ADDRESSING THE HUMAN ELEMENT OF SECURITY: AWARENESS & TRAINING PROGRAMS


This post was originally published by (ISC)² Management

Did you ever hear the story about the hyphen that cost $80 million? In the infancy of the United States’ space program, a programming error resulted in a forced abort of a rocket early in its flight to prevent possible injury along its crash path. Or how about the time a pilot miscalculated the required fuel for a flight from Montreal to Edmonton? These are both fatal examples of how human error can have serious consequences.

In our hyper-connected world, our errors can have damaging consequences. Sometimes the harm is minor, as with the “Melissa” macro virus of 1999, in the early days of computer viruses. More recently, however, the damage can be far greater, as in 2017 when the majority of National Health Service (NHS) operations suffered disruptions as a result of the global WannaCry ransomware outbreak. The error in that case was a mishandled classified government tool that was leaked to the public.

The best way to combat human error is through training and awareness. However, most folks regard security awareness training as boring, dry or unnecessary. Most people are confident that they could never fall for a scam. Sadly, this is a common refrain among many victims. These misguided mindsets cause one to seriously wonder: what are some of the ways that human error can be mitigated, and who are the folks best suited to carry the torch of awareness?

Security practitioners understand the problems

A security practitioner is specially trained to understand the attack vectors that scammers use to gain control of a system. Exploits to systems come in many forms and from all available avenues. Scammers will try each one until they succeed. However, no matter how technical the underlying mechanism, most of the attacks rely on compromising the human.

One of the jobs of a security practitioner is to understand and apply technical controls to combat some of these attack vectors. Along with that understanding, the security practitioner knows what methods they can use to best raise the level of security awareness of an organization.

It all begins with an understanding of risk

The security practitioner has an understanding of risk. Whether the formal framework is authored by the National Institute of Standards and Technology (NIST) or comes from one of the many other available publications, the security practitioner is an essential part of any risk assessment team. Those not trained in risk management may derail an assessment by presenting scenarios that are not only irrelevant to the particular business but also not grounded in reality. A security practitioner’s attendance at risk assessment meetings can mean the difference between a well-conceived plan and a wasted trip down the path of magical thinking.

Proper access control can mean the difference between a successful and a failed exploit

Who has access to the critical systems? Do all people with access have the appropriate level of access? Has access to the systems been removed from those who left the organization? These are all questions that a security practitioner has the ability to answer, and more importantly, the skills to implement. Careful application of access controls can mitigate the damage of a targeted attack.

Proper security awareness training of the staff also elevates the importance of the concept of access control. Towards this end, a manager will know that it is not only the responsibility of the security team to monitor system access. They will know that everyone has a stake in making sure that the staff has the appropriate level of access to a system.

Sound security operations can minimize an attack surface

Along with the practice of good access control, security operations are an essential element of controlling activity on a network. The problem of “authorization creep”, whereby a person moves from one job function to another yet retains permissions from their old position, can produce great damage if that person’s account is targeted. Network segmentation, port filtering and mobile device management all form the necessary elements of a defense-in-depth strategy. When staff are trained in security awareness, these protective measures make more sense and are no longer treated as unnecessary inconveniences.
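The access questions above (who still has access after leaving, who holds more than their job needs) and the authorization-creep problem can both be checked mechanically in a periodic access review. The script below is an added example written for this article, not (ISC)² code; the role-to-entitlement baseline, the entitlement names and the sample accounts are all constructed and hypothetical.

```python
"""Access review: flag departed users whose accounts are still enabled, and
'authorization creep' (entitlements left over from a previous job function).
All data below is constructed; role map and entitlement names are hypothetical."""
from dataclasses import dataclass, field

# Hypothetical baseline: the entitlements each job function is expected to hold.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing:agent", "ad:password-reset"},
    "finance":  {"erp:ap-clerk", "fileshare:finance-ro"},
    "dba":      {"db:prod-admin", "vpn:dc-access"},
}

@dataclass
class Account:
    user: str
    role: str                  # current job function per HR
    employed: bool             # False once HR records the person as departed
    enabled: bool              # whether the login is still usable
    entitlements: set = field(default_factory=set)

@dataclass
class Finding:
    user: str
    kind: str                  # "departed-enabled" or "authorization-creep"
    detail: str

def review(accounts):
    """Return one Finding per account that violates either condition."""
    findings = []
    for acct in accounts:
        if not acct.employed and acct.enabled:
            # Access should have been removed when the person left.
            findings.append(Finding(acct.user, "departed-enabled",
                                    "still holds " + ", ".join(sorted(acct.entitlements))))
            continue
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())
        if excess:
            # Permissions retained from an old position: authorization creep.
            findings.append(Finding(acct.user, "authorization-creep",
                                    "beyond role %r: %s" % (acct.role, ", ".join(sorted(excess)))))
    return findings

# Constructed sample: alice moved helpdesk -> finance but kept the reset right;
# bob left but his login is still enabled; carol is a DBA with a clean profile.
SAMPLE = [
    Account("alice", "finance", True, True, {"erp:ap-clerk", "fileshare:finance-ro", "ad:password-reset"}),
    Account("bob", "dba", False, True, {"db:prod-admin", "vpn:dc-access"}),
    Account("carol", "dba", True, True, {"db:prod-admin", "vpn:dc-access"}),
]

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f.user, f.kind, f.detail)
```

In practice the account list would come from the directory export and the role baseline from HR, with findings routed to the manager who owns the role rather than only to the security team.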

The correct security awareness training for an organization

Security awareness can often be met with groans and resistance from the staff. Just as risk assessment must be tailored to a particular business, the choice of a specific kind of security awareness program can mean the difference between a successful training campaign and a failed one. There are multiple professional security awareness training offerings available to an organization. Some offer traditional quiz-styled engines as well as phishing simulations. More recent innovations include creative approaches, such as security “escape room” exercises. A security practitioner is uniquely equipped to assess these offerings to decide which works best for an organization. Sometimes, a mixture of home-grown creativity coupled with a professionally curated presentation is the correct formula.

Read more here: blog.isc2.org
