"If you are an organization that is relying on your employees to do the right thing with respect to security, you've already made a number of mistakes," said Scott Montgomery, global vice president for product management at Secure Computing, in a phone interview with ZDNet Asia.
Montgomery noted that end users are typically the "least educated" in proper corporate security practices and are "most prone to doing things" that do not adhere to the company's security policy.
He highlighted the four most damaging security habits that are commonplace among organizations in this region and around the world, and underscored the need for IT administrators to closely monitor these areas.
1. Fixed passwords
The SANS Institute has, over the last decade, identified passwords as one of the top 10 most damaging security practices, Montgomery said.
He noted that, unlike token-generated or one-time passwords, fixed passwords do not change, and some users may even write them down to avoid forgetting the sequence. As such, fixed passwords are "dangerous" because anyone who knows the right password can log into the network without being identified as an impostor, he said.
"Everybody knows that fixed passwords are weak and a problem. It's been the same way for 10 to 15 years, but it doesn't change organizations from investing in it," Montgomery said.
In contrast, the use of one-time passwords has been found to "dramatically increase the security profile of organizations" because the perpetrator would not be able to compromise the user's credentials, he said.
"Even the use of one-time password on an application-by-application basis dramatically increases your security profile because you can't do…password guessing," Montgomery said. He added that the use of a hardware token for one-time password deployment--whether it is time-based or event-based--is a good way to prevent systems from being compromised.
2. Neglecting inbound threats from e-mail, the Web and instant messaging
When end users receive a spam message in their e-mail inbox, their administrators have already "lost the battle", Montgomery said. "At that point, you're expecting the users to do the right thing [but] they won't... They don't have any perception of the greater risk of their activities." He noted that e-mail, Web mail and IM (instant messaging) are among the high-risk areas, and IT administrators need to ensure that data received via these platforms is safe and protected.
3. Forgetting that data traffic is two-way
When keeping the organization's network secure, IT administrators should keep in mind that data traffic is bidirectional and consider the possibility of outbound data leakage.
Montgomery noted that organizations often forget that their traffic is bidirectional, and many have spent the last several years protecting only the data that enters their networks. "Organizations have been very slow to look at what's leaving their network, in terms of data leakage, due to malicious and criminal intent or that are simply [the result of employee] mistakes," he said.
4. Not encrypting data
Without encryption, data sent and received via e-mail is literally "like putting an ad out in the paper" for anyone in the public to view, said Montgomery. He added that some users wrongly assume the data they send is private and cannot be seen by the public.
"People who want to read your e-mail will have to look for it to find it, but they can find it if they want to," he said.
"There is a level of protection only if people use encryption in their e-mail, [but] most people don't," Montgomery said.
Sure, staff are the “least educated” of proper security practices, but should that mean that as security professionals we give up on them?
This is not new; world-respected experts in information security have seen that the end user is the weakest link for years. Yet we concentrate on pushing the line to business that a bit of training, and a lot more and stronger IT (which means a lot more IT spending, great!!), is the solution.
If pushed, most IS companies can bolt a bit of security awareness on to an implementation, but will it be delivered by someone who is a specialist in the staff factor area? No, sadly; in most instances it does not even occur to them to try and find such a person, and there are a few of us around.
Until more information security professionals start really taking this subject seriously and talking to specialists, dealing with the ‘insoluble problem’ of the staff users is going to be like nailing jelly (British translation) to the wall.
You can debate the best way to set passwords, regulate e-mail use and all those other annoying ways in which real people get in the way of technical solutions all you like, but that is only part of the answer. In most cases solutions will not work to their optimum until you take into account all the variables, which includes the human interface. Serious professional information security needs to go holistic and take staff seriously.
Posted by Wendy Goucher on Wednesday, June 13 2007 05:22 PM