I have been talking with others and doing a lot of thinking about infosec and economics as of late. When you read reports such as the Verizon Breach report or talk to security professionals they will tell you that the motivators behind attacks today is largely economic. They will tell you we are no longer are seeing the script kiddie out trying to make a name for himself but that the world of hackers is dominated by cyber gangs and nation states motivated by economics and politics. My question today is focused around this very point. If they can see the economic value in security why can't industry? 

So our economy is going to hell in a hand basket. I think we are missing the big picture. You tell me, what is the bigger threat, the dept ceiling or a cyber attack on our financial systems when we hit the debt ceiling. I know, I am talking about an act of war, but think about it. If we were unable to pay our debt. Our financial systems were in turmoil and our credit ratting was shot to hell, would that not be the perfect time for a cyber attack on our financial systems and or our national resources and military? We know the capabilities are out there. We saw it with Stuxnet. We saw it with Sony and we know Lulzsec and Anonymous have the brain power to launch such an attack. What about China or Russia?

It looks like we have a new wave of Lulzsec and Anonymous activity hitting the scene. This raises the question again about what concerns the CISO. With these super hacker organizations launching massive attacks against big name organizations do we need to focus our efforts on this type of threat or should we continue our efforts on the econmoic threat that has been driving us for so long.

Have we reached a new age? With the onset of hacktavism bringing down government agencies and major corporations are we looking at a new world order where governments are no longer the controlling force in the world. Who will monitor these new influences in world politics that reign across cyber space. It is my contention that it will not be governments but rather the cyber community. As we see in the press today hacker communities such as LulzSec are beginning to lose the support of the greater cyber community. As they step on the toes of gamers and other hackers, ethical or otherwise, cyberspace is growing tired of LulzSec's antics. Has this group pushed the envelope too far. Have they reached the threshold where the cyber community will start to police itself? 

I have spent a lot of time, as of late, working on policy. This has helped me to realize two things. First and foremost that poor policy, or lack of policy really will undermine all of the other work that can be put into an information assurance program. Second is that behind every policy there needs to be adequate education. 

This second point I can not emphasis enough. I am finding that it is not simply a matter of educating people about the new policies that are being passed but that there is a level of education that needs to happen before the policies are passed so that the policies are written properly and to the correct audience. I come from healthcare and industry. Now, working in academia I find that the change controls that were appropriate for industry are different than the change controls we would use here at the school. That said, I also am finding that I need to educate the people I work with about the value of ITIL so that we may find a happy medium. 


On a separate note I wanted to mention the business that has been going on in Washington. and around the world. First the most obvious world news. With the death of Binladen I think that we in the security space need to keep an eye on the horizon for the potential of a cyber backlash. As they say, for every action there is an equal and opposite reaction. It the past this could have been assumed to have been a physical attack but since 9/11 we have clearly seen an increase in cyber warfare and it would not be unheard of for the response to this action to be a cyber attack. While I applaud our Military for this success I wonder what the response might be.

In other news I look to Capitol Hill and welcome the bill proposed by Kerry and McCain on Commercial Privacy Bill of Rights. I think this type of legislation, while it certainly will make the work we as security professionals much harder, is the right step for the consumer and for the industry. The more standardization we can get in this type of legislation the better off we will all be. It would be nice if Congress would work to unify some of these laws and to repeal some of the out dated laws so that we could consolidate some of our compliance efforts. I know this will never happen but the ideal is a nice one.

So what will come of the Epsilon breach? One of the largest clearing houses for email was compromised on March 30th and lost control of massive numbers of email records. Sure they did not loose any PCI or PII information, but how critical our our in boxes today? Are we going to see a flood of spam and phishing attacks? As security professionals we need to be vigilant in training our user base on how to spot a phishing attack so that they do not fall victim. Mail administrators also need to monitor their filters to ensure they are tuned for the inevitable influx of spam that we are sure to see.

Two thoughts for today. I found a resource that is a free Google App that looks great. for those that do much web conferencing, or need to do some but can't justify the cost of the big commercial products, check out Vyew in the Google App Store. Very Cool.

There needs to be a separation between corporate and general use networks. Many organizations have different levels of use on their networks: programmers, manufacturing, and administration, or in the case of the education environment you have faculty, staff, and students. These different environments need to be treated differently. There should be segmentation between them and the assets on them should be managed accordingly.

With the federal government entering into the space of breach laws can organizations still play around with security practices? What is the standard acceptable best practice for security in any sized organization and where is the burden placed as businesses and non-profits move more of their infrastructure into the cloud? These are all questions that we as security professionals need to be asking.