In Part 1 we looked at the deterrence quality of security controls. It’s one of the three attributes of security controls that are often ignored, sometimes consciously but more often due to ignorance. Now we will look at another attribute that is too often neglected: awareness. Typically when discussing security awareness the immediate mental image is of mandatory courses, presentations and drab, unimaginative posters around the workplace. What this post talks about is information security situational awareness: what is happening, where, why, and who is involved.
We’ll use the same example as in Part 1:
Consider a large warehouse that contains a number of valuables. Now consider the security controls that warehouse will have.
A 3m tall chainlink fence. That’s all. Nothing more, nothing less.
Awareness level: Some awareness went into the design and implementation of this control, but that’s also where it ended.
A set of CCTV cameras installed around the perimeter. Another set of CCTV cameras installed in the warehouse. Thermal (IR) motion detectors. Seismic detectors to alert if anyone decided to dig a tunnel underneath the warehouse, or drove a large truck towards the warehouse. Security guards on premises that periodically check the perimeter and inside the warehouse.
Awareness level: These controls are designed to give the monitoring and response team the best possible awareness of what is going on at any given time. Without good detection and awareness the response is at best stumbling in the dark, at worst actively helping the attackers and destroying the organisation’s ability to survive the incident.
Security operations that monitor the camera screens. Alert security guards on any activity that needs to be checked and confirmed. Alert relevant law enforcement if the response to activity requires it (activity threatens to breach the perimeter, or has already done so; activity requires pursuit outside the perimeter; delayed response; etc).
Awareness level: Detective controls provide initial and ongoing situation data, but that data needs to be analysed and interpreted by responders to gain the most out of it. What response does is augment and interpret the detection data, improving overall awareness.
Now imagine that the warehouse is your corporate environment.
Typical firewall-antivirus-patching combo. It’s a low obstacle and business-as-usual work. Keeps honest people honest.
Awareness level: Firewalls and antivirus come with basic reporting capability that can increase awareness, but making use of that reporting requires detective controls. In themselves prevention controls do not provide awareness.
Standard intrusion detection/prevention system, security incident and event management system, and log management system. Good organisations will also keep track of what applications are started on which computer, and who accessed what information (in databases or in unstructured stores) and when.
Awareness level: This is the core of awareness creation on the technology level. These controls must be designed and implemented to do so, which is not as easy as it seems. Security awareness (and by this I mean actual understanding of what is going on, not the mandatory courses, presentations, posters, quizzes, etc.) is the holy grail of information security posture. It looks deceptively easy, and many fall prey to its many traps.
Staff reviewing the alerts produced by detection technologies. Virtual security incident response teams assembled when and as necessary. A clearly defined set of metrics that help decide the initial response: will it be dealt with locally, with a report given to senior management, or does it need crisis management team engagement? Containment of the breach, or monitoring? Stop information leaking, or is it OK because it’s false data? Heads up to the appropriate national CSIRT and law enforcement? (No, most incident responses will not follow canned procedures, but procedures are there to provide structure.)
Awareness level: Every response will increase awareness since the initial detection controls typically only answer the “what” and “when” and partially “who” questions, leaving the more challenging “why” and “how” for response teams to deduce.
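To make the technology-level and response-level points above concrete, here is an added example (not code from the original post, and not any product’s logic) of a toy detection-and-triage pipeline. It parses constructed firewall, antivirus and application/data-access audit lines, builds a per-asset picture that answers only “what”, “when” and (partly) “who”, and then applies a defined metric set that maps those facts to the initial-response choices listed above: local handling versus crisis management team, contain versus monitor, and whether the national CSIRT and law enforcement get a heads up. The log format, the IP addresses and usernames, the decoy-table name and the row threshold are all assumptions made for the example.

```python
"""Added example, not from the original post: a toy detection-and-triage
pipeline. Detective controls answer "what", "when" and (partly) "who"; a
defined metric set then maps those facts to the post's initial-response
choices. Log format, thresholds and decoy-table names are all constructed."""

import re
from dataclasses import dataclass, field

# Constructed sample events from firewall, antivirus and an application /
# data-access audit trail. The "ts source action k=v ..." layout is hypothetical.
SAMPLE_LOGS = """\
2024-05-01T02:14:05Z fw    DENY       src=203.0.113.7 dst=10.0.5.21 dport=445 user=-
2024-05-01T02:14:09Z fw    DENY       src=203.0.113.7 dst=10.0.5.22 dport=445 user=-
2024-05-01T02:15:40Z fw    ALLOW      src=203.0.113.7 dst=10.0.5.23 dport=3389 user=-
2024-05-01T02:16:02Z audit PROC       host=10.0.5.23 user=svc_backup proc=powershell.exe
2024-05-01T02:17:30Z audit DBREAD     host=10.0.5.23 user=svc_backup table=customers rows=120000
2024-05-01T02:18:01Z av    QUARANTINE host=10.0.5.23 user=svc_backup file=stage.tmp
2024-05-01T09:00:00Z audit DBREAD     host=10.0.5.40 user=alice table=decoy_accounts rows=10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<action>\w+)\s*(?P<kv>.*)$")

# Constructed triage metrics: the decision points the post lists, made explicit.
DECOY_TABLES = {"decoy_accounts"}   # reads of these are "OK, it's false data"
BULK_ROWS = 100_000                 # a real-data read this large counts as a leak


@dataclass
class Event:
    ts: str
    source: str
    action: str
    fields: dict = field(default_factory=dict)

    def asset(self):
        # The asset an event is about: the audited host, or the firewall's destination.
        return self.fields.get("host") or self.fields.get("dst")


def parse_logs(text):
    """Prevention controls' own reporting (fw, av) only becomes awareness once
    something collects and parses it; this is that detective step."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not match the constructed format
        kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        events.append(Event(m.group("ts"), m.group("source"), m.group("action"), kv))
    return events


def build_situation(events):
    """Detection layer: per asset, answer what / when / who. 'why' and 'how'
    are deliberately absent; that is what the response team deduces."""
    situation = {}
    for e in sorted(events, key=lambda e: e.ts):
        s = situation.setdefault(e.asset(), {"what": [], "first": e.ts, "last": e.ts,
                                             "who": set(), "events": []})
        s["what"].append(f"{e.source}:{e.action}")
        s["last"] = e.ts
        s["events"].append(e)
        for key in ("user", "src"):
            if e.fields.get(key, "-") != "-":
                s["who"].add(e.fields[key])
    return situation


def triage(s):
    """Response layer: apply the defined metrics to one asset's situation and
    return the initial response choice."""
    what = set(s["what"])
    reads = [e for e in s["events"] if e.action == "DBREAD"]
    real_leak = any(e.fields.get("table") not in DECOY_TABLES
                    and int(e.fields.get("rows", 0)) >= BULK_ROWS for e in reads)
    decoy_only = bool(reads) and all(e.fields.get("table") in DECOY_TABLES for e in reads)
    foothold = "av:QUARANTINE" in what or ("fw:ALLOW" in what and "audit:PROC" in what)

    if real_leak:   # real data leaving: crisis team, contain, external heads up
        return {"handled_by": "crisis management team", "action": "contain",
                "notify": ["national CSIRT", "law enforcement"]}
    if foothold:    # compromised host but no confirmed leak: contain locally, report up
        return {"handled_by": "local team", "action": "contain",
                "notify": ["senior management"]}
    if decoy_only:  # only false data touched: keep watching, nothing to stop
        return {"handled_by": "local team", "action": "monitor",
                "notify": [], "note": "false data, no leak"}
    return {"handled_by": "local team", "action": "monitor", "notify": []}


def run(text=SAMPLE_LOGS):
    """Parse, build awareness per asset, and attach a triage decision to each."""
    situation = build_situation(parse_logs(text))
    return {asset: {**s, "decision": triage(s)} for asset, s in situation.items()}


if __name__ == "__main__":
    for asset, s in run().items():
        print(asset, s["first"], s["last"], sorted(s["who"]), s["what"], s["decision"])
```

Run as a script it prints one line per asset. Note what the output does and does not contain: the situation for 10.0.5.23 says an external address was allowed in, a service account started a shell, a large customer read followed, and antivirus quarantined a file, all with timestamps. It does not say why the service account was used or how the external address got through the firewall; those are the questions the response team has to answer, and the triage rules only decide who starts answering them and whether to contain first.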