Tom Olzak

Archive for March, 2009

Data Security Responsibility Should Not be Pushed Down

In Business Continuity, Data Security, Government, Risk Management on March 31, 2009 at 09:56

Securing information assets is a continuous process: new threats and user demands emerge every day, and each can require changes to the control framework.  But the dynamic nature of security and the increasing need to let information “travel” are not good reasons for security managers to push data protection responsibilities down to business managers.

I decided to put pen to paper when I read a recent CSO Online article by Andrew Jaquith.  Jaquith starts off the piece by attempting to make the case that things are getting too complicated for CISOs; they need to offload some of the work of protecting information.

Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.

Source:  Data Security: Whose Job Is It Really?, Andrew Jaquith, CSO Online, 30 March 2009

As I read through this, I remembered the days when I tended to get confused about the right things to do.  That was before I decided to take a different approach.  Instead of reacting to vendor assertions and emerging threats, I developed a strategy to build a controls framework which encompasses all types of threats in general, with the flexibility to address individual issues as they arise.  This is supported by a threat/controls matrix which allows my team to see gaps in our defenses at a glance.  If a vendor calls with their newest product or an exploit is announced, we use the matrix and an accompanying exploit assessment process to determine whether we are already protected.  We quickly determine whether we care about new solutions, exploits, or vulnerabilities without eating up a lot of resources.
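The matrix-driven assessment described above can be automated. The following is an added example, not Tom Olzak's own tooling: the threat vectors, control names, the sample exploit announcements and the rule that every vector an exploit uses must be covered by at least two independent controls are all constructed assumptions for illustration.

```python
"""Threat/controls matrix with an exploit assessment check.

Added example (hypothetical). Rows are threat vectors, columns are the
controls already deployed; a vector is "covered" only when at least
MIN_LAYERS controls mitigate it after removing any control the new
exploit is reported to bypass.
"""
from dataclasses import dataclass, field

MIN_LAYERS = 2  # defense-in-depth threshold (assumption)

# Controls currently deployed (constructed names).
CONTROLS = {
    "email_filtering", "endpoint_av", "host_firewall", "web_proxy_filtering",
    "dlp_gateway", "removable_media_policy", "waf", "patch_management",
}

# Threat vector -> controls that mitigate it (constructed matrix).
MATRIX = {
    "malicious_email_attachment": {"email_filtering", "endpoint_av", "patch_management"},
    "drive_by_web_download":      {"web_proxy_filtering", "endpoint_av", "patch_management"},
    "data_exfil_removable_media": {"removable_media_policy"},
    "data_exfil_web_upload":      {"dlp_gateway", "web_proxy_filtering"},
    "web_app_injection":          {"waf"},
    "network_worm":               {"host_firewall", "patch_management"},
}


@dataclass
class Exploit:
    """A newly announced exploit, tagged by the vectors it uses."""
    name: str
    vectors: list
    # controls the advisory says this exploit defeats (e.g. AV evasion)
    bypasses: set = field(default_factory=set)


def effective_controls(vector, bypasses=frozenset()):
    """Deployed controls that mitigate `vector`, minus any the exploit bypasses."""
    return sorted((MATRIX.get(vector, set()) - set(bypasses)) & CONTROLS)


def matrix_gaps(min_layers=MIN_LAYERS):
    """The 'at a glance' view: vectors with fewer than min_layers controls."""
    return sorted(v for v, c in MATRIX.items() if len(c & CONTROLS) < min_layers)


def assess(exploit, min_layers=MIN_LAYERS):
    """Exploit assessment: are we already protected, or must we investigate?"""
    report = {"name": exploit.name, "covered": {}, "gaps": {}, "unknown": []}
    for vector in exploit.vectors:
        if vector not in MATRIX:
            # A vector the matrix never modeled is itself a finding.
            report["unknown"].append(vector)
            continue
        ctrls = effective_controls(vector, exploit.bypasses)
        bucket = "covered" if len(ctrls) >= min_layers else "gaps"
        report[bucket][vector] = ctrls
    protected = not report["gaps"] and not report["unknown"]
    report["decision"] = "already protected" if protected else "investigate"
    return report


# Constructed sample announcements (not real advisories).
SAMPLE_EXPLOITS = [
    Exploit("EXAMPLE-1 SMB worm", ["network_worm"]),
    Exploit("EXAMPLE-2 SQL injection in vendor portal", ["web_app_injection"]),
    Exploit("EXAMPLE-3 AV-evading mail attachment",
            ["malicious_email_attachment"], bypasses={"endpoint_av"}),
    Exploit("EXAMPLE-4 rogue wireless access point", ["rogue_wireless_ap"]),
]

if __name__ == "__main__":
    print("matrix gaps:", matrix_gaps())
    for ex in SAMPLE_EXPLOITS:
        r = assess(ex)
        print(f"{r['name']}: {r['decision']}  covered={r['covered']} "
              f"gaps={r['gaps']} unknown={r['unknown']}")
```

EXAMPLE-3 is the interesting case: the exploit defeats endpoint AV, but email filtering and patching still give two layers, so the announcement needs no new spending. EXAMPLE-2 and the standing `matrix_gaps()` output point at the same single-control vectors, which is exactly where a vendor pitch deserves a hearing.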

Read the rest of the article at CSO Online…

Netbook Security Concerns Lack Substance

In Business Continuity, Data Security, Netbooks, Risk Management, Sandboxie on March 30, 2009 at 12:46

Internet users are tearing down old walls which constrained Web use.  No longer are they satisfied with waiting until they get home or to the office before checking email, buying movie tickets, or burying themselves in their favorite social network.  In large part, the iPhone and the iPod Touch provided the catalyst for this demolition work which is altering forever the way we communicate. 

Taking advantage of new building opportunities is the netbook, an alternative to dealing with the limitations of handheld devices.  However, there are rumblings about inherent security issues in these crossovers between laptops and iPhone-like devices.  These rumblings are a lot of smoke without any real threat of fire.


The Picture Says It All

In China, Cyber Espionage, Cyber-warfare, Government on March 29, 2009 at 11:44

Once again, the Chinese have been caught with their hands in other people’s computers.

Canadian researchers have revealed an extensive Chinese spying operation, which involved the hacking of over 1000 computers in 103 countries, according to reports in several leading newspapers today.

The new report from the Information Warfare Monitor, a group comprising researchers from Ottawa-based think tank SecDev Group and the University of Toronto’s Munk Centre for International Studies, was originally set up to investigate allegations of Chinese snooping on Tibetan exiles.

Source: Massive Chinese cyber hack revealed, Phil Muncaster, vnunet.com, 29 March 2009

This shouldn’t be a surprise to anyone following the exploits of the Chinese in cyberspace over the past few years.  And I imagine the Chinese government’s response will be the same as in the past, a response characterized by the image below (from the Muncaster article, caption is mine).

The 3 Monkeys Approach to Chinese Deniability


Compliance requires people-supported technical solutions

In Business Continuity, Cybercrime, Data Security, Hacking, Risk Management on March 28, 2009 at 11:19

Although I agree that reliance on human behavior is not a good way to ensure information security policy compliance, it will always be a factor.

Technology is not the panacea for fraud or executive-level “cooking the books.”  A certain amount of human oversight is necessary to verify that application controls work properly, enterprising employees haven’t found a way around them, and the layered security infrastructure is working as expected.  Further, relying on a 100 percent technical response to an external attack is too costly and prone to being hacked.  So I don’t completely agree with comments recently attributed to Charles Cresson Wood, in which he appears to assert people must be completely removed from the compliance process.

During last week’s SecureWorld Boston, Charles Cresson Wood discussed the need to go beyond development of policy when implementing information security.  In his keynote address, he described the need for systems which ensure compliance.

A huge problem is that security policies are still too reliant on people, Cresson Wood said.

“If you want a high level of compliance do not rely on humans to get the job done,” he said.

“Things are going too fast in information security. A manual response to distributed denial-of-service attacks, for example, is inconceivable,” he added.

Scripted and automated compliance enforcement needs to be put in place, supported by intrusion detection, intrusion prevention and other tools, Cresson Wood said. Security appliances will be documenting and vouching for policies, producing admissible evidence that can be used if disaster strikes and legal issues ensue. “Something like a black box when an airplane goes down,” he said.

Source: Expert Cites Big Problem with Security Policy Compliance, Bob Brown, Network World, 25 March 2009

I agree that writing policies and training employees on what is and is not acceptable behavior is not enough.  I also agree that layered technical controls are absolutely necessary to achieve the business objectives defined in the policies.  However, relying completely on technology to safeguard information assets is a poor business decision.


Are they kidding?

In Data Security on March 24, 2009 at 12:19

Working through my ‘pile’ of unread RSS feed postings, I found one that piqued my interest.  It was entitled Best Encryption Utilities: Protect Files, Email, and ostensibly provided a list of encryption utility downloads.  What I found was not only disappointing, but sad.

The link is to a PC World download list which appears to simply be a come-on for purchasing product (shown below).  OK, maybe I was expecting too much from PC World, like actually listing good, free encryption software (e.g., TrueCrypt and AxCrypt).  Oh, well.

Disappointment
