The news that hackers are targeting Linux users should be no real surprise; it has been happening for a while.
In the third week of October 2004, Red Hat, the biggest Linux developer, said attackers had begun targeting its users with an e-mail-based scam similar to methods commonly used to target Windows.
Unsuspecting users were being tricked into viewing a maliciously crafted TIFF image with an application that could, at best, crash the computer and, at worst, execute malicious code on the user's machine. Worse still, another attack relied on fake update messages purporting to come from Red Hat which, when acted upon, also exposed companies' systems to attack. And these are only the known hazards; many, many more are suspected.
What it reveals is the constant battle that every company faces, and that the best way of dealing with such attacks is not technological per se but cultural. That is to say, companies adopting practices and policies which, in this case, educate their workers to beware of clicking on images from unsolicited emails.
Standard practice, you may think. You may be very wrong. Companies with a strong culture of security awareness are not ubiquitous, even though awareness is the key to the locked-down organisation. Getting to grips with security awareness could be the best investment in security that you could make.
It could well be the case that you consider creating and successfully implementing awareness programmes arduous, time consuming and a distraction from your core mission. Whilst the first two may be true, the last is wrong. Awareness should be your core activity.
Such thinking is at the heart of many a leading firm, and Royal Mail is a great example. Royal Mail has effectively had information security in place since 1793, when a Security & Investigations department was established, but realistically it was in 1980 that the age of security awareness began, with a formal recognition that information had a value of its own and the setting up of a specialist team. The journey carried on until 2001, when Royal Mail gained BS7799 certification, and then two years ago, when a dedicated Computer Crime Unit was established.
The person Royal Mail charges with making sure a culture of awareness is maintained is Information Security's Carole Embling. Embling's main roles are maintenance of the BS7799 certificate, reporting on levels of infosecurity compliance throughout the company, managing internal infosecurity-based communications and providing the means of obtaining infosecurity training and awareness. To Embling there are four main reasons why security awareness is so important: to protect company assets; to comply with legislation; to provide a duty of care; and to eradicate weakest links in the security chain.
One common complaint among security professionals is that they don't have any senior management support for their awareness plans, and such support is crucial. Some would say that it is not enough even to have the backing of your IT director: you need to go higher than that.
When it comes to gaining management support, Embling's strategy is to point out to senior management the various pieces of legislation concerned with information security that they cannot ignore: it is they who will be held personally responsible for the execution of such policies. The key pieces of legislation falling into Royal Mail's corporate governance areas, and which Embling brings to senior management's attention, are the Turnbull report on corporate governance, Basle II, Sarbanes-Oxley, the Computer Misuse Act, and the Data Protection Act.
Embling is a firm believer in using real incidents as a benchmark for the company, and strongly advocates talking up the availability of products that fly the BS7799 banner within her organisation.
At Royal Mail, successfully delivering awareness has four key stages, the most important being planning, right down to the finest detail. You also need high-profile endorsement from the top, and that means senior management actually participating in awareness. She cites board members wearing their building passes as a prime example of this.
Well-timed delivery and relevance of awareness also play key roles. Awareness should complement other activities, even those of other departments. She asks: "Can you join forces and work effectively with another department? And will your message be understood by everyone?"
In the case of Royal Mail, the vision has to be explained to postmen on a round as much as to Board members. Embling's aim for this vision is to "get it in everyone's heads," something she believes she has achieved by making information security accepted as part of everyday business at the organisation. In addition, the infosecurity team is usually a first port of call when the organisation discusses new products, such as mobile devices for postmen.
As well as its BS7799 certification, Royal Mail has built up an information security community that extends far beyond the core team; launched an information security intranet strategy, achieving 2500 hits per week; and delivered a copy of the information security guide to every PC in the company. Home workers have to sign up to company-defined guidelines and practices.
With senior management buy-in, detailed planning and knowledge of your real business issues, awareness should be readily accepted and adopted. If it isn't, be warned: the buck for breaches will stop with you.