WindowSecurity.com Newsletter of August 2011 Sponsored by: ManageEngine
Welcome to the WindowSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of security. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to: email@example.com
1. Building a security entity within your organization
Internet access is a necessary evil, simply because no organization would survive without it. The very moment you connect your assets to the Internet, whether they are mobile devices, desktop computers or whole setups, you inherit a threat which needs to be mitigated. Organizations may end up with out-of-the-box setups that were overlooked or ignored during routine security checks, and these low priority assets may expose the organization's other critical resources. For instance, an unprotected and unpatched Windows server or client exposes openings that can be discovered by scanning within a few hours or minutes of being connected to the Internet. Even well planned and secured assets can pose a risk to an organization.
In an environment where security is handled with due diligence, risks are minimized but still present. We all know that you can never achieve a 100% secure environment. Suppose that your IT infrastructure is unlikely to suffer from data theft, break-ins or loss of data; what if it is taken offline by a DoS attack or unplanned service provider downtime? Downtime costs big money, and organizations in some business sectors (such as selling low cost items) consider the availability of their online shops more vital than top-notch security!
What further steps do we need to take after securing our IT environment?
In large organizations a Computer Security Incident Response Team (CSIRT) is responsible for receiving, reviewing and responding to computer security incidents. Its members are full time security experts handling security incidents, but in order to be proactive they need to perform additional duties such as continuously examining incident reports for possible future threats, conducting research studies, and implementing monitoring tools. While a large organization may afford the budget to maintain a security team (or may be obliged to maintain one due to regulatory compliance), a smaller organization can either implement a cut-down version of a CSIRT with reduced functionality or outsource these services. What are the basic elements you need in place to implement such an entity?
Building a security response entity and achieving results depends on the reputation such an entity acquires as it goes along. Putting practical security policies in place, having an excellent incident handling management system and a clear strategy does not guarantee success. The ultimate goal has to be the effective resolution of security incidents, and the greatest asset in all this is training. Make sure that any security staff delegated with incidents are well trained and are able to get help from other experts. In fact, a recommended additional requisite for effective CSIRTs is to establish contacts with other teams. Support from security experts would give your entity broader knowledge and will keep you updated with the latest trends. I suggest looking for any national entity, such as a national CSIRT, that may exist in your country. The added benefits are many, as such teams can provide you with the required expertise and with current threat information drawn from the data collected throughout their region.
Training does not end with the security experts. End users must have their fair share as well. Security awareness programs reduce the number of incidents--and remember that small things often prevent great disasters. Security awareness programs for end users should be seen primarily as a preventive tool; however, the end users' cooperation is also a big asset when it comes to collecting evidence.
To conclude this month's newsletter I would like to recap the most important objectives of an organization's security entity. A security entity, whether it is a formalized team such as a CSIRT or an ad hoc team of individuals from an IT department, must be based on both reactive and proactive services. The reactive services include alerts, vulnerability handling, and incident and artifact handling, while the proactive services include security audits and announcements, secure configurations and routine maintenance, amongst others. Additionally, if enough funds are available, I would suggest security tools such as intrusion detection, supervisory control, and data acquisition tools that would make your proactive service more complete. Security quality can be enhanced further by adding other layers to the reactive and the proactive services: continuous risk analysis and disaster recovery plans. When an incident scenario has a devastating effect and is considered a major crisis, your life saver would be a well-thought-out BCP (Business Continuity Plan).
Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you're more than welcome to e-mail me at firstname.lastname@example.org.
See you next month! - George
2. WindowSecurity.com Articles of Interest
3. Tip of the Month
Check this additional information about Security Emergency Response Teams:
4. Latest Security Exploits and Concerns
5. Ask George a question
What is a National CSIRT?
As nations become more and more dependent on IT systems, the underlying technology infrastructure has become vital to the economy. Fraud may be the major cyber threat; however, there are other possible disruptions, such as organized attacks on a country's IT infrastructure, as we saw a couple of years ago! To ensure security and economic vitality, governments are legislating frameworks that manage cyber security, and a National CSIRT is one element of that framework.
A National Computer Security Incident Response Team (National CSIRT) coordinates incident management and facilitates an understanding of cyber security issues for the national community. It also provides the specific technical competence to respond to cyber incidents of national interest. An important function within a national CSIRT is the dissemination of information throughout the country's industries and other entities. It becomes a focal point for a national discussion on cyber security.