over e-mail. Some of these actions may open doors to security threats
that are not well understood.
Not all security attacks are through technical or electronic means. Social
engineering attacks are driven by a keen understanding of human behavior
patterns. Some of these techniques garner passwords, access information,
or personal data for misuse from unsuspecting customers and employees.
Employee Separation
When there is a separation (resignation or layoff), there may not be a
clear understanding of the knowledge employees carry with them —
which may include valuable details about vulnerabilities of the system.
Sometimes these layoffs are also handled in a physically compressed time
period with little handover or debriefing. Security guards standing to
collect laptops, or network access being switched off, help in only some
aspects of security. One problem that persists, even though guidance on
avoiding it is widely available, is that many applications or objects remain
under the “ownership” of employee user IDs. Automatically deleting or
inactivating such user IDs can have a cascading effect, which is often
difficult to predict. Such organizations may not deactivate user IDs very
quickly. It is seen as not being an issue because the ex-employee's network
access is turned off. Avoid allowing production jobs to be owned by
individual user IDs. Developers should build cleanup mechanisms in an
application to handle user ID changes without causing any data loss.
Specialization
Responding to security threats has become a special skill. The problem
with specialization, however, is that one can get into a mode of transference
of responsibility. Security is left to the “security organization” responsible
for security, and one can only hope that they are doing a fine job.
Appropriate response, however, lies somewhere between mass mobilization
and total specialization. Security awareness in the public (nonofficial
security) domain has always been encouraged (“Loose lips sink ships”
posters during World War II) and many companies have regular security-related
education programs or initiatives.
Processes and Procedures
This section examines some of the processes and procedures needed to
support technical approaches to security.