Now we will look at which measures can be put in place to manage the risks related to information security, dividing them into the following classification:
Physical security and controls
Physical security is the part of information security that is probably the best known to anyone. Since it protects an asset physically, we have all dealt with it in many circumstances of our lives: how do we protect a building, a car, or cash? First, we try to physically protect these resources from outside access with simple or sophisticated security measures.
With information security, we start from the assumption that we have something similar to a server farm to protect against damage or thieves. Therefore, what should we do to enforce security?
We cannot answer this question without knowing the following initial conditions:
- Where is the server farm building located?
- Are there some fences/gates to cross to get into the building area or not?
- How far is the building from the nearest police station (or private security office)?
- Is the building outside an area monitored for suspicious activities?
Answering these questions is, in fact, part of the ISMS process itself. A good description of the initial conditions helps to build the measures that mitigate the risks. Let's proceed into the building with some more questions:
- Is the building entrance properly supervised?
- Is there a key (or an identification) to get into the building?
- Could that key/ID be copied easily?
- Could someone else use that key/ID?
- Is there a proper security control for loading/unloading areas?
Note that we are not yet inside the working space and we already have many security issues to manage. Let's proceed to the top floor, where the server farm is:
- Is the server farm room protected against intrusion?
- Are there any proper intrusion detection systems (alarms or sensors)?
- In case of an unexpected breach, is there a process to lock the company down in order to reduce the risk of losing data (and to catch the thief)?
So far we have only talked about measures to prevent unauthorized access to sensitive assets by people who have no right to be there. However, we should also consider other risks:
- Could the legitimate administrator shut down the power source of the server farm?
- Or should there be at least two power sources available at the same time?
- Is the server farm room properly furnished with fire extinguishers?
- Are incoming post parcels properly scanned to detect prohibited materials, explosives, and dangerous goods?
Note
Many security measures look like evidence of the CISO's paranoia. However, not every possible measure should be implemented since, as we said before, a company could also accept the risk, or reduce it to a different one.
As mentioned previously, each answer (and consequently each countermeasure) could lead to a new risk. The purpose of an ISMS is also to set up a continuous improvement process to find and manage new risks properly.
Note
Exercise for you:
Is the new monitoring system installed across the whole company to protect the assets compliant with local laws and regulations? Have the proper steps been taken to legally film employees?
In the previous example, we talked about ways to protect a hypothetical server farm against unauthorized access or disasters such as fire. Those considerations are still valid for on-premises equipment that is firmly fastened in company offices, such as cabling, desks, and big workstations. These are examples of what a thief could not easily steal (because of the weight and risk involved).
Imagine now how sensitive a CEO's desktop is in terms of confidentiality of information: documents, laptops, and smartphones might contain business secrets and losing them could lead the company into disaster too.
Protecting mobile resources with physical measures means applying new measures to provide security even outside the company premises, in addition to the safety measures that are already implemented in the company.
Tip
Smartphones are like mini-PCs with saved credentials, sensitive web browser history, financial data, and e-mail accounts, and the risk of losing this data is mainly related to the mobility of the owner.
Let's consider an agent travelling with his or her mobile equipment. These are some of the questions that may arise pertaining to the physical security of this equipment:
- Is the smartphone always (when not in use) enclosed in a container (pocket, bag, or pack)?
- Is it protected from falls and shocks by a proper shell or cover?
- Are sensitive paper-based documents enclosed in plastic sealed envelopes to protect them from water?
- Does the agent have a second power supply to operate his or her PC in case of low battery?
These questions give examples of what physical security for mobile devices could be:
- The first two are about confidentiality (protecting the smartphone against loss) and availability (protecting it from breakage)
- The third is about integrity (a wet document may be compromised)
- The fourth is about availability (an agent without his or her operational PC can waste time and money)
Logical security and controls
Logical security covers the measures that enforce security without being physical, such as access control, cryptography, organizational security processes, conventions, and many more. In this section, you will fully understand how ISMS is a pervasive approach, defining almost everything that is somehow related to the security of information.
Enforcing personnel security starts when the HR department evaluates a new candidate to hire. First, the department should perform adequate screening of the candidate by verifying the information he or she presents to the company in the resume. If the checks give evidence of the candidate's insincerity, this is, of course, a negative component in the overall evaluation.
The reliability of a candidate should also be taken into consideration, especially if he or she has to work with sensitive information or is in contact with high-profile employees. Verifying the truthfulness of the references declared by the candidate is again a good evaluation index, especially if the entities recommending him or her are certified or well known.
Another aspect strongly related to information security is the possibility that an employee discloses what he or she learns from the company while working for it. Actually, the problem remains even after the person has left, since the company information stays confidential. By using Non-Disclosure Agreements (NDAs) with employees, the company cannot solve the problem, but it can reduce the risk of someone publicly disclosing the information.
During the working lifetime of employees, the company must train them to adhere to internal regulations, for example, the security policies about information technology. Government laws rarely recognize the validity of a company's internal policies and code of conduct, but these can be used to create awareness and, in the case of an employee's failure, to start the appropriate disciplinary process.
Note
A code of conduct is a document (or a set of documents) that states the responsibilities of an employee regarding the best practices and minimal security measures implemented by a company. A code of conduct may forbid the use of social networks during work time, since social engineering can extract sensitive information from people's activity feeds.
When someone talks about IT and software security, the first topic is always access control. Access control is a logical measure to guarantee that only authorized entities can access private resources.
New employees of a company are provided with security tokens, such as keys, badges, security cards, and so on, to allow them access to specific physical and logical resources. At the end of the work relationship, the company must revoke them so that the former employees can no longer access company resources.
Tip
Access control is also a physical measure, such as badges or biometrics used when entering a building or a restricted area.
Almost every access control system uses credentials to identify and authorize users. Credentials are a pair of objects: the first identifies the user (or entity), and the second (which is strictly private) is like a key shared between the user and the system. In complex IT infrastructures, managing a company's credentials is not an easy task. To reduce the risks connected to credential management, it is often recommended to use a centralized identity management system (for example, Active Directory), which is useful to issue and delete credentials and to grant and revoke permissions, especially when Role-Based Access Control (RBAC) is in use.
While using a centralized system for identity management reduces some risks, it also introduces new ones, as previously stated in this chapter. The system administrator now has the capability to grant extra powers to unauthorized users, and can access the company's protected data. Therefore, new measures arise to reduce these risks:
- Independent auditing can be done for every administrative task (this is a detective measure)
- Multifactor authentication (for example, biometrics) could be enforced to compel the administrator to be physically at the office to operate
- An approval process (two administrators) could be set to perform a double check on administrative tasks
Access control is the very first measure to protect data, but the ability to recover lost credentials (in a short amount of time) is important too, to avoid unavailability or Denial of Service (DoS).
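The three measures listed above can be put together in a small centralized identity store. The following is an added illustration, not code from the book or from any real identity product: the roles, permission names, and user names are invented for the example. Every administrative task (including refused ones) lands in an audit trail for an independent reviewer, a grant needs a proposal from one administrator and an approval from a different one, and offboarding revokes everything in a single recorded task.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role catalogue: each role maps to the permissions it carries.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write"},
    "dba": {"db:read", "db:write"},
    "admin": {"identity:grant", "identity:revoke"},
}


@dataclass
class AuditEvent:
    """One record for the independent auditor (the detective measure)."""
    actor: str
    action: str
    target: str
    detail: str = ""
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


class IdentityStore:
    """Centralized identity store: issues and revokes roles, logs every
    administrative task, and needs two different administrators for a grant."""

    def __init__(self):
        self.roles = {}       # user -> set of role names
        self.audit = []       # append-only trail of administrative tasks
        self.pending = {}     # request id -> (proposer, user, role)
        self._next_id = 1

    def permissions_of(self, user):
        perms = set()
        for role in self.roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def _log(self, actor, action, target, detail=""):
        self.audit.append(AuditEvent(actor, action, target, detail))

    def _require(self, actor, permission):
        # Denials are logged too: a refused attempt is itself worth reviewing.
        if permission not in self.permissions_of(actor):
            self._log(actor, "DENIED", permission)
            raise PermissionError(f"{actor} lacks {permission}")

    def bootstrap_admin(self, user):
        """Seed the first administrators out of band (no actor to check yet)."""
        self.roles[user] = {"admin"}
        self._log("bootstrap", "GRANT", user, "admin")

    def request_grant(self, actor, user, role):
        """First administrator proposes a grant; nothing changes yet."""
        self._require(actor, "identity:grant")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = (actor, user, role)
        self._log(actor, "PROPOSE", user, f"{role} (request {rid})")
        return rid

    def approve_grant(self, actor, rid):
        """Second administrator approves; approving one's own request is refused."""
        self._require(actor, "identity:grant")
        proposer, user, role = self.pending[rid]
        if actor == proposer:
            self._log(actor, "DENIED", user, f"self-approval of request {rid}")
            raise PermissionError("two different administrators are required")
        self.roles.setdefault(user, set()).add(role)
        del self.pending[rid]
        self._log(actor, "GRANT", user, f"{role} (request {rid} by {proposer})")

    def offboard(self, actor, user):
        """End of the work relationship: revoke every role in one recorded task."""
        self._require(actor, "identity:revoke")
        removed = sorted(self.roles.pop(user, set()))
        self._log(actor, "REVOKE", user, ",".join(removed) or "(none)")
        return removed


def audit_report(store):
    """What the independent auditor reads: who did what to whom, and when."""
    return [(e.at, e.actor, e.action, e.target, e.detail) for e in store.audit]
```

The store deliberately has no way to grant a role in one step: `request_grant` and `approve_grant` are separate calls that must come from two distinct administrators, which is the "approval process" measure, and `audit_report` exposes the trail that the "independent auditing" measure relies on. The bootstrap step is the one place where no check applies, which is why it is logged under a reserved actor name.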
With the spread of mobile devices, new security risks have arisen. First of all, losing the device can compromise company trade secrets, even if the device is found by someone who has no intention of using the sensitive information; from an IT security perspective, the issue remains all the same.
Many modern mobile operating systems (for example, iOS, Android, and Windows Phone) have some built-in protection against misuse. Unlocking the screen with a passcode can be an effective entry-level protection. However, an experienced technician who wants to recover personal data can open the device and connect directly to its memory to read the private data. Under these conditions, full disk encryption is advised to prevent this circumstance.
Tip
In recent years, many companies have been adopting the Bring Your Own Device (BYOD) philosophy. It is a strategy that, on one hand, lets companies save money on the acquisition and maintenance of devices and, on the other hand, introduces a series of risks associated with the potential loss of governance over personal devices. In these cases, a trade-off between what an employee knows and what he or she can store on the device is required. Under these circumstances, digital services such as the intranet and e-mail are usually blocked by design.
The same applies to desktop computers and laptops. While in most cases a thief would steal them to resell them somewhere, the possibility of a thorough inspection is concrete, and full disk encryption is a good (and often easy) solution to adopt.
Tip
Many modern mobile operating systems also provide the capability to remotely wipe the device. This is a good solution to erase the contents of the device, but it works only if, after the loss, the device is reconnected to a network.
As usual, a new measure introduces new risks: what if the cryptographic key is lost, and who should be in charge of key management in the company? We will discuss this in a later section.
Note
An inventory management process is required as a measure to correctly track and monitor the mobile devices actually distributed to employees. Only through an accurate and planned inventory management process can a company know, at a given point in time, which resources are in or out and who the current owner is.
Most of you probably know what encryption is. If we have a sender and a receiver, assuming the channel is unsafe (someone is listening), encryption transforms the message into one with no semantic meaning until it reaches the receiver, where it is turned back into its original form.
Symmetric encryption rests on these concepts:
- The sender and receiver know a key
- Using a well-known algorithm, the sender encrypts the message with the key
- Using the reverse of the same algorithm with the same key, the receiver decrypts the message
This method, unfortunately, assumes that both parties possess the same key before the communication, and this exchange must be made in a secure manner. If this assumption cannot hold, asymmetric encryption can help. In asymmetric encryption, the receiver owns a key pair: a public key, which is given to the sender, and a private key, which it keeps to itself. The public key is used to encrypt the data, while the private key is used to decrypt it. Only the receiver can decrypt the data, so:
- The sender needs to send a message to the receiver; therefore, it asks for the receiver's public key
- With this key, the sender sends the encrypted message through the channel
- The receiver uses its private key to decrypt the message
If the public key is lost or intercepted, someone could only encrypt messages, not decrypt them. A man-in-the-middle, however, can behave like the receiver, handing the sender its own public key so that it can read what the sender wants to send.
Public Key Infrastructure (PKI) is required when we want to correctly identify who the speaker at the other end of the cable is. With PKI, a sender can verify the identity of a receiver, for example, when the receiver gives back its public key to start an encrypted conversation. With PKI, the sender asks an authority to confirm the correctness of the information received from the receiver before starting the communication. HTTPS is an example of how PKI is used in Internet communication.
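The exchange just described, with and without an authority vouching for the receiver's key, can be traced in a few lines of code. The block below is an added illustration and is not from the book: it uses textbook RSA with toy-size primes, one block per byte and no padding, so it shows the mechanics only and must never be used on real data. The identity `receiver.example`, the sample message, and the primes are constructed for the example; the authority is a function that signs the pair (identity, public key) with its own private key, which is what a certificate boils down to.

```python
import hashlib


def keygen(p, q, e=65537):
    """Textbook RSA from two primes: returns public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, message: bytes):
    n, e = pub
    return [pow(b, e, n) for b in message]   # toy: one block per byte, no padding


def decrypt(priv, blocks):
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)


# --- The authority: binds an identity to a public key with its signature -----
def _fingerprint(identity, pub):
    data = f"{identity}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def ca_issue(ca_priv, identity, pub):
    """Authority signs (identity, key); the result is a minimal certificate."""
    n, d = ca_priv
    return {"id": identity, "pub": pub, "sig": pow(_fingerprint(identity, pub) % n, d, n)}


def ca_verify(ca_pub, cert):
    n, e = ca_pub
    return pow(cert["sig"], e, n) == _fingerprint(cert["id"], cert["pub"]) % n


# --- Sender side --------------------------------------------------------------
def send(ca_pub, presented, expected_id, message, verify=True):
    """With verify=True the presented certificate must carry the authority's
    signature and name the peer we expect; verify=False is the unprotected
    flow the text warns about. Returns ciphertext, or None when refused."""
    if verify and not (ca_verify(ca_pub, presented) and presented["id"] == expected_id):
        return None
    return encrypt(presented["pub"], message)


def demo():
    ca_pub, ca_priv = keygen(2**31 - 1, 2**61 - 1)   # two Mersenne primes, toy size
    recv_pub, recv_priv = keygen(61, 53, e=17)        # receiver's own key pair
    cert = ca_issue(ca_priv, "receiver.example", recv_pub)
    msg = b"Q3 figures attached"                      # constructed sample message

    ct = send(ca_pub, cert, "receiver.example", msg)

    # A party sitting on the channel swaps in its own public key but cannot
    # produce the authority's signature over (identity, that key).
    swapped_pub, _ = keygen(47, 59, e=17)
    forged = {"id": "receiver.example", "pub": swapped_pub, "sig": cert["sig"]}
    return {
        "delivered": decrypt(recv_priv, ct) == msg,
        "forged_refused": send(ca_pub, forged, "receiver.example", msg) is None,
        "forged_accepted_without_pki":
            send(ca_pub, forged, "receiver.example", msg, verify=False) is not None,
    }
```

The point of `send` is the order of operations: the sender checks the authority's signature and the identity in the certificate before it ever encrypts anything, which is exactly the question PKI answers. With `verify=False` the same substituted key is accepted, which is the scenario the paragraph above describes. The difference between this toy and HTTPS is only in scale and detail: the certificate carries more fields, the authority is a chain, and the key sizes and padding are real.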
Communication is probably the key value of any company today. Sending an e-mail to a supplier or a colleague exposes the company to the risk of an information leak, if no security measures are taken.
Tip
A specific internal regulation is needed when working with third parties operating on behalf of the company (that is, outsourcing), and all the more so when these third parties need access to sensitive information.
The following questions can help you to understand which risks are concrete:
- Is the Instant Messaging (IM) system implementing a proper cryptography strategy to handle messages between parties?
- Is the software used trusted?
- What is permitted to be sent by e-mail? Are there policies to filter incoming and outgoing messages, based on content, attachment, or sender/destination?
- Are people properly informed about what to disclose? Are they aware of which communication channel they can use to share the company's sensitive data?
Managing communication safely is harder than answering these questions, but it is outside the scope of this book.
Giving IT equipment to employees exposes the company to a huge number of risks if they are permitted to install and use arbitrary software. This is why modern operating systems have sophisticated mechanisms to configure usage policies that permit or deny specific operations to users. However, configuring and maintaining the devices of a medium (or big) company one by one is not a simple task. This is why it is recommended that you implement a centralized management system for devices and operating systems, performing administrative tasks in batches from a remote location.
If you do not have a clear understanding of how important software management is, consider the following:
- What if a user needs a new piece of software? A proper process should be documented where, for example, the user asks IT to install the software and IT, after validating the request, performs the remote installation of the requested tool.
- What if a user opens a virus or, more generally, a malware application received by e-mail? Users should not have rights sufficient to compromise the operating system. In addition, proper restrictions on software execution, Internet browsing, and content filtering can help to reduce the risks.
Note
Exercise for you:
What about updates? Should users be independent while applying them? Why not? Is it a security issue or just a governance one?
A company should produce appropriate documentation about its processes to identify risks. As we said earlier, a good code of conduct should be distributed to, and adhered to by, employees to build organizational ethics. Internal regulations must be presented to third parties, contractors, and external entities (who have business relationships with the company) to govern the connection to and handling of sensitive information.
These principles hold, but first a company should address local laws and regulations, asking questions such as:
- Are the code of conduct, the regulations, and the policies compliant with the law?
- Is every piece of software used compliant with local laws and regulations?
- If not, what action could be implemented to replace them?
- Are the employees informed properly about laws and regulations, on top of the company's rules, to reduce the risk of them making mistakes?
Every country defines its own laws and regulations, for example:
- In some places, encryption is forbidden for some applications
- In some places, filming employees or visitors is illegal, even with a notice
- In some places, using location tracking on company devices given to users is not permitted
IT security must also take into account the effects of local laws and regulations, for example, patents or the rights contained within Intellectual Property (IP). Different countries treat software patents differently; for an international company, choosing where to develop software could shape the future of the company itself.
The same applies to IP. There are countries where everything an employee produces (in terms of IP) during his or her work is the property of the company; other countries have different rules. So, as local regulations may differ, proper contracts and agreements should be made to create a common framework that an international company operating worldwide can use.
Security in software development
We covered security while using software, but what can we say about building it? The process of creating software hides a series of potential threats that must be addressed correctly before the development process starts. As usual, documented procedures and policies are the main tools a company can use to correctly map each vulnerability to a measure, to control (and reduce, where possible) the risks.
A developer often uses tools that require administrative access to the local machine (think about local web servers); also, during development, a new tool (or set of tools) often needs to be installed quickly to perform an immediate action without asking for support. Finally, the operating system itself may be custom-configured to test the software infrastructure being built.
Note
In some companies, speed is generally preferred over quality. In these environments, inexperienced developers must perform their work on top of every other administrative task (configuring networks, operating systems, and more). A wrong configuration may lead the system into an inconsistent state, exposing the local environment (if not the entire network) to malicious software or external attackers.
A well-known, verified, and approved base set of development tools is important for a software development company; starting from this, exceptions can be defined, and a proper process to extend or upgrade a developer's permissions must be implemented.
If a company operates as a software house, its most important asset is code: how can we manage it safely? There is no single answer to this question, nor a procedure that avoids leaks entirely. There are, of course, some suggestions:
- Is the code stored in (checked into) a source code repository? A repository helps to grant permissions on a particular subset of the codebase on a user-by-user basis.
- Is the code repository reachable from the Internet? If not, an employee cannot use or dump the codebase from another PC or from outside the company's premises. If it is, an employee can work from outside the company, but can also leak sensitive data.
A safe environment could be a Virtual Machine (VM) (accessible only from inside the company through a remote desktop solution) with the development tools and source code access. By denying Internet access and the copy/paste functionality from/to the VM, a company can reduce the risk of code leaks.
Unless we are working in a perfect company, developers usually gain access to sensitive data or, at least, to much more than normal users. It is common to share the database credentials with the main developer, thinking that he or she is reliable. This is probably true, but the problem is that, by design, it means giving inappropriate (or excessive) access to someone.
Tip
A person with administrative access is an administrator and can, in addition to operating on sensitive data, create new administrators or change the existing ones.
In the rest of the book, we will discuss what it means to be an administrator of an Azure-based environment and we will look into different ways you can use to minimize the risk of security incidents.