Monday, December 23, 2013

Risk, Recrimination, and Reporting: Detecting and Handling Breaches

I read Ericka Chickowski’s article on empowering employees to detect outside attacks earlier this month and I made some notes that have finally found their way into a blog…three weeks later.

Well, better late than never—especially when it comes to the importance of teaching effective employee behaviors. There is always something good to say about it. Here’s my sum-up of this article: Chickowski is 100% right, and she has some particularly notable quotes here.

Quote #1: "They should be teaching employees to spot suspicious activity and report it without fear of recrimination..." 

Yes, yes, yes. Fear of recrimination is the key here. Unfortunately, it’s hard to convince a person that they will not come under some form of scrutiny if they are victimized. In fact, many are not necessarily afraid of getting fired. Rather, they are just embarrassed by their own dumb mistake. This really is similar to violent crime victims who do not report crimes—often from embarrassment, shame, or a simple lack of faith in the authorities to handle it properly.


Quote #2: "The fact is that security has always been a game of reducing the odds of exposure rather than eliminating it."

This is exactly right. Risk management is not a 0-100% dilemma. It is just a minimization effort. Yet, IT security leadership may develop a “crying wolf” attitude when it comes to taking reports seriously (since the vast majority of reports will not be malicious). Obviously, this creates a vicious cycle.

Quote #3: "In many cases, human intuition may not kick in fast enough to prevent someone from falling for a phishing ploy or a malicious link altogether..."

There is a false perception that, once a successful attack takes place, the damage is done and the danger is past. Unfortunately, in the vast majority of circumstances, that successful attack was just a part of a campaign that can be repeated as long as it can be successful. That is why it is so important to react to and report even small suspicious events.

Quote #4: "Not only should this team be working to sift through these reports and triangulating them with logs and other detection technology output, but it also needs to establish solid and positive communication with the employees that send the reports to encourage future cooperation..." 

Correlating reported incidents with other data is key. Having a simple and painless way for employees to report events is worthless if no one is assessing those reports and correlating them with other event logs and resources.
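As an added illustration of what that correlation looks like in practice (this is example code written for this post, not from the article or from Chickowski), the script below takes one employee's phishing report and joins it against mail-gateway and web-proxy logs: it finds every other mailbox that received the same message, then checks which of those recipients fetched the campaign URL after delivery. The report, both log formats and all addresses are constructed samples; real gateway and proxy logs would need their own parsers.

```python
"""
Correlate a single employee phishing report with mail-gateway and
web-proxy logs to scope the whole campaign, not just the one reporter.

Added example, not code from the original post. All log lines, the
report, and the example.com / example-payroll.net names are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one report submitted through the employee reporting channel.
EMPLOYEE_REPORT = {
    "reporter": "alice@example.com",
    "reported_at": "2013-12-02T09:47:00",
    "subject": "Payroll update required",
    "sender": "hr-notice@example-payroll.net",
    "clicked": True,
}

# Constructed mail-gateway log: one line per delivery (hypothetical format).
MAIL_LOG = """\
2013-12-02T09:31:12 deliver from=<hr-notice@example-payroll.net> to=<alice@example.com> subject="Payroll update required" url=http://example-payroll.net/login
2013-12-02T09:31:15 deliver from=<hr-notice@example-payroll.net> to=<bob@example.com> subject="Payroll update required" url=http://example-payroll.net/login
2013-12-02T09:31:19 deliver from=<hr-notice@example-payroll.net> to=<carol@example.com> subject="Payroll update required" url=http://example-payroll.net/login
2013-12-02T09:40:02 deliver from=<newsletter@vendor.example> to=<bob@example.com> subject="December offers" url=http://vendor.example/offers
"""

# Constructed web-proxy log: who fetched which URL, and when (hypothetical format).
PROXY_LOG = """\
2013-12-02T09:45:30 user=alice@example.com url=http://example-payroll.net/login status=200
2013-12-02T09:52:07 user=carol@example.com url=http://example-payroll.net/login status=200
2013-12-02T10:03:44 user=bob@example.com url=http://vendor.example/offers status=200
"""

MAIL_RE = re.compile(r'^(\S+) deliver from=<([^>]+)> to=<([^>]+)> subject="([^"]*)" url=(\S+)$')
PROXY_RE = re.compile(r'^(\S+) user=(\S+) url=(\S+) status=(\d+)$')


@dataclass
class Delivery:
    time: datetime
    sender: str
    recipient: str
    subject: str
    url: str


@dataclass
class Visit:
    time: datetime
    user: str
    url: str
    status: int


def parse_mail_log(text):
    """Parse gateway lines into Delivery records; unparseable lines are skipped."""
    deliveries = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts, sender, rcpt, subject, url = m.groups()
            deliveries.append(Delivery(datetime.fromisoformat(ts), sender, rcpt, subject, url))
    return deliveries


def parse_proxy_log(text):
    """Parse proxy lines into Visit records; unparseable lines are skipped."""
    visits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, user, url, status = m.groups()
            visits.append(Visit(datetime.fromisoformat(ts), user, url, int(status)))
    return visits


def correlate(report, mail_log, proxy_log):
    """Scope the campaign behind one report and classify every recipient."""
    deliveries = parse_mail_log(mail_log)
    visits = parse_proxy_log(proxy_log)

    # Step 1: the campaign is every delivery sharing the reported sender and subject.
    campaign = [d for d in deliveries
                if d.sender == report["sender"] and d.subject == report["subject"]]
    recipients = {d.recipient for d in campaign}
    urls = {d.url for d in campaign}
    delivered_at = {d.recipient: d.time for d in campaign}

    # Step 2: a recipient "clicked" if the proxy saw them fetch a campaign URL
    # after their copy was delivered (earlier visits cannot be this campaign).
    clicked = {v.user for v in visits
               if v.user in recipients and v.url in urls and v.time >= delivered_at[v.user]}

    # Step 3: trust the reporter's own admission even if the proxy missed it.
    if report.get("clicked"):
        clicked.add(report["reporter"])

    return {
        "campaign_urls": sorted(urls),
        "recipients": sorted(recipients),
        "clicked": sorted(clicked),
        "not_clicked": sorted(recipients - clicked),
    }


if __name__ == "__main__":
    for key, value in correlate(EMPLOYEE_REPORT, MAIL_LOG, PROXY_LOG).items():
        print(f"{key}: {value}")
```

One report from Alice turns into a list of three affected mailboxes, two users who need a credential reset and a follow-up conversation, and one who should be warned before the next copy arrives. That is the difference between a report that is filed and a report that is used, and it is also the feedback loop the article calls for: the reporter can be told, concretely, what their report prevented.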

Someone has to make judgments about how to respond to reported issues—and, all too often, it is just low on the priority list. Responsible parties just hope against hope that no serious threats arise.

Now, does that sound like any way to manage security?
