em>, September 17, 2009.<\/p>\r\n<p class=\"indent\">King, R., \u201cLessons from the Data Breach at Heartland,\u201d <em class=\"emphasis\">BusinessWeek<\/em>, July 6, 2009.<\/p>\r\n<p class=\"indent\">Lewis, N., \u201cInvestigation Of Ex-Chief Of the C.I.A. 
Is Broadened,\u201d <em class=\"emphasis\">New York Times<\/em>, September 17, 2000.<\/p>\r\n<p class=\"indent\">Lilly, P., \u201cHackers Targeting Windows XP-Based ATM Machines,\u201d <em class=\"emphasis\">Maximum PC<\/em>, June 4, 2009.<\/p>\r\n<p class=\"indent\">Matwyshyn, A., <em class=\"emphasis\">Harboring Data: Information Security, Law, and The Corporation<\/em> (Palo Alto, CA: Stanford University Press, 2009).<\/p>\r\n<p class=\"indent\">Matyszczyk, C., \u201cFrench Planes Grounded by Windows Worm,\u201d <em class=\"emphasis\">CNET<\/em>, February 8, 2009.<\/p>\r\n<p class=\"indent\">McMillan, R., \u201cRestaurants Sue Vendors after Point-of-Sale Hack,\u201d <em class=\"emphasis\">CIO<\/em>, December 1, 2009.<\/p>\r\n<p class=\"indent\">Taylor, C., \u201cThe Tech Catastrophe You\u2019re Ignoring,\u201d <em class=\"emphasis\">Fortune<\/em>, October 26, 2009.<\/p>\r\n<p class=\"indent\">Wildstrom, S., \u201cMassive Study of Net Vulnerabilities: They\u2019re Not Where You Think They Are,\u201d <em class=\"emphasis\">BusinessWeek<\/em>, September 14, 2009.<\/p>\r\n<p class=\"indent\">Wingfield, N., \u201cIt\u2019s a Free Country\u2026So Why Can\u2019t I Pick the Technology I Use in the Office?\u201d <em class=\"emphasis\">Wall Street Journal<\/em>, November 15, 2009.<\/p>\r\n\r\n<\/div>\r\n<\/div>"
Many firms will build security expectations and commitments into performance guarantees known as service level agreements (SLAs).<\/p>\n<p id=\"fwk-38086-ch13_s04_s02_s04_p13\" class=\"indent para editable block\"><em class=\"emphasis\">Lock down systems.<\/em> Audit for SQL injection and other application exploits. The security team must constantly scan for new exploits and then probe the firm\u2019s systems to see if they are susceptible, advising and enforcing action if problems are uncovered. This kind of auditing should occur with all of a firm\u2019s partners.<\/p>\n<p id=\"fwk-38086-ch13_s04_s02_s04_p14\" class=\"indent para editable block\">Access controls can also compartmentalize data access on a need-to-know basis. Such tools can not only enforce access privileges, they can help create and monitor audit trails to help verify that systems are not being accessed by the unauthorized, or in suspicious ways.<\/p>\n<p id=\"fwk-38086-ch13_s04_s02_s04_p15\" class=\"indent para editable block\">Audit trails are used for deterring, identifying, and investigating these cases. Recording, monitoring, and auditing access allows firms to hunt for patterns of abuse. Logs can detail who, when, and from where assets are accessed. Giveaways of nefarious activity may include access from unfamiliar IP addresses, at nonstandard times, at higher than usual volumes, and so on. Automated alerts can put an account on hold or call in a response team for further observation of the anomaly.<\/p>\n<p id=\"fwk-38086-ch13_s04_s02_s04_p16\" class=\"indent para editable block\">Single sign-on tools can help firms offer employees one very strong password that works across applications, is changed frequently (or managed via hardware cards or mobile phone log-in), and can be altered by password management staff.<\/p>\n<p id=\"fwk-38086-ch13_s04_s02_s04_p17\" class=\"indent para editable block\">Multiple administrators should jointly control key systems. 
