Personnel Problems
This week, head hacker Dale Pearson digs into an area that we infosec guys and gals often give lip service to, but all too often fail to properly address. Cheers mate!
By Dale Pearson
I have a problem; well, maybe it's more of an addiction. I just love gadgets and technology: if it beeps and has lots of flashing lights I just have to have it. I am sure a lot of you share my affliction. We are like magpies; we all like new shiny kit arriving at the door. OK, so it's a personal problem, but it's a problem that exists in organisations also, and it's a real problem.
In the world of business, organisations are constantly reminded of the threats and risks that exist, and the steps they need to take to reduce and eradicate these so-called threats. So how do organisations spend their security budget? Well, they spend a lot of money on little boxes that sit in huge racks, with lots of flashing lights and the occasional beep. Sounds like heaven, right? With all these firewalls, IDS, AV and filtering technology we have nothing to worry about; the virtual gates are tightly locked.
It doesn't stop there though; we need policies, procedures and governance too, so we have to spend a little money here as well. We need to tick those regulatory and legislative compliance boxes so we can get the nice certificate on the wall, and assure our customers that we are secure because we are compliant. The purse strings are tightening a little now, but we are jumping aboard the risk management framework train, and this is a big deal, so we need some money for this. So now we are on the circular line of risk procrastination and unrealistic checklists, but it all sounds good and sets the right image to the outside world.
Now there really is no money left in the kitty, but we need to carry out penetration testing and user awareness to keep our certificates on the wall. So we employ a team of penetration testers to run a vulnerability assessment on a small portion of our infrastructure. As for user awareness training, a simple presentation we can rinse and repeat each year on the intranet should do the job.
So let's quickly recap. 50% of the budget spent on infrastructure, 25% spent on compliance maintenance, 20% spent on risk management, 4% spent on penetration testing, and 1% on user awareness. Money well spent, and a secure environment has been achieved. Free publicity on the TV, radio and the newspapers when millions of customers' records left the building via portable storage and boxes of paper... priceless.
Companies say they take security seriously, that they know people are the weakest link, and that they have training in place to cover this risk. I say FUD. They should hang their heads in shame.
Hear me when I say: you have personnel problems. I am not saying forget about all the shiny toys and flashing lights, but remember and invest in your wetware too. People are the weakest link. Humans are programmed to be helpful, not to question, challenge or be suspicious. We need to empower our personnel; they need to be regularly reminded of the risks, and the forms they take. They need procedures to follow to mitigate risks, and they should be rewarded for following those processes and challenging the unknown. This can't be done on the cheap with a presentation knocked up one weekend.
Just ask yourself how much the information that walks out the door is worth, or what it costs when users give full access to the network via a Facebook application or for the chance to win an iPod, and calculate how much you should really be investing in real awareness and education. Obviously the other components are important; we just need to readjust the allocation of funding to ensure adequate coverage for all areas of vulnerability. Awareness and education need to hit home at a personal level, and they need to be realistic, effective, constantly maintained and reinforced. Security is everyone's responsibility.
It's not that simple, I hear you cry. In order to get funds we need buy-in, we need to demonstrate ROI, and besides, nothing has ever walked out our front door; we would have known. If this is the case, I encourage you to find the budget at least once for a no-holds-barred, full-on social engineering assessment. I am confident you will be shocked at the results, and if done properly you should be on your way to starting the journey that gets the buy-in and the required ointment for your personnel problems.
There is no magic red pill that will cure the rash that is human stupidity, but through regular monitoring and constant treatment we can reduce the inflammation to an acceptable level, allowing us to go outside and face the world.