security — who cares?


FEATURE

Security — Who Cares?

Martin Smith

Security breaches invariably involve the blindingly obvious and are rarely the outcome of sophisticated criminal acts. Simple human error, ignorance or omission is most commonly at the root of all trouble.

A member of staff will rarely create chaos deliberately or with malice. Most people are honest but make mistakes. Most people want to do a good job, but can only do so when they have been trained. Most people, too, are happy to follow rules, but can only do so when such rules have been brought to their attention and explained.

For instance, a young secretary was told to make back-up copies of her floppy disks, which she did happily each evening. One day her computer broke down, and when she was asked for her back-ups she produced a neat ring-binder containing photocopies of her floppy disks.

Queries received at the PC Help Desk of a major Bank illustrate the problem further. Employees sought advice regarding "the length of the cable for my foot pedal" (the mouse) and "the coffee-cup holder on my laptop" (the CD-ROM drive).

The criminal will always take the simplest route to the riches. Rarely does an attack come from the outside. It is invariably via someone with authorized access, either directly or through subversion or coercion. The crook will take advantage of human failings to find a way through the defences. I have yet to find a computer that has committed fraud; there is always a person involved.

A major electronics warehouse and distribution centre had £500 000 worth of computer chips stolen overnight. There were no signs of a break-in and the burglar alarm had failed. It seems the thieves had visited the warehouse the previous day purporting to be from the maintenance company checking the alarms. Staff had given them the master keys and codes to all doors and alarms, which they had surreptitiously copied. To make things worse, the insurers refused to make good the full loss, citing carelessness by the company as a contributory factor.

The need for improved information security

For a number of compelling business reasons, our organizations need continually to improve the protection afforded to their information, computer systems and telecommunications networks. We operate in an increasingly hostile marketplace where competitive edge is essential.

A key success factor is the ability to manage business information of all types effectively, i.e. on time, accurately, and in many cases without disclosing it to unauthorized parties. Hence, information security is central to the continued growth and success of any company, no matter its size or market sector. Information security is not something just for the banks.

Most organizations have long ago passed the point where information technology is an optional extra. Business operations are totally dependent upon the correct and reliable functioning of IT systems and services. There is a pressing need to ensure all aspects of their security: their availability, together with the integrity and confidentiality of the information stored, processed and transmitted by them.

Most organizations are no longer insulated from the rest of the business community. Increasingly, we are extending our enterprises to include our suppliers, customers and business partners. As the corporate boundaries fall, so the need for information security increases if we are not to lose control over our own information resources.

Most business applications are moving away from the traditional mainframe computing environment to open systems and to distributed client/server applications architectures. We are all moving inexorably to increased information exchange: EDI, EFT, the Internet. The security issues associated with such a migration are vastly more complex than for the mainframe environment.

12 Computer Fraud & Security April 1998 © 1998 Elsevier Science Ltd

Many organizations, especially those in the financial services sector, are developing the range of services provided to their customers and are exploiting information technology to provide new ways of doing business. The benefits being sought include:

• fast time-to-market with new business systems

• increased productivity in all business activities

• improved service to customers

• providing access to new sales channels and markets

• extending the reach into the home with electronic banking and use of the Internet

• cost reduction in sales cycle and in administration

• cost reduction in computer hardware and infrastructure

Change is a magnet for risk, and all these developments have their dangers as well as their benefits. As a consequence, extreme caution is required.

There is a growing and increasingly sophisticated list of information security regulation and law. Abiding by the rules is not always sufficient. Organizations must also be able to illustrate due care and diligence in the way they do business. Failing properly to secure systems and associated information will not help your case, nor enhance your reputation in the marketplace.

Above all, though, the company's good name in the market, and amongst competitors, is paramount. A failure in information security can damage such a reputation quickly, significantly, and for a very long time. We can all recall household names where problems have sullied our view of them; we are all remembered by our last mistake, not our last success.

The challenges we all face

There is enormous complacency amongst most workforces towards any aspect of information security, and this is particularly true amongst senior business managers where the example should be set.

Those aspects of information security that have been introduced tend to encourage a false sense of security amongst the workforce. It is often assumed that if it has a password, then it's safe (no matter how many others you share that password with). Furthermore, if it has a password, someone else must be responsible for security. Backing-up "is done automatically by the network" ... or is it? Any security measure will actually reduce protection if it has not been enabled properly while the users believe it has.

Those information security activities that do go on within any large organization tend to be autonomous, fragmented and isolated. Rarely do the IT security staff talk sufficiently to the business, and even more rarely does the business talk sufficiently to IT security. More often, these pockets of IT security staff fail to communicate properly with other such pockets, or with the physical security staff, or even with Internal Audit. Add to that the stress which often exists between IT itself and the rest of the business, and the odds are stacked significantly against us.

There has been little success to date in 'selling' information security within the organization. It remains an abstract topic, someone else's problem, and certainly not worth the attention of the real workers (i.e. those making money) despite the fact that it is essential to business stability and growth. IT security retains a staid and boring image.

Too often, technical solutions are prescribed for people problems. No lock in the world is worth a jot if the users pass round keys to anyone. No medicine is ever going to work unless the patient takes it.


Has anything really changed?

