If your defense against hackers is beginning to feel as tech-heavy as the NASDAQ, then listen up. There's a growing consensus in both the hacking and the security community that your biggest vulnerability, and best defense, have nothing to do with technology at all and may, in fact, already be on your payroll. In my wanderings at various conferences this year, I asked a number of security experts and hackers to share their thoughts on this subject.
"Employees are a very good intrusion vector," says Nightstalker, a ten-year member of hacking group Cult of the Dead Cow, confirming a widely held view that company employees could be either your cheapest line of defense against an endless legion of threats, or the sleeping sentries that let hackers over the barricades. Nightstalker did some informal polling amongst the hacker elite at the annual DefCon hacker gathering in Las Vegas in July. "Pretty much all of them said that. Everything from [intruders] social engineering them to [employees] just plain doing dumb things," he says. Employees are a hot target for hackers for numerous reasons, and their willingness to help telephone callers makes them especially vulnerable to social engineering by hackers.
Security departments may be the victims of their own success. The more successful they are at defeating hackers on the network front, the greater the likelihood that hackers will be forced to attack the much weaker flank of the workforce. That reality has convinced many security professionals that employee education ranks just as high as the latest air gaps, honey pots or mantraps. "Technology is filled with flaws -- that's proven almost daily," says Stan Gatewood, Chief Information Assurance Officer for the Office of Information Assurance at the University of Southern California, in Los Angeles. "Logical security has its limitations as well and relies on policies. And we all know that enforcing policies is like pulling a rope. But awareness, training and education could prove to be the most solid of foundations for infosec, far more sturdy than technology or logical security."
But when your workforce can be both a vulnerability and a defense, the training decision may not be an easy one. If your workforce is actually an army of sleeping sentries just waiting for a call to arms, what impact could this global force have on your fight against hackers and on your security budget? On the other hand, if each employee is little more than a weak lock waiting to be picked by a hacker, where are you going to find the money to guard tens of thousands of doors spread throughout offices around the globe?
Sorry, but I've got a headache
Some security departments continue to take a rain check on employee security training because the solution is often a bigger headache than the problem. "Until senior management puts a verbal bomb over every employee's head, there will always be many employees who do not give a hang about security," says Jeffrey Lowenstein, principal consultant with Great Neck Computer Security & Controls in New York. Apathy apart, the biggest challenge may be finding room in the budget, especially for the cost of giving every employee a sufficiently large dose of security education to ensure that the vaccination takes. A June 2001 survey by Information Security magazine found that security budgets are not immune to cuts. Two-thirds of all respondents to the survey said their security budgets have either been cut (43%) or temporarily frozen (23%), according to the magazine. When budgets are tight, security pros may be tempted to invest the bulk of their budget in technology, on the premise that if an attacker slips past the perimeter, it's easier to blame the technology than their co-workers.
At the other extreme, overtraining can also send the security department running for the Ibuprofen. Too much focus on employee participation in security could turn employees into freelance vigilantes, swamp the undermanned security department with a flurry of false alarms or cause employees to feel so paranoid or guilty they tremble at the telltale "ping" of a newly arrived e-mail.
Working in the state of vigilance
GCHQ is Great Britain's ultra-secret electronic eavesdropping center. Nestled in the English countryside on the outskirts of the picture-postcard town of Cheltenham, the Government Communications Headquarters has long been a hot target for spies, terrorists and hackers. As employees of the spy center round the corner of Rabbit Warren Lane to the main entrance of the compound, they're greeted by a large sign above the security gate that warns "The State of Vigilance is ...," followed by a color that represents the level of security vigilance for that day. The sign is not intended to be a warning to attackers, but a daily reminder to every employee about the importance of constant vigilance in an environment of constant threat. I'm not suggesting that every corporate HQ in America place a giant neon warning sign next to their six-foot-high steel logo, but maybe the folks of Cheltenham could teach us a lesson.
Security as a culture
Security can no longer be seen as a task, chore or set of rules. For it to really work, security must become a culture, and there's never been a better time to evangelize that theme. Security as a culture strives to make all employees think about security all the time, for every decision and before every action. When security is as second nature as being polite to customers, it should kick in automatically without regular training and constant reminders. There's never been a better time to introduce a security culture. Even three years ago the very suggestion would simply have confirmed employee suspicions about the sanity of the security department. But today, almost every employee will have been exposed to the cybercrime bug and its impact on every aspect of their personal and professional business.
About the author
Neal O'Farrell is CEO of Hackademia, a firm focused on security education. He's a twenty-year veteran of information security, former hacker and original Code Rebel.
This was first published in December 2001