
Security in modern corporations



Foreword


I work as a developer at a company. Getting inside the internal perimeter is a tasty morsel for fraudsters. The company, of course, has a security service. But I have doubts about how the security service works and how effective its work is.


In this article I want to share my thoughts and invite a dialogue on how a modern security service should work and what is expected of it.


Hereafter, SB stands for security service.



Disclaimer


I don't want to offend SB officers, and I have no personal dislike for them, no score to settle and no intent to denigrate them. On the contrary, I respect their work and consider it important and highly responsible. I am expressing my own opinion, which may be mistaken and subjective.


They and We


Employees of a company usually see the "security guys" as an extremely intrusive department that gets in the way. Attitudes range from indifferent to extremely negative. Even if an employee understands the importance of the SB, for him the SB will still stand somewhere in the way and "hold back" progress. That is, there is a permanent division into "They and We".


1 + 1 = negative


Let's try to figure out why this attitude toward the SB takes shape.


One


Let's start from the beginning. You have to deal with the SB even before you see a single SB officer for the first time. To be hired, you are sent a questionnaire and told that you need to pass the SB check. The questions in the questionnaire are worded so that you have to solve them like a crossword puzzle, trying to work out what they mean. A negative impression is already forming at this point, because if you don't fill it in the "right" way, you will have to redo the questionnaire.


It would be more logical to ask the person to prepare the necessary documents for the questionnaire and fill it out together with an SB staff member, or with an HR employee who has been trained in the proper way to fill it out.

Another one


After completing the questionnaire, you have to pass the interview itself. Most, if not all, SB members are recruited from the Ministry of Internal Affairs, the FSB, the military and so on. And apparently they have some code of conduct that they faithfully observe. I have never seen this code myself, but by watching them I reverse-engineered it, and here are the points I managed to reconstruct:



According to this code, even if you arrive at the appointed time, you will wait. You will be received in such a way that you will be glad to get out of there as soon as possible. They will be sure to remind you that everything is serious, not a game. They will ask questions that should not be asked at all, but if you don't answer them, you are obviously hiding something. Confession to a priest is nothing compared to an SB interview.


Yes, undoubtedly, the task of an SB officer during the interview is extremely complex and important: he must form a clear picture and give a verdict on whether the person is trustworthy or not. After all, if he approves hiring a swindler or a cheat, he will be the first to answer for it; otherwise, what is he paid for?

Of course, I have no deep knowledge of psychology, but:
  • can a person be sincere and open in a hostile environment?
  • won't a person who is given the chance to speak tell more than one who is only asked questions?
  • questions can be asked in the course of the interviewee's own story.


My main message is that the interview should be conducted by a competent, charismatic psychologist, in a relaxed atmosphere, resembling an interrogation as little as possible.
If the psychologist is not a strong security specialist, a real expert can observe the conversation and steer it through a one-way mirror, a microphone, a monitor, whatever you like.
It is quite possible that a future employee will never encounter the SB again, except at the checkpoint, and this is the only chance to win him over.

I don't know how it is in other companies, but in those where I dealt with the SB, there is a mandatory delay before a decision is made. You are usually, though I think not always, warned about it only after you have passed all the other interviews. And this delay is the same for everyone, apparently to remind you once again how busy they are and that you are just one of many.


All alone


Well, finally you are at work and want to start doing your job, and here it comes: everything is blocked, a step to the right or a step to the left and you get shot. In front of you is a very expensive typewriter, not a working tool. You need access? Write an application and justify the need. Want to connect to Wi-Fi? Write an application and justify the need.


Depending on the company, it turns out that you still need to go through a pile of approvals just to have a workplace set up.


This problem relates not so much to the SB as to how the process is organized in the company itself, which could prepare all the necessary forms and applications for setting up the workplace before the person starts work.

And off it goes


And now it turns out that in order to do your job, you have to deal with the SB constantly. You are developing a new feature: get the SB's approval. You write tests and need to connect to the database: get the SB's approval. You roll out to production: ... well, you get the idea.


Of course, whether one has to deal with the SB depends on one's responsibilities, and in some cases cooperation with the SB should be permanent, but the process is usually not automated in any way.
For example, when the business develops a new feature and presents it, SB staff should attend, understand the essence of it and help solve security problems in advance, rather than being the ones who cut everything to pieces after it has all been developed.
If an employee's work implies constant communication and contact with the SB, why not structure this process so that the SB staff themselves are involved as needed, rather than the team running to them; or at least with automatic notifications, rather than filling in applications over and over. That is, a new feature is rolled out and the SB receives a notification about it; you cannot roll out without their approval, so the time spent drawing up applications disappears.
My message here is that the SB officer should be part of the team, working on equal terms with everyone; then they will no longer be "those who interfere with work" but will become "those who help us work". People will finally know the people responsible for security by sight.

