Addressing the Human Vulnerabilities that Bedevil IT Security

A month or more of high profile security breaches have reinforced the importance of data protection as a CIO agenda item.

Naturally, if a security vendor like RSA can succumb to an attack, all organisations have to ask themselves: Is their IT security fit for purpose? Coincidentally, the RSA and the other incidents happened around the time of Infosecurity Europe making the case for new and improved counter-measures against the latest threats.

But, organisations should pause and think very carefully before adding another ring of defences. A prime lesson from the recent attacks is that they succeeded because of a forensic focus on exploiting human vulnerabilities and these helped to undermine very sophisticated systems for preventing unauthorised access.

RSA is a good example of how people proved to be the weakest link. The exploit was a spear phishing attack on RSA staff that used a bogus email from HR about 2011 recruitment plans. Once clicked on, the email initiated a zero-day attack that scanned and stole sensitive data.

In this case, people inadvertently let the hackers in because 'people' can do the stupidest things with the least encouragement, despite all of the best counter-measures. Use of social engineering is going to become even more attractive to e-criminals as the obvious points of attack are comprehensively locked down.

The flip-side of the social engineering challenge is that the greatest threat to the safety of your organisation’s “secrets” is your employees. This isn’t surprising given the picture that we’ve built up over the last few years about workers’ improper use of corporate data especially when they leave a company.

 Whether human nature is so amoral on this issue or not (and the answer is probably yes when over 59 percent of workers say they took confidential information on leaving and 67 percent used that sensitive data to get a new job), organisations seem to be leaving themselves open to damage with almost a quarter of departed workers still having access after they’ve gone.

This finding flags up how organisations can mitigate human vulnerabilities through better policies and procedures. Indeed this is one pillar of an effective strategy on insider threat. The other two are identity and access control; and a capability to audit whether the systems are properly protecting the organisation.

All the above is a great blueprint for getting information security right but many organisations would say that they have all of these strategies in place already.

Where the challenge lies is how to apply these strategies to maximum effect across the organisation. For example, defining strong security policies and procedures is great but are they being used consistently by everyone or are people employing short-cuts. These may be innocent in nature but create vulnerabilities that could be exploited or procedures that are non-compliant and impossible to audit.

There are similar challenges for identity and access control where managing the lifecycle of an identity becomes extremely difficult especially across disparate systems. There also is the counter-intuitive need to monitor your most privileged and therefore most trusted users more intensively than those users who you know least about. And, while IT security audits sound great in principle, they are time-consuming to run and do thoroughly. Running them regularly to spot any new user-related behaviour is a fanciful concept for many if not all organisations.

All of these challenges are creating a stronger case for security process automation to resolve the need to keep a constant focus on reducing the risks. For example, automated exception and approval management to detect non-compliant systems and enforce a workflow to ensure correct approvals and notifications for any exceptions. Similarly, automating the incident management processes including event detection and response ensures a faster and more consistent response that is easier to audit.

Tighter management of policy, identity and access control and audit is an obvious step to take given how even the best IT security defences can be by-passed. Automation can achieve this goal and deliver the joined-up approach required to proactively rather than reactively drive out the baleful effects of human nature.

Labels:

Identity & Access Mgmt
Anonymous