Over the course of my career, I have worn the hats of CIO and CISO simultaneously many times. I am currently doing so as CIO/CISO for Minnesota State Colleges and Universities (MnSCU), which includes 37 state colleges and universities and serves over 400,000 students. Over the years, and as recently as a few weeks ago during a meeting of our Board of Trustees, I have been asked whether enterprise information security is a solvable problem. My answer hasn’t changed over the years: it is yes.
At this point I could justify this answer by talking about critical controls, policy and procedure, and education, all of which are important parts of the equation. However, if I had to single out the one avenue that maximizes my reduction of risk and provides solid ROI, I would choose eliminating the human element (to the degree possible) through automation, particularly at the network level.
My experience tells me that end users do not want to be bothered with anything that interferes with their work. They expect their network and the Internet to be safe (regardless of reality) and feel they should not have to be bothered with security. Like everything else, it should just “work” without conscious effort on their part, and to a large extent I agree. While organizations can spend a considerable amount of time and money trying to change behavior, those activities tend to be about as effective as the medical community telling us to eat right, exercise and quit smoking. Everyone knows someone who is not heeding that advice even though the consequences of those behaviors are far more dangerous to the individual than failing to practice safe computing. One difference is that, in the context of enterprise networks, one bad choice by a single user can put the entire enterprise at risk.
To accommodate this mindset, my task becomes putting systems and services in place that, as transparently as possible, prevent end users from hurting themselves and others. This starts at the core: segment the network properly, then define network policy and rigidly enforce it on all communication between segments. While you don’t want a network so complex that it is impossible to manage, giving up a little on the manageability front can reap significant rewards from a security standpoint. All the “normal” tools and methods come into play here: traditional firewalls, routers, VLANs, least-privilege rules (only the flows a segment actually needs are permitted and everything else is denied by default), etc. If automation is kept in mind, complex networks can be built without a significant loss in manageability. I also believe that software defined networking will play a significant role here from both security and manageability perspectives.
The next step (or perhaps the first step if you are designing the network from scratch) is including an IPS and/or Next Generation Firewall. The point is to proactively and automatically detect and act on malicious traffic to the greatest degree possible. I did not include IDS in the equation here because, while it is important from a logging perspective, most organizations do not have the staffing required to effectively manage the events generated by the device. Note that I am not saying IDS is not important, just that in my experience it generally goes underutilized.
To go a step further, include enterprise DNS services, that is, a resolver that refuses to resolve (or redirects) domains known to serve phishing, malware or botnet command and control. While many balk at the pricing, these services can considerably reduce the risk posture of an organization. It is one thing to educate users not to fall for phishing or not to click on executables; it is another thing entirely to have a safety net that catches the inevitable bad behavior when someone knowingly or unknowingly clicks a link that turns out to be a security threat. While no product comes with a 100 percent guarantee, I will take something over nothing. We all run antivirus even though its effectiveness is roughly in the 30 – 60 percent range.
Tools and services that protect against phishing, malware, botnets and ransomware such as CryptoLocker pay for themselves in countless ways, such as reducing forensics and re-imaging costs and limiting the spread of viruses and malware. It is hard not to add such a non-intrusive tool to your layered defense.
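To make the safety net concrete, here is a minimal protective-DNS policy engine, added as an example; it is not MnSCU's deployment or any vendor's product. It parses a wire-format query, checks the queried name and every parent domain against a blocklist, and answers listed names itself with a sinkhole address (or NXDOMAIN for non-A queries) instead of resolving them; unlisted names are handed to the upstream resolver unchanged. The blocklist entries, the sinkhole address 10.0.0.1 and all helper names are constructed assumptions, not a real threat feed.

```python
"""Minimal protective-DNS policy engine (added example). The blocklist and
sinkhole address below are constructed assumptions, not a real vendor feed."""
import socket
import struct

# Constructed sample blocklist (assumption): a real service pulls this from a
# continuously updated threat feed of phishing / malware / C2 domains.
BLOCKLIST = {"bad.example", "phish.example"}
SINKHOLE_IP = "10.0.0.1"  # assumed internal sinkhole / warning-page host


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is listed, so that
    login.phish.example is caught when only phish.example is listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query for `name` (qtype 1 = A, 28 = AAAA)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, raw question section) from a query."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def build_sinkhole_response(txid, question, qtype, sink_ip):
    """A queries get the sinkhole address; every other type gets NXDOMAIN
    (rcode 3) so the client cannot fall through to AAAA, MX, etc."""
    if qtype == 1:
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        # answer name is a compression pointer (0xC00C) to the question name
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sink_ip)
        return header + question + answer
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return header + question


def handle_query(packet, blocklist=BLOCKLIST, sink_ip=SINKHOLE_IP):
    """Policy decision: ("sinkhole", response_bytes) for listed names,
    ("forward", None) meaning "send upstream unchanged" for everything else."""
    txid, name, qtype, question = parse_query(packet)
    if is_blocked(name, blocklist):
        return "sinkhole", build_sinkhole_response(txid, question, qtype, sink_ip)
    return "forward", None


def parse_response(packet):
    """Return (txid, rcode, answer IP or None) for responses built above."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    ip = socket.inet_ntoa(packet[-4:]) if ancount == 1 else None
    return txid, flags & 0x000F, ip


if __name__ == "__main__":
    for qname in ("login.phish.example", "www.example.org"):
        action, resp = handle_query(build_query(qname))
        print(qname, "->", action, parse_response(resp) if resp else "")
```

The parent-domain walk is what makes a list of a few thousand registered domains cover the unlimited subdomains a phishing kit generates under them. A production resolver also has to handle compression pointers and EDNS in queries, and the bypass problem: users and malware that hard-code a public resolver or use DNS over HTTPS. That is why the segmentation policy described earlier should force all outbound port 53 traffic through the enterprise resolver rather than relying on clients to use it voluntarily.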
Finally, consider two factor authentication, particularly for system admins and super users, but increasingly for the general end user. I have always considered Identity and Access Management (IAM) a network function, and the sophisticated use of these tools, coupled with automatic rules for provisioning and deprovisioning, helps create a safer networking environment that is for the most part invisible to the end user. Clearly, two factor authentication is the most intrusive of the measures discussed up to this point, yet the practice is becoming pervasive outside the workplace. Gamers now protect their online accounts with a second factor on a phone or fob, and large email providers are actively encouraging the use of two factor. Some online banking and other financial services require a second factor, particularly when the device making a connection is not recognized. Why not take advantage of a practice the consumer market is already training our end users to expect?
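As an added illustration of what the phone app or fob actually does (example code, not the author's or MnSCU's implementation), the following implements the TOTP algorithm of RFC 6238 that most consumer authenticators use, together with the server-side check. It assumes a shared secret already provisioned to the device; the secret here is the published RFC 4226/6238 test secret, chosen only so the codes can be compared with the RFC's own tables, and the drift window and replay handling are the choices a practitioner would typically make rather than anything prescribed by the page.

```python
"""TOTP (RFC 6238) second factor with a server-side verifier. Added example;
DEMO_SECRET is the RFC test secret and must never be used for a real account."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret "12345678901234567890" (demo value only)
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte counter,
    dynamically truncate to 31 bits, keep the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack("!Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based variant: the counter is the number of `step`-second
    intervals since the Unix epoch, so phone and server agree on it without
    ever talking to each other."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, step=30, window=1, last_counter=-1):
    """Server-side check. Accepts the code for the current step or up to
    `window` steps either side (clock drift), refuses any counter at or below
    `last_counter` (a code the server already consumed cannot be replayed),
    and compares in constant time. Returns the accepted counter, or None."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), str(candidate)):
            return c
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted counter:",
          verify_totp(DEMO_SECRET, code, now))
```

Two points matter in deployment: the server must persist the accepted counter per user so a captured code cannot be reused within the window, and the secret itself is a password-equivalent that has to be stored and provisioned (usually via a QR code) with the same care as an admin credential.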
All the above is written with the consideration that I work in an industry (higher education) that traditionally has very limited funds to put towards security and a low tolerance for strict controls. Colleges and universities have a history of openness, sharing and innovation. Rules and controls are perceived as stifling – thus my emphasis on transparency. Furthermore, there is the reality that the limited dollars available need to be spent to maximize effectiveness. I would rather spend the dollars that I have on systems and solutions that minimize human effort (because staffing is limited) and that are proactive rather than reactive.
Each organization’s security posture is influenced by that organization’s culture, maturity and resources. The steps I have described above may be just the beginning for some organizations, but for others, they would represent the pinnacle of success. I believe most institutions of higher education could go a long way towards solving their enterprise information security problem by implementing these steps, and I am willing to bet that they will work for your enterprise, too.