Introducing Inside Security
I started my IT security career as a member of the Australian Federal Police Computer Crime Team in the early 1990s. Now, such a team would be referred to as the Cybercrime Unit.
My role was two-fold, investigating hacking incidents (yes, I’ve heard all of the reasons why ‘hacker’ is the wrong word but it’s the one that has stuck) and providing forensic computing support to non-hacking related investigations. This meant that I was like a first responder when it came to hacking incidents; an incident would be discovered and I would attend the scene to start the process of identifying what happened, how it happened and who did it, while recording everything I did and found so that it could later be used as evidence in a prosecution.
In almost every case I investigated the main reason that a hacker was able to break into a system was that someone responsible for, or using, the system had either done something wrong or hadn’t done something right. Firewalls were misconfigured, application permissions were granted too extensively, networks and systems were left unprotected, system and application patches were not applied in a timely manner… and so on.
Since the 1990s one significant thing has changed – organised crime and nation states have started committing significant resources towards the art of hacking. With all the money and ingenuity being thrown at the development of hacking tools and techniques, the most damaging attacks usually require a person to do something wrong or not do something right. By clicking on a link or opening an attachment in a phishing email they’re doing something wrong. By delaying the application of system and application patches, they’re not doing something right.
My point is that people are capable of being both the weakest and the strongest link in the security chain and the difference between the two is derived from education and awareness. This was true 20 years ago and it’s still true today.
Yes, there are zero-day exploits out there, capable of being used to outsmart the security controls on the most well-defended targets. Yes, I can all but guarantee that your organisation will have security incidents over time. We need to accept these facts and inevitabilities and plan accordingly.
Ensuring that your users are informed regarding information security risks will go a long way towards reducing the number and severity of security incidents in the first place. Layered defences combined with a solid process, with supporting technologies, for detecting and responding to incidents will minimise the harm resulting from those attacks that get past your defences.
At Dimension Data we have a security team that spends all its time helping clients with the people, process, and technology side of security. We deliver services and technology to assist clients from the very early stages of understanding their risk environment and their tolerance or appetite for risk, through to designing, building, supporting, and managing security controls. I’m proud of the work that we do… but it’s not enough. We all need the people who use technology every day, be it at home or in the workplace, to become more aware of how they can improve their own IT security habits so that we can collectively derive more productivity, privacy, leisure time, and security (in all senses of the word) from the fantastic array of technology that’s available to us.
One contribution that we, in conjunction with our technology partners, are making towards this end is the creation of a series of educational videos that are focused on demystifying IT security, while giving insights and practical guidance in an accessible and, hopefully, engaging manner.
These videos are available to you at no cost. There are no strings attached … no advertisements to sit through. Please use them however you see fit, at home, or within your organisation, to further the cause of IT security awareness and hopefully help to create better security habits for people. You could play one or more of the videos to employees as a part of your staff induction process, or to educate your executives or board members on specific issues. You could use the videos as a part of regular, online security training for your employees. Please be creative, provided that you play the videos in their entirety and you don’t use the videos to make a profit.
If you like what you see, please let us know. If you have suggestions for topics or improvements, please let us know. I don’t think anyone has created high-quality (I’m making a bold assumption that we’ve achieved that) IT security awareness material and just ‘set it free’ to assist the community. We’re doing this because it’s important and because we can, with the assistance of our technology partners.