Our End Users: The Weakest Link

Hackers and professional criminals are like most people; they want to accomplish their goal in the easiest way possible. As we have become better at implementing technical controls, such as hardening servers, more aggressive patching, and deployment of a vast array of security devices / appliances, they have two choices. A small number of highly technical, motivated crooks will find ways to defeat our defenses directly. However, the majority will simply follow Germany's World War II approach to the impregnable French Maginot defensive fortification and go around it, through lightly defended Belgium.

By analogy, our technical defenses are the Maginot Line and our users represent the often ignored and weakly defended alternative routes. So, why do the users represent such an easy target? The reasons are many: we should start by recognizing two distinct classes of users, even though the damage they can cause and the technical defenses against them are the same.

The first group consists of users (employees, contractors, guests, etc.) who have no deliberate desire to harm the business but may reveal corporate secrets, cause downtime, or create liability by distributing or hosting inappropriate or illegal content.

The first way they can cause any of the above problems is the absence of policies forbidding the actions that lead to those problems. Even if such policies exist, users may be unaware of them, the company may not enforce them, or there is no technical control to stop them. As Ronald Reagan said, "Trust but Verify."

Unfortunately, the performance of most companies is not encouraging in this area. Despite the fact that employee awareness is the crucial element here — so that all system users understand the company’s security policies and their responsibilities to comply — the results shown in a recent survey are discouraging. The numbers say two thirds of companies do a poor to average job training their employees, and that number rises to nearly three quarters for customers.

So the first thing you can do to improve your company’s security at a low cost (compared to technical tools) is to develop a comprehensive and understandable set of security policies. However, they will be ineffective if developed in a vacuum. You must engage the business units in their creation. This will help ensure your success in two ways. First, it will help to create the buy-in that is crucial to acceptance. Second, it will help ensure that your policies do not impede people from doing their jobs. If your policies do that, the end users will ignore them or find ways to work around them.

The second non-technical low cost thing you need to do is training. If people are properly educated, most will try to follow the rules, which will greatly enhance your security posture by making them less susceptible to the various forms of social engineering, including phishing.

The other group of users at your company is much smaller, but much more harmful. These are the "malicious insiders": trusted users who are deliberately trying to steal proprietary information or damage your systems via a denial of service attack. Because they are inside your perimeter security and often have knowledge of your security defenses, they are very difficult to stop. To see how dangerous they can be, just look at the recent rogue trader at Société Générale. The best way to defend against this attacker is a combination of policy and technology. Policies would include separation of duties, no sharing of passwords, and immediate deletion of unused accounts. Technology protections include secure logging with daily review, internal intrusion detection / prevention systems, and two-factor authentication.
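The policy and technology controls listed above (removing unused accounts, no password sharing, daily log review) can be turned into a concrete daily check. The script below is an added example, not code from the original article; it runs over a small constructed authentication log (the line format, account list and departed-user list are assumptions made for the illustration) and flags the three insider-risk conditions the paragraph names: accounts that have gone idle, departed users whose accounts still log in, and one account authenticating from two different sources within minutes, which is a common symptom of a shared password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Assumed line format:
# "<ISO timestamp> <account> <source ip> <result>"
SAMPLE_LOG = """\
2024-03-01T08:01:00 alice 10.0.0.5 success
2024-03-01T08:02:00 bob 10.0.0.7 success
2024-03-01T08:02:30 bob 10.0.1.9 success
2024-02-01T09:00:00 carol 10.0.0.8 success
2024-03-01T10:00:00 dave 10.0.0.11 success
2024-03-01T10:05:00 erin 10.0.0.12 failure
"""

# Assumed directory data: every provisioned account, and accounts whose
# owners have left (these should already have been deleted).
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}
DEPARTED_ACCOUNTS = {"dave"}

# Fixed "today" for the review so the example is reproducible offline.
REVIEW_DATE = datetime(2024, 3, 5)


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def stale_accounts(events, known, now, max_idle_days=30):
    """Accounts with no successful login in the last max_idle_days (never-used ones included)."""
    last_seen = {}
    for ts, user, _ip, result in events:
        if result == "success":
            last_seen[user] = max(last_seen.get(user, ts), ts)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in known if last_seen.get(u, datetime.min) < cutoff)


def departed_still_active(events, departed):
    """Departed users whose accounts still authenticate successfully: the deletion policy failed."""
    return sorted({user for _ts, user, _ip, result in events
                   if user in departed and result == "success"})


def possible_shared_credentials(events, window_minutes=5):
    """One account succeeding from two different source IPs within the window."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "success":
            by_user[user].append((ts, ip))
    flagged = set()
    for user, hits in by_user.items():
        hits.sort()
        for i in range(len(hits)):
            for j in range(i + 1, len(hits)):
                if hits[j][0] - hits[i][0] > timedelta(minutes=window_minutes):
                    break  # hits are sorted, so later ones are further apart
                if hits[j][1] != hits[i][1]:
                    flagged.add(user)
    return sorted(flagged)


def daily_review(log_text, known, departed, now):
    """Produce the findings a daily log reviewer would escalate."""
    events = parse_log(log_text)
    return {
        "stale": stale_accounts(events, known, now),
        "departed_still_active": departed_still_active(events, departed),
        "possible_shared": possible_shared_credentials(events),
    }


def review_sample():
    """Run the review over the constructed sample with the fixed review date."""
    return daily_review(SAMPLE_LOG, KNOWN_ACCOUNTS, DEPARTED_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding, accounts in review_sample().items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

On the sample data the review reports carol and erin as stale (carol's last login is over a month old, erin has never succeeded), dave as a departed user still logging in, and bob as a possible shared credential because of the two source addresses thirty seconds apart. In a real deployment the account and departed lists would come from the directory and the log from a collector the insiders cannot edit, which is the point of the "secure logging" requirement.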

One last point to make about the use of technology: while it is a necessary component for a defense-in-depth strategy, one should be careful not to be lulled into thinking that the technology alone will protect the organization. In the end, it is a combination of people, procedures, policies and technology that offers you the best chance to achieve “defense-in-depth.”
