This is the time of year when most of us look back at the last twelve months and evaluate what was accomplished.  We also look back at the things we worked on to improve our internal networks and ask whether we made a difference.  The same can be said of many companies in the security industry; RSA, Comodo, and GlobalTrust looked back to determine how to prevent a recurrence of the problems they suffered.

We in the security field look at security as a fluid set of controls that minimize the possibility of a breach.  We understand that risk is defined as vulnerability multiplied by the possibility of exploit multiplied by the value of the asset.  The key variables in this equation are vulnerability and exploit possibility.  We then attempt to control these two variables in order to reduce the risk.

Most of us have used many of the devices that the vast majority of companies implement to reduce the chance of an exploit.  Firewalls, intrusion detection, and the usual cadre of anti-virus, anti-spam, and anti-spyware are a few of the tools used to reduce the opportunity for an exploit to be deployed.

We all know that there are many other tools that can be used to "lock down" systems or create a secure environment.  We also know that our best efforts are only as good as the latest version of the tools we deploy.  We constantly update our systems, security devices, AV, and other aspects of the overall security posture.  This is done to minimize our threat exposure and, in theory, reduces the possibility of exploitation of vulnerabilities on our network.

All of these actions are part of the "due diligence" we hear so much about when the auditors arrive to test our compliance with the standards to which we must adhere.  Part of due diligence is maintaining an Information Security Policy (ISP) that is reviewed annually to track changes to the company's business needs and IT infrastructure.

This document is one of the pillars of the information security posture for any company.  How well the ISP is maintained determines whether a company can pass an audit against one of the major security standards.  The ISP covers all the aspects that make up the security posture of the company.

When an auditor or an information forensics examiner comes to a company, the ISP should be the first thing that person asks to read.  The auditor will then determine whether the ISP covers all the aspects of information security needed for a compliant rating.  If the auditor or forensics examiner decides that the ISP isn't sufficient, they can fall back on "best practices".  This is not something you as an IT manager want to have occur.

One of the aspects that a strong ISP will cover, and be very stringent about, is security awareness training for all employees at the time of hire and annually thereafter, to ensure that the employee is aware of any policies that might have changed.  The employee should be required to sign a form stating that they have received the training and understand their responsibilities.  This training is also very important if an employee is being terminated for failure to follow the policies.

If the security policy changes and personnel aren't given yearly training, then an employee terminated for cause might have an avenue for redress by stating that they weren't aware of the policy they violated.  A signed document showing that the training was completed and understood is critical to a company in the case of litigation.

The second aspect of ensuring that employees are aware of the company's policy is educating them about the information gathering techniques used by people with malicious intent.  There are many methods of gathering information that can lead to an intrusion into an internal network.

Most employees have heard of social engineering, pharming, phishing and malicious spyware.  The problem is that, though they may have heard of these techniques, they aren't aware of how to identify when someone is attempting to garner information about their company or their personal identity assets.

Most of us have heard that the weakest link in any security program a company implements is the human element.  I personally enjoy the statement: "The weakest link in any security program is the biosphere sitting between the chair and the keyboard."  My statement is: "If you make your security measures too restrictive, the users will find a way around them."  All of these are really saying is that our users are the easiest target for penetrating our secure networks.  Just look at some of the breaches of 2011 for proof of this belief.

The RSA breach was caused by a successful spearphishing attack.  The targeted RSA end user clicked on a bogus spreadsheet and launched the malware that ultimately compromised SecurID token data.  The GlobalTrust and Comodo certificate problems stemmed from an Iranian hacker being able to convince employees at Comodo to issue certificates that represented major companies.

Both of these breaches caused doubt in the minds of the users of the products that RSA and Comodo provide.  I am sure that both of these companies have strengthened their procedures to prevent a recurrence of the problem, but the damage to their image has been done.  I am confident that their security programs were strong, but the human factor entered the security equation and the event happened.  The best remediation for their problem is security awareness training; doing this annually raises the awareness of the employees and strengthens the overall security posture.