Singing from the same hymn sheet, everyone with a passing interest in cyber security has a common message


Johannesburg, 11 Dec 2014

Cyber security, and those responsible for IT security, need to get with the times. They can no longer afford to be the "No!" men and women; they need to figure out how to become a business enabler.

In today's environment, most would concur with this message. After all, we want access to our business and data from any location, on any device and across whichever medium of connectivity is most convenient for us, the end-user. Gone are the days of being shackled to a desk, locked to a corporate laptop and funnelled through a VPN. It's me and my 2.5 devices, any open hotspot I can find and a direct line to the heart of the datacentre.

While it's easy to praise the productivity gains and ease of doing business, this does require a relaxation of policy, a loosening of controls and a shift in trust to end-users.

Most large organisations would typically adopt a security standard or framework such as ISO 27001:2013 or the ISF's "The Standard of Good Practice for Information Security" and, in certain cases, they would be required to abide by SOX, Basel, etc. This typically ticks the box on the policy requirement; however, the level of adoption and implementation varies wildly.

The selection and implementation of controls and enforcement mechanisms typically comes down to approaches and technologies the IT Security team are most comfortable with. This is typically balanced against the skill and resource availability (or lack thereof) within the company. With the assistance of security consultants, vendors and implementation partners, most organisations are able to address this aspect adequately.

The one factor that is only addressed in a cursory manner is the human aspect. The reality is that, by further enabling end-users, the attack surface increases. A malicious entity gaining access to end-user credentials becomes a malicious insider with privileged access and the ability to destroy and/or remove data by the same means used to enable the end-user (from any location, with any device). The human aspect is typically addressed by general e-mails and a few security awareness posters or workshops; a greater focus needs to be placed on the education and management of end-users in order to ensure that, while business is enabled, it is not compromised.

Unfortunately, there is no easy answer and only a comprehensive, holistic approach can reduce (not eliminate) the risk posed by the human factor. At the minimum, the following technical controls should be considered to reduce the impact of a breach attributable to such a risk:

1. Minimum privilege - Secure data at the source through the use of encryption, and audit user permissions to ensure that only specified users are authorised to access the data relevant to the performance of their job function. Example: it would be prudent to audit the use and existing permissions of an "Everyone" group on a regular basis.

2. System assessment/review - Penetration tests and vulnerability assessments should be conducted on an ongoing basis, and remediation of any identified risks prioritised. In addition, while organisations typically perform employee vetting on appointment, behaviour changes over time; employees with a high level of privilege in particular should be vetted and cleared on a regular basis.

3. Change auditing - The system and event logs generated by servers and appliances contain a wealth of information, but are a chore to review.

Performing change auditing through the use of the correct tools can assist in providing visibility and determining who changed what, where and when. The additional benefit of this approach is it can simplify troubleshooting through analysis of current and previous configurations.
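As an added illustration of the "Everyone" group audit in point 1 (this is example code, not part of the original article), the PowerShell script below walks a folder tree and reports every NTFS access control entry granted to the built-in Everyone group, flagging those that allow write, modify or full control. It assumes a Windows host where the caller can read ACLs; the root path `C:\Shares` and the report file name are placeholders.

```powershell
# Added example: list NTFS permissions granted to "Everyone" beneath a root folder,
# so that over-broad grants can be reviewed on a regular basis.
# Assumptions: Windows, caller may read ACLs, $Root and $Report are placeholders.
param(
    [string]$Root   = 'C:\Shares',                # placeholder root folder to audit
    [string]$Report = '.\everyone-acl-report.csv' # placeholder output file
)

# S-1-1-0 is the well-known SID for Everyone; resolving it keeps the comparison
# correct on systems where the group has a localised display name.
$everyone = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0').
    Translate([System.Security.Principal.NTAccount]).Value

# Include the root itself, then every directory below it.
$dirs = @(Get-Item -Path $Root) +
        @(Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $everyone) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited         # explicit grants deserve the closest look
                Owner     = $acl.Owner               # who is accountable for this folder
            }
        }
    }
}

# Allow entries that carry write-class rights are the ones that let a compromised
# account destroy or remove data, so they are reported separately.
$writable = $findings | Where-Object {
    $_.Type -eq 'Allow' -and ("$($_.Rights)" -match 'Write|Modify|FullControl')
}

$findings | Export-Csv -Path $Report -NoTypeInformation
"{0} directories grant Everyone some access; {1} allow write/modify/full control" -f
    @($findings).Count, @($writable).Count
$writable | Sort-Object Path | Format-Table Path, Rights, Inherited, Owner -AutoSize
```

Run it periodically and diff successive CSV reports to see which grants were added since the last review, which ties the audit back to the "who changed what, where and when" question in point 3.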

This approach is not meant to provide comprehensive security, but rather to suggest a starting point which reduces the risk of the human factor without having to spend the entire IT budget on security.

The bottom line is that humans are inherently fallible, which becomes very apparent when discussing cyber/IT security; this starting point serves the old adage "Trust, but verify".

Editorial contacts

Muhammed Mayet
Dee Smith and Associates
(+27) 11 575 3359
dee@deesmith.co.za