Security Depends on IT Maturity

Sunday, March 18, 2012

Robb Reck


Mature IT Processes are Essential to Effective Enterprise Security

Enterprise information security is a function, not a role. While we hire technical folks and call them our “security team,” the expectations around implementing security are distributed throughout the business, especially the IT staff.

The security department is responsible for creating the policies and standards that govern the organization, but we depend on network administrators, system admins, developers, DBAs, project managers, desktop support and others to ensure that those standards are implemented.

As an example, imagine…

Funding finally gets approved for those critical network security enhancements you’ve needed for years. You purchase and implement the latest and greatest firewalls, DLP, IPS, anti-DDOS and WAF systems. Things are good. Of course you realize that no security is perfect, but you feel comfortable that you’re at an acceptable level of risk.

A few months go by. Your security controls have been able to withstand the best that the bad guys have thrown at you. Then one fateful day it happens. A harried network administrator sets up a connection from a new ISP. Within minutes of its being stood up, the bad guys have recognized the new public IP and found their way into the soft, squishy center of your network.

All it took was one unapproved network change to render all your countermeasures useless. By setting up a new internet gateway without working with the security team, the network admin provided the backdoor that gave malicious users no-holds-barred access directly to the corporate treasures.

The reality is that the Information Security team is only as good as the processes of the IT department they work to protect. The most basic tenet of information security governance is that when policies, standards and guidelines are created, they will be followed. Information security governance is only successful when supported by a larger, well-implemented IT governance.

I picked on a network administrator in my story, but they are just the easiest example, certainly not the only one.

  • Information security can purchase and implement cutting-edge code-review tools and vulnerability testing systems, but if application developers are making changes to production on-the-fly, those tools can’t keep a web application secure.
  • The security team may create standards and baselines for laptop configurations that prevent users from downloading malicious software, but if desktop support gives the user local administrator privileges, all those security tools can easily be disabled.
  • The information security organization may have specific requirements for that great new system, but if the Project Management Office (PMO) doesn’t include a security representative in project scoping, the security requirements will never be known, and will not find their way into the final product.

Each member of the IT team is critical to a successful enterprise security program. Information security governance is first and foremost about governance, and that needs to be implemented at a much larger scale.

Normally we might look for signs of an organization’s cyber security fitness in metrics like patch levels, web application vulnerabilities, and firewall configurations. But in order to step back and see the real state of our companies’ information security programs, we need to include measures that capture the state of IT governance overall.

Some key questions include:

  1. Are our IT teams properly staffed? Overloaded IT technicians are much more likely to skip steps. The steps they’re most likely to skip include testing and documenting, both of which are essential to security.
  2. Do teams know what they’re in charge of? Every process needs one team to own it, and every team needs to know what it’s responsible for. Documentation around who owns each function is critical.
  3. Do we have reliable, up-to-date inventory lists and network diagrams? We may have the best intentioned system administrators. They may be fantastic at keeping their systems up to date with all required security controls. Yet, if their documentation does not include every system for which they are responsible, we will likely have systems that are not protected.
  4. How understood and accepted is the Change Advisory Board (CAB) process? What percentage of changes go through the CAB? Are we ensuring that changes to our systems are reviewed by a cross-functional team to minimize change risk? The CAB process can be a valuable opportunity for potential changes to be reviewed for their impact on the overall environment, and it can also serve as a tool for keeping disparate teams informed of one another’s projects.
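As an added example (my own, not part of the original post), the following Python turns questions 3 and 4 into measurable checks over constructed data: it reconciles a documented inventory against hosts actually observed on the network, flagging undocumented hosts, stale inventory entries and address mismatches, and it reports the share of applied changes that carry a CAB ticket. The CSV layouts, hostnames, addresses and ticket identifiers are all assumptions made for illustration.

```python
"""Governance-health checks over constructed sample data.

Added example, not part of the original article. Reconciles a documented
inventory with observed hosts and measures CAB coverage of applied changes.
Every record below is constructed for illustration.
"""
import csv
import io

# Constructed inventory export (what the system administrators documented).
INVENTORY_CSV = """hostname,ip,owner
web01,10.0.1.10,web-team
db01,10.0.1.20,dba
Mail01,10.0.1.30,messaging
app01,10.0.1.40,app-team
old-print,10.0.1.50,desktop
"""

# Constructed discovery output (e.g. from an authorised internal sweep).
DISCOVERED_CSV = """hostname,ip
web01,10.0.1.10
db01,10.0.1.20
mail01,10.0.1.30
app01,10.0.1.41
legacy-ftp,10.0.1.99
"""

# Constructed change log: changes that were applied, with an optional CAB ticket.
CHANGES_CSV = """change_id,description,cab_ticket
C-1,Firewall rule update,CAB-101
C-2,New ISP uplink,
C-3,Patch web01,CAB-102
"""


def _norm(name: str) -> str:
    """Normalise hostnames so 'Mail01' and 'mail01' compare equal."""
    return name.strip().lower()


def reconcile_inventory(inventory_csv: str, discovered_csv: str) -> dict:
    """Compare the documented inventory with what was actually observed.

    undocumented: observed hosts nobody has written down (likely unprotected)
    stale:        documented hosts that were not observed (retired or moved)
    ip_mismatch:  hosts whose documented address differs from the observed one
    """
    inventory = {_norm(r["hostname"]): r
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    discovered = {_norm(r["hostname"]): r
                  for r in csv.DictReader(io.StringIO(discovered_csv))}
    both = set(inventory) & set(discovered)
    return {
        "undocumented": sorted(set(discovered) - set(inventory)),
        "stale": sorted(set(inventory) - set(discovered)),
        "ip_mismatch": sorted(h for h in both
                              if inventory[h]["ip"].strip() != discovered[h]["ip"].strip()),
    }


def cab_coverage(changes_csv: str) -> dict:
    """Percentage of applied changes that reference a CAB ticket, plus the rest."""
    rows = list(csv.DictReader(io.StringIO(changes_csv)))
    uncontrolled = [r["change_id"] for r in rows if not r["cab_ticket"].strip()]
    covered = len(rows) - len(uncontrolled)
    pct = 100.0 * covered / len(rows) if rows else 0.0
    return {"percent_via_cab": pct, "uncontrolled": uncontrolled}


def governance_report() -> dict:
    """Run both checks over the constructed data and return one summary."""
    return {
        "inventory": reconcile_inventory(INVENTORY_CSV, DISCOVERED_CSV),
        "changes": cab_coverage(CHANGES_CSV),
    }


if __name__ == "__main__":
    report = governance_report()
    inv = report["inventory"]
    print("Undocumented hosts:", inv["undocumented"])
    print("Stale inventory entries:", inv["stale"])
    print("IP mismatches:", inv["ip_mismatch"])
    chg = report["changes"]
    print(f"Changes via CAB: {chg['percent_via_cab']:.1f}%  "
          f"uncontrolled: {chg['uncontrolled']}")
```

Each list in the output is a concrete follow-up for a named owner: an undocumented host needs an owner and a baseline before anything else, an IP mismatch means the inventory is drifting, and every uncontrolled change is a conversation with the team that made it. Tracking these numbers over time gives the governance trend the article asks for, rather than a one-off snapshot.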

Enterprise Information Security is a complex subject, and it cannot be handled by the security team by itself. Maturing information security processes must occur hand-in-hand with maturing IT governance.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Ian Tibble 'While we hire technical folks and call them our “security team"'. Technical is a four letter word in most security departments. They do not hire technical folk, and even if they do, they do not have a technical role.
"As an example, imagine…" could have used a better example. Adding a public facing IP address is not adding a backdoor unless other "technical" (sorry I said it again) controls are in place.
There's nothing actually faulty in what you're saying; it's just that the reality of most security departments is not in sync with what you're saying. There's a theoretical picture of the role of a security team, elements of which you have depicted here, then there's the reality of the picture in 90% and more of cases. It may be worse than 90%, but I like to keep open the dream that somewhere over the rainbow there might be an effective security department somewhere; just that in 12 years, from 3 continents, and 100 or so global clients, I am yet to see one.
"I picked on a network administrator in my story, but they are just the easiest example" I can't be sure if you're digging at network admins here or...? Anyway in 90%+ of cases, the security team isn't qualified to comment on network security risks at all. They do not, for example, have a say in firewall configuration. Network security is decided on and implemented entirely by network admins with little or cursory input from security. Security passes a checklist of policies requirements to network teams who know what the requirements are anyway. This is the case in most countries and industry sectors. It may be different where you are, but in this case you're either in dream land, you're not in security, or this is a very rare scenario that you're a part of.
"those tools can’t keep a web application secure". Familiarity with what the tools do under the hood depicts a rather grim story of real deliverables versus perceived deliverables in most cases. Show me a scanning tool that can accurately assess and also cover all the bases that matter to businesses. They do not exist. This is not cynicism, it's reality. Doesn't really matter whether or not developers are making ad hoc changes, the security team can't find the vulnerabilities anyway. Mention SQLi to most security staff and they take on a pale complexion and start shaking - visibly distressed at the very mention of the phrase. Plus their available tools will miss the most glaring vulnerabilities.
"The security team may create standards and baselines for laptop configurations that prevent users from downloading malicious software". The realities here are stark in that security teams will not be able to argue against a business case where developers etc. ask for security controls to be disabled. But you make a valid point about admin privileges... although often it's the case that malware isn't installed as a result of users being duped.
"network diagrams" fair point... interestingly 50% or so of clients weren't able to produce one when asked, although at least one staff member could draw one on a whiteboard.

"Enterprise Information Security is a complex subject, and it cannot be handled by the security team by itself". Totally yes, but everyone has to be speaking the same language to even begin to approach the problem. Right now, security does not speak IT whereas IT departments speak IT.

Robb Reck Ian, thanks for your comments.

The required skill-sets for the security team will vary wildly depending on the strategy the organization wants to pursue. Many organizations choose to keep the security operations within the functional teams (i.e., the networking team handles network security), and the security team just handles policy and governance. Other organizations will put hands-on security expertise within the security team itself.

My background is as a security manager for the last 6 years; previous to that I worked as a network and system administrator. I have worked in organizations on both sides of the fence... where security was very technical, or security was very policy-based.

The point of this article is that in either of those models security's effectiveness is dependent upon IT having appropriate structure in place. IT is the foundation upon which information security is built.

Ian Tibble Maybe where you are everything's fine Robb, and I did understand your point.
There are many security departments that take the haughty position of being 'managerial' rather than technical, but their influence over other departments is typically zero. So how much say does the security team have in terms of governance and control of other departments? Zero.
There are policies. But other depts just ask for exceptions. Knowledge of technical risk doesn't exist usually, so there is no leverage for the security team to apply governance.
It doesn't really matter how work is divided and who does what. Until the right skills are deployed, whatever changes are made won't have any effect.