By Rodney J. Johnson

President, Prescient Consulting, Inc.

Companies and other organizations don't have to just sit back and hope an attack won't succeed against them. They can take matters into their own hands - they can fight back. Fighting back is not something an organization can do in one day and then forget about. Fighting back means making training and a 'secure computing' mindset a part of the regular process of getting business done.

More than just getting the right tools in the door, the people component of IT security can't be an afterthought. In reality, people are the first and last lines of defense against attacks, and the element, that if unreliable, will cause the greatest damage. All parts of security are linked and inseparable. One area's weakness causes a ripple effect that causes security weaknesses in other areas. Training, physical security, and diligence are the tools of the counter fighter's trade.

Setting the right Environment - Security Policy
Creating and implementing a security policy to deal with IT security problems of all types - people and technical, has the benefit getting everyone thinking about the issues. It also brings up training, meaning everyone will get involved and at least realize that there is something to be aware of besides having the virus checker up to date.

The other main issue with security policies is in ensuring that the tough decisions are not left in the hands of those unqualified or unwilling to make them. Personnel on duty should never have to wonder if they are doing the right thing. They should know what the 'right answers' are when questions come up concerning sharing information like passwords, allowing physical and electronic access to systems, and setting up and maintaining their own machines. They should know that the right answer is usually no.

Think Like a Hacker
Training of personnel is the main weapon in fighting back against would be attackers. Untrained personnel can't defend themselves against what they don't know is coming. A little awareness of how an attacker goes about their mission does wonders for the abilities of an organization to keep their information private.

Information systems attackers are no different than any other trespasser. They are always looking for a door in - preferably the easiest one. The easiest door is the one that is unlocked. If all the doors are locked the next easiest one is the door with the key hidden under the mat sitting in front of it. To an attacker, a key is information and almost any information can be a starting point. If I want to do damage to you through your IT systems, I need to gather as much information about you as I can - that's where I'm going to start. I'm going to start by looking for information. I can find information a lot more easily by testing your non-IT security than by testing your IT security.

The fact is, an organization can't have good IT security without good physical security. Physical security is as much a part of IT security as any software or hardware. A would be attacker can gather the information necessary to initiate an attack through physical means like walking around the office, going through trash, or overhearing a conversation in the lunch room. Things as small as names, titles, and desk locations, when put together can be enough information to make a convincing phone call that leads to more and better information. Always escort visitors through the office. Always dispose of trash in a safe way. Just because the trash doesn't include any direct company secrets doesn't mean it doesn't include sensitive material.

To Hear is To Forget. To See is To Remember. To Do is To Understand.
As with many people related issues in organizations, the solution is training. Training first to learn, second to remember, and third to execute without thinking. Everyone must be trained, not just those named to protect information. Everyone must realize why information must be protected, and what information to protect. Leaving the issue to common sense is a recipe for disaster, as common sense doesn't have a lot to say about whether I should share my password with tech support supposedly calling from the floor below me. Asking an organization's people to protect themselves against trained and determined attackers without any help or guidance is ask too much. People need to be trained, and a security policy that creates the right atmosphere for secure business execution needs to be put in place. When these things are done, the weakest link is made strong.