
Wednesday, March 17, 2010

Self Serve Security

Education of users has become a hot topic of late. The final keynote at the recent RSA Conference was all about using education to combat cybercrime. This article has statistics showing that, when small and mid-market companies were asked what would help improve the level of security at their companies, 75% (48% for employees and another 25% for senior management) said security awareness. And the recent issue of SC Magazine featured an article in which Dan Beard, the Chief Administrative Officer of the House of Representatives, says that organizations must educate end users and that end user education is the weakest link in cyber security. In that same article, Stephen Scharf, CISO at Experian, explains:

“The human element is the largest security risk in any organization,”…“Most security incidents are the result of human errors and human ignorance and not malicious intent. Therefore, it is critical that significant effort is focused on education and awareness to reduce these occurrences.”

The human element has always played a role in security, cyber or otherwise. Growing up in Rhode Island, we used to always leave the keys in the ignition of the vehicles parked in our driveway. We felt safe where we lived – and granted, we lived in a rural area, so the main crimes committed were things like stealing eggs from Carpenter’s Farm. Certainly, there are still plenty of areas and towns that have that type of cocoon. As I went off to college in Milwaukee, I had to remind myself early on – ‘you’re not in Wakefield anymore,’ since I’d instinctively leave my wallet crammed in the sun visor of my Rabbit Diesel. I had to change my behavior when I moved from a small rural area to a larger city. Internet users must do the same, but we are creatures of habit. Just as I kept leaving my wallet in the car, since that’s what I had done for most of my driving life up to that point, many internet users still behave as if it’s 1995 and they are still on Prodigy. The threats are different and more severe, but the behavior is the same. Times change, but sometimes people don’t, won’t or can’t.

As all those articles point out, end user education is vitally important to any organization and should be a key part of the overall IT security strategy. Users knowing what to do and what not to do when something seems fishy is an important part of your defense – especially when it’s something your firewalls, WAFs, IDS/IPS and other perimeter mechanisms might have missed. Education needs to be ongoing, however, and not a one-shot deal since, according to Dr. Maxwell Maltz, it takes 21 days to make or break a habit. This has since been deemed a myth and everyone is different, but it does bring up a good point. Security education, training and knowledge are not an overnight cram session – any security professional will attest to that. A single afternoon meeting going over ‘corporate policies for end users’ regarding information security will not help those who already have bad habits. It needs to be ongoing, consistent and relevant to their daily lives, including the serious consequences of poor behavior. Help users understand the risks and threats, break the bad habits that might lead to exposure, and secure your infrastructure in a way that no piece of hardware or software can. Help users help themselves.

While not directly security related, F5 recently started offering free Web-Based Training for our end users. IT admins are end users too, ya know. F5 Networks Web-Based Training (WBT) courses introduce you to basic technology concepts related to F5 technology, recent changes to F5 products and basic configurations for BIG-IP Local Traffic Manager (LTM). These are self-paced and you can access them at any time, as many times as you like. The cool thing is that if you complete all of the lectures and labs for the LTM Essentials WBT, you have met the prerequisite requirements for the Advanced Topics, Troubleshooting, and iRules classes.

ps


Technorati Tags: Pete Silva,F5,security,application security,network security, business, education, technology


Wednesday, December 2, 2009

Windows Shopping

I’m really not one of those vocal Operating System lovers/haters. My dad worked at IBM for 30 years, so I grew up with computers and even took a PC Jr. with a whopping 128k of RAM and a color (what we called color) monitor with me to college in the ’80s. My first work computer was a Macintosh, and I learned about all that AppleTalk stuff and the cool publishing Quark could do. I’ve used and administered Win3.1, NT 4.0 (on laptops), Win95, WinME and Win2000/Server, and of course I’ve been a user of XP and Vista along with a few variants of Linux. I use Windows for home and work, and personally I think each OS has its pluses and minuses. Very non-committal, I know. Now I’m looking to buy a new computer and, with that, a new Operating System.


If you’ve been avoiding the news, TV or print ads over the last year, Windows 7 is the long-awaited new OS from Microsoft. Much has been written about Vista and the delicate balance between usability and security. People want to be protected and secure but also want to do their daily computing tasks without much interruption. Enterprises need to secure their access points, but users want to single-click to everything. There has to be a balance. With the endless number of threats, I want a box that has the basic protections but I also want to make some security decisions myself. I also want to make sure that the computer I choose abides by the company access policies in place, in case I need to connect to my corporate network, since I will probably be doing some work from my home computer. This has become a requirement in recent years as tele-working continues to grow. With Windows 7, Windows Server 2008 R2 and DirectAccess, folks will be able to do that with ease. F5 recently announced solutions to optimize Win7/Server 2008 R2 deployments, and our FirePass SSL VPN already supports Windows 7 clients.

Sifting through some of the recent articles about Windows 7, there is this one that indicates Windows 7 is gaining but at the expense of XP – this one that announces Windows 7 passed Mac OS X in market share – and this one that says ‘Of all new Windows 7 users, 70% said that they were "extremely satisfied" and another 24% said they were "somewhat satisfied" with the operating system.’ And it seems like they’ve answered the most recent BSOD, saying it probably was malware, but will still wait to see the final outcome. Then, of course, there’s the Windows 7 Whopper to contend with while I figure out which hardware platform I want.

ps


Friday, November 13, 2009

You’ve Taken That Out of Context

Hello and welcome to the new hit game show: You’ve Taken That Out of Context! Hilarity ensues in this action-packed half-hour when contestants try to deliver the appropriate resources to end users depending on several factors and circumstances. So let’s get right to it: our first contestant is Danny, an IT Director from Boston, and he’s getting his first request... OK, the user is coming from a home computer, without a certificate, over a broadband connection, and is a partner – what are you going to give him, Danny? Wow, excellent! You’ve provided a simple web application, delivered through a reverse proxy, so he can enter his time and materials expense report. Great decision, Danny! Our next contestant hails from Chicago and runs a data center for a large manufacturer; please welcome Greg. Whoop, here comes Greg’s request... The user is a trusted employee in sales needing to enter customer info, using an IT-issued laptop with specific reg-keys and updates, but working from a wireless network. How are you going to handle it, Greg? Nice move! Not only are you offering their specific, optimized order entry application, you’re also giving them a connection to Exchange so they can download their email and stay current. Sweet – keeping users productive while on the road – great work. And our last contestant comes from Texas, where he’s the Network Engineer for a distribution company – round of applause for Tom! Alright Tom, let’s see your request. It’s coming fast: the user is a vendor who needs to see inventory levels. He’s coming from his corporate LAN on an IT-issued computer and does have a certificate for certain applications. Whatcha gonna do, Tom? A full Layer 3 network-connected tunnel? Well, let’s see. He gets connected, he’s navigating to his favorite app, so far so good, and logging in, cool. Wait, what’s this – the user has initiated a sniffer and found some financial docs. Oh no! He’s downloading the latest financial statements that aren’t public! That spreadsheet has much of our sensitive data, but it’s too late; he’s long gone along with your data. Sorry Tom, a little too generous with that one, but you do get a copy of our home game, where players act out partial scenes and you have to guess the context! Thanks for playing.


User-centric or context-aware computing is finally starting to gain some traction, partially driven by cloud computing. User-centric or context-based networking is simply adaptive access: using intelligence to dynamically change the security applied to a specific access request based on the context of that request, the resources being accessed and the policy applied between the two. The goal is to provide a unified method of applying security and delivering applications regardless of the actual security in effect, the network or the device being used to request access. It’s access security based on user, device, location and integrity, both at the time of the request and for the duration of access. It provides intelligence, adaptability and auditability for every user, every time. It is about the environment or conditions surrounding an event, and it informs us about that event. With that information, we may perceive something differently, which might change our view and maybe our decisions. It’s about seeing the bigger picture and making better decisions by comparing the information we have about the request with the requirements of the application and the policies in place, to deliver the proper access. Gartner calls this the ‘Digital Me.’

Gartner predicts that by 2012, there will be more than 7.3 billion networked devices worldwide and 298 million subscribers of location-based services. This is more than just delivering secure applications; it’s also about delivering the right resources to the right user at the right time. More than ever, users are dispersed all over the globe, arriving from a multitude of devices and networks while requesting access and information from your systems. You need to offer the proper access to that user in a quick, secure and efficient manner, with the proper controls. You need to make the right decisions based on that moment of information as we move from identity-based (user/password with some customization) to contextual (identity plus a whole lot more) delivery models. You need to ensure that no one is coming in, or taking anything out, without context.
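To make the game show concrete, here is an added example (not F5 code or a FirePass configuration) of a context-aware access decision: identity sets the ceiling on which resources a role may ever see, while device, network and endpoint posture decide how those resources are delivered, and the decision is re-run for the duration of the session. The roles, attribute names, resource names and the three constructed requests are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """Context observed for one access request (field names are constructed)."""
    role: str              # 'partner', 'employee' or 'vendor'
    device_managed: bool   # IT-issued machine with the required reg-keys/updates
    has_cert: bool         # client certificate presented
    network: str           # 'broadband', 'wireless' or 'corporate_lan'
    posture_ok: bool = True  # endpoint integrity check passed

# Identity sets the ceiling: a role never gets more than this, however trusted
# the device or network looks.
ROLE_RESOURCES = {
    "partner": frozenset({"expense-report-webapp"}),
    "vendor": frozenset({"inventory-webapp"}),
    "employee": frozenset({"order-entry-app", "exchange-mail"}),
}

def decide(req: Request) -> dict:
    """Pick a delivery method and the resources to expose for this context."""
    if not req.posture_ok:
        return {"method": "deny", "resources": frozenset()}
    resources = ROLE_RESOURCES.get(req.role, frozenset())
    if not req.device_managed:
        # Unknown endpoint: web apps only, through the reverse proxy, so nothing
        # is stored on the device and no network path opens behind it.
        return {"method": "reverse-proxy",
                "resources": frozenset(r for r in resources if r.endswith("-webapp"))}
    if req.role == "employee" and req.has_cert and req.network == "corporate_lan":
        return {"method": "layer3-tunnel", "resources": resources}
    # Managed device but a third party or a remote network: per-application
    # tunnels only. A vendor on the corporate LAN with a cert still gets no
    # routed tunnel in which to go looking for financial documents.
    return {"method": "app-tunnel", "resources": resources}

def reevaluate(session: dict, req: Request) -> dict:
    """Re-run the policy mid-session; drop the session if the context degraded."""
    fresh = decide(req)
    if fresh["method"] != session["method"] or not fresh["resources"] >= session["resources"]:
        return {"method": "terminate", "resources": frozenset()}
    return session

# The three game-show requests, as constructed inputs.
DANNY = Request("partner", device_managed=False, has_cert=False, network="broadband")
GREG = Request("employee", device_managed=True, has_cert=False, network="wireless")
TOM = Request("vendor", device_managed=True, has_cert=True, network="corporate_lan")

if __name__ == "__main__":
    for name, req in (("Danny", DANNY), ("Greg", GREG), ("Tom", TOM)):
        print(name, decide(req))
```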

ps