Thursday, June 26, 2008

Compliance : One Step at a Time

When I was a teenager, a gym instructor told me that if I worked out 1 hour every day for 3 months I could certainly build a healthy and well-shaped body. However, he also warned me not to overdo the exercises. He was clear that if I started working out for 5-6 hours per day for (say) 15 days, it would only harm my body.

Point taken, and I am sure most of us will agree with this piece of advice.

I wish management executives understood this wisdom and applied it to IT security and risk management projects, more specifically to compliance projects.

The time has come when at least large organizations are under pressure to meet compliance and regulatory requirements. Certainly it is a long-awaited milestone and will have a significant impact on developing a positive security posture. However, the conventional style of project execution, pushing your team members hard to reach targets as soon as possible, may easily lead to frequent failures and finally to the loss of this long-awaited opportunity.

Reaching compliance is not a 2-3 month job (unless the organization/team is very small). We may have such short-duration projects for planning and preparing for external certifications such as ISO 27001 or PCI (though this is not recommended). Still, to have a sustainable and secure environment we will need a plan extending over years, not just months. Do not forget that even if you receive external certification in 2-3 months, you are bound to face regular reviews, which require a sustainable security posture.

To succeed in forthcoming reviews and become really resilient to IT security risks, your employees and process owners must absorb the policies, processes and procedures into their day-to-day work. Just attending security awareness training and then signing the attendance sheet will not serve the purpose. I have seen many cases where employees have gone through a lot of security training or quizzes but still do not understand the basics of their company's security procedures.

Organizations will have to realize that attaining a sustainable security posture is a gradual process and may easily take years and multiple reviews. Have patience and work with your employees. Let security become part of your organization's work culture, and gradually the cost of security projects will start coming down; system administrators as well as end users will become proactive. Reporting security incidents will no longer be considered a waste of time, and information security managers will no longer be seen as policemen.

Thursday, February 14, 2008

Physical Security: Tailgating

A few years back, when smart access cards were introduced as a solution to unauthorized physical access, Information Security Managers (ISMs) felt very relieved. Even in information technology organizations, physical security breaches were more prevalent and damaging than network-based attacks, and hence their relief was justified. However, they soon realized that access-card-based access control was not successful because of tailgating. Social engineering attackers were easily able to bypass this control by following an authenticated user through the door. Soon most ISMs felt that it was a technical limitation and that they would either have to live with tailgating or deploy a full-time security guard at premises entrances (defeating the purpose and wasting the money invested in access cards and readers). I have seen organizations (and some of these are among the top 20 IT organizations in the world) where security professionals had deployed a full-time guard at all entrances to combat tailgating.

Solution:
The good news for security professionals is that there is an effective solution to control tailgating. You may call it an enhancement over current smart-card-based access control systems. Of course the cost of the control is going to increase, so be ready to convince the finance people with an ROI calculation. The solution is as follows:

Install a one-way turnstile in front of each entrance; the current access cards will permit access to the premises through the turnstile. When a user presents her access card to the card reader, the turnstile will allow only one person at a time to enter the premises.

Additionally, a buzzer can be installed to raise an alarm when a deactivated or fraudulent card is presented.

Notice that the above-mentioned turnstile is one-way; hence for exit you will have to have a separate door with conventional access control. You would agree that tailgating is a problem at the time of entering the premises rather than exiting.

Limitations:
1) This solution will not work if a user presents her access card three times (intentionally) to allow two other users to pass along with her. However, this abnormal activity can easily be noticed by fellow employees or nearby guards.

2) Due to the additional cost, it may not be practical to install turnstiles at every door. Hence, risk managers' help may be required to identify suitable areas. In my opinion, this solution must be implemented at
a) the building perimeter and
b) highly restricted areas such as server rooms, data centers and highly restricted project areas.
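The repeated-presentation limitation in 1) can also be caught from the turnstile's own event log rather than relying only on bystanders. The following is an added example, not code from the original post; it assumes a constructed log format of timestamp, reader id, card id and result, and flags a card that was granted entry several times at the same entry turnstile within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of turnstile events (not from any real access-control system).
# Assumed line format: "<ISO timestamp> <reader_id> <card_id> <GRANTED|DENIED>"
BADGE_LOG = """\
2008-02-14T08:59:10 T1-MAIN C1042 GRANTED
2008-02-14T08:59:13 T1-MAIN C1042 GRANTED
2008-02-14T08:59:16 T1-MAIN C1042 GRANTED
2008-02-14T09:00:02 T1-MAIN C2210 GRANTED
2008-02-14T09:01:30 T1-MAIN C0007 DENIED
2008-02-14T09:20:00 T1-MAIN C2210 GRANTED
2008-02-14T12:30:00 T1-MAIN C1042 GRANTED
"""

def parse_events(text):
    """Parse the assumed log format into (timestamp, reader, card, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, card, result = line.split()
        events.append((datetime.fromisoformat(ts), reader, card, result))
    return events

def find_repeat_presentations(events, window_seconds=60, min_count=3):
    """Return (reader, card, first_timestamp, count) for each card granted entry
    min_count or more times at the same turnstile within window_seconds.
    Default min_count=3 matches the post's scenario (one entry plus two tailgaters);
    a single re-presentation could simply be a turnstile that did not rotate."""
    window = timedelta(seconds=window_seconds)
    granted = defaultdict(list)
    for ts, reader, card, result in events:
        if result == "GRANTED":            # denied cards already trigger the buzzer
            granted[(reader, card)].append(ts)
    alerts = []
    for (reader, card), stamps in granted.items():
        stamps.sort()
        best_count, best_start, start = 0, None, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start = end - start + 1, stamps[start]
        if best_count >= min_count:
            alerts.append((reader, card, best_start.isoformat(), best_count))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_repeat_presentations(parse_events(BADGE_LOG)):
        print("repeat presentation:", alert)
```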