Top 9 IT Security Threats and Solutions for 2009
By Mark Kemmerle, OIT
In my role as Enterprise Information Security Director, I receive a lot of marketing and sales information from vendors of information security solutions. In January of this year, one of the leading vendors sent out a mailing on the Top Nine Security Threats of 2009. I thought it might be of general interest to share these top threats to a wider audience and provide a little information about what we're doing about them in Maine state government.
Threat #1
Malicious Insiders (Rising Threat): Employees with malicious intent have always been the biggest threat to their organizations.
Vendor Recommendation: Conduct Employee Security Awareness Training. Raising the awareness level of employees through mandatory, monthly online courses is a terrific way to remind them that security is everyone's responsibility. Choose a training program that offers up-to-date courses, ensures users understand policies and procedures, and provides reporting to management.
What We're Doing in Maine State Government: These newsletter articles are one way that we (the OIT Enterprise Security group) are trying to reach as many employees as we can on a regular basis. The OIT newsletter reaches almost 800 recipients every two weeks and the OIT Enterprise Security group tries to provide at least one security-focused article each month. We do not use the state's email system to send out security updates, since each message is stored in each account until it is deleted. We'd create (and sent) 13,000 for each notice or update, so we try to communicate through OIT representatives that serve each state agency. Additionally, some agencies use means such as posting security alerts on WEB pages for means of information dissemination.
You will also have noticed that there is a security banner as part of the active directory logon process. It was added in OIT last April and across the state in July.
We've also created an Enterprise Security webpage – with many security tips, articles and links to policies – at: http://inet.state.me.us/oit/services/CoreTechnology/security/index.html
Threat #2
Malware (Steady Threat): Malicious software can include viruses, worms, trojan horse programs, etc. but most importantly websites that host malware, which has become the most prolific distribution method.
Vendor Recommendation: URL Filtering, Patch Management and Other Protections. Proactively manage the sites where employees are allowed to surf by limiting them to safe, approved sites from reputable web publishers. Employ patch management and system AV & spyware protection to combat the malware threat.
What We're Doing in Maine State Government: URL filtering appliances could provide great benefit to the state in blocking access to inappropriate websites. However, in tough economic times, it is very hard to allocate funds for an appliance to block access to sites that should be avoided. OIT has blocked access to some websites (streaming Internet radio, for example), but the job is too big to be done manually. OIT uses Microsoft's automated patch management software to push fixes to the desktop devices on the network. Later this quarter, OIT is scheduled to implement an upgraded version of this patch management software called System Center Configuration Manager ( SCCM ) which will allow us to improve the patching process. OIT uses a similar product (McAfee's Electronic Product Orchestrator or ePO) to assure that anti-virus software is kept current.
Threat #3
Exploited Vulnerabilities (Weakening Threat): Hackers find a weakness in a commonly used system or software product and exploit it for their gain.
Vendor Recommendation: Implement Comprehensive Patch Management. Often some of the most sensitive data are on non-Microsoft systems such as Linux, UNIX or Macintosh. Invest in a patch management solution offering full visibility into your network and covering all operating systems and vendors, not just Microsoft. Consider host-based intrusion prevention (HIPS) which can monitor your system looking for anomalous behavior, applications attempting to be installed, user escalation, and other non-standard events.
What We're Doing in Maine State Government: Some of the biggest dilemmas in patch management come from third-party products like Adobe, Oracle, JAVA, and .Net applications. Settling on standard software products and reducing the number of versions we support will help us to do a more efficient job of patch management while reducing costs. A group has been convened to develop a list of suggested software standards and recommendations will be released this spring.
Threat #4
Social Engineering (Rising Threat): With hacking, a computer is compromised. With social engineering, a human is tricked into supplying personal information and passwords. Any method of communication will be used to perpetrate this fraud including telephones, mobile phones, text messaging, instant messaging, impersonation of support/vendor staff and social networking sites.
Vendor Recommendation: Conduct Employee Security Awareness Training; Conduct Social Engineering Testing. In addition to employee training to raise awareness you can hire a firm to come in and test your employees for their resilience to social engineering. A 3rd party can use mock scenarios to assess your vulnerability to a real attack.
