Wednesday, December 31, 2008

Technology is not the complete answer

Some organizations view ‘technical solutions’ as the immediate answer to their information security problems. This attitude is promoted by several suppliers of - you guessed it - those very same ‘technical solutions’. Technology-based information security products such as firewalls and antivirus software are valuable weapons in the security manager’s armory, but a purely technological approach has severe drawbacks:

Firstly, technology is fallible. Despite the best efforts of the software quality engineering movement, hackers, testers and users continue to find unchecked buffers, unhandled exceptions, backdoors and other gross vulnerabilities in commercial and in-house developed software. The problem is compounded by the complexity of modern IT systems. Organizations that employ multi-layered security have the right idea, but we find it extremely hard to believe that every layer of armor is near perfect. Worse still, ever since medieval days attackers have been known to bypass castle defenses by taking an alternative approach rather than attacking the strongest wall. The same kind of attack definitely occurs on the web too.

Secondly, very few organizations understand their information security problems in sufficient detail to specify appropriate technical solutions. Typically they recognize the need for standard information security packages (such as antivirus software) to address individual concerns, but they seldom have a comprehensive view of their requirements. They buy ‘plug and play’ firewalls with no regard to monitoring the security alarms, updating attack signatures, or responding to new forms of network traffic. They virus-scan email but ignore JavaScript.

Thirdly, the term “technical solution” usually implies significant expense. Today’s security technology is particularly costly, whilst standard off-the-shelf packages are often sub-optimal and offer little competitive advantage.

Lastly, someone invariably has to implement and operate the technology and this opens a massive can of worms. This post considers the importance of the last aspect, the human element of information security.

If you are serious about information security, you must tackle the human factors - those who purchase, implement, manage and use the technology - as well as the technology itself. Improving information security is not about choosing whether to improve the technical or procedural controls, but about how to improve them both. Proactively managing your information security risks involves assessing and reassessing all the threats, vulnerabilities and impacts and successively improving controls. This is not a one-off ‘fire and forget’ operation, just to get your ISO/IEC 27001 certificate or whatever. Information security requires ongoing management attention.

Friday, December 19, 2008

Can Security's Human Side Stop Data Breaches?

As human error increasingly becomes the top reason for security breaches, behavior-based strategies are making their way into the workplace to supplement technology

Shira Rubinoff was a practicing psychologist in 2004. When it came to technology, her experience was simply as a tech user, certainly not a tech guru. Then one day she was phished.
"After it happened, I was like: 'There's got to be a better solution out there. Because once you put security in people's hands, so much can happen.'"

Rubinoff decided to take her background in human behavior and turn it into a security software firm that taps into how the mind works in order to prevent phishing attacks. Her New Jersey-based company, Green Armor, provides a product that displays on the Web log-in page a visual cue that is unique to each user of the site. The cue is generated by a mathematical formula from the user ID. It consists of a colored box and a short word, a combination she arrived at after extensive research and experimentation into how users memorize and retain information.

The idea, according to Rubinoff, is that users will notice much more easily that something is amiss than they do with the authentication techniques currently used by many online banking and other secure sites.
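To make the idea concrete, here is an added example (not Green Armor's code; the page does not describe their formula) of deriving a per-user colored box and short word from a user ID. It assumes a keyed HMAC derivation with a hypothetical server-side secret SERVER_SECRET and a small constructed word list WORDS; the function names are the example's own.

```python
import hashlib
import hmac

# Constructed word list for the demonstration; a deployment would use a larger,
# curated list of short, easily remembered words.
WORDS = ["anchor", "cobalt", "falcon", "harbor", "meadow", "orchid", "saffron", "walnut"]

# Hypothetical server-side secret (an assumption of this example). Keying the
# derivation with a secret the server never discloses means that knowing a user
# ID alone is not enough to compute that user's cue.
SERVER_SECRET = b"replace-with-a-long-random-value-kept-server-side"


def derive_cue(user_id: str, secret: bytes = SERVER_SECRET) -> dict:
    """Deterministically map a user ID to a colored box and a short word.

    The same user ID (case- and whitespace-insensitive) always yields the same
    cue, so the user can memorize it; a different user, or the same user under
    a different secret, gets an unrelated cue.
    """
    canonical = user_id.strip().lower().encode("utf-8")
    digest = hmac.new(secret, canonical, hashlib.sha256).digest()
    color = "#" + digest[:3].hex()  # 24-bit RGB from the first three bytes
    word = WORDS[int.from_bytes(digest[3:5], "big") % len(WORDS)]
    return {"color": color, "word": word}


def cue_matches(user_id: str, color: str, word: str, secret: bytes = SERVER_SECRET) -> bool:
    """True if the cue shown on a login page is the one the genuine server derives."""
    expected = derive_cue(user_id, secret)
    return (hmac.compare_digest(expected["color"].encode(), color.encode())
            and hmac.compare_digest(expected["word"].encode(), word.encode()))


def login_page_cue_html(user_id: str) -> str:
    """Render the cue next to the password field, as the genuine site would."""
    cue = derive_cue(user_id)
    return (f'<div style="background:{cue["color"]};padding:8px">'
            f'<span>{cue["word"]}</span></div>')


if __name__ == "__main__":
    for uid in ("alice@example.com", "  Alice@Example.COM ", "bob@example.com"):
        print(uid.strip(), derive_cue(uid))
```

Two practitioner notes. First, if the formula were unkeyed and public, a phishing page that has harvested a user ID could compute the same cue, which is why the example keys the derivation with a server-side secret. Second, a cue of this class, shown after the user enters an ID, does not by itself defeat a phishing page that relays the ID to the genuine site in real time and copies back whatever cue it receives; it raises the bar for the common harvested-credentials phish and complements, rather than replaces, TLS certificate checks and user training.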

"This approach deals specifically with the humanistic factors of technology," said Rubinoff, who was recently named a "Women of Influence" award winner at the Executive Women's Forum for her work on the software. "I think other technologies out there look for technology problems. They forget there is a person sitting behind the computer that is very easily manipulated."

Human behavior is increasingly becoming a hot area of focus in security. In fact, a new study from networking giant Cisco says risky behavior tops the list of reasons for security breaches. The study, which surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries, was conducted to examine security and data leakage at a time when employee lifestyles and work environments are changing dramatically.

"We conducted this research in order to understand behavior, not technology per se," said John N. Stewart, chief security officer of Cisco. "Security is ultimately rooted in users' behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss - and what that ultimately means for both the individual and enterprise."

The research found that one in five of those surveyed admitted to altering the security settings on their computers. Additionally, one in four employees admitted verbally sharing sensitive information with non-employees. And a whopping seven in ten said they regularly use unauthorized applications at work.

Similar findings from consulting firm Deloitte earlier this year back up the Cisco research. A Deloitte survey of more than 100 companies found 75 percent cited human error as the leading cause of security failures.

Green Armor is one of several companies with a product that is based on human behavior. A quick Google search also turns up many antivirus and anti-malware solutions that utilize behavior analysis, and most of the major antivirus software makers, such as Symantec and McAfee, have implemented some kind of behavior-based defense in their products; note, though, that those products analyze the behavior of software rather than of the user.

A California-based consultancy called Security Mentor, which only launched in April, is hoping to find business in an approach that goes right to the source: the user. Security Mentor offers training that, according to founder and President Marie White, takes on a brief, frequent and focused approach. Employees take part in weekly, seven-minute-long informational Web sessions that teach and reinforce good security habits and practices.

"There is widespread information at this point that employees are one of the greatest threats to an organization," said White. "But the question is: Why do they remain the greatest threat? One can assume they are either intentionally or unintentionally engaging in risky behavior. Most people agree it's unintentional. This training addresses that."

Security Mentor, which launched at the RSA conference, is still in the start-up phase, according to White. While the firm is not working with any customers yet, there is interest from a wide-swath of commercial and government organizations, she said.

White said in developing the sessions, she also took into account how the typical employee works today. The sessions are short to fit the attention-span criteria of a busy person. They are regular so that retention of information will be more effective.

"We consider how employees multitask and the training fits in that attention-span window," said White. "Also, how often people get interrupted coupled with how they remember. And the frequency of having training weekly makes it a lifestyle difference for employees."

Wednesday, December 10, 2008

The Importance of the Human Firewall

Given the numerous security breaches that have been reported in recent times, the need to secure and protect corporate networks and sensitive data is becoming increasingly clear to senior management. That development is certainly a welcome silver lining to the dark cloud of network compromise, facilitating the enactment of stricter security policy and the deployment of tools such as intrusion detection and identity management systems.

Unfortunately, these measures often don't bring about the promised added security or immunity to unauthorized access. One contributing factor is certainly that security measures are often implemented piecemeal and allow gaping holes to remain. Simply installing an intrusion-detection system at the primary Internet gateway to increase monitoring capabilities, while helpful, will not eliminate exposure to harmful attacks unless other necessary precautions are also taken, including hardening web and database servers and host operating systems, and restricting internal access to sensitive information.

Another and often more common reason for the failure of security measures to provide real protection is that employees of an organization are not made aware of the security policy, or of what they need to do to comply with that policy. Firms often forget this step, or skip it completely.

Sometimes information security departments try to force security measures on end users, attempting to use technology to achieve compliance. For example, rather than training users to choose strong passwords and protect them, IS departments use tools that force all users to follow the password policy, but these tools do nothing to stop users from writing down their passwords or sharing them with colleagues. Employing user provisioning tools to implement access control throughout an organization can help restrict users to only the information they are authorized to view, but these tools can't stop users from being careless with documents once printed, or prevent them from keeping insecure copies of the information in their machine's cache.

For employees to change their activities, they must be convinced of why being more security conscious is important. In other words, beyond being able to say that being hacked is an unwanted occurrence, do employees really know the potential consequences of an outsider having access to the organization's data? There's no reason to assume that a given employee would have this understanding—especially if he or she is not privy to the full spectrum of information the organization maintains. And if your employees don't comprehend the consequences, you can't expect them to adopt security measures thrust upon them.

Users must understand that the actions they perform have an impact on the firm's security posture, which in turn affects the firm's bottom line and their own job security. Cases such as these exemplify the need to make all employees and end users aware of the need for security, and to train them to do their part in securing the enterprise.

Thursday, December 4, 2008

The Need for an Awareness Program

In view of regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), and of standards such as the ISO/IEC 27000 series from the International Organization for Standardization, it is very important to determine what needs to be covered in an information security program and who takes responsibility for its various components. These regulations and standards require organizations to implement policies, procedures and technologies to protect sensitive information assets.

The demands of new regulations such as SOX, HIPAA and GLBA, of contractual standards such as PCI DSS, and of statutes that require disclosure of security breaches to consumers force businesses to implement security measures. Corporate executives can now be held personally liable, facing fines and even jail, when security lapses occur. Most security breaches occur because of a weak link in the information security chain, and that weak link is usually human rather than technological failure. In view of this, the security landscape is changing.

As cited in audit reports, periodicals, and conference presentations, the IT security professional community understands that people are one of the weakest links in attempts to secure systems and networks. The people factor, not technology, is key to providing an adequate and appropriate level of security. If people are the key but are also a weak link, more and better attention must be paid to this asset. A robust, enterprise-wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities and properly use and protect the IT resources entrusted to them.

An effective IT security awareness and training program explains the proper rules of behavior for the use of the organization's IT systems and information. The program communicates the IT security policies and procedures that need to be followed. This must precede, and lays the basis for, any sanctions imposed for noncompliance: through awareness and training, users are first informed of what is expected of them, and only then can accountability be derived from a fully informed, well-trained, and aware workforce.