All in the garden


The SB's approach to security is very simple: "Initially, forbid everything to everyone", and allow only after a hearing.
No, of course, everyone signed a paper saying that they had read the security rules and are ready to bear responsibility for violating them. And the rules were not written in small print in the middle of a ten-page agreement (although they are not always clear), and when signing, surely no one was rushed or distracted. But:



Naturally, such an approach is extremely effective in a totalitarian state where there is severe punishment for a "crime", but in a corporate environment it does not work.
There are companies where, when you come to work, you hand over all your gadgets and have to get by with an ordinary phone. But if a company wants young specialists to work there, it will have to motivate them very strongly to persuade them to part with their gadgets. This should be applied only at highly secret military sites or at sites that can be dangerous to people, such as a nuclear power plant. And even then, this approach works more on paper. I have a friend who served in the army at secret facilities and still says that people turn a blind eye to it. Stuxnet is an example of this.
I think the SB should act without forbidding everything, so that people do not think about how to get around the prohibitions to achieve the comfort they want at work, and so that they do not think they have to overcome something and can be punished for it. Establish rules that suit everyone. I will write about this in more detail below.

How many grades did you finish?


Naturally, it's not only, and not so much, the SB as the employees. Plain illiteracy in security matters (both cyber and ordinary) causes the most mistakes.
Many people do not even think that the gadgets they carry are very powerful computers, for which only 15 years ago people would have paid a fortune. General computerization and universal accessibility have entered our lives at an extremely fast pace. A generation has already grown up that does not even think about the fact that it was once not like this.
And that's just gadgets. Smart homes and the Internet of Things, through which one can break in, are appearing all around. Here is one example: WannaCry via coffee machines.
Moreover, believe me, there are people who quite seriously believe that hackers are fiction and a horror story from TV.


Of course, companies conduct training to eliminate information illiteracy among employees, and such work is formally carried out, but unfortunately so formally that in fact it does not exist. Even in a very large company working with finance, for which information security is a top priority, things are very bad. From my observation, in small companies this is treated more strictly, sometimes going too far.
I once worked at a company that manufactures children's toys, and without passing a polygraph you would not be hired there. Children's toys, Karl! Apparently management measured everyone by their own standards: they were afraid of industrial espionage, and about the company itself there were rumours, not without reason, about where it got this or that new product.

Do you think only housewives, secretaries and accountants are illiterate in cyber security? Alas, among programmers there are people who do not think about it at all. If that were not so, hacking stories would not appear so often.


Sometimes a single department or team is responsible for the security of the application, while the other programmers develop, relying on the fact that they are protected, so to speak on another layer of the application. In principle, this approach can be justified to some extent if you have a small application and the risks of a breach are acceptable. But in any case, I personally believe that an SB member should at a minimum be a reviewer of each release.
But in a comprehensive sense, I think a completely different approach is needed. Not only should every programmer be able to understand and pass security tests and courses and, at a minimum, know all the most popular attack techniques used against his programming language, but the company should also conduct training on a regular basis and not allow anyone to develop who does not meet that minimum.

And it's not just about employees: it is often easier for hackers to break into the systems of a partner of the company they are interested in, one that is mediocre about its security. Cobalt hacker group


The sucker is not a mammoth, the sucker will not die out


According to research results, the most popular and successful way of breaking in is still through a person, not a system. It is much easier to deceive an untrained person than to break into a system that specialists developed. Hacker Magazine


Read the whole list, please!


So, what do we end up with?



After a hundred meters, turn right


How to properly build a corporate security process?


Firstly


The SB needs to be rebranded so that they are part of the company, so that anyone can approach an SB person sitting somewhere nearby and ask for help with a suspicious email or advice on a pressing security question without having to write applications, and not feel humiliated after talking to them.


Secondly


We need regular security training for all employees within the company, taking into account the position held and duties performed.
Naturally, a programmer at the cutting edge of digital technology needs a fundamentally different approach to training than a secretary.


Thirdly


Training should be as informal as possible, interesting and interactive, so that people who have gained knowledge want to share it with others, rather than complete it and forget.


Fourthly


It is necessary not to forbid, but to find ways for employees to voluntarily participate in shaping the company's security.


For example, a company could, at the simplest level, offer to pay for anti-virus software on all gadgets and systems that an employee uses for company work. If an employee connects to the network via VPN, you need to make sure he has a "clean" workplace.


If Internet access is available on workstations, it should be open and transparent, but should take place in a protected environment. For example, inside the company where I work there is such a thing as a "secure Internet": a specially designed browser that runs on a remote machine, so that if something goes wrong, it will not be on the working machine. I believe this approach is very promising, but working through such a browser in its current implementation is extremely inconvenient.


Conclusion


In today's world, providing security through prohibition is an extremely inefficient way.
A completely different approach is needed, based on educating employees and on cooperation between every employee and the SB.
Since the biggest vulnerability is human stupidity, only a company that can develop and implement a system for eliminating illiteracy will achieve an effective method of protection.


When designing the level of security, comfortable working conditions for employees must be taken into account. If a person needs access to social networks, it is worth thinking not about how to prevent him from doing so, but about how to give him the opportunity to use them safely. It is easier to train an employee than to keep inflating the SB's staff.


I would also like to reflect on how security can be organized, but the article has already turned out too big. Perhaps I will continue in another article, if this one proves popular.




Useful links on the topic:


Source: https://habr.com/ru/post/345474/

