No wars are won through awareness…

In security, as in life, one is forced to make certain choices, certain trade-offs on how they focus their time and energy. If one is able to mass unlimited resources, one could come as close to fault tolerance and a secure position as is possible. But in the real world of IT one is faced with limited resources, whether they be knowledge, time, people, money or access to technology. I think it’s great that one can arm themselves with a Sun Tzu Art of War quote-a-day desk calendar and make declarations about how one would actually secure a complex, globally distributed network and how focusing efforts on user awareness training will fend off Mongol hordes riding against our golden palaces, but that is just not realistic.

To be clear (once again) I am not against user awareness training, I think it can potentially have benefit, but only once we have, at the very least, put in place the minimum set of bare bones security measures, then we can skip barefoot and joyfully through the glass shards that are human behavior. So what would this minimum set of bare bones security measures be, and which one of these would you de-prioritize to focus on a security awareness program, where in the following list (which is not in anyway exhaustive) would you recommend an organization prioritize user awareness training?

Desktop Security
– Anti Virus
– Anti spyware
– Personal firewall
– Host-based IDS/IPS
– Encryption
– Data Leak Prevention
– Patch Management
– Security Configuration Management
– Vulnerability Management
– Application Control
– Device Lock-down
– Network Access Control
– Other

Network Security
– Firewalls
– Segmentation/VLANs
– Network Behavior Analysis
– SIEM/Log Management for Security monitoring
– Anti Virus (gateway/http/email)
– Anti spam
– Vulnerability assessment scanning
– Penetration testing
– Other

Application Security
– Secure code scanners/web application scanners
– Threat modeling
– Segmented dev/test/production environments
– Web application firewalls
– IAM/User provisioning integration
– Active Directory integration
– SoD
– Application Activity Monitoring
– Other

Database Security
– DB vuln scanners
– DB transaction monitoring
– DB security configuration management
– DB Virtual patching
– Other

User Security
– Identity and Access management
– User provisioning
– Reduced sign-on (single sign-on is a myth)
– Secure Tokens/IDs
– User activity monitoring

Ok I can go on here but you get the point…now toss in a healthy dose of process coordination, a loving spoonful of work flow integration to enable auditing and transparency of change management, and a big heaping mound of extremely sophisticated, stealthy and malicious badness.

12 thoughts on “No wars are won through awareness…

  1. There are two sides to every argument, as always.

    My take on this is that _if_ you leave awareness rasing processes until _after_ you have done everything you list (and more) then you are missing a trick.

    You mention that in the real world of limited resources what should be “de-prioritized” in order to increase the priority of awareness raising. This assumes an either / or approach which I would suggest is somewhat blinkered.

    My take is this, the more people you can get thinking about InfoSec the more people you have in the army defending the castle. Eventually, you will build a critical mass where everyone is helping everyone else think about InfoSec matters. Than then builds momentum, which can only be a good thing.

    Yes, it is correct to say that the listed items (and others) are important, but implemented in isolation they will not be as effective as if they were part of an all round programme which indluded awareness.

    I’m not going to list them all, but a lot of the items you list require certain awareness levels to be reached in order for them to be operating at their best. Take Anti-virus, for example. If the user is not aware that opening an unsolicited email and attachement is a bad thing and that email happens to contain a new virus / torjan etc. not yet detected by the AV software then infection ahppens. With some education, this particular incident might be avoided.

  2. ummm…with all due respect, are ye daft? What you say may be true on small networks where most of the users are techies. On large, Enterprise networks, if you’re installing a database scanner _BEFORE_ telling your 60,000 users not to be opening executables sent from someone that they don’t know, you’re dead in the water. On large networks with large amounts of users, one of the best investments is training users early and often.

  3. @Dmitry

    And with all due respect if you think you can train 60,000 users to not open executables from someone they do not know, well, then you are probably already infected with Malware…but you feel that awareness training goes before all the database security – fair enough

  4. @apm

    Yes, Balance is important, so you would place awareness training near the top, and before any of the others are deployed, in terms of the activities an IT organization should be performing

  5. Pingback: Epistemological Relativism » Bare Bones Security

  6. Pingback: » Suggested Blog Reading - Thursday June 15th, 2007

  7. I’m unclear as to where Sun Tzu says this, but he wasn’t really a great user of e-mail, webcasts and other 21st century dissemination methods.
    Awareness is very important, think of it as propaganda. Which, by the way, has contributed to the winning of more wars than you give credit for.

  8. Amrit, I’m not sure why I seem to hit your hot buttons, but I want to make sure that you and I really understand one another. I agree that UA is NOT the end all and that it has it’s limits. Does it come before, after or during the implementation of technology controls? Yes, it has it’s place in all 3. I’ve never suggested that UA is the only answer. If that is what I believed why would I have spent my career as a techie in the trenches? I would have a job in the UA space. I know that people will do dumb things no matter how many times you tell them not to but that doesn’t mean that you quit telling them how to be safe. I also agree that you have to spend you time where you get your most ROI. More often than not it’s on the technology side. But you can still push for and practice everyday UA. It doesn’t have to be a formal class. It can be a quick email, comment, or tutorial. If everyone in IT that does understand security took a few minutes a week to do these things then it would make a lot more difference than a stuffy UA class or video. That is the kind of stuff that I’m talking about. That is why I use Sun Tzu, Dilbert and other things from time to time. Like them or not, think they are practical or not they do have benefit to some users. Everyone learns differently and relates to things differently.

    As for using my Sun Tzu calendar to secure my network that was really a cheap shot. There is a big difference in pointing out how things that he said hundreds of years ago can relate to security and trying to “fend off Mongol hordes” with his quotes.

  9. @Robnewby

    Propaganda is far different from awareness, it is almost like the anti-awareness. Disinformation, counter intelligence, and other forms of perception manipulation have certainly played a large role in War and will for the foreseeable future – isn’t this why the US Government runs a Muslim television news service, the amount of counter-intelligence during the cold war and WWII were overwhelming. Hell there is tons of it in IT Security. But the fact that perception manipulation can be an effective method of changing people’s viewpoints of others does not in anyway mean you can change user behavior

  10. @Andy

    I never said you used a Sun Tzu calendar to secure your network, but if you did that would be really stupid 😉

    FWIW – Sun Tzu is far more relevant to fending off Mongul hordes than he is to IT Security

  11. Actual “real-world” awareness may be the opposite of disinformation, but that’s not really what I said. Propaganda does not have to be disinformation, just the reporting of what you want people to believe to support your position, it could even be the truth.

    Security Awareness is very much like propaganda – it’s what you want the masses to believe and you do it by reporting a common message via many different channels. My security messages are always way over the top, in the vague hope that just one user will change their behaviour a little.

    Saying that changing people’s viewpoints does not in anyway mean you can affect their (user) behavior therefore sounds incorrect. An example: If a user believes that it is OK to keep his password on a post-it note because it will remind him what it is, and then I change his viewpoint to that of someone who is more vulnerable to attack, loss of information and everything that can happen because of that, he will adjust his behaviour.

    I think maybe Sun Tzu’s context was different to yours.

  12. “My security messages are always way over the top, in the vague hope that just one user will change their behaviour a little.”

    I would assume that your actual success rate was far less…remember every time you spread security FUD God kills a kitten

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s