By: Stu Sjouwerman
To some extent, establishing and maintaining proper information security is a balancing act. It involves formulating security policies to state what assets are worth protecting, how far such protection should go and what kinds of protection should be applied to them. User training helps to address the all-important human element in security. Finally, monitoring is necessary to ensure that security is working and protecting the right things. It also enables organizations to react quickly and decisively when a security breach occurs.
Failing to implement even one of these components can greatly increase your organization’s risk of attack or security breach.
A security policy is a document that establishes how an organization secures its facilities and information technology (IT) environment. Large organizations may have several policies, in separate documents, that represent a collective security policy.
The more complex the policy, the more difficult it is to maintain. In an SME environment, a best practice is to designate one person to be in charge of policy maintenance. That person can assign parts of the policy to different personnel, but he or she should be aware of all policy changes and any ripple effects.
The physical security of all things IT, such as switches, routers and servers, must be addressed. In addition, the policy should outline protection methods used to safeguard IT assets from unauthorized access and exploitation. It should also address the actions administrators and security personnel will take if a security breach occurs.
“I didn’t know.”
Those three simple words have led to severe security breaches in organizations large and small. User education and security awareness can stop most threats, including those launched by cybercriminals. A security policy is an organization’s blueprint for safe computing. When it’s followed, it acts like a shield against scammers. A policy stands a greater chance of success when everyone understands its importance and buys in to its terms. Employees need to understand why the policy is necessary, how to adhere to it and what will happen if they don’t. This is what security policy training is all about.
To get a security policy off the ground, management must agree that the policy is necessary. Then, managers must set an example by adhering to the policy.
Employees won’t be interested in training that focuses only on consequences and penalties. They need to understand what can happen to the organization—and potentially their jobs—if a major security breach occurs. Presenting problems from their perspective can help you gain their support. It’s also helpful to remind them that security can be very simple—that many security issues can be avoided by thinking before clicking.
Organizations change, and policies change, too. When changes occur, more training is needed. Therefore, an organization might consider offering security policy training in phases:
- Entry-level or introductory-level training for users who are new to the organization
- Periodic refreshers—perhaps quarterly or annually—to keep the users in touch with the security policy
- On-demand training as new scenarios or changes to the policy occur
After you’ve implemented a security policy, you need to ensure it’s having the desired effect. Ideally, you will want to validate all aspects of your security policy. Your validation and monitoring plan should include not only checking for unauthorized access attempts into secured building areas, but also recording and being alerted to unauthorized file access on the network.
To check on the state of your physical environment, you can conduct premises monitoring, which is the practice of monitoring multiple physical aspects of your environment. This may include areas such as:
- Parking lots
- Lobby and public waiting areas
- Unsecured employee areas, such as where receptionists or temporary workers are housed, or where conference rooms, cafeterias and restrooms are located
- Secured employee work areas, such as an area where only authorized employees have been granted access
- Secured resource storage areas, such as data centers and wiring closets
Why is physical security so important? Having physical access to a system gives an attacker a distinct advantage. For example, to access a network from the outside, an attacker has to traverse multiple firewalls, including network firewalls and host-based firewalls. Then he or she has to deal with authentication requests and prompts. If the attacker gets into the network, he or she might have to get past permissions configured on specific files and folders. However, acquiring physical access to a system on the network negates most of these protection mechanisms.
An attacker who gets physical possession of a system can boot the system from a CD or USB drive and then gain administrative access to the entire system. The attacker can then reset passwords, destroy or steal data and format the system before moving on. An attacker may also choose to disrupt system activities by forcibly rebooting machines or installing undesired hardware or software such as keyloggers. Premises monitoring can help you prevent cybercriminals from accessing your systems.
A premises monitoring system may consist of multiple devices and monitoring systems, including the following:
- Video cameras: Before attackers can get to the computer systems in a data center, they must gain physical access to the building. Video cameras in parking lots and driveways allow you to track people entering the premises.
- Door security: To keep the systems in a facility secure, the doors to the facility must be secured. Oftentimes when public access is granted to a facility, the entrance allows all visitors access to a sealed lobby area. Doors leading from the lobby to the user work areas and beyond are secured. Individuals who are allowed through those doors are admitted by a security guard or by technologies such as card readers or keypads.
Do security guards or technologies provide better physical security? It depends. It is certainly possible for attackers to steal key cards or other credentials to bypass either type of security. However, when a security guard is responsible for granting access to the inside areas of a work environment, there is an increased chance of successful attacks using social engineering. An attacker might be able to sweet-talk a night guard into granting access to a building, using a cup of coffee and a smile. Such tactics simply don’t work with an access keypad.
Stu Sjouwerman is Founder and CEO of KnowBe4. KnowBe4 hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, Sjouwerman teamed with Kevin Mitnick, the world’s most famous hacker, to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.