Companies often rely too heavily on security technologies and ignore the impact a "human firewall," can have on security explains noted software security expert Hugh Thompson. In an interview with SearchSecurity.com, Thompson explains that social engineering attacks have made it extremely difficult for employees to weed out legitimate messages from those designed to trick users into giving up sensitive data.
We're approaching this crisis of trust because it is harder even for educated, security conscious, moderately paranoid people to tell the difference between a good or bad site or a good or bad email.
Hugh Thompson, chief security strategist, senior VP, Blue Coat Systems Inc.
Data loss prevention, Web filtering and antimalware technologies help boost protection, but Thompson says investing in creating a security-aware culture within the organization can make employees the last line of defense.
IT security teams need to balance risk mitigation with employee productivity, ensuring that employees can use the tools at their disposal to get their work done while protecting sensitive data. File sharing services, webmail, social networking and other online collaboration tools create an interesting challenge from a data governance perspective, Thompson said.
"How do I know where my data is going, where it is going to live, and what the policies are on it?" Thompson asked. "It's this world of IT that is moving outside of the lens of IT governance. For that reason, it's becoming a very important issue in information security."
Thompson, currently chief security strategist and senior vice president at Sunnyvale, Calif.-based Web security vendor Blue Coat Systems Inc., also holds the role of RSA Conference program committee chairman. He is the founder and chief security strategist at security awareness and secure coding training firm, People Security.
We're consistently seeing a social engineering element to data breaches. In some cases attackers don't need to exploit a software error, they trick employees into giving up their account credentials. Is user education failing in this area?
Hugh Thompson: This is the real crux of where security is today; that human element of security. If you were an attacker and trying to get into an organization, would you spend weeks and in some cases months looking for a specific unknown vulnerability in their systems or would you try social engineering? Find information about specific employees through social networking sites and then give them a call or shoot them an email. Of course you do the latter first because it is easier.
The problem is that most people aren't thinking about risk when they make those daily incremental choices to trust or not trust something. That trust/not trust decision has gotten so much more complicated. It used to be pretty easy to tell if someone is trying to rip you off. Today the problem is that these attack scenarios, through email or a website are boring and look like all the other boring stuff I have to deal with every single day. It's harder to tell the difference between something that looks like an attack and something that's legitimate. I think that we're approaching this crisis of trust because it is harder even for educated, security conscious, moderately paranoid people to tell the difference between a good or bad site or a good or bad email. I think education is still important but you also need tools that are going to stop that decision from ever being presented to the user.
Are the IT security teams failing at creating a culture of security? Does it take a long time to develop a culture of security minded individuals within an organization?
Thompson: In the industry that is a very controversial topic. I'm an optimist and an educator and so my firm belief is that people can improve when it comes to security. If they are given the right educational opportunities , the right training at the right time then over time they will become better and more resilient to attack. But if you talk to some chief security officers, I think they have had experience with bad training and they just closed their mind off to this just being a compliance exercise. When that happens you go down this dangerous road.
What does this dangerous road look like?
Thompson: You don't try to improve the security hygiene of the citizenry then you are betting the farm on third-party tools or compensating controls in the environment. I think more than ever it is this human firewall; those processes and thoughts that go through your head before you click on something or install a browser plugin that you've never seen before, that is becoming increasingly important. I think the range of security controls that sit between your enterprise and risk, those that manage the web are very important and I also think that those that sit inside your head and make those go/no go decisions are increasingly important.
How do I know where my data is going, where it is going to live, and what the policies are on it? It's this world of IT that is moving outside of the lens of IT governance.
Think about technologies like DLP. It's very good at addressing a special purpose problem and looking at structured data to figure out if it is going to places that shouldn't. But you can imagine an attacker that really wants the data, like a Social Security number and they realize that some sort of DLP software is running in the environment. We'll get to the point where it is worthwhile for them to create this highly personalized social engineering attack that mails a set of physical forms over to the victim, asks them to write that stuff out on the form and send it back through the mail. It not only doesn't hit the DLP system, it never touches any piece of technology. When you start to think down those roads, it's important to increase the human firewall. It's one of our greatest challenges in the security industry.
Do smartphones and other mobile devices complicate security strategies at enterprises?
Thompson: This move towards individuals having a choice with technology is the move of our time. Not just in IT, but in security as well. Think about how many different ways you can share a file with a colleague today. You can go on to whatever the corporate structure is to do so, maybe it is Sharepoint or something else. To use that thing maybe you have to VPN into the system or authenticate or login to it. Another option is to use a file sharing service like Dropbox. It is always on, it's just a folder that sits there. You don't have to be VPNed. Today you have that choice. The fact is that if you don't want to choose either of those ways to share the file, you have five other ways that are outside the purview of typical IT. I think that it presents an incredible opportunity for businesses because it lets employees get their work done faster and collaborate in new meaningful, innovative ways . But from a governance perspective, it creates an interesting challenge. How do I know where my data is going, where it is going to live, and what the policies are on it? It's this world of IT that is moving outside of the lens of IT governance. For that reason, it's becoming a very important issue in information security.
For a long time the security industry was not a very comforting place to turn to for advice when we had this problem because we had this culture of no. They would restrict Dropbox . That has kind of been our conviction, knee-jerk response: Just block it. But that's a pretty naive response because it doesn't incorporate the reality that people do have a choice. People are being asked to do more with less .I think it's a great struggle with our generation. We're asked to be more productive. We're asked to make sure we respond to that email that comes in at 9 p.m. on a Sunday. We're supposed to be always on and always productive, but yet policies inside the enterprise sometimes hold us back with technology instead of enable us with technology. If you look at where IT security as a discipline will change going forward, we're going to move from this "department of no," which is where we are right now, to this "department of yes and let me help you make this happen." They will be the people that are going to de-risk some of the activities that employees want to do and frankly what employees will do.
For a lot of companies mobile is a big shift. We no longer have an agent that is on the device. There are thorny issues around e-discovery. What happens when the company is sued and we have to confiscate the device? I don't think the answers to many of these questions are baked yet. People fall into three camps from what I can tell: One group says we need to think of mobile devices the same way thought of laptops and put some type of monitoring agent or antivirus on the device. Another group is thinking of ways to be innovative by addressing the problem on the network. And another group is thinking of instrumenting corporate applications and protecting them in some way. You're seeing a lot of effort on all three of those fronts, but I think the paradigm that is going to win is the one that allows users to make the choices that they want to make and have the security guys in the background figure out how to make all those things reasonably safe.