Network World

Richard Stiennon

DHS still having trouble handling Top Secret Information

By stiennon on Tue, 07/29/08 - 10:18am.
A recent report out of the DHS's Inspector General's office raises concerns that the Department of Homeland Security is still not taking adequate precautions to protect sensitive information. From the article at Federal Computing Weekly:

“Procedural and operational issues, however, remain regarding the effectiveness of the implementation of the department’s intelligence security program and system controls,” the report said. “Furthermore, the department has not yet fully addressed the issues and recommendations that we reported in fiscal year 2006.”

What I find alarming is that the Inspector General's report recommends, as a solution, security awareness training! From the actual report:

To better manage and execute the responsibilities regarding the department’s information technology security program for its intelligence systems, we recommended that the Under Secretary for Intelligence and Analysis, through the Director, Information Sharing and Knowledge Management, issue formal guidance for the department’s intelligence activities and establish an information systems’ security education, training, and awareness program for intelligence personnel.

Sorry Charlie, an information security education program does not make information secure. Technology, policies, procedures, and enforcement do that, with a heavy emphasis on technology. If "intelligence personnel" are walking away from their terminals without logging out, implement proximity sensors. If they are forgetting to hit the "encrypt" key on emails, deploy a DLP solution that knows when to encrypt. Or encrypt everything.

If the Under Secretary for Intelligence and Analysis (Charles E. Allen) issues formal guidance to DHS on user awareness training, the net impact will be zero and next year the Inspector General will be issuing yet another disappointing report.

Training not Important?

I find your opinion on the situation particularly alarming. One of the biggest vulnerabilities of any network is its users. While you may have seven-layer security, guards at the racks, and every inch of your building locked down, all it takes is one well-meaning authorized user to hand the attacker the proverbial "Keys To The City".

Comprehensive training is a requirement of ANY network, especially the networks that contain all the Patriot Act information.

Technology has its limits

Stiennon, you are so wrong!

First of all, the technology that you evidently feel is The Answer To Everything has to be specified, designed, built, used and maintained by human beings. Security awareness, training and education is important at every stage of the development process (e.g. making managers aware of the risks and control options open to them to ensure adequate security, so that they correctly specify security requirements; making IT people aware of the security aspects of their jobs so they correctly implement and maintain the technical security controls; making users aware of their responsibilities to use the technical and other security controls properly etc.).

Secondly, how would you propose to secure that part of the information that is not in the form of computer data? Technical controls are important for data security, but what about conversations in person or on the phone, hand-written notes, knowledge in the heads of knowledge workers etc.?

If this is all too hard for you, consider this. Do you drive a car? How did you learn? Did your mummy explain how to cross the road safely when you were a kid? Did you read the road code to understand the basics of road safety? Did you go through on-road lessons with a driving instructor, followed by a test under controlled conditions? And after you passed the test, did you stop learning and improving? That's essentially the same education, training and awareness sequence that promotes good information security practices ('safe hex').

Technology is part of the solution, not the whole.

Gary.

Put it this way

DHS has a FIXED budget, very little installed security, and an ever-changing user group. What do they spend their money on? A whiz-bang mandatory course for all umpti-bajillion DHS employees, repeated every 6 months? Or a managed password control system?

Or as we put the question to the security research team at Gartner several years ago: You have $100 per employee per year to invest in security. Do you spend it on security awareness training or on deploying strong authentication in the form of tokens? It was funny because all of the "soft" security guys voted for security awareness training. All of the guys with real-world experience voted for the RSA tokens.

If you are paying attention you might point out that just about everything I do on a daily basis, blogging, advising clients, interviews with press, and public speaking, is security awareness training. But that is to wake up decision makers, get them off their duffs and investing in security. That is such a hard task that it would be misguided to ask them to spend money on training Bobby at the front desk not to give credentials to Kevin Mitnick.

From One Who Knows

Investment of as little as $2 per worker can provide a world-class security awareness program, given that it is a dedicated function run by one who is expert in this discipline. Consistent investment in people, process AND technology is the only comprehensive strategy to deploy. EVERY study or article published on this subject, without exception, points to the human element as the weakest factor, and that must never be ignored.

DHS Computer Security

As a career security professional with the Federal Government, I can say with certainty that many of the computer security issues I have to deal with are, as my IT folks put it, PICNIC (Problem In Chair, Not In Computer). This issue is two-sided: hardware/software and human. Fixing one does not fix the other.

About Stiennon onSecurity

Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.