by Ben Malisow
There are almost no companies in the country that can continue to dispute the need for information security; the recent spate of DDoS attacks proved that size, sophistication, and skill can only attenuate risks, not eliminate them. As information security professionals and departments begin to take their places among senior management and the trusted executive ranks of companies, a new dynamic has evolved, an "Us vs. Them" motif unlikely to change any time soon.
This is further exacerbated by the growth and maturity of the user base. All employees are reaching levels of sophistication once held only by the sole "company computer expert," and the trend will continue as the next generation of employees (already raised in a networked environment) enters the workplace. It is both inappropriate and ill-advised to treat this new crop of skilled workers in the same manner as their predecessors: they won't stand for it, and your security program will be hurt as a result.
The History of Information Security
In the interest of gaining perspective on the origins of the current state of information security policy and practice, it's helpful to be familiar with a cursory and brief history of the nature of military thought; a great deal of the mindset governing information security stems from the military milieu. The following is not intended to be anything like an adequate historical study, but instead an insight into the genesis of societal behavior, cultural mindset, and methodology as they pertain to information security.
The importance and value of information has been understood by military strategists for thousands of years; practitioners such as Sun Tzu, Clausewitz, and Jomini all noted the importance of gathering as much information about opponents as possible while enacting a close-hold policy for their own. The power and primacy of information in this century is borne out by world leaders who have experience with the intelligence agencies of their nations, civilian or military.
That information is power is unquestionable, and power, historically, was the province of the military (religious and political thrones notwithstanding). Means for securing that power were first honed in military practice; one of the simplest early-20th-century examples is the tank. Today, the nomenclature designates an armored unit, clear in the minds of the world's populace. But "tank" was originally the codeword bestowed by British forces upon their new invention, in the hope of keeping such knowledge from nascent German wartime intelligence.
For many years, and well into the first half of the 20th century, government supremacy and secrecy went unquestioned, and the citizens of most nations accepted the fact that their governments did not disclose information wholesale to the public. National policy, as stated, was, for the most part, not the province of the people, but of high-ranking officials, and just about all information fell under that bailiwick. There was no tradition of the free press (where such existed) infringing on such matters, and virtually nobody outside official government circles expected to have access to that information.
The 20th century, however, saw a surge of technology unprecedented in history. The dramatic developments in science and industry affected not only their specific (or even related) fields, but our culture and our lives on a granular level. Leaps in almost all technological endeavors caused a volume of information to be created almost instantly (in political terms), and governments and military forces were hardly able to contain it with their existing resources.
World War II
World War II, and the research and development progress associated with it, demanded that more people be let into "the know" of what were formerly state secrets than ever before. Civilians were recruited to perform tasks heretofore unknown even in military circles, as armed forces personnel were unable to keep pace with the demands of the technology and prosecute a war concurrently. Examples of wartime technological necessity include the Enigma and Purple code devices and processes, the Norden bombsight, radar and its associated telecommunications infrastructure, early computers, and atomic weapons, to name a brief few. Scientists, engineers, and technological sophisticates, as well as laypeople, were integral to the war effort and the geopolitical processes involved therein, and had to be processed into the confines of a system which had previously been restricted to a select few.
The demands of security were paramount. With the drastic escalation of personnel involved in the decision-making process concerning technological advance, a method for containing the knowledge those people held was essential; there was no illusion that a security breach could instrumentally affect the tide of war and the future of the world. Furthermore, there was an undeniable presence of intelligence networks actively trying to access Allied information, just as we were doing to the Axis powers. Security forces, however, had certain benefits: patriotism, blind acceptance of government primacy in wartime policy, and outright fear of conquest. Information technology personnel knew and understood the threat, and acted in accordance with security policies because of it.
After WWII, the Cold War afforded no possibility of rescinding the security processes already in place; the balance of power was seen as tenuous at best, and the perceived threat still existed.
Personnel in key fields were overseen by strict measures and stricter taskmasters, as even the entertainment media felt the brunt of sociopolitical security heavy-handedness in the form of Congressional Anti-American Affairs investigations. The nuclear threat was held over the heads of not only those involved, but the entire culture; the populace truly believed not only that the world could be destroyed at any given time, but that it inevitably would be.
Such fear placated citizens' frustration with government intrusion in everyday life, particularly in information industries. Technology experts of any kind were co-opted wholesale by the government or by corporations with close ties to the government. There weren't enough such people to meet demands, and those personnel took corporate/government security measures for granted and accepted policy without question.
The End of Unquestioned Acceptance - The '70s
The abrupt segue of unchallenged government supremacy in the monopolization of information and technology was heralded by Vietnam and Watergate. The Baby Boom mentality was supplanted by Hippy/Yippie iconoclasts, and blind faith was no longer a sufficient reason for partaking in security methodology.
The newest and best information technology no longer originated in corporate think tanks, university laboratories, or government research facilities, but from individuals acting in an almost rebellious manner. Microcomputers (of course) began to change the face of business culture, as they would eventually do to American culture.
The use of technology in the workplace began to evolve from isolated, sequestered mainframe systems to units accessible by many, if not all, personnel. Modern business practices necessitated increased access, and security policies, by then becoming outmoded, could not keep pace.
Then, in one fell swoop, the world changed, and everything went along with it, except for security ideology.
The New Paradigm - Post Cold War
The Soviet Union caved, in a startlingly rapid and violent manner. The threat that demanded such rigorous Western security models was gone; granted, there were other threats, new and old, but none with the visibility, awe-inspiring grandeur, malevolence, and pervasiveness of the USSR. American hegemony replaced a foreboding balance of power, and everyone breathed a sigh of relief, except for security personnel, who understood the preciousness of information even in the post-Cold War world.
