Thou shalt not ignore security

11 Sep 2001

A security threat can come from anywhere: indiscriminate viruses or Trojans, script kiddies, disgruntled employees, hackers working for a competitor, thieves, fraudsters or even plain old human error. And, if you think that sounds paranoid, well, there's nothing wrong with a bit of paranoia when it comes to designing a security policy for your organisation.

Or is there? Some organisations take things a bit too far. Until recently, at least one local council was blocking all incoming emails that were not sent in plain text format without attachments. And, since many common email packages, including Outlook, are often set up to format messages as HTML by default, this meant a huge number of emails sent to the council were bounced back to senders.

An automated reply told them to reformat their message as plain text but, since your average email user has no knowledge of text formatting protocols, the policy caused untold confusion.

"It was a nightmare. People were ringing us and saying that our email didn't work. It took so much time to explain how to get round the problem that we just told them to fax us instead," said one member of staff, who wished to remain anonymous.

Here ends lesson one of designing a security policy: always assess the level of risk first. Yes, sensitive data needs to be protected, but any security measures taken have to be weighed up against the direct cost of implementation and the indirect cost to users.

The risk of an HTML email infecting the council's network with a virus was minimal. But the time lost by employees as a result of the council's blanket blocking of HTML mails was a significant cost.

This is bad risk assessment; not to mention monumental stupidity given that Outlook, used by most of the council's staff, can be patched to prevent HTML messages automatically executing any potentially dangerous code.

When assessing risk, think about what data in your organisation needs to be protected. Once you know this, you can start to think about how you might protect that data. There is no one-size-fits-all solution.

Scott Rivers, product manager at 3Com, said: "A security policy cannot be bought off the shelf. It is a document that outlines your company's security needs and procedures and identifies what you need to protect and assign priorities to, thus eliminating the risk of protecting unimportant data, while leaving valuable data unprotected."

Having decided what data to protect, consider who should have access to that data, where it should physically reside and how it might best be protected.

Don't think about specific technologies at this stage. Too many organisations put products before people and processes. This is a sure-fire way to create an ineffective security policy. Always remember that security is a double-edged sword: too much can slow down business processes and hamper people's ability to do their jobs.

Quite often an overly rigorous policy can backfire. For example, one company set all desktops to perform a full local virus scan after every boot. Of course, no one could be bothered to wait for it to finish and cancelled the scan, leaving the machines more vulnerable than if a less intrusive virus checking regime had been in place.

But nowhere is a security manager's paranoia more evident than when setting the email and internet access policy. Some security experts recommend the blanket banning of software downloads and executable email attachments, with harsh penalties for any member of staff caught contravening the ban.

Many organisations also indiscriminately monitor staff emails and web usage, and it is easy to see why such policies have become commonplace. As well as threats from malicious code, the use of email and the internet has potentially damaging legal implications.

There are the potential threats of employees libelling someone or spreading illegal material around the company network. A recent white paper from security specialists DespatchBox noted: "The UK's recent Regulation of Investigatory Powers Act makes failure to correctly store emails a potential go-to-jail card for directors. When required, directors must be able to provide requested material or face prosecution."

As with all aspects of security, you need to get the balance right. DespatchBox goes on to say: "Companies would need to justify storage of an individual's personal mails for longer than they have to or risk further pressure under the Data Protection Act. Companies keeping everything for the purposes of liability are taking a disproportionate approach that breeds corporate paranoia."

Indeed, depending on your users' needs, a more relaxed policy might be desirable. Where users need relatively free access to the internet for genuine business purposes, blanket blocking of executables can be undesirable and unworkable.

In such cases a better approach is a three-pronged strategy: scan for known malicious code at the gateway; set medium-level security on the desktop to issue warnings before a user opens potentially damaging code; and implement a sound user education programme to prevent people from opening suspect attachments or accepting cookies from unknown sites.

Many security experts cite effective user training as the key to a successful security policy. Rob Boltman, principal consultant for security consultancy Detica, said: "Having security awareness programmes in place is absolutely essential. I know several companies that don't give this basic training to users. There might be a policy document kicking around, but that's no good. You need to actively educate users."

Users should understand why security policies are in place and the potentially serious consequences of not sticking to them, whether those consequences are technical, legal or a matter of compromised corporate confidentiality. And even if training all users is impractical, at the very least all employees should be sent - and made to sign - a security charter. This needs to come from senior management on headed paper. It should not simply be a circular email from the IT department.

Which brings us to the next key point about designing a security policy: you must get the understanding and full commitment of senior management. Ideally, the policy should be actively driven by the board.

"The issue of security can no longer be left to IT managers and should be generated and managed at board level," said Steve Davis, professional services consultant at security specialist Tumbleweed. "The consequences of security breaches, or emails being inadvertently sent to the wrong person, are simply too grave for the issue to be left in the hands of a technical person. The whole process should not be viewed as a waste of time and resources, but as a way of improving efficiencies, profitability and return on investment."

Once the policy has been clearly defined, you can begin to decide on ways and means of implementation: what firewalls and antivirus software to use, how to ring-fence certain data, whether and how you'll be using encryption, content filtering, passwords, biometrics or other systems.

However, it is vital that your selection and configuration of products and solutions comes after you have decided what your policy will be. And, since no security policy can be 100 per cent failsafe, you also need to ensure that adequate backup and contingency plans are in place.

There is certainly not room here to detail all the technical possibilities, but myriad tomes have been written on the intricacies of a security policy, some of which are considerably more comprehensive than others (see below). Then, of course, there's BS 7799, the British Standard code of practice for information security management. It's a weighty document but, even if you're not going for certification, it's required reading for all security managers. For more information see www.dti.gov.uk/cii/datasecurity/index.shtml.

You must also ensure that you have assigned responsibility for enforcement and progress monitoring. There's no point in designing a brilliant policy if you don't know who's responsible for making sure it's implemented properly.

The rapid pace of change in both business and IT means that security never sits still. Your policy should not be a static document but an ongoing process, regularly reviewed and kept up to date in line with both technical developments and the changing needs of the organisation. If you manage all this, even the most paranoid security managers among you should be able to sleep soundly at night.

10 security policy tips:

  • Assess risks: what data most needs protecting and is most vulnerable?
  • Decide where data will reside and who has access to what
  • Strike the right balance between security and user convenience
  • Ensure that management is fully on board
  • Educate users on policy, and make sure they understand
  • Examine ways and means, such as firewalls, encryption, passwords
  • Assign responsibility for enforcement
  • Detail contingency plans
  • Select and implement appropriate technologies
  • Monitor progress and adapt policy as necessary

Case study: The Open University

As an open academic institution, the Open University (OU) faces security threats different from those faced by most businesses, and they necessitate a very different policy.

David Phillips, the OU's computing development officer, said: "Our main threat comes from emailed viruses rather than hackers or internal threats. Hackers see us as a bit of a soft target, so they tend to leave us alone. However, people applying to do a PhD often send us a virus along with their CV. We also have to protect our systems against being used to attack others, for example by blocking Trojans like BackOrifice."

The university is based in Milton Keynes and has 13 regional offices. Some 3500 staff work on site using a variety of platforms, and the university has 200,000 students in disparate locations, about 60,000 of whom use the OU's FirstClass conferencing system.

The business systems sit behind a firewall and are kept totally separate from the academic and web-based systems. "Those need to be more open because of the need to allow a free flow of information among academics, researchers and students," explained Phillips.

On the business side, the OU runs Sophos antivirus software on the desktop and Trend on the servers. "That gives us two systems which are being constantly and independently updated," said Phillips. Students run Kaspersky AntiVirus. "We don't like to have all our eggs in one basket," he explained. "We've also gone for extension blocking on the mail gateway so that things like VBS scripts get stopped automatically."
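The extension blocking Phillips describes, and the gateway scanning prong of the three-pronged strategy above, come down to one decision per incoming message: does any attachment carry a filename the gateway refuses? The following is an added example of that decision written in Python; it is not the OU's gateway configuration or code from the article, and the blocklist, addresses and sample messages in it are constructed for illustration (the article names only VBS scripts). It walks every MIME part, ignores the sender-controlled Content-Type, and judges the final extension only, which is what a Windows client of the period used to choose a handler.

```python
"""Attachment extension blocking at a mail gateway.

Added example, not the Open University's own gateway configuration. It walks
every MIME part of an incoming message, reads the declared attachment filename
and rejects the message if the final extension is on a blocklist. The blocklist
itself is an assumption for illustration; the article names only VBS scripts.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist (illustration only): script and executable types that a
# Windows client of the period would run on double-click.
BLOCKED_EXTENSIONS = {
    "vbs", "vbe", "js", "jse", "wsf", "wsh",
    "exe", "com", "scr", "pif", "bat", "cmd",
}


def blocked_extension(filename):
    """Return the blocked extension of `filename`, or None if it is allowed.

    Only the final suffix counts, because that is what the operating system
    uses to choose a handler: 'CV.doc.VBS' is caught, 'notes.vbs.txt' is not.
    Windows ignores trailing dots and spaces, so 'script.vbs.' is still .vbs.
    """
    stem = filename.strip().rstrip(". ")
    if "." not in stem:
        return None
    ext = stem.rsplit(".", 1)[1].lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def attachment_filenames(msg):
    """Yield the declared filename of every leaf MIME part that has one.

    The part's Content-Type is deliberately ignored: the sender controls it,
    and a client that saves the file picks a handler from the name, so a
    script labelled text/plain is still a script.
    """
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def check_message(raw):
    """Gateway decision for one raw RFC 822 message (bytes).

    Returns (accepted, reasons); `reasons` lists each offending attachment
    so the bounce or quarantine log can say exactly what was stopped.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for name in attachment_filenames(msg):
        ext = blocked_extension(name)
        if ext:
            reasons.append(f"{name} (.{ext})")
    return (not reasons, reasons)


def build_sample(attachment_name, attachment_text):
    """Construct a sample message (constructed test data, not a real mail)
    with one text/plain attachment carrying the given filename."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "admissions@example.invalid"
    msg["Subject"] = "PhD application"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(attachment_text, subtype="plain",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("cv.txt", "CV.doc.VBS", "notes.vbs.txt"):
        ok, why = check_message(build_sample(name, "sample attachment body"))
        print(f"{name:>14}: {'accepted' if ok else 'blocked ' + ', '.join(why)}")
```

The deliberate weakness of the approach is visible in the third sample: a blocklist only stops names the gateway recognises, and a renamed or archived script passes straight through, which is why the article pairs gateway blocking with desktop warnings and user education rather than relying on it alone.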

Phillips is a member of antivirus groups such as the Wild List and Avien, which allows the OU to keep abreast of the latest threats and be among the first organisations to protect itself. It also has a security committee that meets four times a year to ensure that the policy is up to date and effective.

Further reading

Many books claim to offer help and advice when it comes to designing a security policy. Most are biased towards external threats, but here are five of the best:

Security Engineering
Ross Anderson
John Wiley and Sons
ISBN 0471389226
Covering everything from security concepts to systems architecture to management politics, Ross Anderson digests his years of experience working in, and lecturing on, security into an eminently readable yet comprehensive book on distributed systems security.

Windows NT/2000 Network Security
E Eugene Schultz
New Riders
ISBN 1578702534
A good generalist book on how best to avoid security holes in multi-user Windows NT/2000 environments.

Firewall and Internet Security
William Cheswick and Steven Bellovin
Addison Wesley
ISBN 0201633574
Written by the two AT&T Bell Labs researchers who tracked the infamous Berferd hacker and built the firewall gateway at Bell Labs, this book contains a fascinating account of one of the first documented hacker attacks, as well as taking you in detail through the planning and execution of an internet security strategy for Unix systems.

The Complete Guide to Internet Security
Mark Merkow and James Breithaupt
McGraw-Hill
ISBN 081447070X
Up-to-date and comprehensive reference on internet security concepts, principles and best practice.

Hacking Exposed: Network Security Secrets & Solutions
Joel Scambray, George Kurtz and Stuart McClure
Osborne Publishing
ISBN 0072193816
A great read that looks at security from the hacker's point of view. It details the tools and tricks of so-called black-hat hackers. The third edition is out at the end of September and also contains a CD-ROM. Although heavily biased towards Linux systems, a new Windows 2000-specific version comes out this month.
