TECHNOLOGY originally published on DaftBlogger.com
By Antonio Ieranò on September 29, 2013 at 7:45 PM
OK, I confess I am quite bored of listening to all those knowledgeable IT security experts talking about what is needed to secure a system. Everyone has his own point of view; of course they’re right when they say we need endpoint security, mobile protection, anti-malware, anti-hacking, DLP, advanced threat defense and protection. We all know we need firewalls, IPS/IDS, encryption systems, SSO, 802.1x, strong authentication, anti-virus, anti-everything, application- and context-aware systems, but what is the point? It seems to me that behind all the technicality we are losing sight of a focal point: security, even within the IT sector, is a matter of human behavior.
I do not dispute that a patched system is harder to hack than an unpatched one, but the point is: where was the careful planning before? We can, of course, employ DLP, SIM, advanced threat defense systems, firewalls and so on, but how can they save us if we do not understand what we need to protect? And, even worse, how can we even think of implementing any security measure if we do not know what to protect?
From where should we start?
Probably we should start from the basics, considering what we need to protect starting from the very beginning. And at the beginning there is a human being who wants to interact with another human being through a process.
Of course we filled our systems with great security garbage all around the process box, and we also put in place all those great barriers that make it harder for the user to use the process’s own instruments.
And, adding and adding, we realized we need a SIEM to monitor all this crap, and control systems, and dashboards and smart whatever and….
I said it all but…
Wait a moment, are we missing something here? Here are some considerations:
- Who is the guy/girl that wants to “communicate” with the other guy/girl to do something that both consider “valuable” for some unknown reason?
- How do they want to “communicate”?
- What do they want to “communicate”?
- Why do they want to “communicate”?
- Why do they need to “communicate” in that specific way?
Isn’t it funny that those considerations are still the key points for any successful security project? The 3 main subjects of ANY security implementation should be: the human sender, the human receiver and the process involved. Therefore there is no such thing as a successful security implementation without digging deeper into those 3 aspects. Of course, this requires a careful interaction between the so-called security expert and all the players involved in the security process, because human and technical aspects are strictly connected.
There can be no security if security is not perceived as a value by the stakeholders of the process; you can put in place all the rules you want, but it will eventually fail. The worst scenario is that people will stop using the process and build a parallel one that is more suitable for their needs. This is the main cause behind security project and implementation failures; it is not a matter of technology but of not carefully evaluating the human factor.
Things like planning and training are not naïve requirements in an implementation but the most valuable asset of the project.
Funny enough, all the statistics and literature we find on the internet state that the biggest threat of all is always the user, whether skilled or not. The bad guys already know it, and social engineering is not a recent invention as far as hacking is concerned. It can be done on purpose, or by mistake, or simply by looking for a way around a crazily restrictive policy. Eventually, though, a user will breach your security.
Alas, doors are slammed in our faces when we try to explain that security is only in part a question of how I encrypt a disk or how I harden a server. At the end of the day, what should a CSO worry about? Basically speaking, that rules and processes are built to be secure, among other means through the use of technology, but not because of the technology implemented.
All we do is related to our interactions with other human beings; the rest are “tools” to implement a process. As human behavior and technology change, we change the tools, we discover new needs, we create new processes, so security needs to adapt, and IT people should drive the change from the process point of view. Otherwise we will continue to have security breaches, PRISM and Snowden cases, Anonymous groups, and we will again be forced to suffer unpleasant surprises due to humans bypassing all those so carefully implemented security systems.
Go on, buy your firewall