Friday, January 4, 2013

SANS - Securing the Human

The SANS has an interesting section about securing the weakest point in Computer Security: the user.

For the last few years, attackers have focused on trying to fool users into clicking on links or executing programs on their computers, either by sending e-mails, leaving USB thumb drives in parking lots or even mailing CDs. Combined with vulnerabilities in common desktop applications such as Adobe Acrobat, Adobe Flash or Oracle Java, this proved to be an optimal process: instead of trying to pry the perimeter open, the attacker tried to have his payload injected directly at the heart of the network. To that, you have to add the "mellow cake" network: hard at the perimeter but gooey inside.

While there is a lot of room for improvement on many networks (segmentation/segregation of machines, network access control and so forth), securing the human is by far the most efficient way of raising the security level of a network.

Let's try a thought experiment: what if, on your organization's networks, no one would ever click on links in e-mails, no one would ever connect a USB thumb drive or device to any computer, and surfing would be limited to corporate/professional websites? What would the result be? I claim it would lower the risk of compromise by multiple orders of magnitude.

Dedicated to security, the SANS has started a series of advice to "secure the human": there is a monthly video and various resources, such as guides and documents. For example, December's is about the seven steps to secure a computer.

Aimed primarily at CSOs and technical security personnel, I think everybody will gain by going there and reading some of the docs.

The worst that could happen is that our security level will be raised.