Cloud Computing & Hosted PBX News – Dallas, TX

Security Admins: Prepare for Tomorrow’s Tech Trend Today

Every year or two, we face a new unstoppable IT trend that threatens the way we handle network security. Think instant messaging, USB keys, social media sites, and mobile computing. There are more on the way, as I wrote about last week, including Web 2.0 and cloud computing.

Tracking these new computing trends is important for IT admins: each one represents a new swath of opportunities for attackers to breach systems, steal data, and spread malware. Recognizing a trend early and managing it deliberately is essential to get a handle on the situation.

Just as there are five recognized stages of grief, I see a series of stages in the life of a security IT admin coming to terms with a new IT threat. Those stages are as follows: ignorance; peripheral awareness and recognition; denial or casual acceptance; strong opposition; and formal acceptance, followed by the creation of a solution or system to manage the potential threats the new trend creates.

When we first see a new trend emerging, we typically ignore it because it isn’t widespread enough to garner attacker attention. As it gains popularity, it usually becomes an avenue for exploitation and spreading malware, and we, as security professionals, have to take notice. In most cases, our natural tendency is to fight the new thing’s use, typically because we feel there is already an existing, managed, “better way” to accomplish the same task.

For example, I still don’t see the big need for instant messaging over email. As an old fart, I’m still trying to come to grips with the societal importance of Facebook. Nevertheless, if a technology has infiltrated the organization, we need to accept it and come up with a defense strategy.

One security policy to rule them all

One strategy to ease adoption of new technologies is to build into our official standing policies a general process for embracing them, rather than examining each one as a separate aberration and treating it as an ad-hoc one-off. For example, your policies pertaining to digital communications should be written to cover such technologies in all forms, no matter where they exist, rather than naming specific brands of software or even specific types, such as email and IM. If users are allowed to install any software they want, they should understand that company assets and data must be safeguarded no matter where they exist. That means if your entity has a policy that confidential business data and business-related communications (email, IM, and websites) must be encrypted, end-users should understand what that requirement means and where it applies.

It reminds me of the time when my CEO asked me to add a new sentence to our existing email policy stating that it was illegal to sexually harass someone using email — which had just happened at the company. My reply: “Shouldn’t sexual harassment be illegal no matter how it happens? I mean if the harasser used a fax, would that be more acceptable?” It’s the message, not the medium.

Secure the message (the data), and don’t let your policies get caught up in the minutiae that lawyers love to argue about. Then make sure users are aware of their responsibility to protect data, no matter where it exists, using today’s and tomorrow’s technology.

Let HR define the penalties for ignoring the rules. I’m not a big believer in firing for most first-time offenses, ignoring the obviously felonious behaviors. People make mistakes, and I’m not just saying this because I was the first person written up under an email policy I drafted years ago (for the same CEO mentioned above) when I accidentally sent a dirty joke (intended for my future wife and close friends) to a senior executive VP (who was as close to a nun as you could get). I became a legend in that company for being the first person punished under my own policy. I still remember my boss restraining herself from outright giggling as the CEO, shaking his head, handed down my punishment.

Tailor your security policy to fit

Accept that new trends will occur and that people will have legitimate needs (or, as I see them, strong wants) for new technology and products. Institute a policy-driven review process for any new technology that starts to invade the workplace. A standing committee can review the technology, rule on its appropriateness in the workplace, and either forbid its use or specify the controls under which it is allowed. The decision should be signed off by senior management. This committee should understand that many of its decisions will be debated again, and requests should be allowed to be resubmitted in later review periods.

For example, a year or so ago, Macs were outlawed in most corporate environments. Then the CEO and senior IT people were among their most prominent users. iPads went from being used as cute toys to displaying corporate data in a matter of weeks. Now many vendors are presenting iPad-only versions of their software.

IT security will be tasked with researching the threats and risks of each new technology and presenting them to management or the approval committee. A position paper, with the requisite pretty charts and pictures, should be created and presented for senior management to review and sign off. Depending on the decision, the security team should next research and deploy the appropriate defenses and controls.

Spot evolving trends early and manage them as an expected part of normal business policy, and both the user experience and the security posture of the environment will improve quickly.

Source

Brian