In dealing with the individuals who use your IT systems and who must adhere to the social engineering aspects of the security approach - such as password discipline, physical access risk, misuse of corporate machines, e-mail attachment discipline and so on - it is critical to over-communicate the real threats that human-based risk brings to the enterprise. There are a number of straightforward actions that can be taken to address the social engineering risk.
Firstly, and perhaps most importantly, simplicity is key in tackling these challenges. If you want to fail in a security policy or technology, make it complex or intrusive for the end user. Password management is a prime offender. If a user has a single password, or even better has a token (an RSA token for example) that can be used as a credential for all network, computing and application access, they are highly unlikely to be guilty of reckless actions such as the infamous "password sticky notes" on their monitor or keyboard.
Secondly, it is imperative to communicate the chosen procedure in clear and concise English. Security is a complex science that most fail to grasp comprehensively. Instead of using complex terms such as authentication, authorisation, authenticity, credential, and others, security policy should be composed in an easily digestible style. Translation should not be required for staff to understand what they should and should not be doing with respect to IT policy.
An IT security policy should focus on meaningful and intuitive requests. If the policy focuses on password management, physical access to buildings, and misuse of applications and PCs, it is important to state this clearly and succinctly. A high-level and intuitive "10 Commandments"-style security policy is far more desirable than a book of security regulations that staff are unlikely to read or fully absorb.
Ideally, staff should also be educated continuously about current risks and threats. An interesting article in the news on how another company was hurt by an attack would be relevant and helpful to every stakeholder in the business, not just the IT and security staff. It is advisable to let them know that the risks are out there and to elaborate on how these could adversely affect the organisation. Again, the message should be kept in simply expressed terms.
Also, it cannot be emphasised enough that security policy should be kept relevant and up to date. Nothing frustrates a loyal and intelligent employee more than having to guess what to do in a situation where his or her seniors should have provided guidance. Security policies should be updated and education and procedures constantly amended to keep pace with new applications, changes in the business model and market events. IT directors should be the source of guidance and wisdom with respect to security; if they are absent when employees need them, then these employees will struggle and lapses will occur.
The main problems observable today arise from the well-entrenched attitude of IT groups in treating security as an IT issue. The private and public sectors, and the private individual at home, are all failing to grasp that when it comes to IT security social engineering issues and risks, the primary tool is an informed employee base or an educated consumer. That base is, however, non-technical and incredibly hectic. Security is a complex and difficult area and sometimes executives become disconnected from the fact that well-meaning employees simply do not understand what they are being asked to do or where exactly the risks lie.
A major priority should be to simplify the complex requests to colleagues so they can understand what we want and take ownership of the security area they can influence.
The second hurdle where IT directors are falling is the fragmentation of security approaches. If there exists a network security strategy, a voice security strategy, an application security strategy, and a physical security strategy, but these are not communicated as a single straightforward strategy in order to protect the business, the whole issue becomes too complex to come to grips with and staff will be tempted to simply ignore it. Again, having multiple passwords is not necessary because more than adequate technology exists to create a shared authentication framework for everything from network access to application control bus. In many cases, such an integrated system of security is not created in the first place because each group has been allowed to exist independently with respect to authentication. This is not only risky but it is also highly expensive for the business to sustain in the long term.
Finally, security technology today is, in many cases, unnecessarily intrusive. We seem to think that loading software onto a PC (that slows it down, pops up meaningless messages, and delays network attachment) is acceptable to end-users. That assumption is wrong. Every new security technology that touches a user should have one simple goal: absolute transparency. Users do not want to take an extra minute to access critical applications, and they do not want their PCs to tell them things they have no chance of comprehending. Good desktop tools talk almost exclusively to the IT professionals directly, and only in the most unusual situations do they interact effectively with the typical end-user. In these cases, the communication must be understandable, rather than being a technical "system error 32"-type message.
The success of these implementations is critical. If security is only delivered by IT people and technology, then eventual failure is inevitable. An active and fully involved employee base that is passionate and involved in protecting their company is the only way that critical gaps can be bridged, and the ever-expanding security challenges outpaced. Truly effective security must include the best technology, the best IT staff and the most informed and involved employee base as an integrated and coordinated architecture, but care must be taken to ensure that the individuals who make up these various operational levels are lead, communicated with and supported on their terms and in their language.
John Roese is the CTO of Enterasys Networks and co-author of 802.1x