This article will demonstrate why we can no longer continue with fragmented, legacy security systems and policy.
We will show why distributed, project-based security ownership is inherently flawed, and how some good, old-fashioned threat and risk analysis, combined with testing, education and ownership, can considerably reduce both your exposure and your bottom-line spend.
Gap Analysis and Legacy Security Systems

As in most areas of our lives, non-integrated legacy systems populate our security landscape. We have seen two central pillars of security grow independently: ‘traditional’ security functions such as CCTV, access control and front-of-house, and IT security (often called ‘information’ security even though it rarely encompasses all ‘information’).
It is clear that many risks fall between these two pillars. The only way to achieve cohesive risk management and mitigation is to have a holistic overview of all security risks and an impartial (non-departmental) gap analysis, and to use that data to design effective policies and procedures.
Security’s Technology Reliance
We are nearly all dependent on technology systems for our core business functions and day-to-day lives. These technologies include computers, laptops, networks, mobile phones, BlackBerrys, PDAs, conference phones, fax machines, photocopiers, RSS feeds, VoIP, email, Twitter, Facebook, etc.
The reality of technology product development is that security is nearly always an afterthought. From a designer’s point of view it is expensive, resource-hungry, detrimental to performance and has limited commercial appeal.
Keeping our technology secure is a significant challenge for all of us, as it is a moving target. Can you imagine Chubb turning up every two weeks to ‘patch’ your front door lock because new vulnerabilities had been made public?
Clearly this challenge goes far beyond the IT department.
Holistic Security: Finding the Balance
Security must always be a balance between business need and absolute security. Demonstrating return on investment (R.O.I.) on security spend is always a challenge (akin to justifying life insurance).
A holistic approach can often bring bottom-line benefits: legacy systems can be combined and integrated, and duplicated functions can sometimes be identified and removed.
Some pointers to finding your balance:
- If you want to demonstrate best practice and due diligence you must perform ongoing risk assessments
- Security measures must be practicably implementable
- Policies must be effective in the real world
- Education and ownership are the only effective method of implementation
- The majority of security breaches can be prevented by basic good practice – easy wins
Risk assessment should be carried out both formally and informally. The formal programme should be documented and used to define security spend and policy. The informal programme should be carried out on an ongoing basis; indeed, we make risk assessments all the time in daily life (not fancying walking down that dark street, unplugging the lamp before changing the bulb, etc.).
Risk Assessment Example - Bad weather
A simple but telling example of risk assessment: most of us own an umbrella or know when to hail a taxi. The arithmetic is ALE = SLE × ARO, i.e. what one occurrence costs multiplied by how often it happens in a year, and a mitigating measure is worth buying when it costs less than the ALE it removes.

| Item | Value |
| --- | --- |
| Risk | Getting wet, a bad first impression, poor meeting performance, damaged suit and shoes |
| SLE (Single Loss Expectancy) | £5 to £5,000 per occurrence |
| ARO (Annual Rate of Occurrence) | 2 |
| ALE (Annual Loss Expectancy) | ≈ £5,000 (working SLE of about £2,500, the mid-point of the range, × ARO of 2) |
| Mitigating measures | Umbrella or occasional taxi: about £25 per year, roughly 0.5% of the ALE |
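The same calculation, carried a step further to compare several candidate controls on a return-on-investment basis. This is an added example and not code from the original article: the SLE range and ARO are the bad-weather figures from the table above, but the control costs and the residual ARO each control leaves behind are constructed assumptions for illustration.

```python
"""Quantitative risk assessment in the article's terms: SLE, ARO, ALE.

Added example, not from the original article. The umbrella figures come
from the article's table; the control costs and residual ARO values are
assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle_low: float    # lowest plausible loss from one occurrence (GBP)
    sle_high: float   # highest plausible loss from one occurrence (GBP)
    aro: float        # Annual Rate of Occurrence: expected events per year

    @property
    def sle(self) -> float:
        """Working Single Loss Expectancy: the mid-point of the estimated range."""
        return (self.sle_low + self.sle_high) / 2

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # what the control costs per year (GBP)
    residual_aro: float  # ARO that remains once the control is in place (assumption)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE once the control is applied: the loss per event is unchanged, only the rate falls."""
    return risk.sle * control.residual_aro


def rosi(risk: Risk, control: Control) -> float:
    """Return on Security Investment: (ALE reduction - control cost) / control cost.

    Negative means the control costs more per year than the loss it prevents.
    """
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive to compute a return")
    reduction = risk.ale - residual_ale(risk, control)
    return (reduction - control.annual_cost) / control.annual_cost


def rank_controls(risk: Risk, controls: list) -> list:
    """Controls as (name, ROSI) pairs, best value first."""
    scored = [(c.name, rosi(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The article's bad-weather example (SLE range and ARO from its table).
BAD_WEATHER = Risk(name="Bad weather on the way to a meeting",
                   sle_low=5.0, sle_high=5000.0, aro=2.0)

# Candidate controls. Costs and residual AROs are constructed assumptions.
CANDIDATES = [
    Control(name="Umbrella / occasional taxi", annual_cost=25.0, residual_aro=0.2),
    Control(name="Company car and parking", annual_cost=3000.0, residual_aro=0.1),
    Control(name="Chauffeur-driven car", annual_cost=6000.0, residual_aro=0.0),
]


def bad_weather_ranking() -> list:
    """Rank the constructed candidate controls against the article's risk."""
    return rank_controls(BAD_WEATHER, CANDIDATES)


if __name__ == "__main__":
    print(f"SLE (mid-point) = £{BAD_WEATHER.sle:,.2f}, ALE = £{BAD_WEATHER.ale:,.2f}")
    for name, value in bad_weather_ranking():
        print(f"{name:30s} ROSI = {value:9.2f}")
```

With the mid-point SLE of £2,502.50 the ALE comes to £5,005, matching the table's rounded £5,000. The cheap umbrella wins by a wide margin, the company car still pays for itself, and the chauffeur has a negative return: the article's "easy wins" point expressed in numbers. Note that ROSI as defined here favours cheap controls, so it should be read alongside the absolute residual ALE when the board wants to know how much risk is actually left.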
Changing Threat Landscape – Technical
As well as all the traditional threats facing our business, there are many new and emerging problems that need to be in your risk assessment.
We have seen a sharp increase in both the quantity and quality of covert listening devices in the last three years. Listening devices with a technical capability that was once the domain of the security services are now freely available to buy online, often for less than $100.
At the forefront of these new devices are GSM-based listening bugs (pictured). In simple terms, these are a stripped-down mobile phone (no keypad, speaker or screen) set to auto-answer: call its number and it silently picks up, relaying the room audio.
Whereas traditional RF-based devices had a limited reception range, a GSM-based device will operate anywhere there is GSM coverage (most of the world) and can be listened to from anywhere one has a phone.
These devices are being produced in the millions in Asia and can be purchased from $20 (try searching on eBay for 'GSM Device').
We have also seen a massive increase in the use of hardware key-logger devices: small units that record to flash memory everything typed on a given keyboard or laptop.
Because they sit between the keyboard and the computer, or inside the keyboard itself, they cannot in general be detected by any form of software protection and can often only be found by a specialist physical search (an in-line USB model may betray itself as an unexpected extra device in the computer's USB device tree, but a PS/2 or internal unit leaves no such trace). They cost around $100 and take many forms, including an in-line dongle on the keyboard cable (pictured), a mini-PCI card fitted internally in a laptop, and boards fitted inside desktop keyboards.
Technical Risk Assessment
This performance and price point must change our risk assessment. It is now reasonable to assess the risk of almost any of your employees who wants to gain an advantage (motivations include industrial espionage, being overlooked for promotion, commission-based earnings, union representation, etc.) using one of these devices in your boardroom or executive offices.
Human factor
Another often overlooked area of information security is managing humans. Within the agency security community this is a recognised area of focus, but it is often overlooked in the commercial world.
Part of your holistic assessment must include acknowledging and mitigating the threats from predictable human behaviour patterns.
Predictable human behaviour patterns – people do things they should not, people lose things, people forget things, people talk about things too loudly and get overheard, and people are vulnerable to being compromised through various forms of leverage. If we are aware of these issues we have a duty to try to mitigate them.
Insider threats – a very common source of information loss is people within the work environment, from a business partner to a cleaner. Physical control of information and compartmentalisation are key to minimising this threat.
Brain shredding – much harder than paper: once information is in someone's head it is very hard to remove, and the options are limited to NDAs and confidentiality agreements.
Education, Education and Education
The single most important factor in creating a successful security policy and culture is education.
The only effective policy is one in which users have ownership. The goal is to create a secure environment for your information with an accountable procedure for end-users to follow. The policy should foster a security culture within your business that is designed to be understood, embraced and implemented by your staff.
Whilst extensive standards and frameworks such as ISO 17799, SOX, CobiT, ISO 20000, ISO 27001 and BS 25999 all have their place and purpose, the document that your team are expected to understand should be 1-3 pages long and backed up with an annual training session for every employee.