Even you can think on – IT Security Policy Development !!

policyI found many organizations without any IT Security – policy or with policy that none of any use or no one is following it. With the help of some industrial survey, employees not even read the policy book. May be due to lack of time or huge bunch of IT Security policy papers. Sometimes IT security manager not able to sort out right IT security policy papers for right employee. Even they not able to sign them properly. Of-course it depends on company/organization industrial level/band, country and trust. So, here is the question for you – Is your IT security policy guiding your employee to avoid confidential data leakage ?

Recently heard one scenario in IT industrial, One of the company IT administrator performed task which is beyond ability and got appreciation from IT manager personally. (administrator saved tons of company money, with the help of contacts/knowledge and experience in IT). As a result, in a few week administrator got appreciation letter from IT manager. Appreciation letter is nothing but in terms of resigning letter… huh.. Why ??
Administrator did best task for the company, even company CEO appreciate every time to his IT manager for wonderful job. But administrator got resigning letter from his IT manager… Bullshit right !! Where is your company policy ? Where is your task credit points ? Is your company IT policy for just employees or managers or CEO or each person of company ?

Sometimes questions are useful to contemplate on important topic. As i am discussing with the topic as ‘even you can also develop company policy’. Learn from company activity and develop new policy for the company and train others to learn new policies.

Developing all kind of document/policy is sometimes so hectic due to environment, time, task schedule. Even they forgot many things in while developing policy.

Here is the questions to ask your self at the time of developing it:

IT Policy Prominent ?
IT Policy Treatment ?
IT Policy Custodial Practices ? etc.
IT Policy Benefits ?
IT Policy Compliance ?
IT Policy Respect, Confidentiality, Trust ?

Some more questions to create document about policy:
IT Policy introduction with company environment ?
IT Policy Authorities and Compliance ?
IT Policy Applicability ?
IT Policies ? Procedure and Tasks ? Guideline ? Document Control ?

Here is small policy points to share with you from Information Systems Security Policy Handbook
==============================================================================
POL01 Responsibility of the office of information Security
POL02 Responsibility of the information Technology Security Board
POL03 Responsibility of system owner
POL04 Responsibility of information Technology Mangers
POL05 Responsibility of System Administrators
POL06 Responsibility of Data Custodians
POL07 Responsibility of Users
POL08 Monitoring of User Accounts, Files, and Access
POL09 Administrative Access to City Information Systems
POL10 Electronics Data and Records Management
POL11 Electronics Data Breach Disclosure
POL12 Access Controls
POL13 Systems and Network Security
POL14 Physical Security
POL15 Personnel Security Measures
POL16 Policy Enforcement
POL17 Acceptable Use of City Digital Equipment, Internet Access, Electronics Communications and Other Applications
POL18 Rules Specific to Electronics Communication Usage
POL19 Patch Management
POL20 Virus Malware Protection
POL21 Remote and Ad-Hoc Connectivity
POL22 Wireless Access
POL23 Web Application Deployment
POL24 Policy Exceptions
(…Continue in ISSP Handbook)
==============================================================================

Appendix A:
http://en.wikipedia.org/wiki/Security_policy
http://en.wikipedia.org/wiki/Information_security_policy
http://en.wikipedia.org/wiki/Information_Protection_Policy
SANS – Web Application Security Assessment Policy
Appendix B:
Business Justification for Application Security Assessment
Disgruntled Employee – The initial physical state of data leakage

Short-basket note on Information Security !!

When i was reading book on Linux Security: Craig Hunt Linux Library By Ramón J. Hontañón, I got very beautiful terms of Information security.

Security is not product. It is not software, and it is also not simply an excuse for a consulting engagement. It is a discipline that needs to be taken into consideration in any decision that you make as a network and system administrator. Security does not start or stop. You cannot install security, and you can’t even buy security. Security is training, documentation, design decision, and appropriate implementations. And the most important aspect of security is monitoring and honing your security policies as needed.

Well many organization follow the security auditing VAPT task, but they don’t follow the security policies. Even they miss to organize security training for their employees. they create disgruntled employee, may be due to senior authority ego, attitude etc.. and that is the loopholes for that company to data leakage.(See my earlier article)

Disgruntled Employee – The initial physical state of data leakage !! (VAPT Audit)

Social Engineering is the most effective term used in VAPT.  Here is the Wikipedia definition for Social Engineering.

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.

But Many organization unaware about it, I saw many IT companies HR and Recruiters working on best to recruit employees,  they recruit candidate according to their point of view. Seriously they have to understand one extra point of candidate, is known as level of anger.

Is it related with information security ? hmm.. ? i think so.. Lets find out how.. ?

