
Integrating Security into the Corporate Culture


Enterprise Security
Steve Purser 10/06/2004



Introduction

At a major security conference several years ago, I asked a group of security professionals to define risk in such a way that it could be understood by non-specialists and then to suggest different ways of reacting to risks once they had been identified. Interestingly enough, many of those present were able to come up with good examples of risks, but defining risk in practical terms as a concept turned out to be a difficult exercise, even for security professionals. Equally interesting was the fact that although everyone realized that risks could be managed by some kind of mitigation exercise, very few people identified the option of transferring the risk to a third party (e.g. by insurance or contractual means) and even fewer suggested that it might make sense to simply accept certain risks. The important point here is that thinking about risk is not necessarily simple and even the experts can have difficulties when they are put on the spot.

Nevertheless, the notion of risk is at the heart of information security. Implementing real security involves understanding security-related risk and reacting appropriately and, in general, the better employees are at doing this, the more secure the enterprise will be. Put another way, even well-designed technical controls and procedures will be of limited value if the staff involved do not understand why they have been implemented, what they are accomplishing and their limitations. As the previous paragraph illustrates however, achieving this level of understanding represents a major challenge and normally involves a great deal more than an annual awareness initiative. Indeed, for many organizations this will involve a cultural change requiring the integration of security concepts into the working culture.

Recent surveys in the area of information security confirm that there is still a lot of progress to be made in this area. For example, one of the key findings of the 2004 CSI/FBI Computer Crime and Security Survey is that although organizations view security awareness training as important, they do not on average believe that their organization invests enough in this area [1]. This conclusion is supported by the Ernst & Young 2003 Global Information Survey, which reports that only 29% of organizations list employee awareness and training as a top area of information security spending [2]. Much along the same lines, the Australian Computer Crime and Security Survey 2004 notes that “the most common challenges and difficulties respondent organizations faced were changing user attitudes and behavior (reported by 65% of respondents) and keeping up to date with information about the latest computer threats and vulnerabilities (reported by 61% of respondents)” [3]. Finally, the DTI Information Security Breaches Survey 2004 points out that the relatively low priority businesses give to educating their own staff is surprising, given that a significant proportion of businesses recognize a need for more information security advice from third parties [4]. These results are largely in line with previous surveys in this area [5].

This short paper analyzes why organizations should consider spending more time on developing a culture that is both aware and capable of responding to security-related risk and goes on to suggest ways in which this could be achieved.


Why culture is important

Before examining techniques for introducing cultural change, it is useful to look at some of the ways in which the level of staff awareness and training can have a drastic effect on the success or failure of the security process as a whole or on specific security mechanisms and procedures. In order to make the point, we will (rather arbitrarily) look at four separate areas within the information security process:
  1. The decision-making process.
  2. Client-side security.
  3. Server-side security.
  4. Recognizing and handling incidents.
Of these four areas, the first best illustrates how a lack of education and awareness can fundamentally compromise the whole information security process. In order to understand this, it is important to realize that one of the biggest paradigm shifts that has taken place in the area of information security in the last decade is the realization that security is a business issue. In other words, although much of the analysis, design and implementation of security solutions will require highly competent technical staff, the key decisions should be driven by business concerns and not technical ones.

When viewed from an opportunity and risk perspective, this makes a lot of sense: organizations take risks every day, and the way in which they take risk can be considered part of their business model. Indeed, there is nothing particular about security-related risk, except perhaps that it can be extremely difficult to understand when IT systems are involved. When viewed from an awareness perspective, however, the survey data cited in the introduction suggests that this is a rather hopeful view of things and, in reality, many organizations might not have attained the level of user awareness and education necessary to make this model work in practice. Organizations that have adapted their core processes to align with this model without having achieved the necessary awareness may well find that the real decision-making is taking place outside the agreed procedural framework. Under such circumstances, business managers will not have the knowledge or understanding necessary to make an informed decision and are more likely to blindly accept recommendations made by specialists than to challenge them.

The fact that user awareness and education have a big impact on client-side security is easy to understand. Even when client software and operating systems are locked down (and in principle inaccessible to the end user), it is clear that poor decisions made by the user can easily compromise security. Hence, user communities that do not appreciate the techniques used to spread viruses and other malicious code via e-mail and web channels will be more open to infection in the window of risk before the corresponding pattern files are available. Similarly, inappropriate responses to pop-up boxes during a web session can have wide-reaching consequences. More fundamentally, where users do not enforce a minimum of physical security over their personal computers or laptops, not only are the machines open to theft, but it may be possible to modify their configuration using attacks that exploit the boot sequence (similar to NTFSDOS or Linux boot disk attacks). Widening the discussion to other types of client device, staff who upload business data to PDA devices may not take the time to consider what the impact will be should the device be lost or stolen, whereas those who limit the use of PDAs to receiving and sending e-mail have little control over the information that is sent to them (and so may unwittingly store confidential information on the device).

Taking the example of malicious code one stage further, it is obvious that once a client has been infected, it is usually only a matter of time before servers are infected too. For example, where malicious code spreads by infecting files, the file server will be infected as soon as the client saves an infected file to it. A more interesting example of where poorly adapted cultural values can have a big impact on server-side security is in the area of system administration. Where administrators consider repetitive tasks dull and uninteresting, these tasks may not get done or, at best, may be carried out reluctantly. For instance, because of the complicated syntax of log file entries, performing a correct log analysis on some platforms requires highly skilled staff. Where such staff are in short supply and there are more interesting tasks to be done, there may be a tendency to avoid the more routine work. More generally, it is often easier to motivate engineers to implement new technology than to administer it once it is in place.

The last example in this section is concerned with recognizing and handling incidents. Whereas recognizing some incidents (such as a virus infection) is relatively straightforward, others can be very difficult to recognize. Personnel who are sufficiently aware of security issues and correctly trained in their day-to-day activities should be capable of developing a ‘feeling’ for what constitutes normal behavior of the system or process they are dealing with. This is extremely important, because the control system (i.e. the procedures and mechanisms deployed to reduce IT-security-related risk) is designed to cope with known risk scenarios. Where unusual risk scenarios crop up, the capability to recognize unusual behavior is at the root of incident recognition. Furthermore, the extent to which the organization is really secured will also depend on the ability of staff to handle incidents appropriately, which usually means understanding and correctly using existing incident handling procedures.

These short examples illustrate that real security is not just a question of well-designed technical infrastructure and tight procedures. In order to ensure the right result, staff must understand the framework they are working in and be capable of adapting their behavior to respond to new and unforeseen events.
