Archive for July, 2008

16 July

The Man and his Beautiful wife
Once there lived a man who had a beautiful wife. The man was so concerned about her that he never dared to take her to parties or public gatherings. He was afraid that someone would take his beautiful wife away. He got the best security system in place to protect the house from intruders. He had round-the-clock security for his house against trespassers. He planted several traps for intruders around the place. But in spite of all this, one fine morning he found his wife missing from his house, and finally came to know that she had been taken away by his servant. How did this happen? He had everything in place to protect his wife, but still he lost her.

The cross section of the story
Let’s go into this in detail. We are not concerned about the man or his wife; our only concern is the reason for this. As I said, he had the best security system in place, but he was not able to ASSERT that it was working. He had security guards against the intruders, but he never checked their credentials or integrity. He had several traps and controls too, but he was not able to preserve the confidentiality of them. This is the case with information security in many organizations. They have the world’s best access control in place; they have the best firewalls, IDS, or let us say the best technical and process controls in place. So obviously they have a feeling that they are 100% secure and that their information has no chance of leaking. In fact the truth is that they are the most vulnerable to attacks. Now the question is: if it is not technical controls or processes, what is the factor that influences information security to the greatest extent? It is the HUMAN FACTOR, nothing else. As you all know, in early times war was fought with weapons like stones, swords and knives; later it moved to guns and missiles; as technology advanced, nuclear warfare came; and now it is the time of information warfare.

Firewalls, Antivirus, IDS & Myths
In today’s business, for any organization, information is the primary and critical asset. It is this information that keeps the company in existence in its competitive world. So if the company cannot preserve the confidentiality, integrity or availability of its information (we information security professionals call it the CIA), the organization cannot exist in its domain. If the company needs to preserve the CIA of its information, it should understand the influence of the human factor. If it can understand this, we can say that it has started to know information security. Many organizations have a feeling that if they have a firewall, antivirus and an IDS in place, they are safe from attacks and have achieved 100% security. This is completely wrong. Technical controls contribute a mere 10% to information security. Deploying technical controls is the easiest part of information security; the most complicated part is, of course, the human element. Whatever processes you implement and defenses you build, if the users have zero awareness of the CIA of the information they handle, all you do is a waste. That is why organizations are spending more money and resources on user awareness, training, etc.

Information Security – Where should it start from?
Information security in any organization should start from the employees. The employees should know the seriousness of the data they handle and, of course, its value too. Many organizations have a false belief that an ISO (Information Security Officer) and a security team will make the organization secure; you can’t expect the Information Security Officer to make your organization 100% secure. The ISO is like all other employees; he has limitations. So if you need the organization to be secure, the employees should work together for the common objective of achieving 100% security (although 100% security is a myth, at least the organization will be at its best to preserve the CIA of the information it handles).

Employee background check
A proper background check should be done for each employee prior to appointment. Performing verification for the sake of doing it won’t be of any use (this is what most organizations do). The verification should cover past employment, the reason for leaving the past employer, criminal records and family background.

Employee Training
The employees should undergo awareness programs and training in information security, and the most important thing is that this should be interactive. Nobody likes long training sessions packed with solid technical and process material; instead it should be made interesting with case studies and role-play. There should be methods to measure the employees’ current level of awareness of information security. This can be done by tests or interviews. A training calendar should be prepared for the year, and of course information security should be a part of the induction process.

Security needs innovative thinking and creativity
The security team should think from the basic level and perspective, or I would rather say that the InfoSec team should come down to the employee level. This is where the real expertise of an information security professional lies. He should be able to communicate on their wavelength. You can’t expect an employee on the assembly line to have knowledge of social engineering. But it is possible to educate them on social engineering; for this the team should work out its own strategy. The training should be a continuous process, and the training program should be modified according to time and needs.
To conclude, an organization that treats information security as real and not as a show piece will have its policies and processes lined up to meet these challenges.

Thomas Kurian Ambattu

Category : General Security | security awareness | Blog
16 July

Hello,

Observing the traffic in Bangalore, you realize something important that you can apply to information security awareness management. Almost all drivers in Bangalore are “AWARE” of the traffic rules, and that is the reason why they have passed the driving license exam and received their licenses.

Traffic Rules and Security Awareness

But “AWARENESS” does not necessarily translate into BEHAVIOR (see the image above).

This is the situation with corporate information security awareness programs too. They focus very much on creating awareness through training sessions, posters, emails, etc. But how often do they go beyond awareness to check whether the awareness translates into “behavior”?

Anup

Category : General Security | security awareness | Blog
16 July

Hello All,

Sitting at the new international airport in Bangalore, I was thinking about the hue and cry the new airport raised. Of course, the fundamental problem was not the airport in itself, but the connectivity from Bangalore city to the airport. But, unfortunately, the airport ended up as the villain of the piece. Readers from India may be familiar with the whole story.

In spite of all the issues that have been raised, I am sure that it is only a matter of time before the airport proves its worth. The simple reason being that for “1” negative aspect, there are “100” other positive aspects to the new airport.

Sometimes information security works in the same manner. For the end user, information security means “restriction”: restriction of internet access, email, where you can go within the company, where you cannot go, etc. Hence, initially, as with the Bangalore airport, acceptance is low. But over a period of time people start seeing the positives. Some of the positives of good information security are:

  • More business, because customers are more confident
  • This means employees get more rewards (pay, promotions, etc.)
  • More business means the company earns more respect, which in turn makes employees proud and gives them more self-esteem

Good information security has many intangible benefits that people should see through to. Of course, a good information security manager will be able to see this and slowly guide his workforce through the period of change, just like the new Bangalore airport.

Anup

Category : General Security | Blog