The Security Awareness Of People Is The Important Firewall In IT

About FocalPoint

Your company can have the best firewalls, the best intrusion detection and protection systems, and the best sensors and filters all wrapped around the IT organization. Your company can have the IBM i platform, legendary for its rock-solid security, locked down with the tightest security, and everyone can change their strong passwords frequently. Your company can have administrators using tools to monitor exit points and the Integrated File System that can be a breeding ground for viruses. Your company can have firewalls and antivirus software installed on every desktop, laptop, tablet, and smartphone that comes in contact with your infrastructure.

And yet, all it takes to get around all of that sophisticated – and expensive – security is for one employee, during a busy few seconds, to be distracted and then click on something nefarious during a phishing attempt.

At that point, the bad actors have a crack in your infrastructure security to start get in. That crack can be chipped at and quickly pried apart to create a breach, and a breach can result in massive data theft or the locking of your systems from the subsequent and absolutely predictable ransomware demands.

So in a real sense, the human firewall, comprised of employees who are well versed in the nature of modern security and, most importantly, are tested to show that they understand the threats out there and will not succumb to them.

That is what security awareness training is all about, and it is just as important as all of these security appliances and pieces of security software that we spend lots of money on in the datacenter and throughout the organization. You simply cannot skip this or skimp on it.

Basically, every employee needs to be a human firewall. They have to be constantly made aware of the current threats out there so they don’t make critical mistakes as they go about their day-to-day jobs. They particularly have to be made aware of social engineering attacks, where hackers try to gather information from specific employees and then they use that information against other employees to gain more and more information about your organization, so they can conduct an attack on your company.

This is not something that just happens to small and medium enterprises using IBM i platforms to run their critical systems. Just last week, ride sharing juggernaut Uber – known for the sophistication of its technology – was hacked in precisely this manner, and very embarrassingly and publicly. According to a report in the Wall Street Journal, the Uber hacker tricked an Uber employee into providing access to the company’s virtual private network, and from there was able to gain access to the privileged access management server, which houses access to all of Uber’s critical systems – it’s HackerOne security account, its Slack channels for developers, its internal VMware virtual infrastructure, and its cloud services on Amazon Web Services and Google Cloud. The hacker has not done anything except roam around and show off the access with screen shots, but it shows how important the human link is in this chain of security.

And with so many of us still working from home due to the coronavirus pandemic, the security of bring your own devices – laptops, tablets, smartphones – and the home network, which many of us use to get access to the corporate virtual private network, is vital. And therefore all employees, partners, and suppliers who are coming into the IT systems from outside of the firewall have to be aware of proper security protocol.

This security awareness is absolutely critical, and it has to be updated just like the malware fingerprints in an antivirus software has to be, because the nature of the vulnerabilities keeps broadening and changing. That’s why we conduct mock phishing attacks as well as provide video training as part of the security awareness service we offer. The video training that gives some specific categories of security awareness, but the phishing tests show us if the training was successful and that employees understand what a phishing email or text looks like, and that they always have to look for things that are out of context. Do you really expect to get an email from Uber or Amazon on your work email, or a new contract from a potential supplier partner in China on your home email? Some people need more practice always thinking about context, and they can get additional training until it becomes part of their thinking.

But it is even more than that. You can, for instance, install security software that analyzes emails and checks the links for malicious code and locations on the Web, and this software can place any attachments into a sandbox and detonate it, just like a real bomb. But there are Zero Day exploits, and this email security software may not be updated at the moment the attack comes to your organization.

We recommend that companies run security awareness programs at least quarterly. Some of our customers do it annually, depending on their capacity as an organization. Some do it monthly, which we prefer. We also recommend monthly phishing tests as well, but most organizations do it quarterly. We can do them, or they can learn how to do them under the control of their own IT organization. Either way is fine. What isn’t fine is not doing security awareness training.

We also provide security assessments for free on the IBM i platform for customers, and we can extend that out to X86 servers running Windows Server or Linux, or Power Systems machines running AIX or Linux. The security assessments expose potential weaknesses within your organization and take a hard look at the IBM i configurations and controls that may need enhancements, whether they are critical, high, or medium level, and then help you understand how to remediate these issues with best security practices. IBM i has system values that are set by administrators, and certain system values can create exposures within your IBM i platform, whether it’s controls, password levels, all that. These system values can be analyzed, but we can also give customers the best practices on how to change those values to be more secure. Because sometimes, changing those values can break applications that you’re utilizing, so we work with them to understand their environment and understand the effects that changing those values will have throughout the organization.

As far as security assessments go, it is important to do them on a regular basis, too, because values can change, controls can change, and configurations from IBM can change as IBM i gets new features

For our cloud customers, we really encourage security awareness training, and this is a line item that customers have to uncheck if they decline the training or suite of security products that is offered with the cloud environment. For any new cloud customer, we conduct a security assessment on existing environments, prepare a detailed report and perform remediation with customers prior to starting the migration to the cloud. The security awareness training service comes in small, medium, and large packages to cover different levels of system and complexity, but it is always meant to be affordable. We want no barriers here – except good ones in the human firewall to protect your company.

John Fehr is the chief information security officer at Focal Point Solutions Group. Fehr has been on the IBM i platform for more than 20 years, and was the vice president of infrastructure and IS operations for Sandia Laboratory Federal Credit Union. Fehr got his masters in information protection, security, and national security from the University of New Haven back in 2017 and is currently pursuing his PhD in Cyber Defense at Dakota State University. Fehr holds certifications as a CISSP and GISP and in cloud security. Fehr is a former board member and current acting member of InfraGard, a program to enhance our nation’s collective ability to address and mitigate threats to United States critical infrastructure by fostering collaboration, education, and information-sharing through a robust private sector/government partnership.