What we are up against…
There is much ballyhoo on the importance of information security to an organization. There is significant focus on the threats posed by hackers, intruders, cyber-terrorists, foreign actors, viruses, Trojan horses, spyware, etc. to the information held by a particular organization. Laws have been enacted to ensure that these actors, if caught, will face significant punishment, and organizations spend millions of dollars to ensure that their systems and infrastructure are hardened to protect themselves from this threat.
I received an e-mail this morning that somehow reminded me of an often overlooked threat and arguably the greatest single source of risk to organizations. First off, I need to put the e-mail in context; I perform risk assessments and write security plans documenting operational risks associated with a particular resource (application, system, infrastructure, facility, vendor, etc.) utilized by the organization. To do my job I will need to interview stakeholders and do discovery on the overall posture of the resource. Being a large organization, discovery meetings are done via conference calls and I typically schedule those in advance requesting stakeholders and subject matter experts to participate.
In one invite that I sent, I received this not-so-polite reply. Again, the organization that I work for has hundreds of thousands of employees, so I don’t know this individual, and all I know about him is that we work for the same company. Anyway, he said (partially edited to remove proprietary/confidential info):
Why can’t we do this now? I have a need to use this and am wondering why we even need a security plan as other groups are using this software inside the organization today, without security plans.
The first statement is really inconsequential, since I scheduled the meeting a few weeks out as a common courtesy to give them time to prepare. By the same token, it made me want to say: “The world doesn’t revolve around you, Sparky. You have commitments, but so do I.”
The second statement is really the focus here. I was tempted to reply with my standard reply to my kids when they are about to do something dumb: “If the other groups jump off a cliff, will you jump, too?” In both cases, I decided not to stoop down to that level and be the better man and instead gave him a “professorly”-like reply on the importance of security and risk assessments.
All that said, back to the purpose of this blog entry. That comment reminded me of a particular threat to information security that is sometimes forgotten or ignored: the threat of an insider. When insider threat does come into the conversation, the typical discussion points are about bad seeds in the organization, the ones with an ax to grind or the ones that are just malicious. We often ignore those with a higher likelihood of creating a serious vulnerability to the organization, because of:
- Ignorance
- Apathy
- Self-importance
- Complacency
- Laziness
- Plain stupidity
Not knowing this person I mentioned, based on the e-mail alone, I essentially pre-qualified him for three of the six items I mentioned above. The information is not enough to qualify him as complacent, lazy or stupid. But there is a good chance that he is ignorant of the security policies of the organization, not to mention the liabilities and risks it faces for failing to maintain a sound security posture. He is probably apathetic to the overall security requirement, because really, this application is so small. It can never happen to me. And finally, he sounded so self-important, because he thinks his need to use the software outweighs the need to first assess the risk the software brings upon the organization.
You may also argue that he is also just plain stupid to assume that just because others are getting away with something, he should be able to get away with it, too. I would not go that far, but I would not argue with you either.
This is essentially what we are up against as security professionals. Technology, processes, policies and our technical skills can only go so far in ensuring the security of the organization that we are protecting. The weakest link remains the people inside that organization. It behooves us, as security professionals, to go beyond the technical skills and know-how and learn to effectively communicate with and educate our co-workers on the importance of security and an understanding of the risks.
Oftentimes security is seen as just a roadblock to progress. As security professionals, we need to learn the politics of the organization, understand its business goals, and effectively communicate to stakeholders that security in fact enhances the competitiveness and viability of the organization. By helping to educate stakeholders, security professionals can develop partnerships in security that prove invaluable not only in mitigating insider threats, but also in protecting the organization from external threats.
Thought you should know, etc...