
Chapter 16: IT Security and Service Management 201

Security administration

Another benefit that identity management confers is a reduction in security administration costs. Security administrators no longer have to make manual authorization grants in dozens of systems; the identity management system handles that workflow automatically. This arrangement is particularly useful for organizations that have distributed security administration over several locations, because it enables security administration to be centralized.

Data analysis

After you centralize all user data, you can generate useful reports on resource and application use or carry out security audits. If you’re having problems with internal hacking, for example, you can check a log that lists every user’s activity (see the following section). Also, if you have logging software for databases and files, you can monitor who did what to any item of data and when, including who looked at specific items of data. This audit capability is important for implementing data privacy and data protection compliance.

Employing Detection and Forensics

In this section, we discuss three specific groups of IT security products:

Activity logs

Host-based intrusion prevention systems and network-based intrusion prevention systems

Data audit

No one, intruder or legitimate user, should be able to use IT resources without leaving evidence. You want to detect any illegitimate activity as soon as it happens, but in many situations you can't tell the legitimate from the illegitimate while it's going on. If you don't detect an attack while it's happening, at least you have a record of what took place.

Activity logs

Many logging capabilities are included in operating systems, applications, databases, and devices such as hardware firewalls and network monitors. A cost is associated with invoking logging capabilities: Turning on logging requires the system to write log records constantly, and it also involves creating a process to manage and archive such data until it’s no longer needed.

202 Part IV: Nitty-Gritty Service Management

Log files often provide some evidence of how fraud was perpetrated, however. Perpetrators of digital fraud often escape justice simply because the victim doesn’t have sufficient evidence to prove what they did.

HIPS and NIPS

Host-based intrusion prevention systems (HIPS) and network-based intrusion prevention systems (NIPS) serve the same purpose: a collection of capabilities that make it difficult for intruders to penetrate a network and operate inside it. They differ in where they sit. A HIPS runs as an agent on each server or workstation and watches that machine's processes, files, and logs; a NIPS sits inline on the network and inspects traffic, so it can block a hostile connection before it reaches a host. Between them, these systems can include the following elements:

System and log-file monitors: This software looks for traces of intruders in log files. The monitors can watch login accounts, for example, and issue alerts when account permissions change, which is often an indication that something untoward is going on. Because an intruder who gains administrative rights will try to delete or edit the logs, the monitor should forward log records to a separate system as they are written, not only read them in place.

Network intrusion-detection systems (NIDS): These security programs monitor the packets that travel through a computer network, looking for telltale signs of attack. The effectiveness of a NIDS depends on its capability to sort real attacks from benign anomalies and legitimate activity. An ineffective NIDS raises too many false alarms and, thus, wastes analysts' time; alerts that are routinely ignored are as good as no alerts at all.

Digital deception software: This software deliberately misleads anyone who’s attempting to attack the IT network. It can range from the simple spoofing of various service names to setting up traps known as honeypots or honeynets. (For more information, see the nearby sidebar “Fooling attackers by spoofing.”)

Setting traps is unusual and can be expensive. It’s normally done by government sites or by companies that suspect digital industrial espionage.

White-listing (allow-listing) software: This software inventories the executable programs that are permitted to run on a computer and prevents any other executable from running. White-listing severely hampers attackers, because even if they get access to a computer, they can't run tools of their own on it, and every attempt to run unauthorized software is reported. It also stops most file-based malware outright. It does not stop an attacker who misuses programs that are already on the list, such as scripting interpreters and administrative tools, so the list must be kept short and reviewed.

Unified threat management: This central function takes information from all the preceding components and identifies threats by analyzing the combined information.
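The system and log-file monitor described in the list above, as an added Python example that is not from the book or from any product it names. It runs three detection rules over constructed auth-log lines (the sample lines are made up for the example and use documentation addresses): a burst of failed logins followed by a successful one from the same source, an account-management tool run through sudo, and a user added to a privileged group. The thresholds, the privileged group names and the tool list are assumptions to tune for your own environment. It also shows, in a small way, what the unified threat management item describes: events from three different sources (sshd, sudo, usermod) are combined in one place before a decision is made.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/auth.log shape (not captured from a real system).
SAMPLE_LOG = """\
Mar  3 09:14:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 09:14:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
Mar  3 09:14:04 web01 sshd[2203]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar  3 09:14:05 web01 sshd[2203]: Failed password for root from 203.0.113.9 port 51125 ssh2
Mar  3 09:14:06 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 51126 ssh2
Mar  3 09:14:09 web01 sshd[2207]: Accepted password for root from 203.0.113.9 port 51130 ssh2
Mar  3 09:15:30 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo backup
Mar  3 09:15:31 web01 usermod[2310]: add 'backup' to group 'sudo'
Mar  3 09:15:31 web01 usermod[2310]: add 'backup' to shadow group 'sudo'
Mar  3 10:02:11 web01 sshd[2400]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:40 web01 sshd[2402]: Failed password for alice from 198.51.100.7 port 40025 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
GROUP_ADD_RE = re.compile(r"add '(\S+)' to (?:shadow )?group '(\S+)'")
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}          # assumed; adjust per platform
ACCOUNT_TOOLS = ("usermod", "gpasswd", "visudo", "useradd")     # assumed list of tools to flag

def parse(text):
    """Split syslog-style lines into (timestamp, host, program, message) events."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # in production, count unparseable lines too: a sudden rise is itself a signal
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog omits the year
        events.append({"ts": ts, "host": m.group(2), "prog": m.group(3), "msg": m.group(4)})
    return events

def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Run three rules over the events in order and return the alerts they raise."""
    alerts = []
    failures = defaultdict(list)     # source address -> timestamps of failed logins
    reported_group_adds = set()      # usermod logs the group and the shadow group separately
    for ev in events:
        msg = ev["msg"]
        f = FAILED_RE.search(msg)
        if f:
            failures[f.group(2)].append(ev["ts"])
            continue
        a = ACCEPTED_RE.search(msg)
        if a:
            user, src = a.groups()
            # Rule 1: a successful login from an address that failed `threshold` times just before.
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"kind": "brute_force_success", "host": ev["host"], "subject": user,
                               "detail": f"{len(recent)} failures from {src} within {window}", "ts": ev["ts"]})
            continue
        # Rule 2: an account-management tool invoked through sudo.
        if ev["prog"] == "sudo" and any(tool in msg for tool in ACCOUNT_TOOLS):
            alerts.append({"kind": "admin_tool_via_sudo", "host": ev["host"],
                           "subject": msg.split(":")[0].strip(), "detail": msg, "ts": ev["ts"]})
        # Rule 3: an account gained membership of a privileged group (a permission change).
        g = GROUP_ADD_RE.search(msg)
        if g and g.group(2) in PRIVILEGED_GROUPS and g.groups() not in reported_group_adds:
            reported_group_adds.add(g.groups())
            alerts.append({"kind": "privileged_group_add", "host": ev["host"], "subject": g.group(1),
                           "detail": f"added to group {g.group(2)}", "ts": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert["ts"].strftime("%H:%M:%S"), alert["kind"], alert["host"], alert["subject"], "-", alert["detail"])
```

On the sample data the detector raises three alerts: the root login after five failures, the sudo invocation of usermod, and the addition of backup to the sudo group. Raising the failure threshold to six silences the first alert, which is the tuning trade-off the NIDS item describes: a rule that fires on every anomaly buries the real ones.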


Fooling attackers by spoofing

As a technical IT term, spoofing means pretending to be something else. In a so-called phishing attack, a false Web site pretends to be a genuine one. A phishing Web site might pretend to be a bank's Web site, for example, and try to tempt users into revealing their financial details. It's possible to spoof e-mail sender addresses and, under some circumstances, Internet Protocol (IP) source addresses, but mounting an interactive attack this way is difficult, because the target's replies go to the real owner of the spoofed address rather than to the attacker. Spoofed addresses remain useful to attackers for one-way traffic, such as flooding a target with packets.

When you use spoofing as a defense, your aim is to confuse an attacker's tools. Attackers scan networks with fingerprinting software that looks for servers running specific versions of, say, Microsoft Windows, usually by reading the banners that services announce and the quirks of the network stack. If you set services to give out false or no version information, which is easy enough to do for banners (harder for the network stack), that false information can steer automated attacks past you. Treat this as a nuisance for attackers rather than a barrier: a determined intruder simply tries the exploit anyway.

Honeypots work by spoofing, too. They pretend to be vulnerable servers and thereby trick attackers into revealing where they're attacking from and which tools and techniques they use, while keeping them busy away from production systems.

Data audit

Although databases log who changed any data, they normally don't log who read any piece of data. But data that is merely read is easily stolen. Enthusiasm for filling this gap increased considerably after the Sarbanes-Oxley Act was enacted in 2002, requiring companies to control access to, and account for, the data behind their financial reports. Consequently, a series of software products that log who looks at what quickly came into existence. These products generally are referred to as data audit products. Most major databases also offer a native audit facility that can do the same job, at the cost of a large volume of log records.

Encrypting Data

The IT world has a set of well-studied encryption algorithms that, used correctly, can be regarded as safe: an attacker who obtains only the ciphertext learns nothing useful. In practice the weak points are not the algorithms but key management and the places where data is decrypted for use. Thus, you can easily encrypt data and ensure that only a holder of the right key can decrypt it; protecting that key becomes the problem.

You could encrypt everything. You could encrypt data when you write it to disk, when you send it down a wire, when you send it through the air by radio, and so on. Encrypting everything in a comprehensive way considerably reduces your exposure to data theft. Encrypting log files, for example, keeps intruders from reading and selectively editing them, but it doesn't stop an intruder with administrative rights from deleting them outright. To keep intruders from covering their tracks, forward log records as they're written to a separate system the intruder can't reach, and protect their integrity so that any alteration or deletion is detectable.


Encryption poses a performance penalty and, more importantly, a key-management burden, so focus encryption on the specific data that needs protection. On modern processors with hardware AES instructions the cost of the encryption itself is small; the cost of generating, distributing, rotating, and protecting keys is what remains.

Think about how you use encryption. A fairly recent case of data theft involved data that was encrypted until it was delivered to the application that needed to use it. At that point, the data was decrypted for use, in bulk, and that's exactly where the intruder struck. The loss could have been limited if the application itself had controlled decryption on a record-by-record basis, decrypting only the record an authorized user asked for, when asked, and logging that it did so.
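The record-by-record decryption just described and the data audit products discussed under "Data audit," as one added Python example that is not from the book or from any product it names. It also carries the point made above about intruders covering their tracks: encryption alone doesn't stop an intruder from deleting a log, so the audit log here is made tamper-evident with an HMAC chain instead, and a copy of the chain head is assumed to be shipped off the host after each append. The cipher is a constructed HMAC-SHA256 counter-mode stand-in for AES-GCM, used only so the example runs with the standard library; the store, its access-control list, the record ids and the customer data are all made up for the example.

```python
import hashlib, hmac, json, os
from datetime import datetime, timezone

# Authenticated-encryption stand-in, constructed for this example: an HMAC-SHA256
# keystream in counter mode plus an HMAC tag (encrypt-then-MAC). A real system would
# use AES-GCM from a vetted library; the lesson is where decryption happens, not the cipher.
def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Tamper-evident audit log: every entry carries a MAC over its fields, including the
# MAC of the entry before it, so editing or deleting an entry breaks the chain.
GENESIS = b"\x00" * 32

class AuditLog:
    def __init__(self, log_key):
        self.log_key, self.entries, self.head = log_key, [], GENESIS

    def _mac(self, entry):
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True)
        return hmac.new(self.log_key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, actor, action, record_id):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "record": record_id, "prev": self.head.hex()}
        entry["mac"] = self._mac(entry)
        self.head = bytes.fromhex(entry["mac"])  # a real deployment ships this value off-host
        self.entries.append(entry)

    def verify(self, expected_head=None):
        """Chain and MACs intact; with the off-host head, also no entries removed from the end."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev.hex() or not hmac.compare_digest(e["mac"], self._mac(e)):
                return False
            prev = bytes.fromhex(e["mac"])
        return expected_head is None or prev == expected_head

class CustomerStore:
    """Records are encrypted at rest; one record is decrypted per authorized read, and
    every read (granted or denied) is written to the audit log, not only every write."""
    def __init__(self, data_key, audit, acl):
        self.data_key, self.audit, self.acl, self.rows = data_key, audit, acl, {}  # acl: actor -> ids

    def put(self, actor, record_id, fields):
        self.rows[record_id] = seal(self.data_key, json.dumps(fields).encode())
        self.audit.append(actor, "write", record_id)

    def get(self, actor, record_id):
        if record_id not in self.acl.get(actor, set()):
            self.audit.append(actor, "read_denied", record_id)
            raise PermissionError(f"{actor} may not read {record_id}")
        self.audit.append(actor, "read", record_id)
        return json.loads(unseal(self.data_key, self.rows[record_id]))

def demo():
    """Constructed walk-through; returns the observations as a dict."""
    data_key, log_key = os.urandom(32), os.urandom(32)
    audit = AuditLog(log_key)
    store = CustomerStore(data_key, audit, acl={"alice": {"c-1001"}})
    store.put("etl", "c-1001", {"name": "Ada", "card_last4": "4242"})    # constructed data
    store.put("etl", "c-1002", {"name": "Grace", "card_last4": "1881"})
    record = store.get("alice", "c-1001")
    try:
        store.get("alice", "c-1002")
        denied = False
    except PermissionError:
        denied = True
    result = {"record": record, "denied": denied, "intact": audit.verify(),
              "actions": [e["action"] for e in audit.entries]}
    shipped_head = audit.head            # the copy an intruder on this host cannot reach
    audit.entries.pop()                  # intruder deletes the newest entry ...
    result["truncation_seen_locally"] = not audit.verify()
    result["truncation_seen_offhost"] = not audit.verify(shipped_head)
    audit.entries[2]["actor"] = "nobody"  # ... and rewrites who read c-1001
    result["edit_detected"] = not audit.verify()
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the walk-through makes: only the one record alice is entitled to is ever decrypted, so a compromise of the application's read path exposes records one at a time rather than the whole table; and deleting the newest log entry is invisible to a local check of the chain but is caught as soon as the chain head is compared with the copy sent off the host, which is why forwarding, not encryption, is what keeps an intruder from covering their tracks.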

Because of the complexities it adds, encryption is used less frequently than perhaps it should be. The media have covered many cases of stolen laptops containing valuable data, including military secrets. Those thefts wouldn't have been problems if all the data on those laptops had been encrypted properly: full-disk encryption, with a key that isn't stored on the device and isn't derived from a weak password.

Creating an IT Security Strategy

This book isn’t IT Security For Dummies, so we won’t go into creating a comprehensive IT security strategy. We do want to provide some pointers, though:

In most circumstances, IT security needs to be approached from a risk management perspective. If your organization has risk management specialists, involve them in IT security planning.

IT security monitoring has no simple key performance indicators, but be aware of what similar organizations spend on IT security. That way, you have some awareness of the level of investment. Similarly, it makes sense to keep track of time lost due to any kind of attack — a useful measurement of cost that you may be able to reduce over time.

You need identity management for many reasons, and identity management offers many benefits. Give priority to improving identity management if your current capability is poor.

Try to create general awareness of IT security risks by educating and warning staff members about specific dangers (such as social engineering; refer to “Types of attacks on IT assets,” earlier in this chapter).

Regularly have external IT security consultants check your company’s IT security policy and IT network.

Determine specific IT security policies for change management and patch management, and make sure that policies are well understood by your service management staff.


Stay abreast of news about IT security breaches in other companies and the causes of those breaches.

Review backup and disaster-recovery systems in light of IT security. Apart from anything else, IT security breaches can require complete application recovery.

When a security breach occurs on a specific computer, the applications running on that computer will likely have to be stopped. Consequently, security breaches can be the direct causes of service interruptions and can contribute to lower service levels. Also, data theft resulting from a security breach could result in a real or perceived breach of customers’ trust in your organization.

All you can do right now, however, is reduce the risk of such occurrences. Current IT security technology doesn't integrate the separate tools described in this chapter, identity management, logging, intrusion prevention, data audit, and encryption, into one coherent system, so a higher level of maturity isn't yet within reach.


Chapter 17

Business Service Management

In This Chapter

Understanding business service management

Managing risk with key performance indicators

Setting business and IT service levels

Balancing business goals

A lot of business, technological, and organizational issues have to come together in proper service management. How can service management goals provide important benefits to your company's business goals? The reality is that companies are at different stages of implementing a service management strategy. But no matter where your company is, the fundamental premise is that service management is an integral part of your business strategy.

Why did we wait until now to discuss business service management? You first have to understand the parts of service management and how they work together; otherwise, you don't know what tools are at your disposal. Here's a way to think about this issue: Imagine that you're in your car starting out on a trip. You don't have a map, and you haven't decided where you want to go. You stop at the nearest gas station and ask for directions. But how can you possibly figure out which path is best if you don't even know which town you're going to? As the old saying goes, if you don't know where you're headed, any road will do.

In this chapter, we explain what business service management is and how a business can benefit from it.
