I have been working with a new model for InfoSec. As I spell it out more I will surely post something out here. It boils down to Education, Architecture, Technology and Governance (EATGood) as the cornerstones of InfoSec. Watch for a more full-fledged model as a paper on the main page.
I don't do many posts out here and perhaps I should do more, but I thought it time to comment on my transition from corporate to EDU. Many state that EDU is so different from the corporate world, and I will tell you, having been here for a year now, that it is not. From a security perspective the concerns are all the same: PCI, HIPAA, data loss, and data integrity are still the concerns. What is different between Higher Ed and corporate is the emphasis that is put on security. Much like Healthcare, EDU is new to security. It is just figuring out that security is a serious thing that needs resources, time and commitment. Beyond that there are still internal and external threats, architectural issues and policy issues and all of the other concerns. One benefit that EDU has and corporate does not is well established collaboration strategies. The world of Higher Ed has been practicing collaboration for years and has extended this into the world of security. Business is just now starting to figure this practice out.
I have been talking with others and doing a lot of thinking about infosec and economics as of late. When you read reports such as the Verizon Breach report or talk to security professionals, they will tell you that the motivators behind attacks today are largely economic. They will tell you we are no longer seeing the script kiddie out trying to make a name for himself, but that the world of hackers is dominated by cyber gangs and nation states motivated by economics and politics. My question today is focused around this very point. If they can see the economic value in security, why can't industry?
I understand that it may be an inverse correlation. The attacker is working with a business model where they may be selling a product such as compromised systems or stolen assets. For industry, that inverse value should compute to a significant tangible value. How do you show the CFOs of the world that there is a definable value to recovered CPU cycles or to data that does not walk out the front door? These may be abstract values, but placing a dollar value on these abstractions is an important challenge for the security professional. The attackers have been able to accomplish this task. They have been able to take the CPU cycles that they are stealing and find a way to sell them. We need to find a way to sell the CPU cycles that we are recovering back to the CFOs of our companies.
When we can stop working merely to compliance, stop relying on regulations to set the values of these items, and find a way to correlate dollar values to the data and assets that we protect, then we will be more effective at motivating our senior administrators to back security.
So our economy is going to hell in a hand basket. I think we are missing the big picture. You tell me, what is the bigger threat: the debt ceiling, or a cyber attack on our financial systems when we hit the debt ceiling? I know, I am talking about an act of war, but think about it. If we were unable to pay our debt, our financial systems were in turmoil and our credit rating was shot to hell, would that not be the perfect time for a cyber attack on our financial systems and/or our national resources and military? We know the capabilities are out there. We saw it with Stuxnet. We saw it with Sony, and we know LulzSec and Anonymous have the brain power to launch such an attack. What about China or Russia?
I will be honest. I don't give a damn about the balanced budget at this point. I think both the Democrats and Republicans are missing the big picture. We are playing a dangerous game right now, and it is not about the inability to pay our debt; it is about the inability to defend our country. Yes, we need to get the budget balanced. Yes, we need to stop spending. Yes, we need to bring our boys home from overseas. Right now they need to raise the debt ceiling and stop playing stupid politics. I am ready to fire all of them. I did not vote for any of the
It looks like we have a new wave of LulzSec and Anonymous activity hitting the scene. This raises the question again about what concerns the CISO. With these super hacker organizations launching massive attacks against big name organizations, do we need to focus our efforts on this type of threat, or should we continue our efforts on the economic threat that has been driving us for so long?
I would argue that as CISOs we are looking at it all wrong. Our focus should not be on defense any more. These super hackers cannot be stopped. We need to focus on how to motivate business through security. If NATO or the CIA cannot stop these attacks, why should college X or mid-sized company Y sink massive amounts of resources into trying? The answer needs to be that it is good for business. If you can show that through segmentation you can:
1. Increase performance.
2. Decrease data loss.
3. Reduce errors.
4. Improve efficiency.
5. Mitigate risk.
You know that there will be backing for your security efforts and that you will hav
Have we reached a new age? With the onset of hacktivism bringing down government agencies and major corporations, are we looking at a new world order where governments are no longer the controlling force in the world? Who will monitor these new influences in world politics that reign across cyberspace? It is my contention that it will not be governments but rather the cyber community. As we see in the press today, hacker communities such as LulzSec are beginning to lose the support of the greater cyber community. As they step on the toes of gamers and other hackers, ethical or otherwise, cyberspace is growing tired of LulzSec's antics. Has this group pushed the envelope too far? Have they reached the threshold where the cyber community will start to police itself?
