Is security really everyone’s responsibility?

Bruce Potter, CTO, Ponte Technologies
Network Security, March 2008

“Security is everyone’s responsibility.” IT security professionals in halls around the world echo this phrase. It sounds reasonable on the face of it; keeping our systems secure is such a pervasive problem that it’s best tackled by everyone in the organisation. By spreading the responsibility around, we stand a fighting chance against an enemy that always seems one step ahead. Some companies have taken this idea to heart. When walking the halls you may find posters about information security with advice for all employees. Some organisations send out periodic reminders about threats they’re facing and good security practice. There may even be broad education programs about security designed to turn everyone into mini security professionals.
A bad idea

While the adage may sound great in theory, in practice it may really be doing more harm than good. A good analogy to start with is thinking about the role of routers and firewalls in your network. Routers, by definition, are designed to move packets from one network to another and deal with the dynamic nature of where networks live. Firewalls are designed to be security devices and protect your network and services from attacks. Even though routers are primarily network devices, modern routers have many security features that are similar to firewalls. The question becomes: ‘Even though your router can perform some security functions, should you make use of them? And if so, where do you draw the line?’ Routers, through access control lists or even full firewall feature sets as available in some Cisco devices, could be used to protect all your networks and services. However, routers usually do not have the rich features of modern firewalls. For instance, the management software may not have the scalability and audit capability of firewalls. The router may not handle deep packet inspection or advanced correlation. Similarly, firewalls may be able to route packets, but they are not optimised for integration into large scale networks and may lack all the interface types you expect.

The same can be said about the employees in your organisation and your network security professionals. While your employees may have the ability to perform some activities normally reserved for security staff, they probably shouldn’t. Auditing their workstation for signs of intrusion and ensuring their documents are properly and securely stored sound like great things for users to do. Unfortunately they are unlikely to do them, and even if they do they will do these activities incorrectly.
Users are the weak point in your organisation. Study after study shows that users will give up sensitive information or otherwise lead to a compromise in the network. For instance, I was involved in an email-based social engineering attack as part of a broader penetration test a few years ago. Our team sent out 100 emails in an attempt to get users to download a fake patch and install it on their workstation. We monitored the website the download was stored on, and figured we might get 30 or 40 hits. We ended up with more than 120 downloads of the ‘patch’. We found out later that some of the employees we had sent the email to actually forwarded it to others because they were trying to be helpful.

The moral: Users are the weak link. Expecting your weak link to be an integral part of the solution is a bad idea. Ideally, you should develop and deploy solutions that prevent users’ bad choices from compromising the system. Users will continue to make bad choices, regardless of how much education, how many posters, and how many emails they get. Your job as a security professional should be to remove the user from the security equation as much as possible.
What is everyone’s responsibility?

That’s not to say you should completely write off your users and completely abandon their contribution to your security efforts. Rather, you should have realistic expectations of what is and is not their responsibility. Going back to the router analogy, we can learn quite a bit from our networks. A router’s primary responsibility involves moving packets between networks, and it should also be responsible for protecting its ability to move the packets. For instance, a router should prevent malicious and incorrect route announcements from propagating through the network. Also, traffic that has no reason to be on the network, such as unneeded RFC1918 addresses and non-allocated networks, should be stopped by the router. By implementing these controls, routers can protect themselves and ensure they can perform their primary duty.

Your users should have exactly the same expectations levied on them by your security staff. They should be responsible for protecting the resources they need for their daily jobs. Marketing professionals need to understand the sensitivity of their marketing plans, and the risks to the organisation that affect those plans. Then, they should ensure they are adhering to document handling and storage processes that prevent the unauthorised disclosure of their information.
But that’s where their responsibility ends. Auditing their workstation for signs of intrusion is a job for the network security staff. Further, auditing of secure document storage processes and systems will ensure that the marketing staff sticks with the secure document policy. Similarly, your accounting department should keep financial information secret and understand the importance of not giving away any credential information that could be of use to adversaries.
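The ingress control the router analogy describes (dropping RFC1918 sources and other address space that has no business arriving from outside) can be shown as a small filter. The following is an added example, not code from the article or from Ponte Technologies; it is written in Python rather than as a router ACL so it can be run against constructed sample traffic. It goes one step beyond the text by also dropping packets that claim a source inside the organisation’s own prefix (203.0.113.0/24 is a constructed stand-in), since such a packet cannot legitimately arrive from the outside. A real deployment would take the list of currently unallocated prefixes from an authoritative, regularly updated source rather than the fixed list here.

```python
import ipaddress
from dataclasses import dataclass

# Ordered deny list, in the spirit of an ingress ACL on an Internet-facing
# interface. Each entry is (label, network); first match wins.
# "spoofed-own" is a constructed stand-in for the organisation's own public
# allocation: a packet claiming such a source cannot arrive from outside.
DENY_RULES = [
    ("rfc1918", "10.0.0.0/8"),
    ("rfc1918", "172.16.0.0/12"),
    ("rfc1918", "192.168.0.0/16"),
    ("reserved", "0.0.0.0/8"),
    ("reserved", "127.0.0.0/8"),
    ("reserved", "169.254.0.0/16"),
    ("reserved", "224.0.0.0/4"),
    ("reserved", "240.0.0.0/4"),
    ("spoofed-own", "203.0.113.0/24"),  # constructed: our own prefix
]
DENY_NETS = [(label, ipaddress.ip_network(net)) for label, net in DENY_RULES]


@dataclass
class Verdict:
    src: str
    action: str  # "permit" or "deny"
    reason: str  # first matching rule, or "routable"


def classify_source(src: str) -> Verdict:
    """Return the ingress verdict for one IPv4 source address."""
    addr = ipaddress.ip_address(src)
    for label, net in DENY_NETS:
        if addr in net:
            return Verdict(src, "deny", f"{label} {net}")
    return Verdict(src, "permit", "routable")


def filter_packets(packets):
    """Apply the policy to (src, dst) pairs seen on the external interface.

    Returns (permitted, denied); each denied entry carries the matched rule so
    drops can be logged and counted, as a router ACL entry with logging would.
    """
    permitted, denied = [], []
    for src, dst in packets:
        verdict = classify_source(src)
        if verdict.action == "permit":
            permitted.append((src, dst))
        else:
            denied.append((src, dst, verdict.reason))
    return permitted, denied


def deny_summary(denied):
    """Count drops per rule label: a quick view of what the filter catches."""
    counts = {}
    for _src, _dst, reason in denied:
        label = reason.split(" ", 1)[0]
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample traffic arriving from the outside; destinations sit in
# our (constructed) 203.0.113.0/24 allocation.
SAMPLE_PACKETS = [
    ("8.8.8.8", "203.0.113.10"),      # globally routable source: permitted
    ("10.1.2.3", "203.0.113.10"),     # RFC1918 source leaked or spoofed
    ("192.168.0.44", "203.0.113.10"),
    ("127.0.0.1", "203.0.113.10"),    # loopback can never be a source on the wire
    ("0.0.0.0", "203.0.113.25"),
    ("203.0.113.5", "203.0.113.10"),  # our own prefix arriving from outside: spoofed
]

if __name__ == "__main__":
    permitted, denied = filter_packets(SAMPLE_PACKETS)
    for src, dst, reason in denied:
        print(f"deny   {src:>14} -> {dst}  ({reason})")
    for src, dst in permitted:
        print(f"permit {src:>14} -> {dst}")
    print("drops per rule:", deny_summary(denied))
```

On a real router the same policy is a handful of deny lines on the external interface’s inbound ACL followed by a permit; the point of the example is the scope: the router drops only what can never legitimately reach it, and leaves deep inspection to the firewall.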
User training

Getting users to protect their own resources is going to cost something. Users must go through regular education to be any good at it, and their training should be tailored to the work they are performing. In our example, the marketing team would be trained on the specific systems and networks they use every day, alongside the information they access. The accounting team, on the other hand, would be trained on their specific accounting systems and information stores. This ensures that users get the best view of their job from a security perspective, rather than trying to follow generic security statements with only marginal applicability. Employees must also understand the risk involved with the work they are performing, as computerised attacks become more sophisticated and attackers are increasingly motivated by profit. Users rarely understand the real risk to their data and systems, even if they are up on current events and feel they are technically savvy.
It is important to emphasise specific threats and attacks against your network systems. If possible, user training should discuss previous events that have occurred on your network, similar incidents with other companies in your market, and even specific systems and networks that are at particular risk. There are many public examples of security events that can be researched on the internet. Be sure to not only explain the incident to your user population, but also explain the impact that it had on the company. If your users see the potential result of their actions, they will be more likely to comply with the rules you provide them.

Finally, security professionals need to hold up their end of the bargain. Your security staff needs to provide secure services for users to access every day. Further, it is important to understand users’ specific needs before you can tailor training towards them. It is equally important not to scare or desensitise the users to the threat. It is easy to reach a ‘sky is falling’ point with your users where they eventually start to tune out the message you are trying to tell them. Don’t over-burden users with responsibilities and roles. If your training places too weighty a responsibility on them, you may want to rethink your security plans and technology with respect to that part of the user population. Training your users and keeping their attention is a tightrope walk.
Parting shots

Just as you spend time engineering your networks and systems for security, it is important to consciously set boundaries as to what employees will and won’t be responsible for in your security program. By understanding exactly how your users fit into your overall security posture, your network will be better protected and you will be able to do your job more easily. The security industry has developed an attitude over the last several years; we tend to feel that security is the most important aspect of any enterprise. In reality, security is really an enabler for highly connected and technology-focused businesses. Through proper planning and training, you can make your users an integral part of your security success rather than over-relying on them, only to be disappointed later.
About the author

Bruce Potter is the founder of The Shmoo Group of security, crypto, and privacy professionals. He helps organise the yearly ShmooCon security conference held each winter in Washington DC. He is also the co-founder of Ponte Technologies, a company specialising in wireless security, IT security operations, and advanced network defence techniques.