Thinking outside the box (but pressed right up against it)

I recently had a very interesting discussion with an IT manager about the various means of securing an enterprise.

By Imthishan Giado, published May 11, 2009

He was keen to expound on the topic because his firm had just completed an ambitious programme of security certification – a worthy cause, especially considering that security forms a cornerstone of his daily income.

Now, this editorial isn’t about the implementation – for the full story, you’ll have to look out for it in an upcoming issue of ACN. What is more interesting to me is exploring the reasons behind why enterprises choose to get certified, and what it actually means for the business.

The most obvious reason is that it conclusively proves that a business meets the global standard by which its peers are judged, moving it out of the realm of ‘regional’ enterprise. It indicates that a firm has taken the time to improve its standards and processes where previously they might have been found wanting.

However, there’s always a differing school of thought. One well-known integrator has remarked to me off-the-record that most certifications are really only done for the purposes of marketing and improving a firm’s value proposition to potential clients. This is not to suggest that enterprises are going through the motions and only implementing the bare minimum in improvements to pass the security audits. The companies providing the certification are unlikely to stand for that sort of thing.

What it does mean, though, is that many companies end up focusing solely on one aspect of security related to the guidelines laid down in the certification document. Unfortunately, the people interested in compromising the security of an enterprise have no such limitations.

For example, in 2007 I spoke to a well known security expert and he explained that the easiest way to gain access to confidential documents in an enterprise is to take the social engineering route. Rather than attempting to bypass the myriad firewall and intrusion prevention devices extant on an enterprise network, it is considerably simpler to dress up as a courier and pretend to be delivering a document to a management executive.

Depending on the level of security, this may very well grant access to even the CEO’s desk. Our security expert certainly managed to; he even managed to walk straight out the front door of a major government office carrying extremely confidential documents without a single soul stopping him.

Another example is relying on the basic standards of human courtesy – most people would be happy to hold the door open a second longer for someone who was walking behind them – especially if that person was easy on the eye. Once a miscreant has gained access to a secure area, it’s fairly unlikely that a person will question how they got in – because it’s automatically assumed that security has done its job and screened all visitors.

The list goes on and on. I mentioned these examples to the IT manager from the beginning of this editorial and in his replies, he appeared remarkably confident that the training he had provided for staff wholly negated the chances of anyone breaking through his security wall.

Confidence is a good thing, but unguarded confidence is dangerous. While I’m not suggesting that this company’s defences aren’t up to scratch, it’s a fact that incidents can and will happen, even to the best-protected organisations. The mere fact that these events are not sufficiently reported in the Middle East is no excuse for CIOs to let their guard down.

One only has to look at the US and the UK, where data leakages are on the verge of becoming a regular occurrence – and I’m fairly certain that many of those affected had every certification under the sun next to the sun. Don’t get me wrong; companies should not rush out to the nearest security consultant and draw up plans for every eventuality. That just plays into the hands of vendors who would happily sell presidential-level security to a paperclip manufacturer if they could.

All I’m really saying is that companies should approach security in an intelligent, considered manner. Don’t buy more security than you actually need, protect only the assets you actually have, defend against social engineering access and most importantly of all – think outside of the box.

The rest, as they say, is in the hands of fate.
