A company's major risks used to be its reputation and financial loss. Nick Galletto, partner with Deloitte Security Services, notes that responsibilities now include security incidents and new legislation.
IT Focus: What advice can you give Canadian manufacturers, wholesalers and retailers regarding communication and security?
Nick Galletto: Before a new application tied to a supply chain gets deployed, it is important to make sure you take it through the appropriate development life cycle. Typically, security is an afterthought but it should be part of the design process right from the get-go.
With any new application that is being rolled out, the best thing to do is do a threat risk assessment. Understand what the threats are, the risks to the organization, and from there, you can decide the types of security controls you need to implement. At the end of the day, you're not going to spend $2 to protect a $1 worth of asset. You want to make sure the controls you implement are in line with the risk.
The threats could be an external hacker, malicious code or viruses, and denial of service attack. The risks for the organization from the hacker could be loss or compromise of confidential information so it could be a reputation risk, financial loss. You take it through that step for each of the applications. Where the risk is minor, you don't have to worry about putting the most stringent controls in place but you need to make sure it doesn't compromise your secure environment. You can segment that less secure area from your crown jewels by a firewall. If it is a highly sensitive application, you treat it as if it were your crown jewels.
Particularly around manufacturing, there could be serious risk around intellectual property. A lot of this information isn't protected appropriately. It could be plans, architectures, programs that provide competitive advantage or differentiate this manufacturing organization from others. We've seen it where this information leaks out to the competition not because of stealing but because there has been some lax security controls implemented. They launch this program and right away one of their competitors launches a similar program.
IT Focus: How does it leak out?
Galletto: It could leak out through e-mail. If it is identified that it is confidential, it should be encrypted and ensured it is sent only to the intended recipient. There should be some controls in place on how you handle that information. Data classification - confidential, for internal use, public consumption - becomes very important. You can get more granular on that but it comes down to setting the appropriate policies on data classification and then communicating that to the employees to ensure that there isn't that human error. We've had one incident as well that it was actually intentional. So, being able to monitor for compliance as well is very important.
IT Focus: So what measures should be taken?
Galletto: The primary step is policies on data classification. The second is a security and awareness program that explains to an end user how and why they have these policies. Sometimes policies are viewed as the stick. Through awareness programs you can get them thought of as the carrot. Staff will have an 'aha' as to why it is important to encrypt.
On the retail side, one of the major issues that we face today is around privacy legislation. How does the information get handled throughout that supply chain? Then, making sure you have important controls in place so the user that is handling that information understands exactly what to do and not to do.
There is also the security issue of making sure that appropriate controls are in place to protect personally identifiable information or credit card numbers [for Web sites offering online buying]. At times, there are very lax security controls. When you access whatever that retailer.com is, you find that they don't even have encryption or secure socket layers (SSL) implemented. All that communication is in clear text which could be easily read by someone else.
We've also seen cases that the user I.D. and password given to the customer is contained in certain fields in the URL. Hackers have got pretty sophisticated where they can start guessing patterns. They could use those numbers in sequence to guess what the next client could be and break in with a client's I.D.
So once you've done your threat assessment prior to go live and you've put those controls in place to mitigate risk, see if there are any vulnerabilities that can still provide a gateway for that hacker or a denial of service attack. Once you've got the okay, then deploy it. But it doesn't stop there. Most of these applications are living, breathing applications and you need to do periodic reviews to ensure that there aren't any new vulnerabilities. Being proactive becomes a lifecycle approach in developing those applications and implementing solutions.
IT Focus: Are companies doing this or not?
Galletto: Is it pervasive? No.
IT Focus: What is stopping more companies from doing this? Is it the expense?
Galletto: I think part of it is expense. I think part of it is not fully understanding what the risks are. If you take a look at manufacturing, for example, there probably isn't an end user client directly impacted by electronic communication, but there is a supply chain that is. There is a false sense of security there. For example, if company B is supplying you with those widgets and you have had a good relationship with them for the past 20 years, it doesn't mean that based on that relationship they have implemented the appropriate security controls. There is a disconnect between the physical world and the electronic world. If they have a lack of security controls in place that connect them to company C, D, E and F, those companies that you have no relationship with may use company B as a gateway into your internal system.
As you work through contracts and negotiate terms and conditions from a business perspective, make sure that you've also considered security as well, querying 'what practices have you implemented within your organization?'
We're finding in manufacturing, especially in Asia-Pacific and Europe, a lot of organizations are now adopting the ISO 17799 standard. They are also driving this down through the supply chain and they would gauge [a partner] on the 10 areas it covers. We're seeing the standards being adopted in Canada and the U.S.
IT Focus: What other communication and security issues concern you?
Galletto: We're seeing wireless devices popping up everywhere. I don't think everyone is aware what the real issues are with wireless technology. Your organization might have gone through a tremendous job of securing your network but then the wireless access point is dropped in, creating a back door that becomes a single point of failure. The IT department may not know about it and others are unaware of its consequences. I
t is important you understand the limitations of security and how to manage those limitations. For example, turning off your broadcast of your service I.D. so it doesn't broadcast that password.
Encryption standards for wireless haven't evolved for wireless as quickly as they should. The WEP (Wired Equivalent Privacy) protocol, the wireless privacy protocol that comes standard with wireless devices, is easy to decipher. Other standards coming soon will improve the level of encryption. Some authentication mechanism would help minimize risk.
Instant messaging is another major issue, similar to wireless. If there is encryption, it can be very weak and information can be easily deciphered. It can create a pipe from end user A to end user B.
For example, if I am downloading files directly to my workstation, they may be infected with a virus. Traditional gateway anti-virus products would not be able to filter that information. In some cases, sessions have been sabotaged and used to launch an attack. You need to make sure that all the anti-virus programs on your desktop are controlling when you open up one of those attachments. It comes down to policies and procedures to maintain a safe, user-friendly experience.
Spam is another issue we deal with on a regular basis.
I think it is important to focus on people, processes and technology in ensuring that you have an effective information systems security plan.