The role of IT operations in Information Security
Over the years I’ve been involved in many discussions concerning information security. I started in IT working for several banks, implementing e-banking and Internet-banking solutions. At that time hacking and cyber attacks were serious threats, but not as common as they are now. Since then I’ve realized that the best cyber security is about preparing for cyber war and being able to fight battles against an unknown enemy who is ready to strike at any moment.
For the most part the discussion on information security seems to be about technology and how all kinds of solutions can prevent or reduce security threats. If there is mention of the human factor, then it mostly relates to user behavior and how users can be manipulated into sharing passwords or other information that will help hackers gain access. What I often miss in the discussion is the role of IT operations.
Now, give them time and hackers will manage to break through even the strongest defenses. There are plenty of Hollywood blockbusters that show you how this can be done. The hackers take time to get to know the routine of their opponent. Maybe lure a crucial security agent into sharing some essential information. They might trick an easy candidate so they can copy a passkey. Often they will create some kind of a diversion in the form of a sudden crisis (a major power outage will do). And when their plan comes together, they’re in the vault stealing the treasure.
Real-life examples, like bank robberies or jewel heists, also show that time is the most crucial factor for criminal success: the time they get before an effective counter action can take place. If they can do what they need to do in the time given, then they can pull it off. So the best way to prevent a bank robbery is to have an unpredictable, active (human) guard who can show up at any time and has the appropriate and necessary means to take action. Most bank offices no longer store much that is of interest to bank robbers, but doing the rounds in an unpredictable manner is still a good defense.
If you ask me how secure your IT network is, then I will not take a first look at your firewall or investigate how secure your passwords are. How well your IT operations team is doing its work will be more crucial to my assessment:
- Is your IT staff available around the clock every day of the year? Otherwise there will be an obvious gap in your defenses. And there will be plenty of time for a criminal to get into your network.
- Your IT staff will probably say that they will at least monitor the network around the clock. How reliable is your monitoring system? Often these systems are not kept up to date with all the changes in the infrastructure, creating holes in the system. Also, the monitoring (polling) intervals tend to be very predictable if they are not managed well.
- How often are your IT operators actually investigating alerts that are generated by the monitoring system? What use is a monitoring system when a human operator is not taking the time to follow up on what it detects?
- Let’s assume for now that your monitoring system is working well: how much time passes between the system alert, the notification to the operator, and the operator being able to do something about it? In most organizations this time is longer than expected. There is often plenty of time before someone picks up on the alert and can take the appropriate action to stop a break-in attempt.
- What is the appropriate action in your organization when an intrusion has been detected? Can you afford to pull the plug and take your network off the Internet to stop someone from gaining access? The best defense might be a counter-attack, but does your IT staff know how to do that?
- Back to basics: when was the last time your firewall was upgraded? Or your network routers and switches? If your IT operations team is up to the task, it will at least make sure it is doing what is necessary to stay up to date. The other side is doing that for sure.
- How are your IT staff doing their virtual rounds? Most smaller IT departments struggle with the proactive routine tasks, like regularly checking log files or going through configuration settings. Doing this routinely will not only help prevent service outages, it also helps improve your security. And by setting up checklists and having your operators sign them, you create an audit trail as well, helping you get a better sense of how your IT staff is doing.
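The gap between an alert being raised, the operator being notified, and the operator actually acting on it is something you can measure rather than guess at. The following added example (not code from the original post) walks a constructed set of alert lifecycle events, computes the minutes spent in each stage per alert, and flags alerts that were never followed up or that took longer than an assumed 30-minute response window; the event format and alert ids are invented for illustration.

```python
import shlex
from datetime import datetime

# Constructed sample events (not real monitoring output): one line per
# lifecycle step of an alert, in timestamp key=value form.
SAMPLE_EVENTS = """\
2024-03-02T01:12:04 alert=A-1001 state=raised host=fw-edge-01 msg="repeated admin login failures"
2024-03-02T01:12:09 alert=A-1001 state=notified operator=night-shift
2024-03-02T02:05:41 alert=A-1001 state=acknowledged operator=night-shift
2024-03-02T02:31:10 alert=A-1001 state=actioned action="source blocked at firewall"
2024-03-02T09:40:00 alert=A-1002 state=raised host=db-03 msg="new local admin account created"
2024-03-02T09:40:05 alert=A-1002 state=notified operator=day-shift
2024-03-02T09:47:30 alert=A-1002 state=acknowledged operator=day-shift
2024-03-02T09:55:00 alert=A-1002 state=actioned action="account disabled, host isolated"
2024-03-02T23:58:12 alert=A-1003 state=raised host=vpn-01 msg="login from unusual country"
2024-03-02T23:58:20 alert=A-1003 state=notified operator=night-shift
"""

# The stages an alert is expected to pass through, in order.
STAGES = ("raised", "notified", "acknowledged", "actioned")

def parse_events(text):
    """Group the event lines into {alert_id: {state: timestamp}}."""
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        # shlex handles the quoted values such as msg="..." and action="..."
        fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
        alerts.setdefault(fields["alert"], {})[fields["state"]] = datetime.fromisoformat(stamp)
    return alerts

def response_report(text, max_minutes=30):
    """Per alert: minutes spent between consecutive stages, total minutes from
    'raised' to 'actioned', and a verdict against the response window."""
    report = {}
    for alert_id, states in parse_events(text).items():
        gaps = {}
        for prev, nxt in zip(STAGES, STAGES[1:]):
            if prev in states and nxt in states:
                gaps[f"{prev}->{nxt}"] = (states[nxt] - states[prev]).total_seconds() / 60
        if "actioned" in states:
            total = (states["actioned"] - states["raised"]).total_seconds() / 60
            verdict = "ok" if total <= max_minutes else "too slow"
        else:
            total = None          # raised (and maybe notified) but nobody acted on it
            verdict = "no follow-up"
        report[alert_id] = {"gaps": gaps, "total_minutes": total, "verdict": verdict}
    return report

if __name__ == "__main__":
    for alert_id, r in response_report(SAMPLE_EVENTS).items():
        print(alert_id, r["verdict"], r["total_minutes"], r["gaps"])
```

Run over real alert history, the "notified->acknowledged" gap per shift is usually the number that exposes the unattended hours the post describes.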
The quality of your security is directly linked to how well your IT staff is taking care of the more basic aspects of their work. How well they monitor, check and maintain your systems may increase your security levels without having to resort to expensive technical solutions.