29 Oct Enterprise security fundamentals? How about paranoid employees.
For years most enterprise security spending was allocated to layered defense. Stop them at the edge. Stop them at the endpoints. Stop them at the network. Stop them at the core servers. Stop them at the application layer. With over 70% of new attacks now being zero-day attacks with no signature history, the security narrative has moved decidedly away from the signature-based security that manned these layers. The advent of context-aware security, adaptive security and proactive security postures is important, even critical, but the key vulnerability over the years has not changed. It's the employees. Security experts have always known that technology, design and physical security measures are useless until combined with employee awareness of security do's and don'ts.
For the longest time this meant a policy-based approach. Policies, from identity management to protocols, are still a critical part of the security ecosystem. But modern exploits exist in a digital age. Employees now have lives that exist partly, and in many cases overwhelmingly, in the digital virtual space. Policy-based approaches do not touch the new ways hackers have developed to exploit the vulnerabilities of employees who are digital Millennials. This is why, whenever we are involved in security roadmap discussions and security gap analysis, we always flag the social engineering hackers use to break into systems via employees as the single biggest threat organizations face. No week goes by without such social engineering producing a news item and an embarrassed organization with a multi-million-dollar security budget. Marks & Spencer is the latest one hit as this post heads to publishing.
Hackers use social engineering to manipulate people into downloading malware. Many of these malware infections cannot be spotted by antivirus or anti-malware programs. When you get an email from a friend casually asking you to check something out or download some media files, that is social engineering designed to appeal to your trust. When you get an email from a charity or a friend in need, that is social engineering targeted at your altruistic side. When you get an email that seems to come from a reputable company or site asking you to verify information, or announcing you as a winner and asking for information to deliver your prize, that is a socially engineered phishing attack. Social engineering relies on employees acting first and thinking later. And enough of them do to pose serious risks to themselves and their companies. Once an employee is compromised, the malware on their system can be used to systematically probe company security protocols and break them down. This is why it is estimated that hackers have been inside a system for hundreds of days before they are found.
This is why constant and mandatory employee communication, and training on new methods of attack as they become known, are necessary. Governance around this is an executive responsibility. Use IT admin privileges to block attachments with .js, .exe or other extensions that can be exploited. Set up an escalation matrix for downloading any files beyond Microsoft Office documents and PDFs. And the greatest defense? Paranoid employees. Teach them that when it comes to security, anyone can be hacked. Trust no one. Treat attachments like containers of poison and open them only when absolutely sure. Be suspicious of all messages that are not part of official email chains. Do not click on any links. Ever. Never give out personal information unsolicited, even if the request comes from your own company. Your friends can be hacked, so if they send emails that seem out of context, don't act.
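One way to put the attachment rule above into practice, as an added example that is not the post's own code: a triage function that blocks script and executable attachments, passes Office documents and PDFs, and escalates everything else for review. The extension lists and the sample message are assumptions constructed for illustration, not a complete policy.

```python
import os

# Extension lists are illustrative assumptions, not an exhaustive policy.
BLOCK = {".js", ".jse", ".exe", ".scr", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
ALLOW = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
# Macro-enabled Office formats (.docm, .xlsm) and archives (.zip) are deliberately
# left out of ALLOW so that they fall through to escalation.


def triage(filename: str) -> str:
    """Return 'block', 'allow' or 'escalate' for a single attachment name."""
    name = filename.strip().lower()
    # A right-to-left override character can make "exe" display as something
    # harmless; treat its presence as a block on its own.
    if "\u202e" in name:
        return "block"
    # A trailing dot or space hides the real extension from a casual reader.
    name = name.rstrip(". ")
    ext = os.path.splitext(name)[1]
    # The last extension wins, so "invoice.pdf.js" is caught here.
    if ext in BLOCK:
        return "block"
    if ext in ALLOW:
        return "allow"
    # No extension or an unknown one is never allowed silently.
    return "escalate"


def triage_message(attachments):
    """Verdict for a whole message: one blocked file blocks it, one unknown escalates it."""
    verdicts = {a: triage(a) for a in attachments}
    if "block" in verdicts.values():
        overall = "block"
    elif "escalate" in verdicts.values():
        overall = "escalate"
    else:
        overall = "allow"
    return overall, verdicts


if __name__ == "__main__":
    # Constructed sample message, not real mail data.
    sample = ["Q3-report.PDF", "invoice.pdf.js", "budget.xlsm", "setup.exe."]
    print(triage_message(sample))
```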
The world-famous Intel CEO Andy Grove once said, "Only the paranoid survive," as the mantra for staying ahead in technology. It serves no less well when talking about how your employees should approach enterprise security.