People and IT Security

Using multiple antivirus engines together with intrusion prevention systems is supposed to better protect your network against multiple attack vectors. Sounds great, but unless you include people in your multi-layered security portfolio, your company is still vulnerable.

A year ago, HP got caught red-handed employing investigators who pretended to be someone else to gain access to information. Many commentators have called this 'pretexting'. In reality, practices such as this have existed for hundreds of years in various forms, and are known as social engineering. Companies often overlook social engineering threats, taking a blinkered approach to security. The reason is simple: compared to hardware and software, people are difficult to configure.

One of the better books on social engineering, Kevin Mitnick and William Simon's The Art of Deception, details some of the ways in which an organisation can be attacked with nary a port sniffer or network mapping tool in sight. Exploiting weak passwords is an obvious option, but what about calling up the receptionist and impersonating a senior executive, demanding that she give you the names and telephone extensions of all the managers engaged in a particularly sensitive internal project? Calling a recently employed HR person and pretending to be the IT director in a rush can also elicit supposedly private information.

The perils of social engineering

The problem for companies that are serious about locking down their security is that approaches to securing people against social engineering are often haphazard at best, warns Martin Rico, president of Inspired eLearning, a company specialising in employee security awareness training.

"The reality is that a lot of security unfortunately happens when you are putting out fires," he says. "How do you do that more proactively?"

The first step in creating a framework to promote security awareness among employees is to develop the policies that you are to promote. They may already exist, says Jeff Bennett, vice president of strategic solutions at FishNet Security, a security firm that offers awareness training.

The problem is that these policies may be dormant within the company. "Most companies have security policies written down somewhere, but the problem is that they're not pushed out to the wider user population," Bennett says. "In many cases, they're not even pushed out to the IT department. The first step is updating the policies, and looking at what data is important to them, and then to go department by department using that as an example."

However, before you start trawling the corridors trying to persuade employees of the benefits of security, the first hurdle is getting support from the highest levels of management, explains Nigel Jones, director of the Cyber Security Knowledge Transfer Network, and also the leader of technology exploitation at the IT security business of QinetiQ, the technology research lab spun out from GCHQ. Getting board-level buy-in is more difficult than it sounds, he warns. "One thing that people are struggling with is the ability to express the economic value of security in terms the business can understand."

This is an important part of a converged approach to security that can help to resolve some of the broader risk management challenges facing board-level executives. "True risk management convergence involves consolidating all risk management functions and toolsets, and aligning them with the organisation's business objectives," says Kent Anderson, a member of the Certified Information Security Manager board within the Information Systems Audit and Control Association (ISACA).

If senior management can be persuaded to buy into a company-wide security drive, the next challenge facing security advocates in the organisation is to get the employees on board. As a senior technical member of staff at Carnegie Mellon University's computer emergency response team (CERT), Lawrence Rogers spends most of his day explaining technical issues to non-technical people. It is important to make employees understand why they're doing something, says Rogers - to make them stakeholders.

"If you give out company secrets, then the company will go out of business and you're going to be out of a job. Now is it important to you?" he asks. Getting that kind of message out to the users is a combination of practical education and of systematic reinforcement. "It's analogous to the World War 2 slogan, 'loose lips sink ships'," says Rogers, recalling the nationwide wartime secrecy campaigns that were reinforced using posters and other methods. "That's one way that people have tried, tying it to what people know. 'Change your password every day' may be the tagline at the bottom, but there has to be something else."

Getting user buy-in involves walking a fine line between ease-of-use and secure operation. There are two dangers inherent in reinforcing security procedures throughout the employee base. The first is that if the security measures are too difficult to follow, users will work around them. The second is that the more rigidity you introduce into your company's processes, the greater the impact on everyday operations and areas such as customer service.

"Absolute security is completely useless," says Ken Newman, security officer for American Savings Bank in Honolulu. "Even if you're in a customer role, you can still tie customer service and security together." For example, he says, a receptionist may be told only to give out certain information to the public. But she may also be given other contacts within the company who can handle requests for information that she is not allowed to divulge.

Ultimately, however, employee security practices must be enforced, and it is difficult to stop employees breaking the rules, especially if business conditions demand it. "If this is a revenue issue, then a lot of times people will skip through everything and make an exception," points out FishNet's Bennett.

Enforcing policy

One way to help enforce security policies is to reinforce them as close to the point of execution as possible. Inspired eLearning's Rico has a background in training the military, and says that many corporate ideas in security come from this sphere. "You have a local person charged with security. That person and the supervisor are usually the ones who are doing the policing."

Co-opting line of business managers and supervisors into the overall security effort is crucial, not only because they will monitor their workgroup for security breaches, but also because they can lead by example, says Rico. Without their leadership, employees may feel less inclined to toe the line.

Assigning responsibility to one or two individuals then makes it easier to quantify performance. "Make sure that for the management in each group, part of their employee reviews, their bonuses or some other thing that is being measured is tied to how well they have adhered to these policies," Bennett says.

Such measures are theoretically attractive, although in practice, you can imagine significant problems tying such a policy into existing human resources systems. Even PayPal, which due to the nature of its business has to be more security-savvy than most, has not yet tackled the correlation of security awareness to performance review, admits chief information security officer Michael Barrett.

Another way to help reinforce management responsibility is by allocating ownership of certain sets of data. One of FishNet's clients identified almost 150 separate data owners within the organisation. It put them through one-day training sessions, with associated exercises. "Those data owners then identify everyone that needs access to that information, and institute data access control policies," says Bennett. "The security department as a whole is letting the data owners know that these policies are important, and then giving them the tools and training to deal with that on an ongoing basis."

Bringing people into the process

Other activities, such as role-based training in addition to general security awareness training, can also help to enforce security policies within the organisation. Rico trains customers' employees once a year, but also sends out a security newsletter once a month. A newsletter can be a useful means of reinforcing messages about the impact of threats such as social engineering, viruses, and phishing. It is important to do this at the individual level, he says. "We bring this to their attention. If they get infected by a virus or a Trojan horse and their machine is turned into a spam bot, then that will be ultimately tracked down to them," he says. Employees should be aware of the potential for disciplinary action if they are found to be violating security rules.

Ideally, a company will marry an organisational focus on security awareness with technologies designed to enforce it. Technologies such as role-based access control (RBAC) can complement user education and awareness frameworks. Well-designed RBAC systems are already closely tied to the organisational structure. They assign privileges to employees based on the scope of their role within the company. This enables applications to define exactly the right privileges per individual, and no more, making it difficult for them to cross the line and do things with the computer systems that they shouldn't.
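The RBAC idea described above, as an added illustration that is not part of the original article and not any vendor's product: permissions attach only to roles, roles attach to people, and every access decision is denied unless some assigned role grants it. The role names, resources and staff names (receptionist, project-x-engineer, alice, bob and so on) are constructed for the example; the `access_report` method is a hypothetical helper showing what an entitlement review would look at.

```python
"""Minimal deny-by-default role-based access control (RBAC) model.

Constructed example: the roles, resources and users below are illustrative,
not real organisational data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One allowed action on one resource, e.g. ('staff-directory', 'read')."""
    resource: str
    action: str


class RBAC:
    """A user may do only what some role assigned to them explicitly grants."""

    def __init__(self) -> None:
        self.roles: dict[str, frozenset[Permission]] = {}
        self.assignments: dict[str, set[str]] = {}
        # Every decision is recorded so denied attempts can be reviewed later.
        self.decisions: list[tuple[str, str, str, bool]] = []

    def define_role(self, name: str, grants: list[tuple[str, str]]) -> None:
        # Each grant is (resource, action); roles are the only way to hold a permission.
        self.roles[name] = frozenset(Permission(r, a) for r, a in grants)

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            # Refuse rather than silently create a role nobody reviewed.
            raise KeyError(f"unknown role: {role}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        # Dropping a role immediately drops every permission it carried.
        self.assignments.get(user, set()).discard(role)

    def permissions_of(self, user: str) -> frozenset[Permission]:
        # Union of the permissions of every role the user holds; no role, no rights.
        perms: set[Permission] = set()
        for role in self.assignments.get(user, set()):
            perms |= self.roles[role]
        return frozenset(perms)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        allowed = Permission(resource, action) in self.permissions_of(user)
        self.decisions.append((user, resource, action, allowed))
        return allowed

    def access_report(self, user: str) -> list[str]:
        # Sorted "action:resource" entries: the view an entitlement review examines.
        return sorted(f"{p.action}:{p.resource}" for p in self.permissions_of(user))


def build_sample_company() -> RBAC:
    """Constructed roles and staff for a small organisation (not real data)."""
    rbac = RBAC()
    rbac.define_role("receptionist", [("staff-directory", "read")])
    rbac.define_role("project-x-engineer", [("project-x-files", "read"),
                                            ("project-x-files", "write")])
    rbac.define_role("hr-analyst", [("personnel-records", "read")])
    rbac.assign("alice", "receptionist")
    rbac.assign("bob", "project-x-engineer")
    rbac.assign("carol", "hr-analyst")
    return rbac


if __name__ == "__main__":
    rbac = build_sample_company()
    checks = [("alice", "staff-directory", "read"),   # her role grants this
              ("alice", "project-x-files", "read"),   # outside her role: denied
              ("bob", "project-x-files", "write"),
              ("dave", "staff-directory", "read")]    # no role at all: denied
    for who, res, act in checks:
        verdict = "ALLOW" if rbac.is_allowed(who, res, act) else "DENY"
        print(f"{who:6} {act:5} {res:18} -> {verdict}")
    rbac.revoke("bob", "project-x-engineer")
    print("bob after revoke:", rbac.access_report("bob"))
```

The receptionist in this model cannot read project files no matter how convincingly a caller asks, because the decision depends on her role, not on her judgement of the caller; the `decisions` list gives the security team a record of denied attempts to follow up, which is the kind of accountability the article argues for.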

Will employees using those systems share their passwords, or write them down on sticky notes? If you don't teach them the importance of security and make them accountable, you can stake your reputation on it - and in an age of embarrassing breaches, you will be.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.