Sesseto Security Knowledgebase

IT Security information from the experts

HR are your Front-line in Network Security

HR has a huge role to play in the security of your networks.

Yes, Human Resources.

For all the effort your organisation goes through to implement robust IT policies and infrastructure to help keep everyone safe, the sad fact is that the biggest threat to an organisation’s safety comes from its employees.

Whether through malice, ignorance or human error, the people in your business are the most likely factor in letting malware in.

And where there are people, there is HR.

 

Why Do Staff Cause Problems?

Rarely does a rogue employee deliberately target an organisation, accessing systems and information in order to do damage. This is one aspect of "Social Engineering" which we'll discuss in another post.

Most employee breaches happen for less dramatic reasons:

  • Employee works on files at the weekend on their home PC, then carries the work back on a USB stick to their laptop or desktop, not realising that they have transferred malware between the two devices, or that the USB stick itself has been compromised.
  • Employee lets their bored child use the laptop or smartphone to play games in the car. Children download apps and games far more readily than adults, and are more comfortable doing so; some of those downloads bundle adware or malware that ends up on your company device.
  • Employee is searching for help with a particular problem on their device (e.g. a free "clone" of an expensive tool such as Photoshop for a presentation). In doing so they download infected code, or malware bundled with the program they wanted.
  • Employee is viewing videos on YouTube or similar. This is probably unwanted behaviour in any circumstances, and the adverts, links and "install this player" prompts around such content are a common route for malware.
  • Employee clicks a link on their Facebook account and lands somewhere they didn't expect, such as a spoof offer for a freebie.
  • Employee uploads files to a personal Dropbox or similar. This could be a useful tool, but it could also constitute data theft.

There are many specialist products which can mitigate such behaviour.

Content filtering, network monitoring and strong firewalling can all help to contain an infection after the fact, but if the human element could be controlled, the need to take action against it would be lessened significantly.

Strong employee policies and codes of conduct are imperative in mitigating the threat posed by outside agents, because it is through your own staff that most of them get in.

  • What sites are employees allowed to access?
  • What is the organisation's fair usage policy?
  • Are there specific times when "personal sites", such as Facebook, can be accessed (e.g. the lunch break)?
  • What is the policy on staff usage of personal USB sticks and other forms of removable storage?
  • Is there a robust data handling policy?

 

So how can HR help?

We could be all Big Brother about it and throw up restrictions and firewalls everywhere, but is that really the best solution?

HR are incredibly good at influencing behaviour, often using both carrot and stick to achieve the desired behavioural outcomes.

To enable this, security must be an integral part of every employee's onboarding process, and HR should take responsibility for ongoing education and for exerting behavioural influence over staff in a regular and planned way.

That means ensuring the policies in place regarding usage, security, accountability and responsibility are adhered to, without creating a highly restrictive environment.

Employee control is like a wedding prenup – everyone agrees that everyone should have one; they just don’t think it will happen to them!

If you'd like an off the record chat about updating your database security, or anything else security related, you can book into my diary here.

Best wishes,

Liz

 


Troubleshooting- First step to improving network security

If you have a problem, if no one else can help, and if you can find them, maybe you can hire A-troubleshooting team.

 

When you have a solution which isn't working correctly, or you just don't think it's performing well enough, it's often worth taking the time to re-evaluate the situation and get expert help to solve the issues.

It's common for organisations to think that a rip-and-replace strategy is better than spending the time to resolve issues, but upgrading in the hope of solving an underlying problem simply replicates the problem: poor performance running faster, rather than strong, optimised performance made better.

The organisation wants answers and you are responsible.

 

What options do you have?

  1. Cap in hand to the board for more money. You might get sacked. High risk.
  2. Fingers crossed that it is resolved by your current team. You might get sacked. High risk.
  3. Delegate to a team with a head of project. Looks like it's being taken seriously, and you can sack someone else. Medium risk.
  4. Hire A-Troubleshooting-Team, if you can find them. Low risk.

 

Troubleshoot, Triage, Remedy

Great troubleshooters will look beyond the preconceptions about your security framework, will bring to bear experience gained in a multitude of different environments, and will deliver a range of possible solutions, starting with what can be done within your current set-up.

Be very wary of people who tell you it can’t be fixed. No-one ever sold a new platform or implementation by repairing the old one.

Find a team who are well renowned for finding the root cause of problems and making solutions sing, even where others have failed.

If you'd like an off the record chat about updating your database security, or anything else security related, you can book into my diary here.

Best wishes,

Liz

 


Lessons from a UK Bank's Catastrophic Data Breach

I've been watching the news surrounding one of the UK's major retail banks aghast and bewildered.

How could they let this happen?

First of all there was a data breach following a system upgrade, which resulted in customers being able to see other people's accounts.

Secondly, some of those same customers then watched helplessly as their own savings were plundered by fraudsters.

It's evident that something went very wrong here, and then continued to fail.

We have a major UK institution in crisis through ineffective security and archaic data architecture.

There are so many problems here that it's difficult to know where to start but the following is evident.

Good practice around updates.

Untested updates should never be applied straight to live databases. NEVER!

Bank databases are huge, and the overhead of spinning up development and test copies can be overwhelming. It's tempting to flout the rules, apply new changes directly to production and hope for the best.

However, modern architecture around big data can avoid this problem. Solutions are available which make spinning up test and development environments quick and easy.

Security Retro-Fit

Simply adding an overlay to an old database with "flat" security around it is chronically insufficient. A minor glitch in one or other of the tables that link a logged-in user to their data should never be enough to open records inappropriately, such as one user seeing another's private details, as happened during this breach.

If security is retro-fitted, it needs to be multi-layered, so that the identity behind each request is checked again at every layer against the data it is asking for, and a single faulty lookup is caught by the next one. That makes a breach of this type far harder to cause by accident.
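The difference between a "flat" lookup and a layered one, as an added illustration that is not part of the original post and not based on any real bank's schema. The tables, tokens and balances are constructed, SQLite stands in for the production database, and the "glitch" is modelled as one corrupted row in a session-to-account mapping table:

```python
import sqlite3
from typing import Optional, Tuple

Account = Tuple[int, int, int]  # (account_id, owner customer_id, balance)


def build_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical): two customers, two accounts,
    an authenticated-session table, and a denormalised 'session -> account'
    table which a botched upgrade has left pointing the wrong way."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE accounts(
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            balance INTEGER NOT NULL);
        CREATE TABLE sessions(
            token TEXT PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id));
        CREATE TABLE session_accounts(
            token TEXT PRIMARY KEY,
            account_id INTEGER NOT NULL REFERENCES accounts(id));
        INSERT INTO customers VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO accounts  VALUES (101, 1, 5000), (202, 2, 9000);
        INSERT INTO sessions  VALUES ('tok-alice', 1), ('tok-bob', 2);
        -- The glitch: after the upgrade Alice's session maps to Bob's account.
        INSERT INTO session_accounts VALUES ('tok-alice', 202), ('tok-bob', 202);
        """
    )
    return con


def account_flat(con: sqlite3.Connection, token: str) -> Optional[Account]:
    """'Flat' retro-fit: a single lookup table is the only thing standing
    between a session and someone else's account."""
    link = con.execute(
        "SELECT account_id FROM session_accounts WHERE token = ?", (token,)
    ).fetchone()
    if link is None:
        return None
    return con.execute(
        "SELECT id, customer_id, balance FROM accounts WHERE id = ?", (link[0],)
    ).fetchone()


def account_layered(con: sqlite3.Connection, token: str) -> Optional[Account]:
    """Multi-layered: identity comes from the authenticated session, the query
    itself is scoped to that owner, and the returned row is re-checked.
    A corrupted link table is then caught by the next layer down."""
    sess = con.execute(
        "SELECT customer_id FROM sessions WHERE token = ?", (token,)
    ).fetchone()
    if sess is None:
        return None  # layer 1: no authenticated identity, no data
    customer_id = sess[0]
    link = con.execute(
        "SELECT account_id FROM session_accounts WHERE token = ?", (token,)
    ).fetchone()
    if link is None:
        return None
    row = con.execute(
        "SELECT id, customer_id, balance FROM accounts "
        "WHERE id = ? AND customer_id = ?",  # layer 2: ownership in the query
        (link[0], customer_id),
    ).fetchone()
    if row is None or row[1] != customer_id:  # layer 3: re-check the row
        return None  # refuse (and log) rather than disclose another customer
    return row


if __name__ == "__main__":
    db = build_db()
    print("flat    :", account_flat(db, "tok-alice"))     # Bob's account leaks
    print("layered :", account_layered(db, "tok-alice"))  # None: refused
    print("layered :", account_layered(db, "tok-bob"))    # Bob sees his own
```

With the same corrupted row in place, the flat lookup hands Alice Bob's balance, while the layered lookup returns nothing because the ownership clause in the query and the final row check both disagree with the session's identity. The point is not the particular checks but that no single table or lookup is trusted on its own.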

Bank databases are huge. And old.

Age is also a major factor. Bank databases have been built over many years, and new functions have been added on top of legacy technologies.

The underlying databases haven't evolved. This is predominantly due to the cost and the massive upheaval involved, but as the database is a fundamental tool of the trade, investment is critical.

We recently implemented multilayer security throughout the architecture of a brand new database environment for a financial institution. It would simply not have been possible to apply the same levels of protection to their old infrastructure.

In most instances a replacement programme would likely be cheaper and certainly have more longevity than papering over the cracks and hoping it doesn't rain.

Either way it's a lesson for any institution looking to implement security updates and upgrades: do it properly. If you don't, your business reputation, if not your entire business, is at risk.

If you'd like an off the record chat about updating your database security, or anything else security related, you can book into my diary here.

Best wishes,

Liz


Optimisation- Making the Most of your Existing Tools

One of the most annoying things I see on a daily basis is companies with great security products, huge capital expenditure spent wisely on market-leading products which are great assets, but which are totally under-utilised and going to waste because the infrastructure, fundamentally, hasn't been set up correctly.

 

Even worse, we sometimes come across clients who are looking to remove a fabulous product which they've already paid for, to replace it with an inferior solution, all because they didn't understand the capabilities they already had. 

I can't tell you how frustrating this is, but that said, I have complete sympathy for their position.

There is constant pressure to be moving forward with protecting the organisation's assets, and, in many cases, this means simply being seen to be moving forward.

Typical situations:

  • Products have been procured to fulfil a particular need; the features which pertain to that need have been switched on, but nothing else has.
  • Products have been implemented to fulfil an immediate need with the intention to go back later and revisit the solution, adding further configuration to use more of the product, but that last step never happens.
  • A product was implemented and was fit for purpose at the time, but the business has changed since then and the implementation hasn't been updated to match.
  • A product was implemented but is now on an out-of-date software version, which means the customer is missing out on features that have since been added to the product suite.
  • Fear: sometimes administrators don't want to rock the boat, so they do nothing rather than progressing their solutions.
  • Disillusionment: a poor initial implementation means that clients lose faith in their infrastructure and write it off as a bad buy, rather than having someone take a look and get the products to really sing.

The difficulty is that unless you have been in the project since its inception, with the same team, much of the information can be lost.

What's required is an objective set of eyes and opinions, ones that are both abreast of the capabilities of your current technology and not just there to sell you something new.

Which we both know can be difficult to come by.

If you'd like an off the record chat about optimisation, or anything else security related, you can book into my diary here.

Best wishes,

Liz


How to Engage Us

Sesseto is available for short term engagements nationwide and beyond.

You can engage us through your existing IT reseller, business partner or integrator.
We have existing relationships with most, which means we can be contracted without delay. 

If you'd rather talk to us directly, please contact us and we'll assist via our network. 

Contact Us
