The news that hackers are targeting Linux users should
be no real surprise; it’s been happening for a while.
In the third week of October 2004, Red Hat, the biggest Linux
developer, said attackers had begun targeting its users with an
e-mail-based scam similar to methods commonly used to target
Windows.
Unsuspecting users were being tricked into viewing a maliciously
crafted TIFF image with an application that could, at best, crash
the computer and, at worst, execute malicious code on the user's
machine. Worse still, another attack focused on the use of fake
update messages from Red Hat which, when acted upon, also expose
companies’ systems to attack. And these are only the known hazards;
many, many more are suspected.
What it reveals is the constant battle that every company faces,
and that really the best way of dealing with such attacks is not
technological per se but cultural. That is to say, companies
adopting practices and policies which, in this case, educate their
workers to beware of clicking on images from unsolicited
e-mails.
Standard practice you may think. You may be very wrong.
Companies with a strong culture of security awareness are not
ubiquitous, even though awareness is the key to the locked-down
organisation. Getting to grips with security awareness could be the
best investment in security that you could make.
It could well be the case that you consider successfully creating
and implementing awareness programmes to be arduous, time
consuming and a distraction from your core mission. Whilst the
former two may be true, the latter is wrong. Awareness should be
your core activity.
Such thinking is at the heart of many a leading firm, and Royal
Mail is a great example. Royal Mail has effectively had
information security in place since 1793, when a Security &
Investigations department was established, but realistically it was
in 1980 that the age of security awareness began, with a formal
recognition that information had a value of its own and the setting
up of a specialist team. The journey carried on until 2001, when
Royal Mail gained BS7799 certification, and then two years ago, when
a dedicated Computer Crime Unit was established.
The person whom Royal Mail charges with making sure a culture
of awareness is maintained is Information Security's Carole Embling.
Embling’s main roles are maintenance of the BS7799 certificate,
reporting on levels of infosecurity compliance throughout the
company, managing internal infosecurity-based communications and
providing the means of obtaining infosecurity training and
awareness. To Embling there are four main reasons why security
awareness is so important: to protect company assets; to comply
with legislation; to provide a duty of care; and to eradicate the
weakest links in the security chain.
One common complaint among security professionals is that they
don’t have any senior management support for their awareness plans,
and this is crucial. Some would say that it is not enough even to
have the backing of your IT director: you need to go higher than
that.
When it comes to gaining management support, Embling’s strategy
is to point out to senior management the various pieces of
legislation concerned with information security that they cannot
ignore: it is they who will be held personally responsible for
the execution of such policies. The key pieces of legislation
falling into Royal Mail’s corporate governance areas, and which
Embling brings to senior management’s attention, are the Turnbull
report on corporate governance, Basle II, Sarbanes-Oxley, the
Computer Misuse Act, and the Data Protection Act.
Embling is a firm believer in using real incidents as a
benchmark for the company, and strongly advocates talking up the
availability of products that fly the BS7799 banner within her
organisation.
At Royal Mail, successfully delivering awareness has four key
stages, the most important being planning, right down to the
finest detail. You also need high-profile endorsement from the
top, and that means actually participating in awareness. She cites
board members wearing their building passes as a prime example of
this.
Well-timed delivery and relevance of awareness also play key
roles. Awareness should complement other activities even within
other departments. She asks: "Can you join forces and work
effectively with another department? And will your message be
understood by everyone?"
In the case of Royal Mail, the vision has to be explained to
postmen on a round as much as to Board members. And Embling’s aim
for this vision is to "get it in everyone’s heads", something she
believes she has achieved, making information security accepted
as part of everyday business at the organisation. In addition, the
infosecurity team is usually a first port of call when the
organisation discusses new products, such as mobile devices for
postmen.
As well as its BS7799 certification, Royal Mail has built up an
information security community that extends far beyond the core
team; launched an information security intranet strategy, achieving
2500 hits per week; and delivered a copy of the information
security guide to every PC in the company. Home workers have to
sign up to adopt company-defined guidelines and practices.
With senior management buy-in, detailed planning and knowledge
of your real business issues, awareness should be readily accepted
and adopted. If it isn’t, be warned: the buck for breaches will stop
with you.