Major configuration changes might require approval of multiple staffers, as well as the automatic notification of concerned personnel. And firms should employ a recovery mechanism to regain control in the event that key administrators are incapacitated or uncooperative. This balances security needs with an ability to respond in the event of a crisis. Such a system was not in place in the earlier described case of the rogue IT staffer who held the city of San Francisco\u2019s networks hostage by refusing to give up vital passwords.<\/p>\n<p id=\"fwk-38086-ch13_s04_s02_s04_p18\" class=\"indent para editable block\"><em class=\"emphasis\">Have failure and recovery plans.<\/em> While firms work to prevent infiltration attempts, they should also have provisions in place that plan for the worst. If a compromise has taken place, what needs to be done? Do stolen assets need to be devalued (e.g., accounts terminated, new accounts issued)? What should be done to notify customers and partners, educate them, and advise them through any necessary responses? Who should work with law enforcement and with the media? Do off-site backups or redundant systems need to be activated? Can systems be reliably restored without risking further damage?<\/p>\n<p id=\"fwk-38086-ch13_s04_s02_s04_p19\" class=\"indent para editable block\">Best practices are beginning to emerge. While postevent triage is beyond the scope of our introduction, the good news is that firms are now sharing data on breaches. Given the potential negative consequences of a breach, organizations once rarely admitted they\u2019d been compromised. But now many are obligated to do so. 
And the broad awareness of infiltration both reduces organizational stigma in coming forward, and allows firms and technology providers to share knowledge on the techniques used by cybercrooks.<\/p>\n<p id=\"fwk-38086-ch13_s04_s02_s04_p21\" class=\"indent para editable block\">Information security is a complex, continually changing, and vitally important domain. The exploits covered in this chapter seem daunting, and new exploits constantly emerge. But your thinking on key issues should now be broader. Hopefully you\u2019ve now embedded security thinking in your managerial DNA, and you are better prepared to be a savvy system user and a proactive participant working for your firm\u2019s security. Stay safe!<\/p>\n<div id=\"fwk-38086-ch13_s04_s02_s04_n01\" class=\"bcc-box bcc-success\">\n<div class=\"textbox textbox--key-takeaways\">\n<header class=\"textbox__header\">\n<p class=\"textbox__title\">Key Takeaways<\/p>\n<\/header>\n<div class=\"textbox__content\">\n<ul id=\"fwk-38086-ch13_s04_s02_s04_l01\" class=\"itemizedlist\">\n<li>End users can engage in several steps to improve the information security of themselves and their organizations. These include surfing smart, staying vigilant, updating software and products, using a comprehensive security suite, managing settings and passwords responsibly, backing up, properly disposing of sensitive assets, and seeking education.<\/li>\n<li>Frameworks such as ISO27k can provide a road map to help organizations plan and implement an effective security regime.<\/li>\n<li>Many organizations are bound by security compliance commitments and will face fines and retribution if they fail to meet these commitments.<\/li>\n<li>The use of frameworks and being compliant is not equal to security. Security is a continued process that must be constantly addressed and deeply ingrained in an organization\u2019s culture.<\/li>\n<li>Security is about trade-offs\u2014economic and intangible. 
Firms need to understand their assets and risks in order to best allocate resources and address needs.<\/li>\n<li>Information security is not simply a technical fix. Education, audit, and enforcement regarding firm policies are critical. The security team is broadly skilled and constantly working to identify and incorporate new technologies and methods into their organizations. Involvement and commitment is essential from the boardroom to frontline workers, and out to customers and partners.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<div id=\"fwk-38086-ch13_s04_s02_s04_n02\" class=\"bcc-box bcc-info\">\n<div class=\"textbox textbox--exercises\">\n<header class=\"textbox__header\">\n<p class=\"textbox__title\"><span style=\"font-family: 'Cormorant Garamond', serif; font-size: 1em; font-style: normal; font-weight: bold;\">Questions and Exercises<\/span><\/p>\n<\/header>\n<div class=\"textbox__content\">\n<ol id=\"fwk-38086-ch13_s04_s02_s04_l02\" class=\"orderedlist\">\n<li>Visit the security page for your ISP, school, or employer. What techniques do they advocate that we\u2019ve discussed here? Are there any additional techniques mentioned and discussed? What additional provisions do they offer (tools, services) to help keep you informed and secure?<\/li>\n<li>What sorts of security regimes are in use at your university, and at firms you\u2019ve worked or interned for? If you don\u2019t have experience with this, ask a friend or relative for their professional experiences. Do you consider these measures to be too restrictive, too lax, or about right?<\/li>\n<li>While we\u2019ve discussed the risks in having security that is too lax, what risk does a firm run if its security mechanisms are especially strict? What might a firm give up? What are the consequences of strict end-user security provisions?<\/li>\n<li>What risks does a firm face by leaving software unpatched? What risks does it face if it deploys patches as soon as they emerge? 
