People hold a lot of prejudices when trying to identify the different Information Security roles across the position levels of a company; it is easy to oversimplify the levels of responsibility, as that is human behavior.
Everybody knows the various Information Security issues present in any company; in fact, companies and the media have sometimes blown them out of proportion. Everything begins with a combination of creativity and common sense:
A typical modern company has the following macro divisions in its workforce:
· End Users (EUs)
· Information Security Officers (ISOs)
· Top Executives (TEs)
End Users
End Users take the brunt of the decisions of both ISOs and TEs and are often dubbed the “enemies” of the ISOs… nothing is farther from the truth, as the people who know most about the micro-level workings of the company are the End Users!
They are the people who face, day by day, the challenges and attempts of hundreds of wannabe small-time criminals who want to obtain information or any other kind of advantage from our company.
End Users are our first and best line of defense against information criminals, and they deserve the support and training of the Information Security Officers and Top Executives.
ISOs have to explain carefully the role of the EUs in the security strategy. In this task it is imperative to keep the explanation only mildly technical; the message has to be simple, to the point and focused on their role, because humans tend to lose focus on topics they perceive as outside their area of expertise.
EUs have to understand their responsibility in the business process and the potential impact of their actions on their job and on the organization, in order to realize their full potential as partners in the security of the organization.
Information Security Officers
Information Security Officers are called the “Good Guys” of the company because they are the rule makers and protectors of the realm, but this can easily turn into the contrary.
Information Security inside an organization is a delicate matter, as it needs to create synergy between the business needs, the business process and, well, security.
ISOs tend to become entrenched in the last factor only; they tend to become the “NO” man, which is not far from becoming an obstacle for the company.
The primary task of an ISO is to listen to the needs of the business as stated by the Top Executives, then listen to the way it is currently executed by the End Users, and then create a Security Strategy that combines both points of view.
The second task of the ISO is ensuring that this strategy will not hinder the EUs while covering the TEs’ objectives; this part can be done by designing and/or implementing tools and procedures together with the EUs.
The responsibility of the ISO is to protect the business: not only the information but the business itself, and that means protecting the way the business is done too.
Top Executives
Top Executives are very important for the company as they define the macro operations of the organization; they help to design the security strategy and must help to enforce it by using their skills to build a culture around this strategy.
TEs tend to forget this second part and stay in a passive role, thinking that after issuing the order the responsibility belongs exclusively to the ISO, but the company’s security is not that simple.
ISOs by definition cannot change business procedures as required by the strategy, since this is a TE function, so the TEs have to be involved in every adjustment to the business processes.
ISOs have to explain their role and its implications to the TEs, so it is imperative that it be described in business language, taking great care with any technical language involved; as previously stated, it is common for human beings to ignore ideas that are unclear or not perceived as part of their expertise.
Conclusion
In the matter of security, an organization cannot leave the responsibility and its execution in the hands of one individual; it is work for all echelons of the business to develop a security culture that will protect its employees and their jobs.
Security is not a new field, but it is one of the less developed ones, and new threats in new business fields are forcing a due sophistication on its methods, which calls for all disciplines to embrace new ways to get the job done without giving away our hard work to petty criminals.