The technology, and the role it played, also changed. Systems were no longer seen as a personnel force multiplier, but a productivity multiplier; instead of "less people, same work," the new concept of "same people, more work" entered the corporate mindset, and eventually graduated to "more people, more work."
A new relationship between personnel and the systems they worked with developed as we reached the modern state. Unlimited access of personnel to systems necessitates even more trained personnel with even more control over their systems.
And these personnel don't see or accept the need for pervasive and intrusive security.
The Modern World
The new generation of personnel refuses to accept restrictive, intrusive security policy as a matter of standard workplace practice. They are not afraid of nuclear annihilation, and, indeed, almost scoff at the folly of those who came before for believing that such a possibility existed. That information is still vital and intrinsically valuable is irrefutable, but for different reasons; a dot-com startup, an e-business, a killer app mean almost unlimited financial gain for those with the information, not the rise or fall of world empires. Investment empires, not political ones.
Moreover, the speed at which those empires fluctuate has depleted the workforce of qualified personnel. Personnel unhappy with their position, for any or no reason, can, and do, leave. The practice of staying with a company for a lifetime is gone, and employers are lucky to keep highly-skilled and well-trained personnel for a matter of months.
Security measures can detract from the corporate environment in terms of job satisfaction. Whereas earlier procedures that governed employee conduct and access were seen as essential, they are now perceived as Draconian and disgusting.
Security dimensions have changed, and the responsibility has utterly reversed; maintaining a hold on data is now the province of every employee (read: user), not that of a security office or team. Unfortunately, security models have not recognized this and adapted accordingly.
Current users are simply not interested in blindly accepting security policy as rote, especially when such entails mundane, restrictive, or intrusive procedures. A large part of the new security model will have to be basic instruction: the Why of security. Security professionals must be teachers, trainers, guides, and mentors, in lieu of practicing the "Because I Said So" methodology. An informed user (and users are not stupid, and cannot be treated as such) is a safe user.
The simple reason: the weakest link of systems, current and otherwise, is not the technology, but the personnel; secrecy and distrust foster an atmosphere of increased threat, because the less personnel know, the greater the chances of a breach. As the illustrious cracker Kevin Mitnick explained in his testimony to Congress, all the technological protection in the world can't keep your system free of intrusion if just one user lets an intruder in voluntarily. Mitnick's proficiency in hacking was dwarfed by his ability at social engineering, and security professionals would be foolish to ignore one threat while combating the other.
Another facet of the new security paradigm flies in the face of all previous security tenets: explicit trust. Each user must be treated with the respect afforded every other user, from the CEO to the mailroom, as any user can affect the system deleteriously. Added to that, the modern security team is forced to look in at a system as much as it looks out. The ability of a user to harm a system (inadvertently or maliciously), combined with the possibility of intrusion at almost any level, requires constant monitoring, but not the type that security professionals are familiar with; in large part, it must be passive monitoring. Assigning security teams to watch over every user, in every conceivable employment of a system, is not only ridiculous, it's futile. Security policy mandates will have to reflect a reliance on self-reporting, which presupposes an entirely new way of looking at security.
New security models will have to concede a certain amount of passivity when dealing with security incidents and breaches; many such instances would remain wholly unknown to the security office if not for the willingness of the user community to report indiscretions. Here is the crux of the matter: if every incident is treated as a reason to punish and denigrate the user, the user, and every other user, will be much less prepared to come forth with future incidents.
An organization cannot afford to mistreat users, if for no other reason than that the organization is reliant on the users' forthrightness and readiness to report errors and problems. The old security method, that of heavy-handed, overarching authority, will not bestow that willingness on the users' part. Fear is simply no longer a viable motivator in the modern environment.
Which means that the response to security incidents must change along with the nature of the relationship; gratuitous punishment can no longer be the fallback position for dealing with any indiscretion. Yes, by all means prosecute malicious, felonious activity, of both internal and external origin, to the full extent of the law. But humiliating and demonizing a user who has faithfully and voluntarily admitted wrongdoing is extremely counterproductive, and will, ironically, detract from the organization's security posture, and, eventually, its productivity.
So enter another new role for security professionals: positive and absolute screening. The major portion of security wherewithal, insofar as personnel are concerned, will be spent before the user ever accesses the system. In the modern environment, finding out that a user is untrustworthy once they have entered employment is far too late, and breeds suspicion and distrust of the security team among other users. Every conceivable measure for determining the veracity and integrity of a new hire is essential, even at the cost of passing over an "otherwise perfect" candidate. The risk here, of course, is two-fold: that staffing will become difficult through security processing and interference, and that organizations which subscribe to the older, superseded model will never fully trust their users, no matter what the vetting procedure.
And trust, implicit and explicit, is the name of the game. Mistrust brings contempt to both parties, and is no longer an acceptable basis for a relationship.
The present security motif of having a small, high-powered corps of information systems personnel with overarching power who impose restrictive and repressive policies is not conducive to productivity; but by far the greatest risk of implementing the outmoded security dynamic is from a security standpoint. If employees are mistrusted, mistreated, and punished for the slightest possibility of a security indiscretion, communication between employees and security management will not be forthcoming; open lines of notification are the only way to minimize risk, and blurring those lines foments threats. All personnel have to be treated with a modicum of trust reflecting their responsibilities and value.
Security posture must change, not because the Information Age presents new technological challenges, but because of the new sociological dynamics.
Ben Malisow is an INFOSEC policy analyst for a Department of Defense contractor in Virginia. He received his B.Sc. from the Air Force Academy and recently completed his MBA. Currently Ben is a political columnist for a Washington, D.C. newspaper and senior editor for a humor website.
This article originally appeared on SecurityFocus.com; reproduction in whole or in part is not allowed without express written consent.