Build a Security Culture, One Awareness Step at a Time
You've successfully engaged others in the company to take on the tasks of selecting or developing the teaching and learning assets, structuring the courses, and finding the right people to act as trainers and teachers. You've got them managing the identification of which employees need what levels of learning, how often they need it, and when they need to get the learning accomplished. As the on-shift or day staff security administrator, that's a great segregation of duties to achieve! Now what?
Walk the hallways of the company's campus or locations; keep your eyes and ears open for signs that awareness, learning, and skills-building are happening. Look for signs of trouble that suggest it isn't working fast enough or well enough. Step into those situations informally and casually, and lead by example and inspire by action and word. Suggest to people in these problematic contexts, be they workers, supervisors, or mid-level managers, that they've got the opportunity to empower themselves, and you can help them.
Too many organizations fall into the administratively simple task of regularly scheduling repetitive training activities. These could be messaging opportunities that strengthen each worker's future with the company by enhancing the organization's survival and success. Instead, they oftentimes turn them into tick-the-box, square-filling exercises in futility. If this is happening in your organization, shine some light on it; help others become aware of the need to turn that messaging around. Quickly.
PARTICIPATE IN PHYSICAL SECURITY OPERATIONS
Information security specialists, such as SSCPs, need to be aware of all threats to the information systems in their care and be able to assist, advise, and take action as required across many functional areas in their organization. If your company is truly cloud-based, with no data center of its own, you've still got threats in the physical domain to contend with. Remember, too, that your attacker could turn out to be an insider who turns against your team for any number of political, financial, emotional, or personal reasons.
Physical Access Control
If the attackers can get to your systems, they've got a chance to be able to get into them. This starts in the physical domain, where access includes physical contact at Layer 1 network systems, at the USB ports or memory card slots on your endpoints and other devices. It includes being able to see the blinking LEDs on routers (which blink with each 1 or 0 being sent down the wire), and it includes being bold as brass and just walking into your office spaces as if they're a pizza delivery person or business visitor. And although we've not yet seen it reported, it won't be long now before we do see an attacker using hobbyist-grade UAVs to carry out intrusion attempts.
Chapter 2 will look at the concept of defense in depth, integrating a variety of deterrence, prevention, and detection capabilities to defend the points of entry into your systems. Threat modeling, done during the risk assessment and vulnerability assessment phases (which Chapter 3 examines in more detail), have given you maps of your systems architecture, which show it at the data, control, and management planes as well as in the physical dimension. Start at the outermost perimeter in those four planes and put on your penetration-tester hat to see these control concepts in action.
One major caution: What you are about to do is tantamount to penetration testing, and to keep that testing ethical, you need to first make sure that you're on the right side of law and ethics. Before you take any action that might be construed as an attempted penetration of an organization's information systems or properties under their control, gain their owners and senior managers permission in writing. Lay out a detailed plan of what you are going to attempt to do, why you propose it as worthwhile, and what you anticipate the disruptions to normal business operations might be. Work with them to specify how you'll monitor and control the penetration test activities and how you'll suspend or terminate them immediately if required. As you learn with each step, err on the side of caution and go back to that management team and ask for their written permission to take the next step.
At a minimum, this will keep you out of jail. It will enhance your chances of staying employed. It will also go a long way toward increasing the awareness of the threat and the opportunity that your management and leadership stakeholders have to do something about it.
The vast majority of businesses and nonprofit organizations have almost nothing to do with national defense or with international intrigue; their leaders, managers, and owners see themselves as light years away from international terrorist plots or organized crime. And they probably are. Unfortunately, this distance can bring a false sense of security with it, one that turns off their imagination.
In virtually every cyber attack, the target is the data that the organization holds. Data about their employees, their customers, or their suppliers; or transaction histories with their partners and their banks. Attackers may have far more reasons for finding value in your data than you think.
Without your data, you can't operate. With your data, your attackers can gain in ways you don't have to imagine in order to stop cybercrime in its tracks.
Property Approach
From early reconnaissance and target selection onward, an APT actor will need to see, sense, observe, and probe at your facilities, your people, and your IT systems. You need to balance allowing these contacts for legitimate outsiders while not making it too easy for a hostile agent to learn too much. You don't control the Internet any more than you control the physical spaces outside of the property line around the buildings your company occupies, but you can and should consider what you choose to make visible, audible, or otherwise physically observable, for example, via:
Visual line of sight, depending on the sensitivity of the organization's operations. Line of sight might be obscured by limiting windows in construction, covering windows in sensitive areas, obstructing views with landscaping/formation, or other means.
Vehicular approach, including roads and driveways toward the property/facilities. For secure facilities, these should deter a straight approach to disallow a drive to build up excessive speed and should include obstacles with bollards, barriers, or retractable tire spikes.
Movement patterns of your workforce can reveal when they're working a special, important activity that demands a surge of effort, versus a normal routine pattern of arrivals and departures.
In the digital domain, use periodic black-box ethical penetration testing techniques to examine all publicly-facing information that your organization makes available on web pages, via e-commerce or e-business connections, and even in advertising and print media. Port scanning and network mapping also may show you spots where your systems reveal too much about themselves.
Perimeter
At the outer boundary of the property, security controls can be implemented for access control.
Fences/walls: While generally seen as deterrent or preventive controls, fences and walls can also be combined with additional mechanisms