Six Steps to Security Awareness
- The Importance of the Human Firewall
- Creating a Security Awareness Program
- Step 1: Gather Information
- Step 2: Develop a Format and Forum in Which to Present the Information
- Step 3: Prepare the Program Material
- Step 4: Present the Program to the Pilot Group
- Step 5: Present the Program to Senior Management
- Step 6: Develop a Schedule for Updating the Program
The Importance of the Human Firewall
Given the numerous security breaches that have been reported in recent times, the need to secure and protect corporate networks and sensitive data is becoming increasingly clear to senior management. That development is certainly a welcome silver lining to the dark cloud of network compromise, making it easier to enact stricter security policies and to deploy tools such as intrusion detection or identity management systems.
Unfortunately, these measures often don't bring about the promised added security, or immunity to unauthorized intrusion (read: hacking) as intended. One contributing factor is certainly that security measures are often implemented piecemeal and allow gaping holes to remain. Simply installing an intrusion-detection system at the primary Internet gateway to increase monitoring capabilities, while helpful, will not eliminate exposure to potentially harmful attacks without taking other necessary precautions, including hardening web/database servers and host operating systems, and restricting internal access to sensitive information.
Another and often more common reason for the failure of security measures to provide real protection is that employees of an organization are not made aware of the security policy, or of what they need to do to comply with that policy. Firms often forget this step, or skip it completely.
Sometimes information security (IS) departments try to force security measures on end users, attempting to use technology to achieve compliance. For example, rather than training users to choose strong passwords and protect them, IS departments use tools that force all users to follow the password policy, but these tools do nothing to stop users from writing down their passwords or sharing them with colleagues. Employing user provisioning tools to implement access control throughout an organization can help restrict users to only the information they're authorized to view. But these tools can't stop users from being careless with documents once in hardcopy, or prevent them from keeping insecure copies of the information in their machine's cache.
This scenario was witnessed in a penetration testing exercise aimed at assessing the client's internal defenses around their back-end databases. We plugged our laptops into a network jack on the same LAN as their internal users and were separated from the databases by a router and firewall. Before we attempted to attack the server LAN, we took a look at shares on several employee machines. Sure enough, one employee had a recent copy of the database on his local machine, in a public share.
I don't know if this was a malicious attempt to make sensitive data available for compromise, or if the employee was just trying to make it easier to do his job, but it underscores the human element in defending networks. The firewalls and access control lists put in place to defend the databases didn't take into account a user simply storing a local copy on the wrong side of those defenses.
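The scenario above is one an IS department can look for on its own workstations before an outsider does. The following PowerShell script is an added example, not part of the original article: it lists the non-administrative SMB shares on a Windows machine, flags those whose ACL grants access to a broad group, and reports any files in them that look like database copies or data extracts. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and local administrator rights; the list of "broad" principals and the file extensions are assumptions to be adjusted for your environment.

```powershell
# Added example (not from the article): audit local SMB shares for
# sensitive files exposed to broad groups, for use by the IS department
# on machines it administers. Assumes the SmbShare module and admin rights.
# The principal names and extensions below are assumptions for illustration.

$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$SensitiveExt    = @('.mdb', '.accdb', '.bak', '.sql', '.csv', '.xls', '.xlsx', '.dump')

# Skip special (administrative) shares such as C$, ADMIN$ and IPC$.
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # Which Allow entries on this share name a broad principal?
    $broad = Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.AccountName
        }
    if (-not $broad) { continue }

    # Look for files that resemble database copies or exported data.
    $suspect = Get-ChildItem -Path $share.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $SensitiveExt -contains $_.Extension.ToLower() }

    foreach ($f in $suspect) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Share     = $share.Name
            Path      = $f.FullName
            SizeMB    = [math]::Round($f.Length / 1MB, 1)
            GrantedTo = ($broad.AccountName -join ', ')
            Rights    = ($broad.AccessRight -join ', ')
        }
    }
}

# Show the results and keep a CSV so the findings can feed the awareness program
# (which users need a follow-up conversation, which shares need tightening).
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\share-audit.csv" -NoTypeInformation
```

A hit from this script is not proof of wrongdoing; as the anecdote shows, the employee may simply have been trying to make the job easier. That is exactly why the output is better used as input to training and a conversation about policy than as a disciplinary record.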
Cases such as these exemplify the need to make all employees and end users aware of the need for security and to train them to do their part in securing the enterprise.
For employees to change their behavior, they must be convinced of why being more security conscious is important. In other words, beyond being able to say that being hacked is an unwanted occurrence, do employees really know the potential consequences of an outsider having access to the organization's data? There's no reason to assume that a given employee would have this understanding, especially if he or she is not privy to the full spectrum of information the organization maintains. And if your employees don't comprehend the consequences, you can't expect them to adopt security measures thrust upon them.
Users must understand that the actions they perform have an impact on the firm's security posture that in turn affects the firm's bottom line and their own job security. The prime example of this is email viruses, which often rely on being downloaded and opened or executed by the target recipient. Other examples include selecting bad passwords or writing them down, not using a password-protected screensaver, or using an analog modem to dial out to the Internet from the office.
All these issues have led to network compromise. While the IS department or senior management can jump and scream that everyone has to do things securely, most security plans can be bypassed if everyone isn't on the same page. After all, it only takes one person in a company to download an email virus.