Looking back over some 15 years' worth of surveys and reports by a host of celebrated authorities into security breaches and the status of information security generally, a trend comes through loud and clear. In almost every one, human error and ignorance can be seen at the root of most security incidents.

Clear, too, are recent reports appealing for improved security awareness. Indeed, in almost every advertisement for a senior security job, attention is drawn to the need for attaining "commitment and awareness at all levels of the organization".

So, is the message getting through? Unfortunately, only a tiny number of companies achieve good practice in information security. Nearly two thirds of organizations suffer major incidents to their information systems over any given year. Loss of services, facilities or equipment, system malfunction, inadequate operator/user skills and human error account for the vast majority. Those threats where, as an industry, our attention is most focused (technical attacks and interceptions on networks, hacking, viruses, access violations) hardly get a mention in the surveys. How can this be? Is it because those threats do not exist? Or do these threats go unnoticed?

It appears that information technology has still some growing up left to do. Lax basic discipline is common: ill-defined or unplanned changes to business requirements, poor system and network service management, inadequate testing, ineffective change control, unproven or incompatible technology, uncertain 'ownership' of critical business information and systems, incomplete contingency and recovery arrangements.

The house is still in some degree of disorder. Information and systems security professionals are trying to secure a careless home. The owners, and those who live there, need to be educated in the basics of housekeeping before any real progress can be made towards sensible and cost-effective systems' security.

Recent surveys recommend the following:

• establish management commitment for information security, properly understand the risks

• classify the assets, encourage personal accountability

• establish sufficient specialist resource, get the 'basics' right, control outsourcing, raise awareness

• put in place some performance indicators to measure the success of information security

The advantage is clear, and the principle well established. All employees, and not just a few at the centre, need to contribute towards security. Yet the need to get organized properly and then to communicate a number of simple security messages throughout the workforce is still low on many professional information security managers' lists of priorities.

Making a difference

Rarely does security receive the attention it deserves. We still, too often, focus on reactive security, dealing with the latest problem in a sticking-plaster way. Too often we are tempted into exotic solutions, developing ever more complicated solutions for increasingly obscure threats. The equivalent of brain surgery is used to treat problems that more often than not are akin to a common cold.

It is essential that we apply professional internal marketing and change management techniques to the security message. Change management need not be expensive or complicated. Internal marketing can be cheap and simple yet still be enormously effective. Creating a true security culture will take time and is best done in small steps, but real improvements in overall standards of security can be made quickly and with little pain. Effectively communicating simple security messages through a number of differing channels, most of which will probably already exist, will stem many of the dangerous weaknesses in our defences. Traditional marketing techniques can be deployed to strengthen the security imperative.


Determine the culture. It is important to match the security culture with the existing corporate dynamics so that a 'feel-good' factor is incorporated.

Identify priorities. Listen to your management and talk to the workforce. What do they want? What are their security concerns? It is important that everyone feels they have been consulted. Examine past security breaches - - have you learned from them and have you built on these lessons?

Create a security culture. There should be an overall, recognizable 'branding', with common themes. The messages should be clear, and correctly targeted at differing audiences using the most appropriate media. In short, professional internal marketing techniques should be applied to information security. This is a non-trivial task. It should be considered a process, not an event. It should be drip-fed, using every possible channel of communication available within the organization. It should be as simple as possible, and at all times the customer should understand "what's in it for me?"

Appropriate media/mechanisms. There are a number of ways of passing the message:

• The most effective method of successful message delivery is in the use of personal contact.

• The power of paper-based means of communication must not be underestimated. Straightforward User Guides will communicate many of the basic security messages.

• Induction packs for new employees and those beginning a new role are always well received and absorbed.

• Attractive and eye-catching well-designed merchandizing captures the imagination of employees.

• Computer-based training is a cost-effective awareness medium where staff can learn at their own pace and to suit their work schedules, and such a medium also provides easy measurement of knowledge and progress.

• It is a straightforward process to include simple security messages on logon screens, or through the electronic mail, Lotus Notes or via an intranet.

• Make videos; they are very effective.

Personalizing the messages. Different staff members have contrasting job functions, and the risks they face vary widely. Some deal directly with the public, others are office-based. Some are 'portable' workers, using the workplace as merely a base and relying on laptop computers and portable telephones. The information that staff collect and manipulate also varies considerably, in terms of volume and value.

It is necessary to split employees into discrete user groups, each with a common profile, so that personalized communication plans can be created that have direct relevance to their working day. The tone, media and mechanisms used to communicate the messages will also vary to suit these differing audiences. Do not forget to take into account any cultural issues, geographical or otherwise.

Keeping going

It is important to sustain support for your work. Never take the patronage of your internal sponsors for granted. Pass on the skills as far 'down the line' as possible so that the awareness programme becomes self-sustaining. Finally, never give up.

People will always be the weakest link in the defensive chain. But with a relatively small amount of effort they can also become the strongest weapons in our armoury. Gaining their commitment to information security is vital. Without it, all else will fail. The security job draws attention specifically to "attaining commitment and awareness to security at all levels within the organization".

This paper was first presented at COMPSEC '97 at the Queen Elizabeth II Conference Centre, Westminster, London, UK.
