Paradigm Shift: Security is not Technology

September 2007

When a security incident occurs, in most environments management will quickly rush to spend money on top-shelf firewalls, advanced intrusion detection systems (IDS) and other technical controls that should (at least in theory) prevent a repeat of the incident; rarely is the human factor analyzed and addressed through administrative rather than technical remediation.  While it is true that technology plays an important role in security, it is important to understand that good security practices revolve around the human factor and should always start with people rather than technology.

The reality is that a large number of security incidents can be prevented at minimal cost with awareness training targeted at all employees, not just those using a computer terminal.  In most environments, employees simply do not understand the dangers and implications of certain actions or the benefits of others.  In penetration testing, for example, the vast majority of employees will allow a uniformed stranger to walk into the building unquestioned, or to have unfettered access to a data center, without checking or asking for credentials.  In other instances, many users willingly give out usernames, passwords or confidential information over the phone to an impersonator; some even respond to e-mail requests for such information.

Frequently, users will write a password on a piece of paper and tape it on the computer monitor, leave confidential documents lying around on the desktop and open email messages and attachments from strangers.  In such instances technical controls will do little to mitigate risk.  Because a determined intruder will most likely use a psychological or social approach to a break-in, we need to help users understand the importance of taking a common-sense approach to security.  Help users understand the dangers of letting strangers walk in your building or your data center, or the importance of a clean desk policy; encourage them to openly question strangers on premises and be aware that a phone ringing does not mean a well-intended person is at the other end of the line.  If the users understand the why, they will take the initiative to put policy into practice, and rather than seeing security policies as “just more rules,” the users will associate the security of the organization with their own security and wellbeing.  Lastly, try to hold regular security awareness training sessions for all employees to cover basic personal security and corporate practices; a personal stake and concern in the topic will bring about tangible benefit for the entire organization.

Clearly, since the human factor plays such an important role in the overall security architecture of the enterprise, the human approach is often the preferred method for penetrating an infrastructure quickly and easily.  Technology may offer us very good compensating and deterrent controls, but it does not, nor should it, define our security posture.  Because vendors often push expensive equipment and solutions on corporate management as “the end of all your security aches,” the human factor is rarely considered.  Generally speaking, the corporate world needs a paradigm shift: an understanding that what we call “the new security threats” are simply the same cons practiced long before the invention of computers or the Internet.  People are always the only constant; the rest is just technology.

About the author:  Virgil Vaduva (CISSP) is a Romanian-born security consultant, trainer and analyst with experience in forensics, security architecture and human-factor security implementation and analysis.  Virgil works as a Security Analyst for WinWholesale Inc, a private $2.6 billion company based in Kettering, Ohio.
