ISO/IEC 27001 - Operational Threats
Operational Threats:
1) Malware
Malware attacks regularly make worldwide headlines. The virus is one example of malware, or malicious software, designed to infiltrate or damage a computer system. This class of software also includes worms, Trojan horses, spyware and adware, to name but a few kinds of malicious code.
Managing the Problem
Protection from malware needs proper management processes and controls in place. For a start, the organisation should produce a policy prohibiting the use of unauthorised software and then implement controls to prevent or detect the use of such software. The organisation should also have a policy regarding the downloading or receiving of files and software.
The organisation should conduct regular audits of the software that supports its critical systems and processes. Such exercises should search for the existence of any unapproved files or software.
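The software audit described above can be automated as a comparison of each host's installed packages against an approved-software baseline. The following is an added example, not code from the page or from ISO/IEC 27001; the baseline, host names and package inventory are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    version: str
    reason: str


# Constructed baseline (not from the page): approved package -> approved versions.
APPROVED = {
    "openssh-server": {"9.6p1", "9.7p1"},
    "nginx": {"1.24.0"},
    "libreoffice": {"7.6.4"},
}

# Constructed inventory, as each host's package manager might report it.
INVENTORY = {
    "web-01": [("nginx", "1.24.0"), ("openssh-server", "9.6p1"),
               ("personal-cloud-sync", "3.2.1")],
    "desk-07": [("libreoffice", "7.6.4"), ("openssh-server", "8.9p1"),
                ("pdf-converter-free", "1.0")],
}


def audit(inventory, approved):
    """Return one Finding per package that is unapproved or at an unapproved version."""
    findings = []
    for host, packages in inventory.items():
        for package, version in packages:
            if package not in approved:
                findings.append(Finding(host, package, version, "unapproved software"))
            elif version not in approved[package]:
                findings.append(Finding(host, package, version, "unapproved version"))
    return findings


def report(findings):
    """Render findings as text lines, sorted by host and then package name."""
    return [f"{f.host}: {f.package} {f.version} ({f.reason})"
            for f in sorted(findings, key=lambda f: (f.host, f.package))]


if __name__ == "__main__":
    for line in report(audit(INVENTORY, APPROVED)):
        print(line)
```

An approved version that drifts (here openssh-server 8.9p1 on desk-07) is reported separately from software that is not approved at all, so patch lag and unauthorised installs can be tracked as distinct findings.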
2) Unauthorised Access
Unauthorised access to information can lead to disclosure, modification or unauthorised use of the information. Such access might happen as a result of an internal compromise of organisational policy and abuse of privilege, or it might occur as a result of someone externally breaking through the organisation's security systems. Unauthorised access to information might occur by breaking through layers of physical protection or electronic protection, or a combination of both. Of course, access via the Internet or other networks is a common problem. Whatever the means and method of access, once the unauthorised person has gained access to the organisation's information, they have an opportunity to steal, modify or destroy it.
Managing the Problem
The problem of unauthorised access to information can be managed at different levels. The organisation should have an access control policy, and it should have specific procedures for different access control methods and for covering different types of access (e.g., access to information, applications, processes, IT and networks). The control methods implemented to manage access should be strong enough to prevent unauthorised access. Control of these methods, and of the information used for gaining access, needs proper management and administration. Controls need to be in place covering who has access, for what purpose, to what information access is given and via what devices access can be made: establishing authorised computer, system and network accounts; password and privilege management; access restrictions; reviews of access rights; disciplinary action regarding abuse of rights; and training of users on access control methods, rights and privileges.
3) Insider Threat
The insider threat is a malicious threat to an organisation, and it is becoming more and more common. Such a threat could come from current staff and employees within the organisation, but it might also come from ex-employees, or even from contractors or business associates who work closely with the organisation and hold certain internal access privileges because of the nature of the work and collaborative ventures they are involved in.
Managing the Problem
The insider problem can be managed at different levels, with a combination of the following:
- Policies and procedures: include instructions and information regarding the insider threat;
- Training: include insider threat awareness in staff training;
- Recruitment process: check employment references, check for past criminal offences, review reports of suspicious or disruptive behaviour;
- Personnel management: manage conflicts; resolve disputes in the work environment; review the working conditions of disgruntled staff; provide counselling and dispute resolution opportunities for disgruntled staff; be vigilant to unusual behaviour and watch for work patterns that deviate from what the organisation defines as standard, work-related activity and normal work operations;
- Ensure the risk assessment and risk treatment take account of the insider threat problem;
- Termination of employment: implement a secure employee termination process;
- Implement controls for separation of duties and least privilege; enforce strict password practices; ensure secure backup and recovery processes; implement effective change control procedures;
- Access control: implement strict access controls; strictly enforce access restrictions; ensure effective management of privileged users, including effective monitoring, logging and audit of system access; impose restrictions on remote access; review access rights;
- Online activities: be vigilant about employees' online behaviour; manage usage of online services such as social networking through an acceptable use policy; enforce an appropriate policy and procedures for BYOD;
- System vulnerabilities: keep the door closed to unauthorised access and exploitation of system vulnerabilities by fixing, repairing and safeguarding against them.
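Three of the controls listed above (a secure termination process, review of access rights, and management of privileged users) can be checked together by reconciling an account export against the HR roster. This is an added example, not code from the page or from the standard; the roster, account records, review interval and the date used as "today" are constructed assumptions.

```python
from datetime import date

# Constructed HR roster (not from the page): user -> employment record.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "left": date(2024, 3, 1)},
    "carol": {"status": "active"},
    "dave": {"status": "contractor", "contract_end": date(2024, 6, 30)},
}

# Constructed account export, as a directory or identity system might provide it.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "privileged": False, "last_review": date(2024, 6, 10)},
    {"user": "bob", "enabled": True, "privileged": False, "last_review": date(2023, 11, 2)},
    {"user": "carol", "enabled": True, "privileged": True, "last_review": date(2023, 9, 1)},
    {"user": "dave", "enabled": True, "privileged": True, "last_review": date(2024, 5, 1)},
    {"user": "svc-backup", "enabled": True, "privileged": True, "last_review": date(2024, 4, 1)},
]


def review_accounts(accounts, roster, today, review_interval_days=90):
    """Return (user, issue) pairs for accounts that fail the reconciliation.

    Checks: enabled accounts with no HR owner, accounts of terminated staff or
    expired contractors still enabled, and privileged accounts whose last
    access-rights review is older than review_interval_days.
    """
    findings = []
    for acct in accounts:
        user, record = acct["user"], roster.get(acct["user"])
        if acct["enabled"]:
            if record is None:
                findings.append((user, "enabled account with no HR record; assign an owner"))
            elif record["status"] == "terminated":
                findings.append((user, "enabled account for terminated employee"))
            elif record["status"] == "contractor" and record["contract_end"] < today:
                findings.append((user, "enabled account past contract end date"))
        if acct["privileged"] and (today - acct["last_review"]).days > review_interval_days:
            findings.append((user, "privileged access review overdue"))
    return findings


if __name__ == "__main__":
    for user, issue in review_accounts(ACCOUNTS, HR_ROSTER, date(2024, 7, 15)):
        print(f"{user}: {issue}")
```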
4) System Availability
If the organisation wants to keep its business running and to operate productively, then it needs to ensure that the resources it needs to do so are available. This includes all types of resources: people, information, processes, services, networks, IT and facilities. One factor in this is how reliable the organisation's network is in providing for its operational needs. Does the network fail? Does it slow down? Does it provide 24x7 uninterrupted usage? IT is the backbone of most businesses, and the organisation might suffer from a poor record of IT system failures. Why? Is it a lack of adequate maintenance, failure to install the latest software upgrades and patches, or is it that the demand on a specific IT system far outweighs its capacity to deliver against that demand?
If an organisation's IT system fails or its online presence is interrupted, it could suffer many hours of downtime, which translates into impacts such as loss of revenue, loss of customer confidence and possibly penalties for breach of contractual obligations if the loss of availability prevents the organisation from honouring those obligations.
Managing the Problem
The availability problem can be managed at different levels, including the following:
- Information: protecting information from unauthorised disclosure or modification; access to information; backups of information; information recovery in the event of system failure; procedures for handling information; ownership of information assets; and authorisation to access information;
- Services: management of service delivery; service provider contracts and SLAs; managing the connections to services; access to and usage of services (e.g., networks, web services, managed security services, disaster recovery services, outsourced services, teleworking services, media disposal); and authorisation to access services;
- IT system usage: effective access controls; restrictions on usage to avoid misuse; a policy for acceptable use and procedures for correct use; secure processing of information using IT; employee terms and conditions on the use of IT, network services and the handling of information; and authorisation to access IT systems;
- Software (S/W) management: restrictions on S/W installation and usage; control of S/W versions, upgrades and patches; separation of private and business use; control of S/W support and maintenance; use of default/secure configurations; access to utility versus application S/W; restrictions on remote use of S/W; control of S/W licences; separation of S/W in operational environments from S/W in development and testing environments; malware protection; S/W backups; and secure control over operational S/W;
- Vulnerability management: risk assessment and impact analysis of vulnerabilities; understanding and identifying system vulnerabilities; assessing and reviewing them; taking corrective or preventative action to remove or diminish the weaknesses, or to improve protection so as to reduce the chance of exploitation; testing the improvements and controls put in place to manage vulnerabilities; ensuring S/W patches come from an authentic source; and ensuring the vulnerability process works in collaboration with the incident handling and business continuity processes.
5) Social Engineering
Social engineering is a type of information security attack that exploits the psychological vulnerabilities of people by manipulating them into performing activities that result in divulging information: the "art of hacking into the human psyche." This type of attack can be performed online (e.g., emails, phishing attacks, social networking) or offline (e.g., over the phone to obtain information, or by posing as officials or service technicians to gain access to company premises, facilities and information). The attack is a confidence trick that aims to obtain information in order to gain system access, to steal commercially sensitive information, or to commit fraud, a scam and so on.
Managing the Problem
The social engineering problem can be managed at different levels, including:
- Consideration of social engineering attacks in the risk assessment and risk treatment exercises;
- Identification of information as sensitive, critical or personal, and evaluation of the exposure of this information to social engineering attacks;
- Establishment of a policy and procedures for handling social engineering attacks;
- Employee training to understand the problem of social engineering, to recognise situations that might be an indicator of, or a precursor to, a social engineering attack, and to understand how to apply company policy and procedures to social engineering attacks in order to protect information;
- Regular audits and reviews of the controls in place to counter social engineering attacks: people, processes, procedures and access control methods;
- Establishment of roles and responsibilities for handling sensitive, critical or personal information;
- Keeping up to date with the latest information on social engineering attacks, feeding this information back into the training programme and using it in the revision of policy and procedures.