The Future of Software Quality Assurance

Page - 255 - in The Future of Software Quality Assurance


Security: It’s Everyone’s Business!

I’m not talking about turning every employee into a security expert—that will not be a practical (or cost-effective) solution. The basic training that’s required should allow the organisation’s staff:

1. To summarise the need for security to protect technology/process/people
2. To relate the motivation of a malicious user to the organisation’s assets
3. To recognise potential security vulnerabilities in the day-to-day tasks of their own job role
4. To follow security processes!

There should also be a small team of people within the organisation who do specialise in security. The training for this team would go much further—allowing this group to write, test/audit, and maintain the organisation’s security to the required level. It’s up to them to continuously test these procedures, and ensure the people using them not only understand the steps, but the reasons behind why the steps are necessary.

Earlier, I mentioned time. It takes time for an attacker to look for vulnerabilities, and to exploit them once found. It is everyone’s job in the organisation (and our job for our personal lives) to reduce the possible vulnerabilities. But they will always exist. There might be a determined attacker who, based on MICE, might want to attack your organisation, or even you personally. You cannot stop all attacks, but you can make the time and resources needed to expend in the attack too high a price for the attacker to pay.

It’s like a cryptic crossword—many people look at it and don’t even attempt it. A smaller number start, and might even get part way through to completing it. But a few will be either determined enough to complete it (but it takes a long time) or both determined and clever enough to do it quickly. Although these people are to be feared, they are not invincible. But, luckily, they are few in number, and the methods of defeating them are growing. But so are the methods they can use to attack. Security is a subject that if you are standing still, you are moving backwards faster than you would realise.

Your aim is to make the resources needed to expend in the attack greater than the attacker is willing to put on the table. We must do this through reducing vulnerabilities contained within our organisation’s technology, our processes, and, most importantly, our people.

Finally, let’s hope it’s not a nation state that wants your stuff. This attacker has a potentially unlimited set of resources—if they want your stuff, they will get it. The only way to stay safe is to switch off all internet connected devices, destroy them, then go and live in a cave. Putting on tinfoil hat now . . .

Reference

1. Hadnagy, C., Fincher, M.: Phishing Dark Waters. Wiley, Hoboken, NJ (2015)

Title: The Future of Software Quality Assurance
Author: Stephan Goericke
Publisher: Springer Nature Switzerland AG
Location: Cham
Date: 2020
Language: English
License: CC BY 4.0
ISBN: 978-3-030-29509-7
Size: 15.5 x 24.1 cm
Pages: 276
Category: Computer science