The African proverb “It takes a whole village to raise a child” is often used to convey that child rearing is a communal effort: parents, grandparents, teachers, friends, and like-minded individuals all play a part in helping the child grow up and succeed.

The same philosophy needs to be applied when protecting an organization’s computer networks and systems. The Chief Security Officer, security administrator, and other IT staff members can’t do it alone. It takes a balance of people, processes, and technology in order to stand a chance against today’s cybercriminals.

Recent events have called into question the qualifications of the security administrators for the UCLA Health System, the Pentagon’s Defense Information Systems Agency, and two Texas state agencies, all organizations that had personally identifiable information exposed online. These breaches occurred as a result of human error; therefore, people and systems were at risk. We are all capable of making mistakes. It is how we handle the situation that makes all the difference.

According to a recent article in The Washington Post, human frailty is often a factor when data breaches occur:

“In an era of soaring national investment in cyber-security, the weakest link often involves the inherent fallibility of humans,” the article reports. “Experts say even the most skilled system administrators struggle to keep every computer at large institutions running smoothly, with the proper software updates, security patches and configurations.”

“There’s an old joke,” said Columbia University professor Steven M. Bellovin, “that computers need a ‘Do-What-I-Mean’ function.” In addition, Bellovin, who teaches computer science, added, “Some systems are just impossible to configure correctly… The code is complex.”

Joseph Lorenzo Hall, chief technologist for the Center for Democracy & Technology, summarizes the situation in a nutshell:

“People think that there’s all this wonderful technology and it’s great. But at the same time a lot of these institutions may have one full-time technical person who they staff to do this stuff,” Hall said. “To think that a local government IT administrator in a small town is going to be able to adequately protect from all threats is woefully misguided.”

The moral of the story is that if we expect our computer networks and systems to stay secure, we all need to work together. Understaffed departments or ill-trained staff can only lead to disaster. Consequently, agencies can only benefit from new technology if the right people are in place to configure, analyze, and protect it. The right processes and guidelines need to be in place and enforced. And, lastly, people need to realize their part in the equation and handle their responsibilities. Then, and only then, can we be that village.

View the full Washington Post article here.

======

IT SECURITY SUPPORT: Blue Mountain Data Systems provides IT Security Support Services for Federal Civilian Agencies. Looking to find Vulnerability Scanning and Testing, Penetration Testing, Risk Assessment & FISMA Reporting for your Federal Agency? Call Paul Vesely at 703-502-3416.

======

It Takes a Whole Village to Protect Networks and Systems
