by Atchison Frazer and Brian Dennis

How to Combat Five Network Security Compliance Risks

Feature
Oct 17, 2007 | 7 mins
Compliance, Network Security


In the contemporary enterprise, the responsibilities of executives in finance, legal, information technology and, most important, those with a special duty of care and loyalty to the best interests of shareholders, the so-called “fiduciaries” of a publicly traded corporation, have become quite blurred.  The threats to a corporation’s security are changing so quickly that it is difficult to determine what steps are required to ensure a company is both secure and legally compliant.

Even a corporation that has a mature security program, including several levels of security, strictly enforced policies, and regularly scheduled audits, still faces a number of potential threats that can either bring down the network, or increase security risks and create legal liabilities.  An important factor to remember is the delta between the loss of business value as a result of an attack versus the savings from taking all imaginable precautions. 

The Gramm-Leach-Bliley Act (GLBA), for example, compels corporations to conduct risk assessments that identify “reasonably foreseeable internal and external risks…” while monitoring the efficacy of IT systems agility in “detecting, preventing and responding to attacks, intrusions or other [vulnerabilities]….”

The following five areas are some of the most important risk factors companies must address to maintain compliance and a security-hardened risk posture:

Risk One:  Constant change in the nature of attacks and windows of vulnerability from mash-ups and other Web 2.0 apps.

Not every component or device (hardware/software) deployed is scrutinized in three key areas before becoming part of your infrastructure circumference.

a. Augmentation:

Can the device work transparently to provide an additional feature without radical changes in the current network architecture? Can the device functionality be virtualized without exposing interfaces to attack?  Are data from disparate devices captured, aggregated and analyzed for event correlation defenses?

b. Ease of Use:

Every device takes time to learn, but the cost of additional training mitigates the savings incurred by the additional functionality the device is perceived to bring to your environment.  In other words, do the complexity and redundancy of devices increase human latency and the possibility for error that hackers and ’social engineers’ can subsequently exploit?

c. Flexibility:

Implement modularity in terms of what services can be placed on the network to mirror the nature of the latest threat, as well as the ability to do so quickly by simply activating incremental features and functionality on demand.

Risk Two:  Weak links in the security value chain and business process activity monitors.

a. Departmental Edges:

Department edges are vulnerable to users in other departments, especially if the network segmentation strategy calls for deploying a router at the edge internally between executive departments and the Internet, and other primary subnet domains.

b. Hoteling Areas:

Temporary naked access to internal networks is generally a forgotten area that presents a security loophole for remote employees who have recently plugged into lodging or WiFi broadband networks.

c. Extranets:

Giving partners, contractors, and remote users access can infect a network within minutes, or create denial of service via a blended spam/email/virus attack.  This is especially acute among smaller, mid-market firms that act as suppliers to large, public enterprises.

d. Remote Locations:

Tunnels for VPN communications can get overly extended and become difficult to manage. Conventional remote access servers cannot protect against incoming attacks caused by business users coming from other websites and infecting the network.

e. Automated Policy Enforcement/Monitoring:

Instituting automated abilities can help restrict a user from gaining access until a policy is enforced, such as what is possible by deploying GRC (governance, risk, compliance) automated controls in the network.

Risk Three:  Incomplete Cost-Benefit Analysis.

Areas of Loss: Formulas to calculate losses are built on models that often do not include: cost of lost IP; market value of lost or stolen information; cost of fixing an unsecured area after an attack; productivity losses; costs of becoming a greater insurance risk; and loss of brand equity and corporate reputation. 

Risk Four:  Areas where corporations are not ’Court-Proof Secure.’

a. Due Diligence:

Under SEC regulations, due diligence is closely akin to the legal responsibility of the Duty of Care and Duty of Loyalty standards to which the boards of directors, officers, CEOs and CFOs are held in the corporate charter. Corporations must create defensible audit trails that include logging of IP, malicious attacks, and unauthorized access to another IP address.

b. Third Party Locations (extranets):

Third party responsibility has been a hotly contested area especially for web-hosted services that provide online applications.  Tort law cases have indicated a duty to provide security for a company’s remote employee and contractor use to avoid downstream liability. Existing case law establishes that, in order to prevent lawsuits for insider espionage, a company must meet secured operations standards, which include setting corporate and network policies even for contractors and short-term employees.

c. Hardened VPN Services:

Generic VPNs may not protect against an attempted hack into an encrypted tunnel, or worse, prevent the propagation of an agent that plants a time-released intrusion on the network.  One way to harden VPN communications is by establishing ’trusted zones’ that are securely enabled by multiple layers of security from unified threat management appliances that combine firewall/VPN functionality with intrusion prevention and threat intelligence services.

Risk Five:  There are limited layers of security for electronic correspondence between fiduciaries.

a. Higher standards clearly exist for fiduciaries.

Bill Cook, one of the foremost experts in cyber security who prosecuted the first case under the often overlooked Computer Fraud and Abuse Act of 1986, says the courts are specific about the steps fiduciaries must take to avoid being considered “reckless” and potentially liable to criminal prosecution.  This includes the recognition that something as simple as an email from a fiduciary to another employee is held to a higher standard of protection than an email sent from an individual who is not considered a fiduciary.  Furthermore, any content that is transmitted from a fiduciary through the corporate network and other IT resources can be held to a higher standard than any employee without equivalent responsibilities.

CONCLUSION:

First, mandate privileged network security zones, using technologies that can block, log and create an audit trail for blended attacks and internally-spawned threats. By quarantining a department, you will mitigate outbreaks and potential losses on your network, due to theft, spam, viruses, and blended intrusions.  This is a common practice in physical security; so too should it be for virtual security in the network.

Second, provide layered security for your employees working remotely as well as extranet security for third parties who often represent the greatest threat of bringing down a network or stealing confidential information by exploiting the limitations in most flat networks from edge-based Remote Access Servers that generally lack application intelligence to perform contextual inspection of data packets. 

Third, create redoubted layers of secured access specific to the officers and senior managers in the company, and take responsibility for all data that passes from their computers and other digital communications devices – at corporate headquarters, home, or any remote location. All information coming from or going to the fiduciary’s various means of communications is highly privileged, so security controls should be pervasive where the business and network architectures converge.

Fourth, look closely at the court rulings as a guide to mitigate escalating cyber-insurance costs.  One possible formula to justify a reduction in cyber-insurance costs is SC = p(x)L + wx, where:

* p = probability of cyber-loss

* x = precaution level

* L = loss from cyber-attack

* w = precaution cost (per $ of unit)

* p’(x) < 0: chance of cyber-loss decreases with precaution
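The formula above, worked through as an added example (not part of the original article), also shows why the omitted "Areas of Loss" under Risk Three matter: a smaller L yields a lower cost-minimizing precaution level. It assumes SC is the total expected cost to be minimized and that p(x) decays exponentially; the dollar figures, `P0`, `K`, `W` and `NARROW_MODEL` are constructed for illustration.

```python
import math

# Constructed annual loss figures (USD) for the "Areas of Loss" named under Risk Three.
LOSS_AREAS = {
    "lost_ip": 400_000,
    "stolen_information_market_value": 250_000,
    "post_attack_remediation": 150_000,
    "productivity": 100_000,
    "greater_insurance_risk": 50_000,
    "brand_and_reputation": 300_000,
}
# What an incomplete loss model counts (assumption for this example).
NARROW_MODEL = ("post_attack_remediation", "productivity")

P0 = 0.30    # assumed p(0): probability of cyber-loss with no precaution
K = 0.5      # assumed decay rate, so p(x) = P0*exp(-K*x) and p'(x) < 0
W = 20_000   # assumed cost per unit of precaution, w


def p(x):
    """Probability of cyber-loss at precaution level x (assumed exponential form)."""
    return P0 * math.exp(-K * x)


def sc(x, loss):
    """The article's formula: SC = p(x)L + wx."""
    return p(x) * loss + W * x


def optimal_precaution(loss):
    """Precaution level minimizing SC, from the first-order condition p'(x)L + w = 0."""
    ratio = K * P0 * loss / W
    # If even the first unit of precaution costs more than it saves, x* = 0.
    return math.log(ratio) / K if ratio > 1 else 0.0


def compare_models():
    """Return (x* for full L, x* for narrow L, extra SC caused by the narrow model)."""
    full_loss = sum(LOSS_AREAS.values())
    narrow_loss = sum(LOSS_AREAS[k] for k in NARROW_MODEL)
    x_full = optimal_precaution(full_loss)
    x_narrow = optimal_precaution(narrow_loss)
    # Both plans are priced against the full loss, since that is what an attack costs.
    return x_full, x_narrow, sc(x_narrow, full_loss) - sc(x_full, full_loss)


if __name__ == "__main__":
    x_full, x_narrow, excess = compare_models()
    print(f"x* (all loss areas) = {x_full:.2f}, x* (narrow model) = {x_narrow:.2f}")
    print(f"extra expected cost from under-investing: ${excess:,.0f}")
```
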

Fifth, implement corporate security policies that protect audit trails for IP going into and leaving company networks, as well as appliances that log and correlate events of malicious exploits, while establishing an enterprise architecture strategy to embed security intelligence throughout the fabric of the network.

Corporations rely on a combination of speed and accuracy to make financial information of a material nature publicly available.  This requires greater emphasis on reviewing your organization’s overall security risk management plan and devising a holistic compliance scheme that is resilient enough to adapt before the next sophisticated attack occurs.

Atchison Frazer is director of enterprise services strategy for Cisco based in San Jose, California. Brian Dennis is a legal analyst based in New York.