2 days back, i read one of my favorite book as Firewall 24Seven, what it is ? just a beauty.. !!
I thought to introduce one slightly different point from that book. May be it help many organization to develop policy.

“Disgruntled employees are the most dangerous security problem of all organization or even most famous big IT companies. The employee those are always coming under-pressure from their senior authority, due to seniority, due to company political view. It depends on the mind level of senior manager/authority. Some times we saw indirect criminal case in corporate world, defining indirect criminal case is difficult for me in my words. Some times Senior level authority use their power to bend candidate to do anything what they want. Overreacting to an employee who is simply blowing off steam by denigrating management or coworkers is a good way to create a disgruntled employee, however. So be cautious about the measures you take to prevent damage from a disgruntled employee. Be aware about overreacting senior manager, coworkers. their overreacting will destroy your level.

Such disgruntled employee with an axe to grind has both the means and motive to do serious damage to company network. These sort of attacks are difficult to detect before they happen, but some sort of behavioral warning generally precipitates them.

Also remember that outsourced network service companies may have policies that make them hard to replace if you decide you no longer wish to retain services, and that disgruntled small companies tend to behave a lot like disgruntled employees. There’s very little that can be done about attacks that come from people with an intimate knowledge of your network, so you should either choose your service providers wisely and exercise a lot of oversight, or require the escort of a trusted employee at all times.

Unfortunately, there’s very little you can do about a disgruntled employee’s ability to damage your network. Attacks range from complex (a network administrator who spends time reading other people’s e-mail) to the simple (a frustrated clerk who takes a fire-axe to your database server).

All major operating systems have built-in internal security features that are useful for keeping users in line, but anyone who’s ever been an administrator on your network knows all the holes, all the back doors, other people’s passwords, and the “administrator” tools that can be used to cause all sorts of local exploits on machines. No version of any major operating system has been immune to “root level” access exploits within the last 12 months, not even the super-hardened OpenBSD. If someone with console access to a running server wants to take it down, it’s going down no matter what security measures you have in place.

Accountability and the Law are your friends in this situation. Unlike hackers, it’s very easy to track down disgruntled users and apply the force of the law against them. Accountability keeps these attacks relatively rare.

A day before i found interesting stuff on google with some search, one of the indian big company(IBM*) employee distributing their VPN credential files with others, list of IP address and host names. May be their Lab network in various city.

File name SSL_VPN.TXT
File contains:
==========================================================================
The procedure for connecting through SSL VPN is as follows:
1. Visit https://sslvpn.domain_name.co.in
2. Select the ‘Realm’ as ‘xxx’.
3. Username – <Your xxx Domain Username>
4. Password –  <Your xxx Domain Password>
5. After the authentication is successful you will be prompted with a dialog box which is for installation of new components. Accept the installation of these components.
6. Now you are connected to xxx intranet and will receive an IP from the range x.77.227.x.
Try accessing the resources mentioned in:  https://darxxx.domain_name.co.in
7. You won’t have access to any other resources on xxx network.
After logging through SSL_VPN,
To open New Darxxx – click on the following link:
https://darxxx.domain-name.co.in OR http://x.44.233.x/Pages/Default.aspx
To directly open xIS – click on the following link:
https://darxxx.domain_name.co.in/xis/login.aspx
After clicking on each link you will be asked for entering your domain ID and password:
Format for User ID xxx\user_name
Format for PWD simply mention the domain password.
On entering the credentials the respective pages will open.
Please contact mist00mxxx@xxx for any queries related to Darxxx and xIS.
Please contact pay0000xxx@xxx for any queries related to Pay0000xxx.
Please contact 00_bes_xxx@xxx in case of any queries related to SSL_VPN.
==========================================================================
note**: xxx=is the name of company

well every one knows this is the general information that administrator is sharing with VPN agent, but like this ?

Here is another company IP list:
==========================================================================
IP Range: x.x4.11.1-x.x4.11.254 mask: 255.255.255.128 nzlab.*xxx.*xxx.com
hostnames: anaconda, sharepoint, galaxy, corp-mail1 blah blah…
==========================================================================

Above information is really impressive for us, that how such administrator or authority senior can handle confidential data with their employee or network.

is this enough for us to have remote attack/connection on respective lab ? hmm.. ?

Vectors of Attack

There are only four ways for a hacker to access your network:

By using a computer on your network directly
By using dialling in via a RAS or remote control server
By connecting over the internet
By connecting to your network directly(usually via a wireless LAN).

This small number of possible vectors defines the boundaries of the security problem quite well.

Hopefully, HR, Senior Authority, Manger, Bosses, Coworkers will help employees to avoid making of disgruntled candidates.

If you known the meaning of confidentiality, then you have authority to spread the awareness” – Niraj Mohite