IT Security and Engaging Users to Reduce Vulnerability
There is a lot of discussion going on about security in the cloud. With numerous advances in technologies of various sorts intended to secure our information and identities on the Web, how is it that security continues to be a growing problem? The answer lies in the Big Data the Web collects (read about the Internet of Things – IoT), the large silos of data now conveniently available in the cloud, and users who continue to hand access to all sorts of bad guys and malicious attackers simply because they do not understand that they – the users – remain the biggest vulnerability of all. Educating these users, and finding a way to get them to recognize their potential as a critical element in enhancing system security and reducing vulnerability, has become the larger challenge.
People are nothing more than another operating system, says Lance Spitzner, training director for the Securing The Human program at the SANS Institute. “Computers store, process and transfer information, and people store, process and transfer information,” (How Hackers Fool Your Employees)
Social engineering and finding ways to earn user trust have become widely recognized means of gaining access to systems and information. Any experienced computer security consultant recognizes that Microsoft Outlook is among the best applications to place in front of users when testing system security, because emails with malicious attachments (spearphishing) account for the majority of targeted attacks. And hackers aren’t resting on their laurels while users figure out that opening email from unfamiliar sources isn’t a good idea. Nope, not for a minute. Today’s flavor is “conversational” phishing, in which the attacker makes it appear that a real person is at the other end of the exchange. Hackers are patient, and they are willing to take the time to find a way in. Users, on the other hand, still tend to be somewhat complacent about security, and often operate under the belief that the IT security products and the IT department have it all under control. And no matter how many times they’re told not to click on strange email attachments, to change passwords frequently, not to reuse passwords, and to make passwords hard to guess… getting users to comply continues to challenge system administrators.
Communicating with users about the importance of adhering to password management and other security standards often falls on deaf ears for two reasons: users believe that system security is the IT department’s job, and users are made to feel stupid when they are chastised and punished by the very IT department that is supposed to be helping them. Rather than educating users and finding innovative ways to get them to participate in improving system security, IT administrators and security teams generally view users as part of the problem rather than part of the solution.
It’s a heated debate that can upset people on opposing sides. For instance, one RSA Conference presenter conducted a class on “how to patch stupidity,” Spitzner says. “He explained why people are stupid, how they’re stupid and how to fix stupid. It was a very emotional talk for me, because how can you sit there and insult the very people who can end up helping us?…” (How Hackers Fool Your Employees)
In order to build strong security that is better suited to protecting businesses from today’s variety of threats, IT security professionals and system administrators should engage in positive internal marketing for better system security, deliver improved education to build awareness among users, and actually engage users in the process of threat identification and detection. These users don’t have to be geeks or IT people; they can be average users who simply keep their eyes open for things that just don’t seem right. “People can become a detection system to improve organizational resilience.”