Ensuring a Successful Security Policy Approach
Comprehensive security policies are tools that employees and management can use to understand how the organization protects itself and what it expects of its users.
One of the main challenges in creating this type of policy is ensuring that it doesn't become overburdened with rules that turn into insurmountable barriers. Note that security does remove a certain degree of flexibility. Similar to installing a home security system, the more comprehensive the system becomes, the less freedom of movement one has in the home. A simple perimeter system that places contacts on doors and windows allows full movement within the house. But with the addition of motion detectors and laser beams, a dog's attempt to retrieve food mistakenly left on a kitchen table could conceivably trigger an alarm. The decision to install a comprehensive home system is usually preceded by a discussion centering on the real cost of vulnerability. Deciding on the makeup of the system can only begin after that discussion is concluded, because one cannot effectively mitigate risk without first knowing one's tolerance for it.
In a network environment, if users are routinely bypassing security in their rush to complete work, there could be many possible causes, including, but not limited to:
Users are ill-informed about vulnerabilities that exist and simply bypass network security measures as a matter of course.
The systems in place might be overkill for the type of work that needs to be accomplished.
This section attempts to pinpoint key areas where security policies have been known to be vulnerable. Keeping these points in mind when formulating policy can help to ensure its eventual effectiveness. This section examines the following topics:
Security is a learned behavior
Inviting the unknown
Avoiding a fall into the safety trap
Accounting for the unaccountable
Striving to make security policies more efficient
Security Is a Learned Behavior
Individuals are not born cautious. Quite the contrary; they are naturally trusting, open, and inviting. Part of the rearing process involves teaching individuals to become suspicious. Cultivating a secure environment in a computing system is not dissimilar to teaching an individual to be wary. Networks are not born cautious either, as evidenced by routers that announce themselves and their routes to anyone listening unless configured otherwise. Security appliances are introduced to shield vulnerable equipment, but they cannot protect users who act recklessly or sloppily; that form of caution must be learned by the users themselves.
Earlier discussions have alluded to the argument that certain organizations are better served by explaining their security posture to users. While it is challenging to fully protect a network from a user who willfully wreaks havoc, the vast majority of users who cause harm are not doing so maliciously. They usually have no perception of the damage, or potential for damage, they have left in their wake; they simply do not know any better. An organization that openly shares its rationale for security generally finds its users less likely to skirt the measures it puts in place, and a corresponding reduction in the number of inadvertent errors should result.
Teaching appropriate security techniques takes time. Through the power of conditioning, users can learn how to properly navigate a system without putting it in jeopardy. By repetitively performing tasks and walking through the system with a knowledgeable teacher, users can become skilled at safe computing. Consistent positive reinforcement, whether it is praise or ongoing education, can help to create a corporate culture that is focused on making security a learned behavior.
Inviting the Unknown
Most security systems are designed to deal with known entities: attacks that have either occurred or are feared to occur. Equipment is put in place, and the organization returns to its normal business. A comprehensive network security program dictates that minor vulnerabilities, or seemingly insignificant cracks, should be scanned for constantly, because the most harmful intrusions usually come from the most unexpected places.
Regular security scans should do the following things:
Identify an organization's most vulnerable points, and assume that attacks could be launched against them
Identify network areas that the IT department assumes to be highly secure, and determine their weakest links
Even the most secure environments have stress points, and identifying them is the first step in forging a more resilient network. Continually scanning for vulnerabilities in the most unexpected places can proactively help mitigate the unknown.
Avoiding a Fall into the Safety Trap
Perfectly secure environments do not exist. Purchasing every possible type of equipment doesn't protect an organization if its users are not effectively trained. Conversely, responsible employees cannot protect a company from a DDoS attack without the help of proper equipment. It is the combination of both that provides the most comprehensive security. Equally important is the recognition that implementing security is not a one-time effort. Threats evolve and disappear, only to be replaced by new and more sophisticated ones. Policies must be able to respond quickly, efficiently, and proactively.
A security-minded organization can use a revolving wheel, as shown in Figure 5-1, to underscore its daily practices and to help it create a forward-thinking security posture.
Figure 5-1 Closing the Loop on Security: Making Policy Review a Constant
Business environments rarely remain static, and the wheel ensures that an organization can keep pace with an ever-changing world.
Accounting for the Unaccountable
The likelihood of a hacker planning and carrying out a full-scale attack against any particular network is remote. But should one occur, its effects could be devastating. Protection equipment, and the act of mitigating threats generally, is a type of insurance that organizations use to keep hackers at bay, as discussed in Chapter 3, "Security Technology and Related Equipment."
The most common threats organizations confront are those that come from within. Whether they are premeditated or inadvertent, the end result is usually the same. Human error can produce a nonmalicious DoS condition that, while innocent in origin, can still bring down a network.
Some breaches might appear innocuous on the surface, but they could result in serious damage if not immediately addressed. For example, a staffer who routinely borrows the phone line from the fax machine to dial in to his personal ISP opens an unprotected path to the Internet, bypassing the firewall entirely, that a hacker could discover. The staffer might know he is not allowed to do this, but his need to connect to his personal account through the ISP could outweigh his misgivings, particularly if he isn't reprimanded after the first few times. The more often he accesses his ISP and gets away with it, the more emboldened he will be to continue.
Aberrant activity must be addressed in security policies so that users can understand the spirit of what is expected of them.
Ideally, policy formulation teams should include users who are familiar with an organization's workflow to ensure that a policy reflects the workflow.
Policies that reflect workflow have the added benefit of exposing rules that are too cumbersome for users, avoiding the pitfall that is all too common with restrictive regulations: users go around them and typically create back doors in the process.
Security policies that take practical considerations into account have a greater potential to effect positive results.
Striving to Make Security Policies More Efficient
Identifying and planning for the natural weaknesses in security policies can be an effective tool to use when creating a comprehensive plan.
Breaches can be avoided when planners model a process before committing it to implementation. For example, a procedure might reasonably dictate that a particular room remain locked during business hours and assign responsibility for the key to one person. But if multiple users require access to the room to carry out their normal course of duties, frustration could ensue if the individual in charge of the key is not always readily available. Users might find a way to circumvent the rule by surreptitiously copying the key. It is understandable that the organization might need to control access to the room, but rather than creating an environment that inadvertently encourages underhanded activity, it could research more reasonable access measures, such as the authentication and authorization tools described in Chapter 3.
Ensure that a process exists to routinely review policies. Even the best-laid plans can require tweaking, and security policies should not be immune from postimplementation analysis. Organizations also change in size, structure, and the equipment they use; policies should be flexible enough to reflect any relevant changes to the corporation.
Continue to educate users on the importance of security and on what they can do to help. Most employees have strong positive feelings about their employer and, given the opportunity, genuinely want to make a difference in their workplace. An environment that encourages its employees to become active participants in the security process will be well positioned to deal with threats in the future.