Towards a secure mindset
The gatherings of the hacker community at Black Hat and Def Con have provided opportunities to survey the professionals whose eyes and ears are closest to the security threat coalface. Recent attacks and breaches show a shift from targeting information systems infrastructure to targeting the applications and the individuals within organisations, both of which have legitimate access rights to corporate intellectual property and to sensitive client and consumer data. Indeed, surveys by both Blackhat.com and Thycotic found that social engineering attacks aimed at individuals within organisations are seen as the biggest threat to the security of corporate information stores. For applications, there are two key mitigation strategies. Direct protection ensures the application is not vulnerable to known attacks, through secure design, timely patching of identified security vulnerabilities, upgrades to more secure versions, and secure configuration. Indirect protection uses tools such as host and network integrity monitoring and application-aware firewalls. Both can be used to protect critical applications (and their data) against targeted attacks.
Notwithstanding possible ethical issues, the human equivalents of the direct protection strategies of patching and upgrade are difficult to implement, at least at scale! This leaves us with the final option: secure configuration. Can we apply a secure configuration to humans? Most organisations implement the first steps towards this, starting with raising security awareness through training sessions; these may be followed up with evaluation tests and regular reminders on logon screens, screen savers and posters. These elements at least give employees and other associates of an organisation some foundation in their security responsibilities: security 101 for employees, if you like.
But, whilst cybersecurity has become a business requirement, and staff security awareness training and reminders are now considered a mandatory part of a good cybersecurity posture, experience has shown that simply presenting employees with periodic eLearning materials is not enough. To effectively mitigate the single biggest cybersecurity weakness in many of our organisations, we need to make that configuration change: we need to help our users develop a secure (maybe even “security first”) mindset.
As an analogy, most of us would lock the external doors of our homes, and we would not invite total strangers in and give them the freedom to roam. Yet many of us merrily go about our day doing the technology equivalent of exactly this with our corporate and personal assets. However, until relatively recently in historical terms, people did not routinely lock their front doors either. What ensued was a change of mindset in response to perceived and real changes in local and regional threats. Ever since we were children, we have been told to lock our doors when we leave our homes. This advice is initially shared by our immediate families and primary carers and subsequently reinforced by the wider social community. In time, securing our homes when we go out becomes second nature. This approach of initial guidance followed by regular reinforcement changed our behaviour in how we secure our homes. Although most of us are no longer children by the time we join a corporation, the same guided education strategy, with frequent gentle reinforcement, can and should change mindsets and provide enhanced protection against what is currently the biggest single threat to an organisation: its users. As Abby Christopher stated eloquently, we need to implement the ‘human (sic) firewall’.
Dr Wendy Ng, CISSP, CCNP; 11th October 2017