When It Comes to Cybersecurity, Look Past Your Employees
Hardly a week goes by without media reports of a well-known business or agency having its data center hacked and sensitive information being stolen or damaged. When news of these attacks breaks, the cybersecurity industry does a lot of hand wringing and pontificating over what is to be done about the increasing frequency and sophistication of today’s cyber attacks.
Many security professionals are quick to blame the user. I’ve been in many a conference hall or closed-room meeting when the speaker, while sharing a story about how a user opened an email they shouldn’t have, turns to the audience and says with a knowing smile, “You can’t fix stupid.”
This kind of thinking really chaps my hide.
The Internet is an incredibly complex system of systems. Even individual computers are so enigmatic these days it’s tough even for experts to explain how everything works. I used to teach computer science back in my younger days (I think I still have the slide deck somewhere that explains how the CPU functions by adding 1s and 0s together really, really quickly).
But even I have trouble getting my head around the fact that adding 1s and 0s together at high speeds allows me to play World of Warcraft — complete with three-dimensional graphics and a head-set enabled communications system — with my friends in Korea. Even I think that somewhere between the 1s and 0s in the CPU and the “Trip to a Dark Portal” quest in World of Warcraft, something magic happens.
To expect that cybersecurity experts will know everything they need to know in order to stay safe on the Internet is debatable. To expect that from a normal user is laughable. Yet enterprise security teams continue to spend resources training employees to be security conscious; the idea being that if employees are the weakest link in the chain than that’s where we should spend a lot of time and effort in order to improve network security.
I respectfully disagree. Expecting non-security professionals to be able to identify and stop the intrusion methodologies of today’s cyber advesaries is unrealistic, costly and provides little benefit for the effort required.
By no means am I saying that employees shouldn’t receive cybersecurity training. But that training should be focused on making them aware of the organization’s security policy and procedures, not training them to be cybersecurity experts.
Users should know how to use the corporate VPN, where to store sensitive documents, how to construct a corporate approved password, how to authenticate, and who to call when they think they’ve done “something stupid.” We should not be spending time trying to make employees experts at spotting phishing emails or determining which web sites are good or bad based on how the URL looks.
Protecting the enterprise is the security team’s job. If one of your security team’s best security controls is relying on an end-user to stop the bad guy, then your program has some serious issues.
Instead, the security community should be designing systems that protect their employees. This will take work from both the vendor community as well as internal security teams, but it is possible. Threat prevention is the key. Security teams will never be able to keep out every advanced adversary, but they can make it extremely difficult. Here are some best practices:
- Deploy security controls at each point in the Kill Chain.
- Realize that these security controls don’t work by themselves out of the box. They must be configured to function in the manner that you want them to. You have to bend them to your will.
- Regularly capture metrics for each deployed security control to confirm it’s doing what you originally wanted it to do.
- Regularly review your initial network security needs so you can make appropriate changes. When done, go back to the top of the list and start over.
Threat prevention is an ongoing process; it’s not something that you do once and walk away. So stop spending time and money trying to make users security experts and start spending on improving your threat prevention program.
Rick Howard is the Chief Security Officer for Palo Alto Networks.
For further Information – http://www.wired.com/2015/03/comes-cybersecurity-look-past-employees/