The Human Element - Our Greatest Exposure
Post 9/11, in the name of security, we have all been taking off our shoes and limiting ourselves to 3.4oz (100ml) containers of liquids in a clear bag when boarding an airplane. Yet, despite all of these 'safety' measures, a man was allowed to board an international flight with no passport, no checked luggage, and a one-way ticket bought with cash. Finger-pointing will go on for months over this, but the hard truth is that simple common sense was lacking in the human element.
We humans are almost always the weakest link. Ask yourself: do you know somebody who has their password on a post-it note stuck to their computer monitor? Your company may have a policy that enforces complex passwords and requires that they be changed on a regular basis. The post-it note still puts that user's computer, and the entire network it is attached to, at risk.
In the IT security world, the initials C-I-A stand for confidentiality, integrity and availability. Many engineers focus almost entirely on availability. While system and data availability are important, take care not to expose your company to huge security risks in pursuit of it. Consider the engineer who opens every port on a firewall so that the machines on either side can 'talk' to each other: that person is a firewall engineer, but not a firewall security engineer. Or consider the software developer who unknowingly, yet routinely, places security vulnerabilities such as cross-site scripting and SQL injection into the applications he writes. Send your firewall engineer to security courses so that he understands that a firewall needs only the specific ports a service requires to be open, for example port 25 for SMTP e-mail, leaving the other 65,534 ports closed.
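The difference between the two firewall engineers above is visible in the ruleset itself, and it can be checked mechanically. The following is an added example, not code from the article or its author: a small Python audit that reads the text format written by `iptables-save` and flags inbound ACCEPT rules that do not restrict the destination port, as well as chains whose default policy is ACCEPT. Both rulesets embedded below are constructed samples, one the "open every port" configuration and one a default-deny configuration that exposes only TCP port 25.

```python
"""Audit an iptables ruleset for 'accept everything' inbound rules.

Added example (not from the original article). Parses iptables-save output
and reports inbound ACCEPT rules with no destination-port restriction, plus
INPUT/FORWARD chains whose default policy is ACCEPT.
"""
import re
import shlex

# Constructed sample: every port open, the 'just make it talk' ruleset.
PERMISSIVE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
COMMIT
"""

# Constructed sample: default-deny inbound, only SMTP (TCP/25) exposed.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
COMMIT
"""

INBOUND_CHAINS = {"INPUT", "FORWARD"}
PORT_FLAGS = {"--dport", "--dports", "--destination-port"}
STATE_FLAGS = {"--ctstate", "--state"}


def _value_after(args, flag):
    """Return the token following `flag` in an argument list, or None."""
    if flag in args:
        idx = args.index(flag)
        if idx + 1 < len(args):
            return args[idx + 1]
    return None


def _is_justified_accept(args):
    """An ACCEPT without a port is fine only for loopback traffic or for
    replies to connections the host itself initiated."""
    if _value_after(args, "-i") == "lo":
        return True
    for flag in STATE_FLAGS:
        state = _value_after(args, flag)
        if state and "ESTABLISHED" in state.upper():
            return True
    return False


def audit_ruleset(text):
    """Return a list of findings (strings); an empty list means no issues."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Chain policy lines look like ':INPUT ACCEPT [0:0]'.
        policy = re.match(r"^:(\w+)\s+(\w+)", line)
        if policy:
            chain, action = policy.groups()
            if chain in INBOUND_CHAINS and action == "ACCEPT":
                findings.append(f"{chain}: default policy is ACCEPT, should be DROP")
            continue
        if not line.startswith("-A "):
            continue
        args = shlex.split(line)
        chain = args[1]
        if chain not in INBOUND_CHAINS or _value_after(args, "-j") != "ACCEPT":
            continue
        if any(flag in args for flag in PORT_FLAGS):
            continue  # restricted to specific port(s): the intended shape
        if _is_justified_accept(args):
            continue
        findings.append(f"{chain}: rule accepts all ports: {line}")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("permissive", PERMISSIVE_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {name} ==")
        for finding in audit_ruleset(ruleset) or ["no findings"]:
            print("  " + finding)
```

Run it against a real host with `iptables-save | python3 audit.py` after swapping the embedded samples for `sys.stdin.read()`; the point is that "only the ports the service needs" is a property you can test for, not just a slogan for a training course.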
Most schools only teach how to write code in one of the numerous languages such as Java, .NET, C++, etc. Make sure your developers are also trained in secure coding practices. Bottom line: consider what security exposures your company will have if your software developers and firewall engineers do not have appropriate security training.
As important as it is for engineers to have appropriate security training, everybody within your company needs security awareness. If you exempt people because of their position in the company, you will greatly weaken your overall security posture. Leading by example is important. I tip my hat to the CEO who follows the rules by wearing the required security badge and changing his password just like everybody else does. Security awareness needs to be more than a catch phrase. Have a program that recognizes people for reporting potential security problems, as well as one that corrects those who commit security infractions.
Black & White
Use very clear policies where possible. For example, you've just spent thousands of dollars on secure document disposal bins, and you have a service come and shred all your sensitive paper documents at your facility. Which documents need to be put in a secure bin, and which can be thrown away in the trash can under the desk? I guarantee you that you will get NO consistency on this issue if left up to the discretion of your employees.
Adopt what can be called a wet/dry policy. Require everything that is printed to be placed in a secure disposal bin and never in an open trash container. Limit the trash can to items such as banana peels, apple cores, and the last bite of the sandwich that you couldn't finish. This will help protect your company from having documents with sensitive data on them discovered by dumpster divers and showing up on YouTube. Such a policy is also easier to enforce. I don't particularly want to sift through open trash cans making sure the paper thrown away doesn't contain Social Security numbers or HIPAA-protected health records. It's much easier to say: if it's paper to be thrown away, put it in a secure bin, period. Such policies are easier to follow, easier to enforce, provide better security and ensure a better return on your security investment.
Philip Alexander is a 20 year veteran in the IT security field, a professional speaker, and the author of the books, Information Security: A Manager's Guide to Thwarting Data Thieves and Hackers, Data Breach Disclosure Laws: A State by State Perspective, and Home and Small Business Guide to Protecting Your Electronic Assets, Privacy, and Identity.