Everyone wants to bolster his or her defenses, but what obstacles truly block the path to improvement? Security is often talked about in terms of new technologies - the latest IDS system, the newest anti-virus download, etc. But what if one of the biggest influences on our information security systems, perhaps the most critical variable, is something we seldom even consider - the human factor?
The truth is that as much as we try to protect our IT systems with upgrades and patches, employees - human beings - have a natural tendency to care most about what immediately affects them. Therefore, they represent a huge variable in the information security equation. It is all too easy for someone to make decisions that have the potential to affect everyone in an organization, but seemingly have the 'no impact on me' attitude. Individuals have a tendency to view their jobs in terms of what is on their desks and answering to the chain of command. Security can be a mystical force, the realm of unseen departments and managers. Lost is the notion that by simply downloading a file-swapping application, clicking open an attachment, leaving a laptop unguarded, working from home on an unsecured PC or loading data from a contaminated disk, users can cause tremendous damage.
We need security-savvy employees because there is no perfect automated enterprise at the present time, despite our progress. Look no further than the Anna Kournikova virus, which used simple social engineering to cause all sorts of trouble around the world in 2001 - to many companies that boasted healthy security budgets and defense mechanisms. A recent study of intrusions at online banking services has revealed that many victims' PINs and passwords were often divulged to hackers by call center staff answering fraudulent 'customer' queries. Again, behind the best technology money can buy, vulnerabilities always occur at the weakest link.
We look at security with a blindfold on, in a sense. We see and react to the technological issues, while not recognizing that the entire process is fundamentally dependent on humans. Having lived and breathed security around the world for the last 14 years, encountering hundreds of models, architectures, policies and laws in the process, it is clear that codifying what people should do to promote information security in organizations is as important as having locks on office doors. The objective is not to make each worker an information assurance engineer or certified auditor, but to instill a level of security awareness in employees that emphasizes how security begins and ends with them.
I recently revisited the ISO-7 layer model, the accepted hierarchy that looks at security from the 'physical' layer (Layer 1), first, and then proceeds through the 'data link,' 'network,' 'transport' layers and so on. Layer 7 - the 'application' layer - is where you currently find your end-user and end-application protocols (of further concern is the fact that there is no layer addressing policy management).
The ISO pyramid essentially bundles the human factor into the application layer and leaves it at that. ISO evidently concludes that users become part of the application. I feel this is oversimplified and insufficient for effective planning purposes. In all seriousness, perhaps the user was put in Layer 7 because no one seems to understand exactly what the user does. It is admittedly a hard factor to account for since employees have varying backgrounds and experiences, and typically shuttle through a variety of tasks and applications over the course of a day.
We need to extend the ISO model by creating additional layers that address the interaction between the human factor, company security policies and technology. We should elevate the user to Layer 8 and make the user responsible for their actions - we can then relate our policies (which should be in a separately-created Layer 9) to the user, specifically, and unbundle the crowded Layer 7 where application and protocols sit. It is imperative that organizations understand that the 'Human Factor' is the root cause of many security incidents and therefore needs controlling. Layer 9 - the policy level ensuring end users can be instructed and policed, provides operational guidance and discipline when necessary. It is an unfortunate but nonetheless important fact that 'inside jobs' do occur, and just as network defenses guard against external threats, internal network misuse and abuse must also be taken seriously.
Technology is only half the battle; the best firewalls and detection schemes need to be backed by policies that are carefully drafted, continually enforced and evaluated. This practice firmly embeds security alongside other vital business operations.
When you go online you join a global community. Conservative estimates count approximately 560 million users - people who can visit you anytime with good or bad intentions. The Internet is active 24 hours a day, 365 days per year and is growing at an exponential rate, expected to double its user base by the year 2005. Separately, there are 6.2 billion people in the world, and at today's predictions that figure will double in 40 years.
Security, absolute information assurance, is controlled by us - the human beings. Many organizations still need to realize this and plan accordingly. Making people a ubiquitous part of an effective solution is a better idea than the status quo, holding them accountable as the eternal liability.
Steve Crutchley is CSO of 4Front Security (www.4frontsecurity.com).