The Social Engineering of Security
A few weeks ago, I was talking to the operations manager of a medium-size bank in New England. We were discussing a new commercial online banking application the bank was planning to roll out. He wanted to use a strong authentication model, but the product managers were overruling him. "User name and password is perfectly acceptable to all of our competitors," the logic went. "Why should we do anything different?"
Why, indeed? The difficulty in securing your enterprise is no longer a technical problem. It is a social, political and cultural problem. Senior leadership wants objective measurement of an inherently subjective discipline; peer managers dont understand that their participation is necessary; users continually do foolish things; the threats are changing daily; and many organizations are forced to do more with fewer people. Is it any wonder that IT and security managers are overworked and overwhelmed?
Security management today consists of mostly putting out fires. You do what you can, hope you havent missed something and pray that today isnt the day an overlooked BIND vulnerability is used to hack into your company.
There is simply too much information to process and no tools to help you make sense of it all. But a careful, methodical, consistent approach to security can go a long way toward mitigating risk. Following are best practices gleaned from my 20 years of managing IT security in government and commercial enterprises.
Get everyone on board
Sure, universal buy-in is a cliché, but it is still one of the most important things your company can do. Start with senior leadership. They need to understand their role in defining what needs to be protected and why. Are you about to expose your financial system to the Internet to support that e-business initiative? Management needs to understand the associated risks and protective measures that need to be taken.
Develop a security infrastructure
A good security architecture will go a long way toward enabling secure operations in the future. Is account management a nightmare because of the number of different systems? Then invest in a provisioning system to ease the administrative burden. The job is complicated enough. Smart infrastructure investments will allow your personnel to concentrate on the important things.
Training and awareness
A good training and awareness program will pay for itself. Concentrate on teaching the good behaviors that you want your users to follow. Is every month accompanied by a day of downtime while the latest e-mail virus is cleaned up? Teach users about viruses and how to protect important data. Be sure to incorporate testing into the program to keep your users from ignoring the message.
Develop threat sources
There are hundreds of Web sites that provide security information and alerts. But theres only so much information you can digest. In addition to your vendors sites, bookmark sites that have distinguished themselves by providing measured, trustworthy information. (For a list of eWeek Labs recommended security resources, go to Page 26.) Did you find out about that operating system patch after it was used to deface your Web site? Establish a daily routine to check for changes to your security profile.
Dont protect everything
Work with senior leadership and peer managers to determine what needs to be protected. Are you spending money securing product information that is freely available in your catalog? Invest your time and money in protecting important resources instead of peripheral information.
Carefully consider outsourcing options
There are plenty of managed security vendors out there, but be very careful before going down this road. Is a provider proposing to handle all firewall configurations for you? Make sure the provider can do a better job than you can do.
Even if you do hire an outsourcing company, you are still ultimately responsible. Make sure you are in control of how your systems are going to be protected.
Develop a response plan
Plan alternate configurations that will provide more secure profiles in the event of an attack. Was your organizations response to the last attack to go offline while a plan to counter the threat was developed? This reaction is typical but tremendously damaging to your business. With predefined configurations, you can operate in a degraded mode while resolving security problems. This allows you to respond procedurally, instead of wasting valuable time trying to formulate a response.
Perform regular audits
You cant catch everything. Did your last audit result in an embarrassing meeting in front of the board, where every mistake was examined in excruciating detail?
Enlist a third party to regularly audit your security profile for omissions and new threats. Performed on a regular and consistent basis, these audits become a valuable tool instead of a political event.