Streamlining to improve security (Part 3)

Moving on from the example scenario given in part 2 – this instalment looks at developing the streamlining and consolidation mindset that will contribute towards improving security. To recap on some of the conclusions from the previous two parts:

  • The greater the diversity of software, the greater the attack surface. Reducing the number of systems contributes to improving security by reducing the risk of internal and external attacks.
  • Reducing the number of systems has a much broader impact than security alone. It also contributes to reduced costs across the board: decommissioning a business system eliminates all of its associated back-office costs.
  • Reducing IT costs through streamlining releases funds for other security-related projects which might otherwise not be economically viable.

How many people does it take to change a light bulb? If an entire building has precisely the same type of light bulb in every room, the replacement bulbs will all be the same. The storage cupboard might have a minimum stock level of 20 to cover a building with 5000 operational light fittings. I will leave it to your imagination what happens next door in the office with 50 different light bulbs. In a nutshell, having a standard is good, too much diversity is bad. The more exceptions added, the greater the complexity. In this simplistic example, it is more about how long it takes to change a light bulb.

Here are some thoughts to consider:

  • Before committing to the expense of a new system, understand the infrastructure, operating system and database system requirements and ensure they are aligned with the business IT environment. Vendors’ sales representatives might not be aware of the technical details, and if they are, it might not be considered an essential part of their pitch. Also, the buying decision-maker might not know what questions to ask about the operating environment and may assume that whatever they buy can be implemented by the technical teams.
  • Lock down desktop permissions so that users are unable to install software themselves; this should also include most of the IT department. Allowing users to install software has much broader implications than just the proliferation of software within the workplace. It has the potential to introduce a wide range of security risks and malware to the business. Even without considering the streamlining of software, this is a recommended action.
  • Implement a centralised approach to purchasing software. With distributed software purchasing and decision-making across the business, the diversity of software will inevitably increase.

Beyond application consolidation within an organisation, businesses can gain the same benefits from the continuing emergence of cloud-based services: developed, managed and maintained by a third party and offered to a large number of companies requiring the same system. With this approach, the vendor manages the implementation of security.

Streamlining to improve security (Part 2)

In part 1, we looked at some of the causes of software proliferation. Here in the second part, we look at an example of two independent systems that perform the same business function. Consider two profiles of software: desktop software such as word processing and spreadsheets, and systems that operate from a server environment with implemented infrastructure.

In this example, we will look at a client/server business system. The same principle applies regardless of what the system does, or how we ended up with two systems serving the same purpose. For illustration purposes, we can assume that we have two insurance claims systems, each with a separate set of customers and insurance policies. Although security is the focus here, the example extends to other factors. Increased costs and skillset requirements also affect budgets: under financial constraints, security issues may be risk-accepted by leadership teams and ignored until a budget becomes available to fund mitigation.

  • Infrastructure – each system will have its own set of hardware infrastructure and running costs, and may also have a separate infrastructure for development and testing purposes; separate infrastructure support contracts; infrastructure in place for disaster recovery. Most notably on the security side, a requirement to maintain physical security for a much higher quantity of hardware, possibly at an increased number of locations.
  • Skillsets – an increased quantity of differing infrastructure and software systems requires an increased set of skills to maintain the systems. With a single system, staff will develop a greater depth of knowledge, reducing the overall cost of training.
  • Access Management – running two systems will require the management of user access to both, along with any development, testing or disaster recovery environments. Reducing the number of systems reduces the overall cost of access management.
  • Licensing – where multiple systems serve the same purpose, it is often the case that a high proportion of staff needs access to both systems and not just a single system. Consolidating will reduce the number of vendors, the overall licence requirement and any associated vendor support costs.
  • Patch Management – reducing the number of business systems will reduce the overall effort required to maintain business systems at the latest vendor release.
  • Vendor Management – more systems mean more commercial relationships to maintain. Every supplier takes time to manage and deal with changes, sometimes to the point where dedicated members of staff are needed to liaise for a particular piece of software. Reducing the number of vendors reduces the administrative overhead. Also, every vendor will have terms and conditions, and with that comes the requirement to review every contract and every change in terms that may take place. Reducing the number of vendors means less work for the legal team.
  • Other benefits of consolidating two systems include reduced auditing requirements and reduced cost in delivering system changes. On top of this, reduced energy consumption in running the services will help contribute towards carbon neutrality.

Having one system to maintain will always be cheaper than developing changes across multiple business systems. Even where one or all of the systems are vendor-supplied, bespoke software is often still needed to provide aggregated reports using data from the various systems.

Software is not the only area where consolidation can deliver tangible benefits in the form of reduced complexity and reduced costs. The points discussed demonstrate that the greater the diversity, the higher the effort and expense of keeping systems operational. Bloated back-office costs can reach a tipping point where businesses cease to be profitable. Financial savings are not always obvious, and, in many cases, implementing change will have high up-front costs with long-term tangible benefits. Consider application consolidation as a long-term strategy and not only as a tactical piece of work to be undertaken this month with expected immediate benefits.

Every case for consolidation is different and will need to be carefully considered based on individual circumstances, and delivering the overall benefits will often depend on getting the right balance. It could also be the case that when looking at one small aspect of cost, consolidation appears expensive and causes conflict, whereas a holistic view demonstrates the cost reduction.

Streamlining to improve security (Part 1)

It is almost impossible to pick up a newspaper without finding some report on cyber threats and data breaches. Estimates of skill shortages are published as businesses across the globe race to improve security and reduce risk exposure. IT security has become a considerable part of the budget and is expected to increase. Back-office operations have become far too complicated, with too many systems which perform the same function within the business and too many exceptions which make business rules unnecessarily complicated.

Significant security benefits are achievable by delivering a programme of application consolidation and business streamlining. Still, serious consideration needs to be given to the causes of software proliferation, as without eliminating the causes, software systems will continue to multiply, undermining all the efforts and benefits. Here are some of the many reasons:

  • Lack of a standard set of infrastructure, operating system and database technology – having such a standard serves as a benchmark for evaluating new software systems, by rejecting solutions which don’t fit the target environment.
  • Lack of an authorised list of software – without a standard approach, different people, teams or departments will inevitably make decisions on what software they will use.
  • Users permitted to download and install software – even if the individual user doesn’t have permission directly, when combined with the lack of a standard they will be able to ask someone in the IT department to install the software, and the request is unlikely to be rejected. Choice of software could be motivated by personal preference, such as a lack of understanding of one product and being an expert in another.
  • The IT implications of mergers and acquisitions – IT is seldom considered before reaching an agreement. Although the nature of the businesses could be identical, the infrastructure, operating systems, databases and software systems could be completely different.
  • Purchasing a new system without fully understanding the dependencies and implications can lead to the introduction of new underlying technologies to the business. For example, a company with 1000 Windows servers agrees to purchase a new system which requires Linux, which in turn requires new hardware, new software, new skills and cross-system integration. In a short space of time, the IT environment becomes significantly more complicated. The same can apply to other combinations, such as when an estate made up of Microsoft SQL Server databases inherits or purchases a new system which requires Oracle.

It will always be possible for someone to justify an exception to any standards which are defined, whether that be for personal preference, experience or lack thereof, or anything relating to costs. The important point which cannot be over-emphasised is that the greater the diversity of hardware and software, the greater the overall running cost and the higher the number of problems experienced. IT becomes more complicated and eventually chaotic.

With this increased complexity and chaos comes an increased requirement to improve security. The more systems there are, the greater the security requirement: more systems need patching, more systems need auditing, and more vulnerabilities need fixing. In other words, the attack surface becomes much more extensive. Essentially the focus here is reducing the attack surface through streamlining the use of software systems. Henry Ford said that a customer could have a car painted any colour they wanted as long as it was black. Although he said this in jest, and he manufactured in many different colours, his comment accurately illustrates the point that production is fast and efficient when streamlined with repeatable processes. Here we are talking about streamlining software and its positive impact on security and reduction in exposure to risks.

The website credibility test

With an ever-increasing number of websites and a seemingly comparable increase in the level of fraud and other problems with purchases, people need to apply a greater level of judgement over which websites they use and choose to trust with their credit card details. What constitutes site credibility is somewhat subjective. The aim here is to highlight and discuss several obvious issues and ask thought-provoking questions so that you can make your own decisions over what you will accept, tolerate or avoid like the plague.

Consider a simple example of website images that imitate search boxes. Everyone knows what a search box looks like, and how to perform a search, but more and more websites have images that look like search boxes and any attempt to use them results in completely unrelated content which opens in different windows. There are many other variations on this same theme where the site deviates from standard website behaviour to create an outcome to its users’ detriment. This behaviour is deceptive, and you should leave the website.

  • Generally speaking, how people behave some of the time is how people behave all of the time. A deceptive website design demonstrates the values of the people who built it, and the people who run the business behind it.
  • Adverts are a popular way to monetise websites, and we can forgive website owners for adding one or two adverts that are directly related to their blogs, for example. Websites lose their credibility when the page appears to have more adverts than content; not to mention disguised adverts which appear to be a genuine part of the page content.
  • Implementing deceptive means to trick users into clicking on adverts is often a fraud against those paying for adverts on a per click basis. Consider the credibility of the websites advertised when evaluating the credibility of the site you are visiting.
  • Intrusive pop-ups are unprofessional, and they give a clear picture of the overall credibility of the site. Such behaviour includes pop-up windows that appear on top of the current page, windows hidden under the page that you only discover when you close your browser, and windows timed to open after a specific amount of reading time on the current site. If people open a webpage, they expect to read the content of the page without being interrupted by unpredictable behaviour.
  • An amusing trend with web pages on tablets is the inclusion of an image which makes it look like a speck of dust or a hair is on the screen. Consequently, cleaning your screen results in the selection of links to new pages; amusing insomuch as it shows how far people are willing to go to get people to click on links.

The nature of the site behaviour and the values of the business indicate that it is the last place anyone should use their credit card details. Putting that aside, the following are the kind of things you should expect if you choose to make a purchase.

  • A pre-selected check box with additional purchase options – by going ahead with your purchase, which may be for a negligible value, you inadvertently make a purchase that you didn’t expect. Essentially it becomes an opt-out purchase.
  • Terms and conditions that deviate from standard practice – such as a term which states that by making a purchase, you are joining a club and that subsequent payments will be taken from your credit card and added to an online account ready for future purchases.
  • Automatic continuation of services – payment is made for a specific duration, but automatically renewed without any warning or notification. The customer doesn’t notice until they check their bank/credit card statement.
  • Email address and other personal information sold to other businesses, leading to an increase in unrelated junk email.

Claiming a chargeback against the credit or debit card used to make the purchase is not straightforward in cases where the customer has explicitly given their credit card details. Banks don’t consider this to be credit card fraud, and responsibility for the loss remains with the cardholder. Under these conditions, banks tell their customers to contact the vendor. The issue with dealing directly with such vendors is that the values exhibited throughout the customer journey are consistent with their customer support model: essentially, one designed to get people into an undesirable situation while making it difficult, time-consuming, or expensive to get out.

Insecurity questions (Part 3)

We have already illustrated that security questions are not secure, but their use will continue for some time to come. The problem is that a lot of security questions and answers use immutable facts, which is akin to having a never-changing password used in many different places. Is it not disproportionate to enforce a password policy of minimum eight characters, mixed upper case and lower case, and including numbers and symbols, and then allow someone to reset it using your first school, the name of your dog and your mother’s maiden name?

With every data breach, more information about individuals becomes available in the public domain. Combined with the information that people openly provide on social media, this results in the answers to the majority of security questions, being based on unchangeable historical facts, becoming readily available for use. It is also likely that large quantities of stolen data from multiple sources are already correlated to build a bigger picture of individual people. If this is not already true, it is a safe assumption that it will be in the future. Here are some thoughts on how to adapt:

  • The most crucial point is that for the concept of security questions to work, the questions and answers need to be treated with the same level of importance as usernames and passwords. Remember that security questions can reset and override the need for passwords or PINs.
  • Advice that people should use different passwords for different systems is ubiquitous; however, for security questions to have security value, the same approach needs to be applied. It is daunting to think of having 200 mothers and needing to change them all every 60 days, but it’s not that bad: having one mother and multiple maiden names is sufficient. Also, having a mother who was once called ‘Miss Yr66£1&Ld’ is acceptable. It is amusing when asked to confirm this by telephone. What is not funny is it being accepted by phone after giving only the first three characters. Some systems treat the answers to security questions like passwords, and call centre staff must correctly type the answer to access customer data. This approach provides an extra level of security which prevents call centre staff from accessing customer data when the customer is not present on the call.
  • Exercising a certain amount of security due diligence when being asked for information is essential and will require a judgement call to be made. What is reasonable and unreasonable is somewhat subjective, and companies should only be requesting the minimum information necessary to fulfil their purpose. Name and address are obvious requirements if you place an online order which needs to be delivered, but you would not expect to be asked for a date of birth when placing an order.
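The two practices above, random per-site answers and full-answer verification, as an added example (not code from the original post): one random "maiden name" per site on the customer side, and on the verifier side only a salted hash of the complete answer, compared in constant time, beside the weak first-three-characters check the post describes. Function names and the 12-character answer length are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Iterable, Optional, Tuple

# Constructed example: security-question answers handled like passwords.
ANSWER_ALPHABET = string.ascii_letters + string.digits + "!&£$%"


def generate_answer(length: int = 12) -> str:
    """A random per-site answer, in the spirit of 'Miss Yr66£1&Ld'."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def enrol_sites(sites: Iterable[str]) -> Dict[str, str]:
    """One mother, many maiden names: a distinct random answer per site,
    to be kept in a password manager alongside the site's password."""
    return {site: generate_answer() for site in sites}


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash of the full answer; this is all the verifier stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_answer(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Full-answer, constant-time comparison: a partial or wrong-case
    answer fails, and staff never see the plaintext answer."""
    salt, digest = stored
    _, candidate = hash_answer(attempt, salt)
    return hmac.compare_digest(candidate, digest)


def prefix_verify(stored_plain: str, attempt: str, n: int = 3) -> bool:
    """The weak practice from the post: the plaintext answer is on file and
    only its first n characters are matched, so 'Yr6' unlocks 'Yr66£1&Ld'."""
    return stored_plain[:n].casefold() == attempt[:n].casefold()


if __name__ == "__main__":
    vault = enrol_sites(["bank", "insurer", "utility"])
    record = hash_answer(vault["bank"])
    print("full answer accepted:", verify_answer(record, vault["bank"]))
    print("3-char prefix accepted (hashed):", verify_answer(record, vault["bank"][:3]))
    print("3-char prefix accepted (weak):", prefix_verify(vault["bank"], vault["bank"][:3]))
```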

Companies have yet to catch up with the idea that someone can have a cat called ‘G8ssJe4£!’. Being asked once to pronounce his name was followed with an explanation that the answer to my security question needed to be factual, and could I give the real name so they could update my records. Not having a cat made that close to impossible.