Creating a culture of security: Part 2

User behavior can sometimes cause CSOs and CISOs to have heart palpitations. In part two of a two-part series, we look at technologies that can safeguard users and enterprises, and how organizations can foster a culture of security.

Juniper Networks

Dave Mihelcic is federal chief technology and strategy officer for Juniper Networks, recently joining the company after a long career in government IT, including 12 years as CTO of the Defense Information Systems Agency (DISA).

While attack technologies have evolved, it seems many hackers still rely on social engineering.
Absolutely. Social engineering has been around forever, and some of it is very subtle. You’re sitting at your desk and you get a call: “Hey, this is Dave from corporate IT. There’s a problem with the network. I need you to sit down at your computer and walk through what’s going on right now so we can get this problem diagnosed.” The caller walks you through logging in, and while you’re logging in, you tell him your user name and password. Unbeknownst to you, you just disclosed your login credentials to a hacker in Byelorussia. This is a real scenario that has been repeated thousands of times in the real world.

Yet we can’t always blame the end user, especially when hackers hide malware in hyperlinks and well-disguised emails. Sometimes clicking on links and opening emails is part of an employee’s job, and we have not trained them to know the difference between good hyperlinks and bad hyperlinks. The truth is, if your entire security architecture can collapse when one user reads an email or clicks on a URL, there’s something wrong with your corporate security architecture.

Which technologies can IT leaders deploy to protect users who are unaware of the risks they take?
Multi-factor authentication can help mitigate a range of attacks that revolve around password stealing or guessing. In terms of combating malware and advanced persistent threats, cloud-based or on-premises detection capabilities are essential. These should include signature-based detection; subscription-based threat intelligence feeds that can block known malware command and control networks; and most importantly, sandboxing capabilities to identify previously unknown or zero-day threats.

By combining these capabilities with automated response actions like firewalling hostile servers on the internet, or isolating infected user workstations before the malware can compromise the entire network, enormous security gains are possible.

If an organization isn’t leveraging these capabilities, they’re leaving themselves wide open to the most popular range of attacks occurring today on the internet.
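The detection-plus-automated-response loop Mihelcic describes (threat intelligence indicators matched against traffic, hostile destinations firewalled, infected workstations isolated) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not Juniper code and not part of the interview. The proxy log layout, the indicator list, the RFC 5737 documentation addresses and the response verbs `block-dst` and `isolate-host` are all assumptions; a real deployment would pull indicators from a subscription feed and hand the actions to a firewall or NAC API.

```python
"""Added example (not from the article or from Juniper): match constructed
proxy log lines against a constructed C2 indicator list and derive the
automated response actions the interview mentions."""

import ipaddress
import re

# Constructed indicator "feed" standing in for a subscription threat-intel feed.
# The domains are made up; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges, used here so the example never names a real host.
C2_DOMAINS = {"update-check.example-bad.net", "cdn.evil-example.org"}
C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed proxy log layout: timestamp src_ip dst_host dst_ip status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# Constructed sample log lines (not real traffic). 10.1.4.22 beacons twice
# to a known C2 domain; 10.1.7.8 talks to a clean-looking host that sits
# inside a blocked netblock; 10.1.9.3 hits a C2 domain once.
SAMPLE_LOG = """\
2017-03-01T09:15:02Z 10.1.4.22 www.example.com 93.184.216.34 200 5120
2017-03-01T09:15:09Z 10.1.4.22 update-check.example-bad.net 203.0.113.45 200 312
2017-03-01T09:15:10Z 10.1.4.22 update-check.example-bad.net 203.0.113.45 200 298
2017-03-01T09:16:40Z 10.1.7.8 intranet.corp.local 10.0.0.5 200 8820
2017-03-01T09:17:01Z 10.1.7.8 files.legit-example.com 203.0.113.200 200 77000
2017-03-01T09:18:00Z 10.1.9.3 cdn.evil-example.org 198.51.100.7 404 0
"""


def matches_indicator(host, dst_ip):
    """Return a string naming the indicator that matched, or None.
    Domain indicators are checked first, then the destination IP against
    each blocked netblock. Unparseable IPs never match."""
    if host in C2_DOMAINS:
        return f"domain:{host}"
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return None
    for net in C2_NETWORKS:
        if addr in net:
            return f"net:{net}"
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, isolate_threshold=2):
    """Run the indicator match over a log and derive response actions.

    Returns (hits, actions):
      hits    -- list of (src_ip, dst_host, dst_ip, indicator) per matching line
      actions -- "block-dst <ip>" once per hostile destination, in order seen,
                 then "isolate-host <src>" for every workstation with at least
                 isolate_threshold hits (a single lookup may be a false
                 positive; repeated beaconing is treated as infection).
    """
    hits = []
    hits_per_host = {}
    block_dsts = {}  # dict used as an insertion-ordered set
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the pipeline
        indicator = matches_indicator(rec["host"], rec["dst"])
        if indicator is None:
            continue
        hits.append((rec["src"], rec["host"], rec["dst"], indicator))
        hits_per_host[rec["src"]] = hits_per_host.get(rec["src"], 0) + 1
        block_dsts.setdefault(rec["dst"], None)
    actions = [f"block-dst {dst}" for dst in block_dsts]
    actions += [f"isolate-host {src}"
                for src, n in hits_per_host.items() if n >= isolate_threshold]
    return hits, actions


if __name__ == "__main__":
    found, todo = analyze(SAMPLE_LOG)
    for h in found:
        print("HIT", *h)
    for a in todo:
        print("ACTION", a)
```

Two design points worth noting: the netblock check catches the host that a domain blocklist alone would miss (`files.legit-example.com` resolving into a hostile range), and the isolation threshold is a deliberate trade-off between containing a beaconing workstation quickly and pulling a user off the network over one false positive. Tune it to the confidence of the feed in use.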

How can organizations encourage better cybersecurity habits among users?
Start with awareness. Educate employees on the real-world business impact of something as seemingly trivial as clicking on the wrong link in an email. Then, move to training – in person, online or both – on the specific security policies, best practices, and internal security tools of an enterprise.

Finally, test employees with things like simulated spearphishing attacks. If they fail, give them more training. The bottom line is they need to know they have an important role in security and they need to know what they can do to excel in that role.


Copyright © 2017 IDG Communications, Inc.