Are humans the biggest security problem?

I read a story today about a person that got his mobile phone infected with a virus when he received an MMS that happened to contain hidden software. The journalist that wrote the story talked to a representative from Microsoft who said that end-users are the biggest security problem. I do not debate that users has to take some responsibility to ensure their safety but I still think that we in the industry cause more problems then most users. It is strange that in an area where so many people (and companies) depend on communication so little is done to fix the underlying problem of security. Many applications are badly designed, badly written and full of holes. Access systems are seldom used or badly implemented. In any other industry consumer groups would be shouting (and suing) suppliers that lie as much as the IT-industry does. So humans are never the "problem", let us start to think about their needs instead.

More about the architecture

I have to admit I am a little bit lazy now.. I copy this text from one of an internal AppGate paper....but I do this to show that it is not that complicated to build a more secure and cheaper architecture for security. The base of the solution is that a user should never see any resources on the network before he or she is properly checked and indentified...to use a new world expression...the firewall is a part of the access system.
1. User finds a machine and connects to an AppGate Security Server.
2. The user is authenticated; ideally, the user should only have to log in once to the system (‘single sign-on’) which is possible for many services.
3. The AppGate Security Server checks availability of possible services (authorisation) for the user. Availability may depend on many different parameters for example based on authentication method being used and the user’s physical location.
4. The system provides the user with information about service availability and the user selects a role depending on what he/she wants to do (this step can be optional and all access could be completely transparent for some users)
5. The AppGate Server will allow authorised users access to requested services while blocking all access to unauthorised users. This makes internal services completely invisible for all unauthorised users regardless of who they are and their physical location .
6. Traffic is normally encrypted to provide message integrity and/or confidentiality over the networks. This step actually makes it possible to use both internal networks and the Internet for transport and makes the borderline between them less important.

An alternative architecture for security

I got an email from a reader of my blog. He wanted to have more information about "non-firewall based" security. This is my answer:
Chris,
Thank you for your email and your comments. It is not a question of replacing the firewall...more of a question of making the firewall a part of the architecture rather then the center of the architecture. Firewalls have traditionally been used to build a supposedly secure wall around the network. However, users on the inside need access to outside resources and many trusted users found on the outside need access to internal resources. In addition, more granular internal security is needed since the corporate LAN is normally not secure enough and does not give enough protection to all resources. The traditional firewall- centric view that treats everything on the outside as malicious and everything on the inside as benign is no longer as useful as it used to be.
A new architecture where each device is capable of protecting itself is needed. To implement this, protection mechanisms must be moved away from the perimeter and be placed much closer to the servers where applications execute and the data is located. All end-systems used for access should have personal firewalls and software that protect them from other network threats. In a world when every system, each server and all clients, are able to protect themselves and only admit authorised users to access data, then the role of the firewall is diminished. In this world, the networks are only used to transport data and the boundary between the internal network and the Internet will become much simpler.
It is possible to create centrally defined policies that govern how all computers that connect to the network should behave. With this model, it easy to offer secure access to all types of services and since all users are treated equally regardless of location. It is now equally easy to offer access for internal users as it is for business partners, home workers and mobile users.
Firewalls can still be present but will in the long run be transformed into systems for data collection for example for intrusion detection (IDS) and intrusion prevention systems (IPS). This new architecture can be compared with modern cities; we no longer build a ring wall around the city and now protection has moved from protection at the perimeter to protection at the source, i.e. to buildings, shops and stores where the assets are located. The streets are just transport paths just like the network will be, and simply having access to the network does not mean that all services are available or even visible to the user.
Regards
Goran

I have blogged about this before...but it is important

Yesterday when I visited a customer I was reminded about something that I wrote about last year under "who can you trust?". The question is simple: can you trust your IT department to always do what you want them to do (yesterday I heard the expression: no creativity..just hard work ). The IT department has an enormous power within any given organisation and their failures have a direct impact if you can do your job or not. On the other hand, when things runs smoothly no-body thanks them…
I often say that people have to much access to information...and that is certainly true for people at IT departments. They are often by definition power users and can access more information (and do stuff) then anyone else in the organisation. It is essential for the management to make sure that the rules and regulations regarding access as are applied also for the IT department. I usually recommend the two-hand principle for anything that has vital implications...an example of this is that one person handles the LDAP system...and other person handles the access system.

