We live in difficult and frustrating times in the world of Information Security. New vulnerabilities come to light every day, nation-state actors are involved, and attacks reach down as far as the smallest of organizations.

Through all of this, we are looking at more and more complex security tools, surprising (and sometimes limiting) regulation, and operating system vendors who are releasing a stream of buggy code. It can feel dark, but despite all these circumstances, there remains a ray of light that, if exercised, can mitigate many, if not all, of these concerns. And it’s simple. To enjoy this mitigation, we must get back to basics!

Basic 1: Education

An educated user base is far less likely to be tricked into opening an infected file or following a risky link. Educated users also take their security knowledge home with them and avoid bringing infected files into the office.

Education should be:

  • Current
  • Frequent
  • Visible

An email, poster, or meeting reminder can prevent significant loss when an employee thinks before they click.

Training also needs to be pervasive. Everyone from the boardroom to the mailroom needs to have basic information security training.

Custom training should then be crafted to each job function. In this way, security is maintained, not by the information security team, but by each individual in an organization!

Basic 2: The Principle of Least Privilege

The Principle of Least Privilege means that everyone within an organization has the privilege necessary to do their job – but no more.

The Principle of Least Privilege can be achieved through role-based access control, proper identity management, and automatic defaults to low privilege levels. Even administrators should be subject to careful logging of all actions taken with elevated privilege.

The use of elevated privilege should always be tied to a work item or request.

As Juvenal, the 2nd-century Roman satirist, wrote, “Quis custodiet ipsos custodes?”

The problem of people in a privileged position needing supervision (in our case logging and control; in Juvenal’s, an unruly queen) is not new. Required use of ticketing, sudo or runas, and high levels of logging promote both good practice and non-repudiation.
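One way to turn “elevated privilege tied to a work item” into a check a security team can actually run is to correlate the sudo log against open tickets. The following is an added example, not the author’s code: it assumes sudo is logging to syslog in its standard format, and the log lines and work-item list are constructed for illustration (a real deployment would pull the work items from the ticketing system).

```python
"""Flag sudo elevations that no open work item authorises (added example)."""
import re
from datetime import datetime
from typing import Optional

# Standard sudo syslog line: "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
YEAR = 2024  # syslog timestamps omit the year; the constructed sample is from 2024

# Constructed sample log: three elevations, only the first covered by a ticket.
SAMPLE_LOG = """\
Mar  3 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:16:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar  3 13:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
"""

# Constructed work items: who may elevate, for which command, in which window.
WORK_ITEMS = [
    {"ticket": "CHG-1042", "user": "alice", "cmd_prefix": "/usr/bin/systemctl",
     "start": "Mar  3 09:00:00", "end": "Mar  3 10:00:00"},
]


def _parse_ts(s: str) -> datetime:
    """Parse a syslog timestamp (no year) into a datetime."""
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")


def parse_sudo_log(text: str) -> list:
    """Return one dict (ts, user, target, cmd) per elevated command in the log."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = _parse_ts(d["ts"])
            events.append(d)
    return events


def find_ticket(event: dict) -> Optional[str]:
    """Return the ticket that authorises this elevation, or None if nothing covers it."""
    for w in WORK_ITEMS:
        if (w["user"] == event["user"]
                and event["cmd"].startswith(w["cmd_prefix"])
                and _parse_ts(w["start"]) <= event["ts"] <= _parse_ts(w["end"])):
            return w["ticket"]
    return None


def unauthorised_elevations(text: str) -> list:
    """List elevations with no matching work item, formatted as 'user: command'."""
    return [f"{e['user']}: {e['cmd']}" for e in parse_sudo_log(text) if find_ticket(e) is None]
```

Anything this returns is a conversation to have with the user and their manager, not an automatic block; the point is that every elevated action is traceable to a named person and, ideally, a named reason.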

Basic 3: Individual Responsibility

If something goes bad, users should not fear taking responsibility for their actions. Swift response often relies on an individual being willing to stand up and say “Oops!”

If organizations view the revelation of missteps as punishable, staff will not be willing to step forward and admit (and often prevent) a larger problem. The helpdesk call saying, “I clicked on something, and now my machine is acting oddly” is far better than ignoring, hiding, or covering up the error. It is far easier to mitigate risk to the organization when a potentially infected machine is swiftly removed from the network and an employee is forthcoming with information about what they did.

Following these basic principles does not replace a good program of information security, the use of technical tools, and strong policy, but it’s a great foundational start. It also helps limit exposure to many of the otherwise preventable security risks that every organization faces.

Michael Weisberg, Chief Information Security Officer

Michael D. Weisberg, CISSP, CSM, is Vice President of Information Security and Assurance Services at Garnet River LLC and the Director of Cyber Security Programs at the School of Professional and Continuing Education at the Sage Colleges in Albany, NY. As an information security leader and subject matter expert, Michael has been a contract CISO for several organizations.
