People and IT Security
By Danny Bradbury
Using multiple antivirus engines together with intrusion prevention systems is supposed to better protect your network against multiple attack vectors. Sounds great, but unless you include people in your multi-layered security portfolio, your company is still vulnerable.
A year ago, HP got caught red-handed employing investigators who pretended to be someone else to gain access to information. Many commentators have called this 'pretexting'. In reality, practices such as this have existed for hundreds of years in various forms, and are known as social engineering. Companies often overlook social engineering threats, taking a blinkered approach to security. The reason is simple: compared to hardware and software, people are difficult to configure.
One of the better books on social engineering, Kevin Mitnick and William Simon's The Art of Deception, details some of the ways in which an organisation can be attacked with nary a port sniffer or network mapping tool in sight. Exploiting weak passwords is an obvious option, but what about calling up the receptionist and impersonating a senior executive, demanding that she give you the names and telephone extensions of all the managers engaged in a particularly sensitive internal project? Calling a recently employed HR person and pretending to be the IT director in a rush can also elicit supposedly private information.
The perils of social engineering
The problem for companies that are serious about locking down their security is that approaches to securing people against social engineering are often haphazard at best, warns Martin Rico, president of Inspired eLearning, a company specialising in employee security awareness training.
"The reality is that a lot of security unfortunately happens when you are putting out fires," he says. "How do you do that more proactively?"
The first step in creating a framework to promote security awareness among employees is to develop the policies you intend to promote. They may already exist, says Jeff Bennett, vice president of strategic solutions at FishNet Security, a security firm that offers awareness training.
The problem is that these policies may be dormant within the company. "Most companies have security policies written down somewhere, but the problem is that they're not pushed out to the wider user population," Bennett says. "In many cases, they're not even pushed out to the IT department. The first step is updating the policies, and looking at what data is important to them, and then to go department by department using that as an example."
However, before you start trawling the corridors trying to persuade employees of the benefits of security, the first hurdle is getting support from the highest levels of management, explains Nigel Jones, director of the Cyber Security Knowledge Transfer Network and leader of technology exploitation at the IT security business of QinetiQ, the technology research lab spun out from GCHQ. Getting board-level buy-in is more difficult than it sounds, he warns. "One thing that people are struggling with is the ability to express the economic value of security in terms the business can understand."
This is an important part of a converged approach to security that can help to resolve some of the broader risk management challenges facing board-level executives. "True risk management convergence involves consolidating all risk management functions and toolsets, and aligning them with the organisation's business objectives," says Kent Anderson, a member of the Certified Information Security Manager board within the Information Systems Audit and Control Association (ISACA).