How should a firm reconcile these risks?<\/li>\n<li>What methods do firms use to ensure the integrity of their software, their hardware, their networks, and their partners?<\/li>\n<li>An organization\u2019s password management system represents \u201cthe keys to the city.\u201d Describe personnel issues that a firm should be concerned with regarding password administration. How might it address these concerns?<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p class=\"nonindent\"><sup>1<\/sup>Knowledge@Wharton, \u201cInformation Security: Why Cybercriminals Are Smiling,\u201d August 19, 2009.<\/p>\n<p class=\"indent\"><sup>2<\/sup>IBM, <em class=\"emphasis\">X-Force Threat Report: 2008 Year in Review<\/em>, January 2009.<\/p>\n<p class=\"indent\"><sup>3<\/sup>For example, the DNS security patch mentioned was incompatible with the firewall software deployed at some firms.<\/p>\n<h2>References<\/h2>\n<p class=\"nonindent\">Claburn, T., \u201cPayment Card Industry Gets Encryption Religion,\u201d <em class=\"emphasis\">InformationWeek<\/em>, November 13, 2009.<\/p>\n<p class=\"indent\">Davis, M., \u201cWhat Will It Take?\u201d <em class=\"emphasis\">InformationWeek<\/em>, November 23, 2009.<\/p>\n<p class=\"indent\">Goldman, D., \u201cCybercrime: A Secret Underground Economy,\u201d <em class=\"emphasis\">CNNMoney<\/em>, September 17, 2009.<\/p>\n<p class=\"indent\">King, R., \u201cLessons from the Data Breach at Heartland,\u201d <em class=\"emphasis\">BusinessWeek<\/em>, July 6, 2009.<\/p>\n<p class=\"indent\">Lewis, N., \u201cInvestigation Of Ex-Chief Of the C.I.A. 
Is Broadened,\u201d <em class=\"emphasis\">New York Times<\/em>, September 17, 2000.<\/p>\n<p class=\"indent\">Lilly, P., \u201cHackers Targeting Windows XP-Based ATM Machines,\u201d <em class=\"emphasis\">Maximum PC<\/em>, June 4, 2009.<\/p>\n<p class=\"indent\">Matwyshyn, A., <em class=\"emphasis\">Harboring Data: Information Security, Law, and The Corporation<\/em> (Palo Alto, CA: Stanford University Press, 2009).<\/p>\n<p class=\"indent\">Matyszczyk, C., \u201cFrench Planes Grounded by Windows Worm,\u201d <em class=\"emphasis\">CNET<\/em>, February 8, 2009.<\/p>\n<p class=\"indent\">McMillan, R., \u201cRestaurants Sue Vendors after Point-of-Sale Hack,\u201d <em class=\"emphasis\">CIO<\/em>, December 1, 2009.<\/p>\n<p class=\"indent\">Taylor, C., \u201cThe Tech Catastrophe You\u2019re Ignoring,\u201d <em class=\"emphasis\">Fortune<\/em>, October 26, 2009.<\/p>\n<p class=\"indent\">Wildstrom, S., \u201cMassive Study of Net Vulnerabilities: They\u2019re Not Where You Think They Are,\u201d <em class=\"emphasis\">BusinessWeek<\/em>, September 14, 2009.<\/p>\n<p class=\"indent\">Wingfield, N., \u201cIt\u2019s a Free Country\u2026So Why Can\u2019t I Pick the Technology I Use in the Office?\u201d <em class=\"emphasis\">Wall Street Journal<\/em>, November 15, 
2009.<\/p>\n<\/div>\n<\/div>\n","protected":false},"author":217,"menu_order":4,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[49],"contributor":[],"license":[],"class_list":["post-280","chapter","type-chapter","status-publish","hentry","chapter-type-numberless"],"part":267,"_links":{"self":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/users\/217"}],"version-history":[{"count":2,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/280\/revisions"}],"predecessor-version":[{"id":418,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/280\/revisions\/418"}],"part":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/parts\/267"}],"metadata":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapters\/280\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/media?parent=280"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/pressbooks\/v2\/chapter-type?post=280"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/contributor?post=280"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.ccconline.org\/bus3060\/wp-json\/wp\/v2\/license?post=280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}