Editor's Note: This guest blog post is from John Andrew at Honeywell.
In my last ‘Securing the Human’ blog, we looked at the need to persuade key decision makers – encouraging them to go beyond a ‘Check the Box’ Security Awareness mentality. We looked at the wildly successful ‘Smokey the Bear’ awareness campaign, and discussed how Security Awareness can become a part of our corporate cultures. There is, however, a real problem with my argument for Security Awareness. The ‘Smokey the Bear’ wildfire prevention campaign has been successful in raising awareness and reducing the number of forest fires. Despite the fact that it was hugely successful, we still have fires. Likewise, even with benefits like a significant reduction in system compromise, Security Awareness efforts will not completely eradicate compromise by malware. Awareness especially won’t stop attacks by ‘APT’ actors: sophisticated and systematic Advanced Persistent Threat groups.
The IT Security world has key leaders – with significant influence – who are very quick to point out the limitations of Security Awareness. Great minds like Bruce Schneier advocate that systems should be designed with security in mind, and that these systems should prevent compromise. In one blog post, Schneier is quick to point out that all it takes is one employee to be compromised for the bad guys to get in. In theory, I agree with Schneier. I actually look forward to a day when computer systems have ‘six nines’ or 99.9999% reliability in preventing malware compromise.

Recently, a number of new endpoint protection products have taken a significant step in that direction. Using phrases like ‘virtualization,’ ‘sandboxing,’ ‘hypervisors,’ and ‘microvisors’ – these new products work by isolating potential malware and preventing it from gaining a foothold on a system. But there is still a significant problem with these new endpoint protection solutions: they are not perfect. Their weakness is that they rest on foundations of Operating Systems (kernels) or hardware that have either known or potential vulnerabilities. It is only a matter of time before determined actors exploit these vulnerabilities. When they do, we are back at square one – with a compromised machine.

Perhaps one day we will have endpoint protection solutions that approach ‘six nines’ in reliability. Even then there will be a ‘Human Element’ to security. If attackers cannot gain a foothold through malware, they will seek information through Social Engineering attacks. As such, we will continue to need Security Awareness efforts to ‘Harden the Human OS.’ The return-on-investment upside of Security Awareness efforts is supported by metrics that show employees are becoming more resistant to phishing or theft, that employees are engaged and are reporting attempts at compromise, and that your SOC (Security Operations Center) is identifying fewer compromises on computers. Cost savings can be significant.
Fewer compromises mean fewer systems having to be reimaged, and less downtime for our business leaders and employees while those systems are being reimaged. Your Security Awareness efforts won’t be perfect, but then again – there is no perfect technical solution available either. Go beyond ‘Check the Box’: ‘Harden the Human OS.’
John Andrew's Bio: John supports Honeywell Global Security Awareness efforts as a Project Manager (PM). His IT experience has been varied and extremely interesting, requiring massive amounts of lost sleep. John has been involved in systems development, database administration, ERP implementation and Security, SOX Compliance, IT Audit, PM for Vulnerability Assessments / Penetration Testing and Remediation efforts, and various Corporate and IT Risk Assessments. His interest in IT and Network Security began with his tenure at Internet Security Systems (now IBM) — where everyone from the CEO to the janitorial staff ate, drank, and lived security.