This is something that I heard in a meeting a while ago. My immediate response was to politely slap the guy that said it but then realised that my income would be questionable if I did that, so I let him continue....
"We don't need to formulate detailed security requirements at this stage..." (I should point out that they were planning to be designing the functional requirements for the solution in question for over a year) "...since these will come out of any risk assessments we do"
Let me understand this (I thought): this company has spent several million dollars coming up with the solution, invested in resources, and only now is thinking about security. Combine that with the fact that no risk assessments had been done...at all... no really.. I'm not making this up.
It made me think, I've been in security for around 20 years, specifically information security for about 13. I appreciate that when I started out, security was the thing that got in the way of functionality. It was a pain, it was expensive and it was tricky to implement without making the user experience a complete nightmare.
What's changed? Well, the key is the thinking. A lot of businesses still think in terms of technology. Buying a firewall, AV, IPS/IDS and "hardening" systems is all good and well, but placing sole reliance on these to protect corporate assets? I think not. Getting the business to understand security is the way to go; and by business I mean the suits with the executive bathrooms. These guys and girls are now responsible for protecting assets (SOX anyone?), yet they sometimes have trouble understanding this. So how can we help them sleep easy at night? Here's my take on a couple of areas...
1) People - aka Layer 8 (geek joke.. look it up!).
Since security is generally getting better, we need to convince firms that their people need to be more aware of security risks and how to act and react in the face of these. Social engineering is a good example and it is a nightmare to train people to identify. Since the users have access to the assets we are trying to protect (the data), the easiest way to get to it is not to launch a complex technical attack against the systems, but to launch a simple dumb attack against the users.
Many moons ago I used to do physical penetration testing (can I get in the building and get to the server room etc...) and as part of that did social engineering. 9 times out of 10, I would get the data I needed. I did it with banks (and got them to read bank statements over the telephone to me), did it with medical facilities (medical records anyone?), even did it at military facilities (you don't want to know). The problem was always the same... People like to be helpful and want an easy life. If they can help me with my problem, it makes them feel good about themselves.
A small test for you if you're reading this in your office. If you have an area that is secure and you shouldn't go in (think swipe card, keypad etc..), I challenge you to stand outside the door with a cup of coffee in each hand and a mobile phone clamped between your ear and your shoulder, pretending to talk (hint - turn the phone off first.. really embarrassing if it rings when you do this!). I guarantee that the majority of the time someone with legitimate access will stroll up, see you in your predicament and offer to hold the door open for you. NOTE - I don't condone this, I'm not responsible if you get fired doing this and I will not refund money invested in coffee. NOTE 2 - Doing this when there are armed guards on either side of said door is dumb!
Summary...educate staff. They need to be part of the security process. In fact, they need to be a major part since if they can be educated correctly, they can extend your security perimeter dramatically. Effectively you can create a human IDS - one that can determine the threat, analyze the risk and prioritize the escalation path.
2) Process
OK, so we've got the people sorted out. They've bought into the security idea and are raring to get out there into the workplace and become foot soldiers of the C.I.S.O. Now we need to do some things to baseline the security and build some rules for monitoring the environment and updating our overall security to adjust to threats. This really is not rocket science (aside - have you ever wondered what rocket scientists say in place of that phrase? Me too!). Here are some things to be done:
- Risk Assessment: A process to identify threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.
- Information Security Strategy: A plan to mitigate risk that integrates technology, policies, procedures and training. The plan should be reviewed and approved by the board of directors.
- Security Controls Implementation: The acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties (back to the people again!!)
- Security Testing: The use of various methodologies to gain assurance that risks are appropriately assessed and mitigated. These testing methodologies should verify that significant controls are effective and performing as intended.
- Monitoring and Updating: The process of continuously gathering and analyzing information regarding new threats and vulnerabilities, actual attacks on the institution or others combined with the effectiveness of the existing security controls. This information is used to update the risk assessment, strategy, and controls. Monitoring and updating makes the process continuous instead of a one-time event.
These are processes. Doing them will go some way to helping the business become and stay secure. The thing is - going back to my original point - do not wait until you are midway through a multi-million refit / project / installation before thinking about these. Retrofitting security will add to timelines and invariably cost the business a lot of cash later on in the project.
Oh yeah, and the firewalls and other stuff... they're still there under the banner of security controls implementation. So all of you Checkpoint people can now relax.
Here endeth the ranting….