Split tunneling

Most corporate networks today are well protected and so hackers are increasingly targeting end point devices instead. This makes the task of protecting these devices and servers just as important. One key step when it comes to protecting information is to establish different security domains and avoid handling information of different sensitivities at the same time. For example you should not proofread the upcoming quarterly report whilst browsing eBay. Doing this turns your computer into a gateway between protected information and the unprotected Internet - an ideal starting point for information theft and other attacks. It's often referred to as the "split- tunnelling-problem". A simple solution is ensuring sure that there is a personal firewall on the PC with an automatic rule-set. When a user connects to a secure domain..all other un-secure traffic is prohibited. The word automatic is important, as users are too important to hassle with security issues

Securing SAP

SAP/ERP systems can provide considerable benefits for medium and large organisations but they can also introduce significant risk to the security of critical data and resources.
But what surprises me is that this risk is frequently not acknowledged or managed effectively when SAP/ERP systems are deployed.
Central to ERP is the commitment of all business function resources and information to a central ‘resource planning’ platform. Centralising information is essential for sharing data across the organisation but, should any malicious user gain access, the threat to the business is much greater.
What is surprising is that information security is not a central consideration as part of a standard SAP/ERP deployment. Instead, it tends to be treated as an after-thought. The result is that network security is inflexible or ineffective leaving corporate data and assets vulnerable to attack. Holes in the network perimeter via ‘backdoor’ access routes are not closed off, internal security risks are overlooked, usernames and passwords are passed un-encrypted. Where attempts are made to provide security, users face inflexible procedures that make SAP applications difficult to use and the user less productive.
The costs to business as a result of unauthorised access to corporate information are well documented and include not only direct costs but also a drop in share price and loss of customer loyalty. For organisations implementing and running SAP/ERP, information security should be recognised as a strategic issue.
By managing user access needs for the SAP/ERP system as a whole, including at the deployment stage, the relevant security issues can be fully addressed whilst also helping users make full use of the ERP environment. “Unified Access” is an information security model that aligns very closely with the SAP/ERP model, allowing security and user access policies for the whole system to be managed through a centralised access control platform.

(Thanks Malcom for the info)

The difference in helping users or forcing them

Many security systems are built to force people to behave in a certain way. The user-friendliness of security systems is seldom discussed. A very simple example: users often need to behave differently depending on where they are or which device they are using. They need to use different authentication systems, different access applications (that looks and behaves differently) and sometimes even the target applications looks different depending on if they are on the outside or the inside. Add to this that we expect them to take security decisions and avoid security issues (as written in the latest security policy document which can be found in the second drawer under the coffee machine on the second floor).
Does anyone wonder why users see security as an obstacle? When we design our security infrastructure we need to address the issues of the users and respect their wishes. The plan should be for optimal security...for the users and the organisation. Well-implemented security solutions can and should help the users to do their job in an efficient way. Always try to make it as simple for the users as possible to access data and take away as many obstacles as possible (usually due to many point products and in-efficient security policies).

Mastering the Internet

I read today about the rumours that the U.K Government plan( called Mastering the Internet) to increase monitoring of Internet usage. I do not know if the rumours are true but they help us to sell security solutions. I spoke to a customer today who has bought a VPN solution from an U.K. operator. His conclusion is that he cannot continue that service anymore as he sees that operators will have to store his secret information in the future. According to him this is the same for all 3-party security providers that also operates a network (he also mentioned an Canadian mobile phone provider..). He will now build and operate his own solution..and make sure that all traffic always is encrypted. During the discussion he also realised that he uses so called MPLS lines from the same operator to connect branch offices...so most of his internal traffic is un-encrypted as well...and is possible to monitor.
I wonder how the operators will deal with this. I think that they have been very silent. Maybe they are afraid to loose customers.