How IT Compliance Auditing Can Save You Money

IT compliance auditing can save you a lot of money. If you look at the cost of an audit and turn your nose up at it because you don’t want to spend the money, you may be risking your entire business. One security breach can cost a significant amount of money, and not only the profits sitting in your bank account. Here is how scheduling an audit can be the best money you spend on your business.

Avoid a Monetary Loss

If you don’t audit for IT compliance, you could become the next victim of a security breach. Industry research puts the average monetary loss for a company that experiences such a breach at around $5 million. The loss can come from any combination of bank accounts, corporate data, financial accounts and more; there is no telling what an attacker can reach once inside your systems.

An audit looks at your systems from all angles, including web applications, back doors and more.

Avoid a Shift in Your Reputation

In today’s media frenzy, all it takes is one person to post about a data breach for the entire world to learn that you were hacked. People will go on the defensive and look to protect themselves: they may close their account with you, stop buying, and tell their friends. Even if the hack was not directly caused by you, skipping IT compliance auditing left the door open for it.

Your reputation may drop significantly because people no longer trust that their information is safe in your hands. Online ordering may fall, and people may stop providing you with any personal information at all.

Avoid Paying More Labor

As you deal with a security breach, you will spend a lot of money on labor: more IT staff focusing on the problem, and more employees losing productivity because they have to stop and address it.

Had you invested in IT compliance auditing, much of this could have been avoided. Paying extra labor to clean up is the price of failing to check your systems as often as you should have.

The cost of an IT compliance audit is minimal when you look at the big picture. You cannot afford not to spend the money, because you cannot run the risk of someone breaking into your systems. No business is safe from being hacked: some companies say they are too big to worry about it, others that they are too small, yet large and small companies alike have been hit and both have suffered significantly. You can take the defensive by doing some IT compliance auditing, and it will save you money.

Network Security – The Road Ahead

Introduction

Network security is the next wave bound to sweep the software market. The increase in offshore projects and in information transferred across the wire has added fuel to the urge to secure the network. As the adage goes, the safest computer is one that has been unplugged from the network (making it almost useless). Network security is becoming a necessity, and the type of security an enterprise requires depends on the nature of its business. Of late, laws and acts have been defined to identify security breaches, a good move toward preventing fraudulent use of, or access to, information. There are two types of network security software: software that prevents breaches and software that does forensic analysis after the fact. The main focus of this article is the forensic side.

What is Network Security?

network security: the protection of a computer network and its services from unauthorized modification, destruction, or disclosure

Network security is a self-contradicting philosophy: you need to give users broad access and at the same time provide absolute security. Any enterprise has to secure two kinds of access to its information and transactions (FTP, HTTP and so on): internal access and external access. Securing access from the external world (the Internet) is quite a task to master, and that is where firewalls come in. A firewall acts as a gatekeeper that separates intrusive from legitimate requests and allows only the latter through. Configuring and maintaining a firewall is itself a task that needs experience and knowledge. There are no hard and fast rules for writing firewall rules; they depend on where the firewall is installed and how the enterprise intends to expose its information and resources. So the effectiveness of any firewall depends on how well, or how badly, you configure it. Be aware that many firewalls ship with pre-configured rules intended to make securing access from external sources easier; those defaults still have to be reviewed against your own access policy. In short, the firewall and its logs give you information about attacks coming from the external world.

The toughest job is to secure information from internal sources. Beyond securing it, managers need to track the flow of information in order to identify possible causes when something goes wrong. Tracking the information flow comes in handy in legal situations, because what seems to be an innocent sharing of information could be held against you in a court of law. Acts such as HIPAA, GLBA and SOX enforce this kind of accountability; SOX in particular was put forth so that scandals like that of Enron do not recur. In short, tracking information and auditing gives you information about security breaches and possible internal attacks.

There are a variety of network security attacks/ breaches:

  • Denial of Service
  • Virus attacks
  • Unauthorized Access
  • Confidentiality breaches
  • Destruction of information
  • Data manipulation

Interestingly, evidence of all of these is available across the enterprise in the form of log files. But reading through it all and making sense of it would take a lifetime. That is where network security monitoring software, also known as log monitoring software, comes in. It makes sense of the information spread across various locations and offers system administrators a holistic view of what is happening in their network. In short, such software collects, collates, analyzes and produces reports that help the administrator keep tabs on network security.

Network Security – Monitoring

No matter how good your defenses are, someone has to make sense of the huge amount of data churned out by edge devices such as firewalls and by system logs. A typical enterprise logs about 2-3 GB a day; the volume varies with the size of the enterprise. The main goal of forensic software is to mine through this vast amount of information and pull out the events that need attention. Network security software therefore plays a major role in identifying the causes of, and the security breaches happening in, the enterprise.

Some of the major areas any network security product has to address: a collective view of virus attacks across the different edge devices in the network, which gives the enterprise a holistic picture of the attacks happening across it; a detailed overview of bandwidth usage; and user-based access reports. The product has to highlight security breaches and misuse of Internet access so that the administrator can take the necessary steps. An edge-device monitoring product should also provide traffic trends, insight into capacity planning and live traffic monitoring, which help the administrator find the causes of network congestion.

The internal monitoring product has to offer audit information about users, system security breaches and activity audit trails (for example, remote access). As many administrators are unaware of the requirements of the compliance acts, it is better to cross-reference which acts apply to the enterprise and ensure that the product supports reporting for them (see the Compliance section below for details).

Altogether, such products will have to support archiving, scheduling of reports and a comprehensive list of reports. The next section gives the details.

Network Security – Forensics

The most important feature to look out for when shortlisting a network security forensic product is the ability to archive the raw records. This is a major factor when it comes to acts and laws: in a court of law, the original record has to be produced as proof, not the vendor’s custom format. The next feature to look for is the ability to create alerts, that is, to be notified whenever some criterion is met, for example “mail me after 3 unsuccessful login attempts” or, better still, “notify me if a virus attack arrives from the same host more than once”. This reduces the manual intervention needed to keep the network secure. The ability to schedule reports is a big plus: you don’t have to check the reports daily. Once you have done the groundwork of configuring some basic alerts and some scheduled reports, it should be a cakewalk from then on; all you need to do is check the alerts and reports that arrive in your inbox. It is recommended that you configure reports on at least a weekly basis, so that it is never too late to react to a potential threat. Finally, a comprehensive list of reports is a vital feature to look for. Here is a list of reports that might come in handy for any enterprise:

Reports to expect from edge devices such as a firewall:

  1. Live monitoring
  2. Security reports
  3. Virus reports
  4. Attack reports
  5. Traffic reports
  6. Protocol usage reports
  7. Web usage reports
  8. Mail usage reports
  9. FTP usage reports
  10. Telnet usage reports
  11. VPN reports
  12. Inbound/Outbound traffic reports
  13. Intranet reports
  14. Internet reports
  15. Trend reports

Reports to expect from compliance and internal monitoring:
(see the Compliance section for reports on compliance)

  1. User Audit reports (successful/unsuccessful login attempts)
  2. Audit policy changes (ex: change in privileges etc)
  3. Password changes
  4. Account Lockout
  5. User account changes
  6. IIS reports
  7. DHCP reports
  8. MSI reports( lists the products installed/uninstalled)
  9. Group policy changes
  10. RPC reports
  11. DNS reports
  12. Active directory reports

The gating factor for choosing a monitoring product is to verify that the devices you have in your network are supported by the vendor you choose. There are quite a number of products addressing this market; you might want to search for “firewall analyzer” and “eventlog analyzer” on Google.
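The two alerts described in the Forensics section above (three unsuccessful logins, and a virus attack from the same host more than once) are threshold rules evaluated over a sliding time window. Here is an added example of such rules in Python; it is not code from the original article or from any of the products it mentions. The “timestamp key=value” log format, the hosts, users and addresses are all constructed for the example, and a real deployment would parse the firewall’s and operating system’s own record formats instead:

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

# Constructed sample records in a simple "timestamp key=value ..." shape.
# Hosts, users and addresses are made up for this example.
SAMPLE_LOG = """\
2024-03-04T08:01:12 host=fs01 type=auth user=jsmith src=10.0.5.23 result=failure
2024-03-04T08:01:20 host=fs01 type=auth user=jsmith src=10.0.5.23 result=failure
2024-03-04T08:01:33 host=fs01 type=auth user=jsmith src=10.0.5.23 result=failure
2024-03-04T08:02:01 host=fs01 type=auth user=mjones src=10.0.5.40 result=success
2024-03-04T08:05:44 host=fw-edge type=virus src=203.0.113.7 dst=10.0.1.15 signature=W32.Example
2024-03-04T08:09:02 host=fw-edge type=virus src=203.0.113.7 dst=10.0.1.22 signature=W32.Example
2024-03-04T08:10:00 host=fw-edge type=virus src=198.51.100.9 dst=10.0.1.15 signature=JS.Example
2024-03-04T08:11:17 host=fs01 type=auth user=mjones src=10.0.5.40 result=failure
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text: str) -> list:
    """Turn each line into a dict of its key=value fields plus a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        rec = {"ts": datetime.fromisoformat(ts_str)}
        rec.update(KV_RE.findall(rest))
        records.append(rec)
    return records


@dataclass
class Alert:
    rule: str
    key: str
    count: int
    ts: datetime


@dataclass
class ThresholdRule:
    """Fire when `threshold` matching events share a key inside a sliding window."""
    name: str
    matches: Callable[[dict], bool]
    key_of: Callable[[dict], str]
    threshold: int
    window: timedelta
    seen: dict = field(default_factory=lambda: defaultdict(deque))

    def feed(self, rec: dict) -> Optional[Alert]:
        if not self.matches(rec):
            return None
        key = self.key_of(rec)
        times = self.seen[key]
        times.append(rec["ts"])
        while times and rec["ts"] - times[0] > self.window:
            times.popleft()          # drop events that fell out of the window
        if len(times) >= self.threshold:
            count = len(times)
            times.clear()            # one alert per burst, then start counting again
            return Alert(self.name, key, count, rec["ts"])
        return None


def default_rules() -> list:
    return [
        # "when 3 unsuccessful login attempts, mail me"
        ThresholdRule("repeated_logon_failure",
                      lambda r: r.get("type") == "auth" and r.get("result") == "failure",
                      lambda r: f"{r['user']}@{r['src']}",
                      threshold=3, window=timedelta(minutes=5)),
        # "if there is a virus attack from the same host more than once, notify me"
        ThresholdRule("repeated_virus_from_host",
                      lambda r: r.get("type") == "virus",
                      lambda r: r["src"],
                      threshold=2, window=timedelta(hours=24)),
    ]


def run_rules(records: list, rules=None) -> list:
    """Replay records in time order through every rule; return the alerts raised."""
    rules = default_rules() if rules is None else rules
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        for rule in rules:
            alert = rule.feed(rec)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rules(parse_records(SAMPLE_LOG)):
        print(f"ALERT {a.rule}: {a.key} ({a.count} events, last at {a.ts:%H:%M:%S})")
```

On the constructed input the first rule fires once for jsmith after the third failure and the second fires once for 203.0.113.7 on its second virus hit; the single failure for mjones and the single hit from 198.51.100.9 stay below threshold. Clearing the window after an alert is what keeps a long brute-force run from generating one mail per attempt.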

Network Security – Compliance

Many industries are mandated to comply with regulations: health care with HIPAA, financial institutions with GLBA, and publicly traded companies with SOX. These acts enforce stringent rules in all aspects of the enterprise, including physical access to information. (This section concentrates on the software requirements of the acts.) There are quite a number of agencies that offer compliance as a service to an enterprise. It all depends on whether you want to handle compliance yourself or employ a third-party vendor to ensure compliance with the acts.

HIPAA Compliance:

HIPAA defines the Security Standards for monitoring and auditing system activity. The HIPAA regulations call for analysis of all logs, including OS and application logs, covering both perimeter devices such as IDSs and insider activity. Here are some of the important reports that need to be in place:

  1. User Logon report: HIPAA’s log-in monitoring requirement (45 CFR 164.308(a)(5)(ii)(C)) calls for procedures to monitor log-in attempts and report discrepancies, so user access to the system must be recorded and reviewed for possible abuse. The intent is not just to catch intruders but also to document access to medical details by legitimate users. In most cases, the very fact that access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
  2. User Logoff report: the counterpart of the logon report under the same requirement. Pairing logons with logoffs shows how long each session lasted and who was logged on when a record was accessed.
  3. Logon Failure report: all unsuccessful login attempts are logged; the user name, date and time are included in this report.
  4. Audit Logs access report: HIPAA’s information system activity review requirement (164.308(a)(1)(ii)(D)) calls for procedures to regularly review records of information system activity such as audit logs.
  5. Security Log Archiving Utility: periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.

SOX Compliance:

Sarbanes-Oxley calls for the collection, retention and review of audit trail log data from all sources as part of the IT process controls under Section 404. These logs form the basis of the internal controls that give corporations assurance that financial and business information is factual and accurate. Here are some of the important reports to look for:

  1. User Logon report: Section 302(a)(4)(C) and (D) require management to evaluate the effectiveness of internal controls and report its conclusions; in practice this means user access to financial systems must be recorded and monitored for possible abuse. The intent is not just to catch intruders but also to document access to financial records by legitimate users. In most cases, the very fact that access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
  2. User Logoff report: the counterpart of the logon report under the same sections.
  3. Logon Failure report: all unsuccessful login attempts are logged; the user name, date and time are included in this report.
  4. Audit Logs access report: the same internal-control evaluation calls for procedures to regularly review records of information system activity such as audit logs.
  5. Security Log Archiving Utility: periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.
  6. Track account management changes: Section 302(a)(6) covers significant changes in internal controls. Changes in security configuration settings, such as adding or removing a user account in an administrative group, are such changes and can be tracked by analyzing the event logs.
  7. Track audit policy changes: supports Section 302(a)(5) (disclosure of control deficiencies) by tracking the event logs for any change to the security audit policy.
  8. Track individual user actions: supports Section 302(a)(5) by auditing user activity.
  9. Track application access: supports Section 302(a)(5) by tracking application processes.
  10. Track directory / file access: supports Section 302(a)(5) by recording access violations.
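Items 6 and 7 above say that account-management and audit-policy changes can be tracked by analyzing event logs. The following added example, which is not code from the original article or from any product it mentions, parses Windows Security log events in the XML shape that Get-WinEvent’s ToXml() produces and turns them into findings, rating membership changes to administrative groups as high severity. The events, account names, SIDs, GUIDs and timestamps are constructed, and the set of privileged groups is an assumption to tune to your own environment:

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows Security log event IDs for the account-management and audit-policy
# changes the SOX items above describe (descriptions per Microsoft's documentation).
ACCOUNT_MGMT_EVENTS = {
    4720: "user account created",
    4726: "user account deleted",
    4728: "member added to security-enabled global group",
    4729: "member removed from security-enabled global group",
    4732: "member added to security-enabled local group",
    4733: "member removed from security-enabled local group",
}
GROUP_CHANGE_EVENTS = {4728, 4729, 4732, 4733}
AUDIT_POLICY_CHANGED = 4719
# Assumption: groups whose membership changes are rated high severity.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def event_xml(event_id: int, system_time: str, computer: str, data: dict) -> str:
    """Build a constructed event in the shape Get-WinEvent's ToXml() emits."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample events; names, GUIDs and times are made up for this example.
SAMPLE_EVENTS = [
    event_xml(4624, "2024-03-04T08:00:10.000000Z", "DC01.example.local",
              {"TargetUserName": "jsmith", "LogonType": "2"}),   # plain logon, not reported here
    event_xml(4720, "2024-03-04T08:14:55.000000Z", "DC01.example.local",
              {"SubjectUserName": "jsmith", "TargetUserName": "svc_backup"}),
    event_xml(4728, "2024-03-04T08:15:02.000000Z", "DC01.example.local",
              {"SubjectUserName": "jsmith", "TargetUserName": "Domain Admins",
               "MemberName": "CN=svc_backup,CN=Users,DC=example,DC=local"}),
    event_xml(4719, "2024-03-04T08:20:30.000000Z", "FS01.example.local",
              {"SubjectUserName": "jsmith",
               "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}"}),
]


@dataclass
class Finding:
    time: datetime
    computer: str
    event_id: int
    description: str
    subject: str      # account that made the change
    target: str       # account or group affected
    severity: str


def parse_event(xml_text: str):
    """Extract EventID, time, computer and the EventData Name->value map."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    computer = system.find("e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, when, computer, data


def review_events(xml_events) -> list:
    """Return the SOX-relevant findings in time order, highest-impact changes flagged 'high'."""
    findings = []
    for xml_text in xml_events:
        event_id, when, computer, data = parse_event(xml_text)
        subject = data.get("SubjectUserName", "?")
        if event_id in ACCOUNT_MGMT_EVENTS:
            group = data.get("TargetUserName", "?")
            if event_id in GROUP_CHANGE_EVENTS:
                target = f"{data.get('MemberName', '?')} -> {group}"
                severity = "high" if group in PRIVILEGED_GROUPS else "medium"
            else:
                target, severity = group, "medium"
            findings.append(Finding(when, computer, event_id,
                                    ACCOUNT_MGMT_EVENTS[event_id], subject, target, severity))
        elif event_id == AUDIT_POLICY_CHANGED:
            findings.append(Finding(when, computer, event_id, "system audit policy changed",
                                    subject, data.get("SubcategoryGuid", "?"), "high"))
    return sorted(findings, key=lambda f: f.time)


if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS):
        print(f"{f.time:%Y-%m-%d %H:%M:%S} {f.severity:6} {f.event_id} {f.description}: "
              f"{f.subject} -> {f.target} on {f.computer}")
```

The constructed sequence shows why the two reports belong together: a new account is created, it is immediately added to Domain Admins, and then the audit policy is changed on a file server, all by the same subject. Each event on its own is routine; correlated by subject and time they are exactly the kind of change Section 302 expects to be reviewed.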

GLBA Compliance:

The Financial Services Modernization Act of 1999 (FMA99), commonly referred to as the Gramm-Leach-Bliley Act or GLBA, was signed into law in November 1999 (Public Law 106-102). Title V of the Act governs the steps that financial institutions and financial service companies must take to ensure the security and confidentiality of customer information. The Act recognizes that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and requires them to notify those individuals when sharing information outside the company (or affiliate structure) and, in some cases, when using such information in situations not related to a specific financial transaction.

  1. User Logon report: GLBA’s safeguards requirements call for user access to systems holding customer information to be recorded and monitored for possible abuse. The intent is not just to catch intruders but also to document access to customer information by legitimate users. In most cases, the very fact that access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
  2. User Logoff report: the counterpart of the logon report under the same requirements.
  3. Logon Failure report: all unsuccessful login attempts are logged; the user name, date and time are included in this report.
  4. Audit Logs access report: GLBA’s requirement to review and audit access logs calls for procedures to regularly review records of information system activity such as audit logs.
  5. Security Log Archiving Utility: periodically, the system administrator should be able to back up encrypted copies of the log data and restart the logs.
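The raw-record archiving requirement in the Forensics section and the “Security Log Archiving Utility” items under HIPAA, SOX and GLBA share one need: the original bytes must be kept, and it must be demonstrable later that they were not altered or quietly trimmed. Here is an added example in Python, not code from the original article or from any product it mentions, that archives raw log segments into a SHA-256 hash chain, verifies the chain from the raw bytes, and seals a manifest with an HMAC so it can be kept off-box. The log lines and the key are constructed. The example covers integrity rather than confidentiality, so the encrypted backup the items call for would still be layered on top of these archived segments:

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple

GENESIS = "0" * 64  # anchor for the first link in the chain

# Constructed raw log segments (syslog-style); hosts and addresses are made up.
SAMPLE_SEGMENTS = [
    b"Mar  4 08:01:12 fs01 sshd[4111]: Failed password for jsmith from 10.0.5.23 port 51022 ssh2\n",
    b"Mar  4 08:02:01 fs01 sshd[4118]: Accepted password for mjones from 10.0.5.40 port 51030 ssh2\n",
    b"Mar  4 08:05:44 fw-edge kernel: virus W32.Example blocked src=203.0.113.7 dst=10.0.1.15\n",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Segment:
    seq: int
    raw: bytes      # the original records, byte for byte, never reformatted
    sha256: str     # hash of raw
    prev: str       # chain value of the previous segment
    chain: str      # sha256(prev || sha256)


@dataclass
class LogArchive:
    segments: list = field(default_factory=list)

    def rotate(self, raw: bytes) -> Segment:
        """Archive one raw segment (the 'restart the logs' step) and link it to the last."""
        prev = self.segments[-1].chain if self.segments else GENESIS
        content = sha256_hex(raw)
        chain = sha256_hex(bytes.fromhex(prev) + bytes.fromhex(content))
        seg = Segment(len(self.segments), raw, content, prev, chain)
        self.segments.append(seg)
        return seg

    def head(self) -> str:
        """Current chain head; record it off-box (for example in the mailed report)."""
        return self.segments[-1].chain if self.segments else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Recompute every link from the raw bytes. Returns (ok, first bad index or None)."""
        prev = GENESIS
        for seg in self.segments:
            content = sha256_hex(seg.raw)
            chain = sha256_hex(bytes.fromhex(prev) + bytes.fromhex(content))
            if seg.prev != prev or seg.sha256 != content or seg.chain != chain:
                return False, seg.seq
            prev = chain
        if expected_head is not None and prev != expected_head:
            return False, len(self.segments)   # segments missing from the tail
        return True, None

    def manifest(self, key: bytes) -> str:
        """JSON manifest (hashes only, no raw data) sealed with an HMAC for off-box storage."""
        entries = [{"seq": s.seq, "bytes": len(s.raw), "sha256": s.sha256,
                    "prev": s.prev, "chain": s.chain} for s in self.segments]
        payload = json.dumps(entries, sort_keys=True, separators=(",", ":"))
        mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"entries": entries, "hmac": mac})


def verify_manifest(text: str, key: bytes) -> bool:
    """Check the manifest's HMAC; the key is the only secret (constructed in the test)."""
    doc = json.loads(text)
    payload = json.dumps(doc["entries"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["hmac"])


if __name__ == "__main__":
    archive = LogArchive()
    for raw in SAMPLE_SEGMENTS:
        archive.rotate(raw)
    saved_head = archive.head()
    print("intact:", archive.verify(saved_head))
    archive.segments[1].raw = archive.segments[1].raw.replace(b"Accepted", b"Failed  ")
    print("after editing segment 1:", archive.verify(saved_head))
```

Editing a single byte of an archived segment breaks its own hash and every chain value after it, so the verifier names the first altered segment. Deleting the newest segments is invisible to the chain alone, which is why the head value (or the sealed manifest) has to be stored somewhere the archive’s administrator cannot silently rewrite.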

Conclusion

Network security has to be addressed both internally and externally. Nailing down a problem is a huge task that needs expertise and, for the most part, help from software such as an EventLog Analyzer (compliance and internal monitoring of internal machines) and a Firewall Analyzer (virus, attack and traffic monitoring of edge devices).

Bibliography

http://www.interhack.net/pubs/network-security/

http://www.hipaa.org/

http://www.sarbanes-oxley.com/

http://www.senate.gov/~banking/conf/

Competitive Intelligence: Understanding the Secret Techniques Your Competitor Is Using Against You

Bill, the Chief Marketing Officer at a large manufacturing company in the Midwest, seemed puzzled as he sat down to lunch with me recently.

“I just don’t get it,” he said. “I have some of the top talent in the country on my staff, I have a leading brand and our company has a real tradition of innovation. But over the past couple of years it seems as if we’re always behind the curve. We always seem to start out with some new and unique ideas but somehow by the time we get to rollout, our biggest competitor has already launched something similar. We’ve lost millions in market opportunity and it puts our sales reps in a defensive position — and me in a bad mood.”

Bill went on to explain that he had originally suspected some kind of ‘mole’ or inside employee feeding secrets to the competitor, but security had checked everyone out and found no unusual behavior or activity that would indicate a leak. They had done awareness training with those that handle sensitive information and Bill felt that, while worthwhile, his strategic situation still hadn’t improved.

“I’m at a loss,” he said, knowing that I had built and managed competitive intelligence departments for some major corporations in the past, “where do I go next? We’re still getting beat to market and it’s not improving. I’m starting to feel like our CEO is wondering what’s going on and I don’t have any answers.”

As I pondered his question I could see that this was no idle chit-chat. Bill needed to explain what was going on and start putting together a plan to turn it around or he feared he’d be looking for another job before long.

“Listen, Bill,” I said, “it sounds like you’re doing everything right. You’re playing the game the right way…”

“Yea, but I’m not winning…”

“OK,” I began, “If your CEO is starting to wonder what’s going on with you and your product development processes, maybe we should start by trying to understand what’s really happening with your competitor.”

“How would you know that?” He asked. “You don’t even know our industry that well.”

“That’s correct, I am not well versed in your industry,” I agreed, “but I know the discipline of Competitive Intelligence, or CI. Let’s start with the fact that I know your competitor is active in the intelligence discipline. I met a couple of their intelligence folks at a national conference last year. I believe the CI Director came from a pharmaceutical company and joined your competitor a couple of years ago.”

“That’s about when I started noticing we were playing catch-up,” Bill replied.

“It may be just a coincidence,” I said, “but she has been involved in the discipline for years. She’s even published some articles and the young analyst I met with her probably accompanied her to your competitor. Going from Pharma to your industry would require some learning on her part, but certainly not difficult.”

“Hmm, that’s interesting,” Bill said. “I’ve been so focused on us and what we’re doing that I didn’t know they even had a competitive intelligence department.”

“Well,” I mused, “I certainly don’t know the details of your situation but I know what folks learn in the discipline of CI and I know the standard competitive intelligence best practices. I’ll bet you lunch that they are doing 90% of the things I’m about to tell you.”

“You’re on,” he said as he studied the menu.

“OK,” I started, “the first thing they are probably doing is scouring your web site. And I don’t mean just somebody checking it once a week. There are monitors that can be set up to constantly monitor a site for changes. Alerts are sent and then they dive in to study exactly what has been changed. Sometimes it’s nothing, sometimes it’s an indicator of something they want to know about.

“They are also reading your press releases and digesting any and all published information that they can get their hands on. Directories, trade journals, the local press and many others. I know your company’s CEO is known well in the industry and some of your leaders often speak at conferences. They are pulling those transcripts and dissecting them for clues on where you guys are headed.”

“They are also using social media extensively. They can pretty quickly put together a profile of your management staff, who reports to whom and even identify which suppliers you are using.”

“If she’s following best practices,” I continued, “they attend trade shows and observe you in action with your customers. They will talk to your sales people, not in a funny disguise but openly and overtly with their identification clearly visible. They will engage them in a non-threatening manner…”

“Oh come on,” Bill laughed, “you mean they’re asking our reps what they had for breakfast and gaining intelligence from that! You’ve been watching too much TV!”

“Well, maybe not questions about breakfast, but they will use elicitation techniques such as flattery to put them off guard, and provocative statements to validate a hunch. Your folks aren’t even asked a question and certainly don’t realize they’ve provided some valuable intelligence.”

“Really?” Bill replied sheepishly.

“This is all carefully scripted,” I replied. “And not only that, the best companies have their sales and marketing people trained to find certain information about their competitors at every trade show. It is all coordinated and planned, just like you’d have a plan for finding new leads and customers.”

“And how do they make sense of all of this? It’s like lots of little pieces of information…” asked Bill.

“You’re right. Lots of pieces but related to a defined key intelligence topic. It all gets compiled in a database so that it is organized and related to its topic. That might be a specific competitor or a threatening technology or other important development they want to keep their eyes on. This is at the heart of a world-class intelligence operation.”

“But we do that,” Bill replied as he shifted in his chair. “We do a complete competitive assessment prior to each planning cycle and then we make that available on our SharePoint site so that others can access it.”

“Not the same,” I said. “Your competitor is likely using a database system designed specifically for market and competitive intelligence, not just a place to upload and store documents. It allows them to compile, analyze, and disseminate intelligence in one step in an ongoing manner. Since the CI analysts aren’t subject matter experts, remember she came out of Pharma, it also allows them to engage others in the organization to gain valuable perspective and help them develop real insight they can act on.”

“The more important point is that this is not an annual, quarterly or even a monthly exercise. Intelligence is an ongoing, everyday activity. It is a way of doing business just like proper accounting or human resources development. She probably meets regularly with key leaders in the organization to find out what strategic decisions they are considering and what intelligence they need. She probably attends sales meetings and has lunch with her company’s purchasing folks. She likely has a Rolodex of external contacts that she can tap into. If she follows the best practices, she has a large group of key leaders engaged in their intelligence efforts.”

“And she must have a big staff of analysts. We could never afford something like that…”

“Actually, it’s probably just her and the one analyst along with some subscriptions and technology,” I said, feeling like I was bursting his bubble. “Her role is more of a ringleader than one of the performers. She leverages the knowledge that people have in their heads so it can be acted on.”

“So why are they targeting us?” Bill asked. “We’re not their biggest competitor and I can’t imagine we’re their number one priority.”

“My guess is that you are on the list because of your reputation for innovation,” I said. “They’re big and slow, right? And you’re fast and nimble. They know you’re good at discovering the next customer need or product innovation. By watching you they likely confirm their own hunches. Then it’s just a matter of deploying their vast resources to outrun you to the finish line.”

Bill exhaled slowly and looked a little disappointed. “You didn’t once mention spying or dumpster diving or pretexting. I figured they had to be doing something illegal, or at least unethical.”

“Again, I don’t know exactly what is happening,” I replied, “but I can tell you that if she is applying some of the best practices she would have learned along the way, this is what she is doing and it is completely legal and ethical.”

“So it’s really about being smarter about finding the information that is available to anyone, and knowing how to use it to make decisions,” said Bill as his face brightened.

“Exactly. You have to remember that strategic information is a resource just like equipment, capital, or human resources,” I said. “You have access to the same kind of information and you can develop the same skills. But it isn’t easy. It requires a commitment to developing a real competency, not just a one-off project, and the leadership to change your organization’s behavior until it becomes part of your culture and part of the way you do business.”

“Lunch is on me,” said Bill as he looked at his watch. “I need to make an appointment with our CEO. We need to turn the tables on them and learn how to do competitive intelligence, and now.”