Monday 19 May 2014

How to Inculcate a Cyber Security Culture Throughout an Organisation

By James McDonagh (Technical Services Manager, Titania)

About the Author

James joined Titania with a background in both project and personnel management in various organizations, including blue chip companies. He has technical experience across various sectors, and is currently responsible for managing the development, testing and support functions of the company. Outside of work he recently completed his first sky dive!


Recently on a train, I overheard a conversation about herbal cigarettes. At an unspecified time in the past, a lady was quitting smoking. She used these as a substitute. They look and smoke just like a regular cigarette, but contain no tobacco. You can buy them at a chemist.

She had been smoking one of these things in a pub, and was asked to leave because the pungent odour led the manager to believe the ‘herb’ in question was the kind defined by the Urban Dictionary.

I was surprised by this story. Of course, in the UK it is now illegal to smoke indoors. It only transpired later that this incident occurred before the ban.

The very thought of smoking inside these days is culturally anathema. The legislation preventing smoking in enclosed spaces came into force on 1st of July 2007. Backed up by advertising and warning labels, it seems to have become a social norm.

Cyber security as a cultural norm, or at least a thorough appreciation of the issues, is surely something to strive for. The easiest opportunity will be the one attacked, and any organization is only as secure as those in its supply chain.


PwC 2013 Information Security Breaches Survey
The 2013 Information Security Breaches Survey conducted by PwC tells us that:

• 87% of small businesses had a security breach in the last year (up from 76% a year ago);
• 36% of the worst security breaches in the year were caused by inadvertent human error;
• 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year ago);
• 42% of large organizations don’t provide any on-going security awareness training to their staff (and 10% don’t even brief staff on induction);
• 93% of companies where the security policy was poorly understood had staff-related breaches (versus 47% where the policy was well understood).

Amongst (most) IT professionals there is a fundamental understanding of IT security practices. We would not click on every link we see, nor plug just any USB drive into a machine. There is already a culture of this embedded in our clique.

But how do we go about establishing this and other security practices as normal behaviour in the wider user community? In the earlier example of the smoking ban, there has been a shift from a ‘top-down’ legislative imposition to a widely accepted social rule. Peer pressure is now as likely to prevent smoking indoors as the threat of a fine.

Similarly, rules and technical solutions will only take you so far in preventing security breaches and data loss. A good social engineering attack can gain ground no matter how well locked down your network is.

Some of us are old enough to recall a time when PCs were a rarity in the office outside of a thinly staffed IT department. We now live in a world where we are all in ‘The IT Crowd’ to some degree. However, cyber security continues to be a niche area. While no one would expect everyone in an organization to possess the skills of PenTest Magazine readers, we are at a point where a basic understanding of cyber security needs to spread throughout the workforce. Indeed, one could argue that it is more important than the skills which are more often prioritized, such as MS Office.

The starting point is a workplace policy. You can create one from scratch, based on what the priorities are in your business. Alternatively, there are numerous policy templates that can be downloaded from the Web.

Of course, most of the organizations using Pen Testing will already have a policy in place, but how do they go about ensuring that it is understood and implemented by all members of staff? And better yet, how do you reach the point where it is embedded into the culture of your organization, where one employee will challenge a colleague over poor IT hygiene practices?

As the PwC survey indicated, both induction and regular on-going training should be scheduled in as a starting point. Once you have decided upon your workplace security policy, you could use a policy checking tool such as Titania’s Paws Studio.

Paws Studio will help you enforce and check that your work machines are compliant.

Paws Studio, just like Nipper Studio, is very easy to use. You will also find a more detailed walk through elsewhere in this issue.

While the software naturally comes with pre-installed policies for PCI and many other compliance standards, the user-generated/customizable policy option is the ideal tool to appeal to users in this arena.

Customizing your policy could hardly be more straightforward.

While readers of PenTest magazine will generally like to edit the XML themselves, there is an editor which allows a further two ways of editing the policy file.

For, say, a small business owner with limited IT knowledge, the most convenient tool is probably the Wizard.

This maintains the hierarchical requirements of the XML while providing a more user friendly method of creating or customizing your Policy.

Once you have installed and started Paws Studio, select the Policy Editor from the bottom right of the home screen (see Figure 1).


Figure 1. Paws Studio main screen

When the initial screen opens, select the Wizard button on the left (see Figure 2).

Figure 2. Policy Editor wizard selection

In this example, I have chosen to use the supplied Titania template, which comes as a sample pre-defined policy. Opening it provides some summary information (see Figure 3).


Figure 3. Policy Editor

At the top of this screen, you can see the three levels of the hierarchy in the policy file, which are: Requirement, Group and Check. In the next screen shot (see Figure 4), I am at the Requirement level and choose to add a Group.


Figure 4. Selecting requirement

I call this Group ‘Antivirus check’, and add the Check in at the next stage (see Figure 5).


Figure 5. Adding AV Check

In the next section, you are able to add the details of your specific Check. I give it an ID and a Title, and then I am able to choose from one of the supported checks. For example, Manual Checks are Checks where the user needs to perform some kind of check themselves – for example, ensuring that a suitable lock is fitted to the server room door and that it is used. Naturally, Paws Studio can also automatically check for various issues on an individual machine. In the example here I am looking for suitable antivirus software, but other examples include (but are not limited to) password policy, system updates and installed software (see Figure 6).


Figure 6. Check

On the final screen, you can review all the checks in your file and save it for later use during a Paws Studio audit (see Figure 7).


Figure 7. Review and Save

So with both the training and the regular checks on your machines using software like Paws Studio, you can go a long way in terms of both explaining and enforcing your security policy.



But we can do more. Of course, for the readers of this magazine, we certainly hope that organizations will regularly engage the services of a Pen Testing company. However, it is also worth considering setting up a method to regularly check the response of your employees to some of the most common types of attack.

At Titania, we set up a webserver and used it to run mock phishing attacks against our employees. It was very straightforward: we just used a virtual machine, an Apache web server and a variety of email accounts to run some attacks. It was then simply a matter of checking the logs to see who had responded. I am very happy to say that we had no responses from our employees – they are obviously very well trained!

Of course, once you have the web server, you can use it in the future to run more ‘attacks’. It is worth doing it often to both judge how aware your staff are of your policy, and to keep it fresh in their minds.
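One way to turn those web server logs into an awareness metric, as an added example that is not Titania's code: it parses constructed Apache combined-format lines from a mock-phishing server in which each employee's e-mail link carried a unique token, and reports who clicked and who went on to submit the form. The /t/&lt;token&gt; path, the /login form and the token-to-name mapping are assumptions made for this example.

```python
import re

# Constructed sample of Apache combined-format log lines from a mock-phishing
# web server (invented for this example, not Titania's data). Each employee's
# e-mail carried a unique link /t/<token>; a GET on it is a click, and a POST
# to /login whose Referer carries the token is a submitted credential form.
TOKENS = {"a1b2c3": "alice", "d4e5f6": "bob", "g7h8i9": "carol"}

SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2014:09:12:01 +0100] "GET /t/a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/May/2014:09:12:09 +0100] "POST /login HTTP/1.1" 302 0 "http://mock.example/t/a1b2c3" "Mozilla/5.0"
10.0.0.7 - - [19/May/2014:09:40:33 +0100] "GET /t/d4e5f6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [19/May/2014:10:02:11 +0100] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.5 - - [19/May/2014:10:05:45 +0100] "GET /t/a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r"/t/(?P<token>[A-Za-z0-9]+)")


def analyse(log_text, tokens):
    """Per-employee click and form-submission counts, keyed by name."""
    results = {name: {"clicked": 0, "submitted": 0} for name in tokens.values()}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        if m["method"] == "GET":
            hit = TOKEN_RE.search(m["path"])
            if hit and hit["token"] in tokens:
                results[tokens[hit["token"]]]["clicked"] += 1
        elif m["method"] == "POST" and m["path"] == "/login":
            hit = TOKEN_RE.search(m["referer"])  # which link led to the form
            if hit and hit["token"] in tokens:
                results[tokens[hit["token"]]]["submitted"] += 1
    return results


def summary(results):
    """Headline figures for the staff meeting: people (not hits) who clicked or submitted."""
    staff = len(results)
    clicked = sum(1 for r in results.values() if r["clicked"])
    submitted = sum(1 for r in results.values() if r["submitted"])
    return {"staff": staff, "clicked": clicked, "submitted": submitted,
            "click_rate": round(clicked / staff, 2) if staff else 0.0}
```

Counting people rather than hits matters: one curious employee clicking the same link three times is one awareness gap, not three.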

This is a simple method of testing your training methodologies and generating debate amongst staff. There are probably many similar techniques you can use.

For example: insert a point in your policy document that USB drives found on or near work premises should be handed to a nominated person in your organization, then liberally sprinkle a few cheap USB drives around the area.

If, when you check the drop locations, the drives have disappeared but have not been handed in, the matter can perhaps be raised at the next staff meeting. If, for some reason, USB drives are not locked out on your company hardware, you could perhaps have a text file on the drives with something like: ‘Oops, you have breached security policy point X’.

One very important point that needs to be made here: this is not about punishing or tripping up employees. It’s about lighting those metaphorical cigarettes in the workplace, and seeing who responds appropriately. Those who do can be used as good examples or torch-bearers for the rest of the team.


So, this gives you – or your clients – a simple three-pronged approach to building the IT-aware culture we should be aiming for:

• Codify a policy;
• Enforce it [regularly];
• Test it [regularly].

The fourth important ingredient is, of course, time for the policy to permeate and percolate until it becomes normal behaviour.

Perhaps the more businesses that adopt this or a similar approach, the more exacting those businesses will become in their interactions with other organizations. If that happens, such a culture might start to spread exponentially.

Poor cyber security, like smoking, is an expensive bad habit. Unlike smoking, it can have very bad consequences for more than just the user and those near to them.

