- Paul Livi, Security Architect, CBC/Radio-Canada Information Technology
- Eric Veysey, Senior Systems Analyst, Identity and Access Management
In today's digital information landscape, society is moving at an unprecedented pace and demands that information be accessible anytime, anywhere, and on virtually any device. Security in this ever-changing environment is crucial, with constant, pervasive threats to the information services we use on a regular basis affecting both our personal and work environments. Security is an inconvenient but fundamental necessity, and practicing good security takes time, discipline, and money.
Security is a topic that has gained the spotlight over the last decade due to an increasing number of high-profile breaches in various areas of business and personal use. This has created a new methodology in how we do business, where we must not only deliver new technologies and products: we must also ensure that we are doing so securely.
CBC/Radio-Canada's Information Technology Department is therefore in the process of developing and deploying an Information Security Risk Management programme in order to deal with the security concerns of today's digital information landscape, and more news regarding this programme will be announced in the near future. The unique nature of the broadcasting industry may not necessarily require all of the stringent and restrictive security protocols of a financial institution per se; however, we must still strive to protect our corporate and media information assets, as well as the content we provide on publicly available Internet sites. This responsibility also extends into the realms of technologies such as Cloud Computing, Social and Collaboration platforms, and Mobility, where public Wi-Fi connectivity and Bring Your Own Device initiatives are not only becoming more common, but also the new norm.
Information Security Principles
The following shortlist of Information Security Principles describes the high-level concepts that must be taken into account in order to safeguard CBC/Radio-Canada's information assets. These principles are well recognised within the security industry and have been adjusted with a broadcasting perspective in mind.
Media Content Sharing
Electronic media content sharing is a natural outgrowth of the mandate of broadcasters to disseminate information. An effective Security Policy must support this objective in a transparent manner to ensure that it does not hinder the creative process while maintaining necessary security. The goal is to create policies and procedures that will enhance security to meet industry standards in order to prevent breaches, all while attempting to keep the creative environment flexible and functional. Typically, it can be quite a balancing act.
Access Under Control
Considering that all media content is essentially data, access controls must be implemented to govern the “who, what, where, when, and how” of access in order to protect the data from unauthorised modification or disclosure: who can access the data; what is permitted to be done with the data; where the data can reside and where the user must be to access it; when the data can be accessed; and how (in what formats) it can be accessed. Access to non-public information resources should be granted only with an authorised request and on a need-to-know basis, providing the minimal privileges required for an individual to perform their job functions.
Corporate & Media Content – CBC/Radio-Canada's Valuable Strategic Assets
Corporate and media systems need to be designed, managed, and protected in relation to the business criticality of the information to which they provide access. Corporate and media content owners must ensure that they adequately and accurately classify corporate and media content in terms of confidentiality, integrity, and availability. This is critical to ensure that information assets are not over-protected or under-protected.
Embracing a Risk-based Approach
Risk should be the determinant of the appropriate level of control to protect information. Each business initiative and operational unit should identify its main security risks, evaluate their likelihood, and propose a risk treatment plan in line with the risk tolerance of CBC/Radio-Canada. A risk assessment mechanism should also be in place in order to identify, prioritise, and communicate risks to the stakeholders.
In-depth Global Approach to Information Security
Corporate and media content flow in various formats (electronic, paper, or verbal) through every part of the organisation. A global approach to Information Security must be taken in order to provide appropriate protection for all of these formats across a wide variety of networks and systems, with multiple layers of protection as warranted (i.e., “defence-in-depth”). Information Security must be designed with multiple layers of barriers that an attacker must go through in an attempt to compromise a given resource.
Lifecycle Integrated Approach to Information Security
Although the criticality and sensitivity of specific information can change over time, data and media content always have a corporate business value. As a result, Information Security and Risk Management must always be taken into account when designing, testing, implementing, and maintaining corporate and media systems, as well as when reusing or disposing of information assets and their related technological components.
The Human Factor of Information Security
Although technology plays a critical role in the protection of corporate and media assets based on the principles mentioned above, the human factor of information security is often regarded as the weakest part of any security system. Users may not necessarily be aware of the risks associated with revealing or disclosing security-related information. Rather than faulting them for their indiscretions, we should seek to better understand their roles and the pressures placed upon them by security requirements in order to help us to design better policies, procedures, programmes, and systems.
A security awareness programme is crucial in educating users about the importance of information security and information security risks, providing them with strategies that they can employ in both their personal and work environments. However, in some cases, a security awareness programme can be overwhelming, with too much information being conveyed to the user at a single point in time. Another approach would be to deliver security awareness information in smaller doses and on a more frequent basis, akin to a tip of the day approach.
Some tip of the day examples for a security awareness programme might include:
- Never give out your login credentials and always be suspect of anyone who requests that information from you, even your own Help Desk or Technology Department.
- When using public Wi-Fi, always refrain from sending or receiving personal information.
- Always report any loss or theft of your device (laptop, tablet, or smartphone) to your Help Desk or Technology Department immediately.
- Always be suspicious of links and attachments in your email and social media from unknown or even known sources. If there is even the slightest bit of doubt, delete it immediately without opening it.
- Be diligent in reporting any security incident to your Help Desk or Technology Department. Incidents could include mistakenly disclosing your login credentials to a third party, or observing an employee exporting large amounts of corporate data to secondary storage (USB key or external hard drive) or printers.
- Refrain from using the same password for both your personal and work systems.
- Log out of access controlled applications or lock your device when leaving your work area.
- Never leave your laptop, smartphone, or tablet unattended in a public place or in an unlocked office.
- Pay attention to the security tools installed on your device and ensure that they are always operational and up to date.
- Ensure that any information that you provide online is always encrypted. Be sure to always look for HTTPS at the beginning of a website's URL, which indicates that traffic to that website should be encrypted.
Password Controls & the Human Factor
Users can become frustrated when they are forced to change their passwords on a regular basis. Thinking of a new, strong password that can be easily remembered can be quite daunting at times, but it is crucial to securely protecting CBC/Radio-Canada data and media content on an on-going basis. A new policy has therefore been implemented regarding passwords at CBC/Radio-Canada to help increase our password strength and increase the overall security of all of our systems.
All passwords can be guessed or deciphered: it is just a matter of time. This is one of the reasons why password expiration is crucial. It limits the time someone has to guess or determine a password and, if someone does illicitly obtain a password, its value is time-limited by the periodic change. By choosing passwords that are secure, you can ensure that your systems and your data are safe, and enhance the overall security of CBC/Radio-Canada.
One of the most frequent questions asked is: How do I make my password more secure?
The words or characters in your password and its overall length determine how secure your password is. Passwords that contain dictionary words are generally easier to crack than non-dictionary words. Additionally, the length increases the difficulty and time required to crack a password. However, if you are using longer dictionary-based words, the length has little to no increased security value. Similarly, using words or numbers which are easily associated with you as an individual as a password makes the password easy to guess, so things like your pet's name, your birthday, your children's names, and the like make for poor password choices.
For example, here is a set of passwords with rough estimates of how long it would take to crack them (based on an average computer and the password protection of a Microsoft Windows system):

| Password | Time to decipher |
|---|---|
| redwagon | Less than a day |
| summertime2012 | Less than a day |
| Passwdsec4 | Two months, seventeen days |

As we can see, the more random, non-dictionary words we use, the harder it is to guess or crack the password.
Now that the password has been protected from guessing, we also have to ensure that we secure the communication of the password to various systems. We do not want people eavesdropping on our communications and reading our carefully chosen password as plain text (unencrypted). A policy should therefore be employed that requires the encryption of all communications that contain login credentials (i.e., usernames and passwords) throughout the internal networks and over the Internet. This protects passwords from being read in plain text by third parties.
Password synchronisation across directory services and applications simplifies our lives while reducing the overhead of managing numerous different passwords for different systems. CBC/Radio-Canada uses Identity Management to store all corporate passwords and distribute them to all connected systems. Once we have changed our password in the Password Self-serve portal, the portal relays this new password to our Identity Management system. In turn, the Identity Management system automatically sends the new password to all connected systems. (However, it does take some time for all connected systems to process the new password, so we recommend waiting 20 minutes.)
Along the user security awareness front, we have also made the following Password Best Practices list available to users to help convey the different aspects of password controls:
- Keep passwords confidential.
- Avoid keeping a record (e.g., paper, unencrypted software file or unencrypted hand-held device) of passwords, unless this can be stored securely and the method of storage has been approved by the Information Security Committee.
- Change passwords immediately whenever there is any indication that a system or password has been compromised.
- Select quality passwords that are:
  - Easy to remember;
  - Not based on anything somebody else could easily guess or obtain using personal information (e.g., names, telephone numbers, dates of birth, etc.); and
  - Not vulnerable to dictionary attacks (i.e., ensure that passwords do not consist solely of words included in dictionaries) and are free of consecutive identical, all-numeric or all-alphabetic characters.
- Change temporary passwords at the first log-on.
- Do not include passwords in any automated log-on process (e.g., do not store passwords in a macro or function key).
- Do not share your login credentials.
- Do not use the same password for business and non-business purposes.
- Verify the identity of anyone calling you to disclose or reset your password. To ensure consistent and accurate updates to your passwords, please always use the password portal to update your CBC/Radio-Canada passwords.
- If you are ever legitimately required to disclose your password (e.g., for support purposes) make sure to change it as soon as possible.
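The rules from the crack-time table and the "select quality passwords" items above can be turned into a self-service check that tells a user which rule a proposed password breaks. The following is an added example, not CBC/Radio-Canada's own code or portal logic; the miniature word list, the personal-information fields and the choice to ignore appended digits when testing for dictionary words (the table shows summertime2012 cracks as fast as a bare word) are assumptions made for illustration.

```python
"""Password-policy check modelled on the best-practices list in this article.
Added example, not CBC/Radio-Canada's own code. The word list, the personal-
information inputs and the handling of digits are assumptions for illustration.
"""
import re
from functools import lru_cache

# Constructed mini dictionary; a real check would load a full word list.
DICTIONARY = {"red", "wagon", "summer", "time", "summertime", "pass", "word",
              "password"}


def _all_dictionary_words(letters: str, words: frozenset) -> bool:
    """True if `letters` can be split entirely into dictionary words."""
    @lru_cache(maxsize=None)
    def rec(i: int) -> bool:
        if i == len(letters):
            return True
        return any(letters[i:j] in words and rec(j)
                   for j in range(i + 1, len(letters) + 1))
    return bool(letters) and rec(0)


def check_password(pw: str, personal_info=(), dictionary=DICTIONARY) -> list:
    """Return the policy rules the password violates (empty list = accepted)."""
    problems = []
    low = pw.lower()
    if pw.isdigit():
        problems.append("all-numeric")
    if pw.isalpha():
        problems.append("all-alphabetic")
    if re.search(r"(.)\1", pw):
        problems.append("consecutive identical characters")
    # Names, dates of birth, phone numbers: easy to guess from public info.
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information '{item}'")
    # Dictionary rule: the letters must not decompose wholly into known words.
    # Digits are stripped first (assumption): appending a year adds little,
    # as the crack-time table for summertime2012 shows.
    letters = re.sub(r"[^a-z]", "", low)
    if _all_dictionary_words(letters, frozenset(dictionary)):
        problems.append("consists solely of dictionary words")
    return problems


if __name__ == "__main__":
    for candidate in ("redwagon", "summertime2012", "Passwdsec4"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that the table's strongest example, Passwdsec4, still trips the "consecutive identical characters" rule because of the doubled "s"; the checker reports every rule broken rather than a single verdict, so users learn exactly what to change.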
Information security continues to be an ever-growing concern in today's digital information landscape. In order to deal with the constant, pervasive threats, we must attempt to define and adhere to information security principles that will protect our data. Developing our users' security awareness to ensure that they are cognisant of today's security risks is crucial, and having them abide by the policies and controls set in place will not only minimise risk in their work environment, but hopefully in their personal environments as well.