Regular vulnerability scans and patch management? Check!
Web security software? Check!
Security thinking? Ch-e…what?
When we think about security we automatically think in terms of software. Without a doubt, these solutions are a must to enforce an organization’s network security but the journey shouldn’t stop there. You can only achieve all-round security by applying ‘security thinking’ and identifying how your users behave towards your security setup and measures. User behavior should be taken in consideration throughout the design process of any systems that are implemented on your network.
So how can you put this security thinking process into practice?
When, for example, you are creating a security policy, you need to think of the various parameters that will apply to that policy. How will you develop your password policy? Will you instruct users to use complex passwords, long passwords or a password that is both complex and long? Will you expect users to periodically change that password? These questions may be obvious to some, but you need to understand that each option will impact differently on users or group of users. Long complex passwords that change monthly, for example, will push users to write the passwords down since it will be hard for them to remember it every time. Always evaluate how your choices will affect users, and how, in turn, your users’ reaction to your choices will affect the network’s security.
Another example of security thinking is when you’re deploying software. Once again, you need to evaluate how the software’s deployment can influence your users and their behavior. Let’s take a Content Management System (CMS) as an example. On a basic level, when choosing what solution to implement, a sys admin might just consider the security features of the software. User access control might be viewed as sufficient security if content on the CMS can only be accessed by specific user groups. There is however a lot more to the process. You must see how user access control will be implemented. Will your user access control setup prevent your users from seeing document titles or just prevent them from accessing that specific document? If your users will be allowed to view document titles, in certain cases this can be a security risk. Titles generally reflect the document content, and can therefore, possibly give notice of confidential information to the wrong recipients.
Once you take the time to consider how the relevant security policies will affect your users, and how these users are likely to behave as a result, you’ll be able to predict potential security risks and thus be in a position to proactively strengthen your security infrastructure and set up without additional expenditure.