We have seen time and time again that, while some of the best theorists and researchers in the industry may be in the military or in business and education, the best practitioners seem to be the freelancers and hackers. These individuals repeatedly show us that they are one step ahead of common practice or even best practice. It is here that we now turn to watch as these individuals join together with the researchers and the community as a whole to work to police itself. This organic process now seems to be forming a new virtual order where the cyber community finds its balance alongside the physical world which drives it.
I have spent a lot of time, as of late, working on policy. This has helped me to realize two things. First and foremost, poor policy, or a lack of policy, really will undermine all of the other work that can be put into an information assurance program. Second, behind every policy there needs to be adequate education.
This second point I cannot emphasize enough. I am finding that it is not simply a matter of educating people about the new policies that are being passed, but that there is a level of education that needs to happen before the policies are passed, so that the policies are written properly and to the correct audience. I come from healthcare and industry. Now, working in academia, I find that the change controls that were appropriate for industry are different from the change controls we would use here at the school. That said, I am also finding that I need to educate the people I work with about the value of ITIL so that we may find a happy medium.
On a separate note I wanted to mention the business that has been going on in Washington and around the world. First, the most obvious world news. With the death of bin Laden, I think that we in the security space need to keep an eye on the horizon for the potential of a cyber backlash. As they say, for every action there is an equal and opposite reaction. In the past this could have been assumed to be a physical attack, but since 9/11 we have clearly seen an increase in cyber warfare, and it would not be unheard of for the response to this action to be a cyber attack. While I applaud our Military for this success, I wonder what the response might be.
In other news I look to Capitol Hill and welcome the bill proposed by Kerry and McCain on a Commercial Privacy Bill of Rights. I think this type of legislation, while it certainly will make the work we do as security professionals much harder, is the right step for the consumer and for the industry. The more standardization we can get in this type of legislation, the better off we will all be. It would be nice if Congress would work to unify some of these laws and to repeal some of the outdated laws so that we could consolidate some of our compliance efforts. I know this will never happen, but the ideal is a nice one.
So what will come of the Epsilon breach? One of the largest clearing houses for email was compromised on March 30th and lost control of massive numbers of email records. Sure, they did not lose any PCI or PII information, but how critical are our inboxes today? Are we going to see a flood of spam and phishing attacks? As security professionals we need to be vigilant in training our user base on how to spot a phishing attack so that they do not fall victim. Mail administrators also need to monitor their filters to ensure they are tuned for the inevitable influx of spam that we are sure to see.
Two thoughts for today. I found a resource that is a free Google App that looks great. For those that do much web conferencing, or need to do some but can't justify the cost of the big commercial products, check out Vyew in the Google App Store. Very cool.
Second thought: Where do we sacrifice security for social involvement? Some organizations, whether schools, non-profits, or other agencies, often feel a certain pressure to provide resources to the community around them. Where do you draw the line between offering those resources to the community and sacrificing your network security? Is there a way to offer the desired services and still maintain the integrity of the organization? This question is one that encourages InfoSec to push their businesses to look at their community involvement from new angles and to see new ways to offer services that once came from a different space. Not only can this be an opportunity to tighten security for the organization, but it may also be an opportunity to enhance the serv
There needs to be a separation between corporate and general use networks. Many organizations have different levels of use on their networks: programmers, manufacturing, and administration, or in the case of the education environment, faculty, staff, and students. These different environments need to be treated differently. There should be segmentation between them, and the assets on them should be managed accordingly.
This is not to say that different organizational divisions should not have shared resources, or that there are not times when datasets cross boundaries, but when there is not appropriate segmentation in a network it becomes difficult for proper security safeguards to be put in place. The lines between what is what in the corporate space also become blurred. Tools such as DLP become difficult to implement, and harder still, cultural boundaries become b
I have been doing information assurance and security work for many years with a focus on network security monitoring and incident handling. I have been working in IT for more than fifteen years with a focus on architecture and systems.