Creating a Culture of Security
Fostering a secure environment takes work and money. More than anything, though, it takes commitment by management.
There is no simple way to address these issues. You cant legislate compliance any more successfully than the federal government. You cant just say, "Do this, dont do that." But what can we do? What we can do is create a culture of security.
Fostering a secure environment obviously takes work and it takes money, but it doesnt take as much of either as you might think. The one thing it takes the most of is a commitment by management to do the right thing. Frequently, management is the last to get on board with security initiatives.
But first, lets address system compromises. Using the auto-update feature in all of the common operating systems is the first step. Giving users the lowest set of privileges needed to do their job is second. By limiting privileges, you limit the ability of users to change settings or install things that will make their lives miserable later.
Now lets look at security breaches. In many cases these are related to system compromises, since hacked machines are often the foot in the door for larger problems. Breaches are dedicated attacks that allow intruders to take control of a single machine or group of machines and use them to collect data of various types depending on their motives.
Intruders could be interested in corporate espionage, financial data harvesting, or even the desire to use your resources to host their activities. This might include file downloads from music to rootkits, storing harvested credit card numbers, or Distributed Denial of Service (DDoS) drones. These types of breaches can cause serious damage to your fiscal health and corporate reputation.
Make Users Understand Risks
One of the toughest challenges is to introduce and foster an environment of practical steps each of your users can take to protect their interests as well as the interests of the corporation. We all know that personal benefit will always trump loyalty to any larger organization when it comes to motivating specific actions on the part of others.
Its important that users understand the risks they take each time they take their laptop home or away on business. They risk any personal data they may have on their system, information such as personal email messages, financial data, and personal documents. In addition they risk any sensitive material that belongs to the company that is in their possession. In the recent case of the Veterans Administration, this might include the personal information of 26 million veterans and possibly active-duty personnel.
The individuals involved have been summarily dismissed. In the federal government, thats saying a lot.
Now, some of this hinges on your companys explicit written policy. I dont generally tend toward the discussion of policy and the writing of policy. However, without formal policy, it can be very difficult to enforce security requirements. Veterans Administration employees are now under close scrutiny regarding workplace practices and the safeguards used to prevent the loss of data.
The loss of a laptop can be a very distressing experience. The user may not know for sure what was on the system, including what may be damaging to their personal well-being. One thing that can help in these circumstances is having regular backups taken of machines. In the case of loaner machines, having systems wiped and reinstalled before being put back out on the street. Minimizing the amount of data being removed from the confines of the company network, limits your risk.
Stolen hardware isnt the only off-site threat. Employees frequently work from home, sometimes logging into the company network to get data, complete tasks left undone during the course of the day. Most households only have one computer used by everyone. Each spouse uses it for email work and shopping. The kids do their homework, surf, chat and play games both on and off line.
Many times household computers are rife with spyware and malware when the owners are unaware of the sources and the symptoms of these types of infections. In the workplace, its a little easier to identify the users who might be at greater risk. Either way, silent infections that are then turned loose on the network.
Passive infections can frequently be the most damaging. A passive infection is one that only collects data. It leaves no discernible trace in traffic or performance. When it forwards its data, it does so on common ports that would raise no suspicions. These are very difficult to identify, and equally difficult to eradicate without completely wiping a drive. Without proper data backup, this can be extremely painful for everyone involved.
So what do we have? We have the need for good user education. This can be in the form of incidental instruction whenever your IT staff have contact with users. It can be formal classes or briefings before specific events such as travel. It can be done in the form of policy documents that are required reading for all personnel. I dont recommend this last one as being particularly effective. It is one of the federal governments favorite techniques, and we know where that gets them.
We have the need for secure practices that are consistently enforced at all levels of the organization. These practices should include data backup, lowest user privileges for both desktop and laptop systems, and methods such as disk wiping on communal machines. They should also include the use of anti-virus, anti-spyware software to keep infections to a minimum.
Finally, we need to protect the network. Close unused ports, disable services and daemons that arent needed, and apply host-based firewalls to protect against unexpected inbound traffic.
Its not easy being clean. Its a lot of hard work. Getting support from management and developing an environment conducive to secure practices will pay off in the long run.