The responsibility and culpability of users is a perennial argument. It is all too easy to blame the user when controls fail, as they are rogue entities in our layered security model. In a lot of cases, this blame is labelled “unfair”. But does that mean that “fair” is a reasonable, or even defined, target?
Think about it. Security controls are complex and multifaceted; we already know there is no silver bullet. Prevention fails. Therefore “ultimate protection” is not a realistic definition of fair. What about controls that automatically contain the damage – fair? Does “fair” involve detective or corrective controls? If so, reason indicates that the definition of a fair working environment should factor in this complexity; the definition has to be specific to your environment.
Let’s take an example. A user clicks on a malicious link, which is blocked. They are protected. What if a user compromise is identified by a detective control and your fine-tuned process triggers an automated system rebuild and reload after a short incident response exercise? A compromise happened. Damage was done, but contained. This latter scenario may be completely acceptable in one environment and a failure of security in another.
Taking that forward, this means that the most important controls are not attachment analysis, sandboxing, or browser containerisation. The most important control is business engagement, and any control environment that features users as part of an information system should include them in the system’s model.
Take email attachment analysis and macro whitelisting. Those controls can be incredibly effective, but only if you have spent the time to learn how the business unit uses macros and attachments. Education aside, if you have no real relationship with the business, then these controls will do nothing but alienate the user and ultimately weaken security.
The same applies to other user controls such as internal segmentation, configuration management and least privilege. These function best if you understand the business.
Admittedly, this does not always scale. If you are Fortune 25 and you do M&A for breakfast, keeping up is going to be a real challenge and I’d advise you to read elsewhere. For the rest, I encourage you to take a systems approach that includes user processing needs as part of the information model.
In summary, if your information system features independent actors, such as users, understanding those actors is essential to designing “fair” solutions.