What We're Doing in Maine State Government: The most prevalent type of social engineering attack is through email, specifically the kind of email known as “phishing.” Phishing attacks usually attempt to trick the email recipient into divulging personal information including bank account numbers, credit card numbers, social security numbers, and passwords. Sometimes they try to scare you; sometimes they appeal to your instincts to be helpful. We've published a number of articles about phishing scams and Internet hoaxes. Links are available on the Enterprise Security webpage .
Threat #5
Careless Employees (Rising Threat): Mistakes made by careless or untrained employees can lead to a significant security compromise. A poor economic climate puts strains on employees causing them to cut corners or important duties. It can also lead to less formal employee training.
Vendor Recommendation: Conduct Employee Security Awareness Training.
What We're Doing in Maine State Government: Despite the current economic climate, proper system training and quality practices should never be minimized.
Threat #6
Reduced Budgets (Rising Threat): A weak economy leads companies to tighten their budgets, which results in less headcount and less money for upgrades and new systems.
Vendor Recommendation: Consider Opting for a Software-as-a-Service (SaaS) Solution to Cut Costs. A company that has traditionally kept their security management and monitoring in-house may use this as an opportunity to look at the cost benefits of outsourcing it to a leading security firm. Choose a provider that offers a broad range of services is financially, viable and is audited by multiple independent 3rd parties.
What We're Doing in Maine State Government: Thorough security testing of complex new applications like AdvantageME, MERITS, and the upcoming Fiscal Agent projects are appropriately outsourced because of the complexity of the systems, their critical nature, and the added benefit of a neutral third-party assessment. These engagements have worked very well in the past.
Threat #7
Remote Workers & Road Warriors (Steady Threat): Telecommuting and mobile workers are on the upswing.
Vendor Recommendation: Use The Same Systems For Telecommuters As For On-Site Employees. Don't forget to install security on your remote VPNs. Make sure that remote users use company issued systems with updated security patches and web content filtering. Provide easily accessible on-call tech support so that employees don't resort to fixing things themselves and possibly disabling necessary security measures. Isolate work computers at home from the kids who can download threats along with their games.
What We're Doing in Maine State Government: In order to facilitate telecommuting, mobile workers employ secure VPN (Virtual Private Network) technology with two-factor authentication – the RSA Secure ID tokens that you use to log on from home. OIT encourages departments to provide a state supported device whenever possible. They can be configured securely and will receive regular updates when they connect to the state network. There is a written policy to address the use of
non-state-owned devices on the network. Policy Governing the Use of Non-State Owned/Approved Software and Devices for State Business ( MS-Word )
Threat #8
Unstable 3rd Party Providers (Rising Threat): While there is an increase in IT security expenses required to keep up with the growing threatscape and regulatory environment, there is a decrease in revenues in the market. This may lead many providers to go out of business or cut corners that could lead to a security compromise.
Vendor Recommendation: Consider Streamlining Your 3rd Party Providers. Ensure that you are using providers that have been in business for a long time, have seen hard times before and have been regulatory focused for years. Ask for audited financials and ensure your provider is profitable. Choose a firm that can offer you multiple solutions via one integrated portal to gain the benefits of economies of scale and reduce the burden on existing IT staff resources.
What We're Doing in Maine State Government: The state has security policies specifically tailored to our interactions with third-party providers like the Remote Hosting Policy ( MS-Word ) . The procurement process requires an evaluation of a bidder's financial and technical qualifications.
Threat #9
Downloaded Software Including Open Source and P2P files (Steady Threat): IT administrators may download and install open source software or freeware in an attempt to save money, which can lead to a huge waste of time in software configuration in and fine tuning or a data breach.
Vendor Recommendation: Limit Download and System Update Administration to a Trained IT Professional. Don't allow users to download and install software on their desktops. Regularly update system AV & Spyware Protection. Consider host-based intrusion prevention (HIPS) which can monitor your system looking for anomalous behavior, applications attempting to be installed, user escalation, and other non-standard events but make sure that only IT managers have access to this.
What We're Doing in Maine State Government: OIT is working on a standard list of software to be run on state supported desktops. The goal is to facilitate user download of approved software and eventually to block downloads of any software not registered and approved.
This has been a much longer than usual article for the OIT Newsletter. Thank you for your continued interest if you've read this far.
If you have comments or observations, please feel free to contact me.
Mark Kemmerle
Enterprise Information Security Director
Office of Information Technology
Division of Administrative and Financial Services
State of Maine, Executive Branch
Voice: (207) 624-8892
Fax: (207) 287-4563
