NetSPI Information Security Consulting
NetSPI Blog

Posts Tagged ‘Information Security’

Thoughts on NetSPI's 10-year anniversary

Friday, May 20th, 2011

We celebrated NetSPI's 10-year anniversary last month. It's amazing that it has been that long. The anniversary has led me to reflect on NetSPI's history and on the security industry's history (at least since I've been involved – so, from around 1995).

Being on the forensics team at Ontrack in the mid-1990s, we saw a significant number of criminal and security-related incidents. It truly was the Wild West, with companies moving to Windows 95/NT 3.51 before they had a clue about stabilizing them, let alone securing them. Many people didn't understand that email lived beyond what you saw on your screen (let alone that files lived on forever on various hard drives). At that time, very few people in corporate America (including those in IT) had any idea about what was going on within their IT environments. In many organizations, the CFO ran IT and no one else at the C-level wanted anything to do with it. Security wasn't even a joke for most companies – it was a non-issue, and at Ontrack we got to see that first hand.

That NetSPI started around 9/11 is an unfortunate but useful reference point. It was ironic that an event that should've heightened corporate America's focus actually led to decreased attention and reduced budgets for information security. In 2001 almost everyone I met discussed what a great industry information security must be due to the focus created by 9/11. Nothing could have been further from the truth. Companies were cutting spending dramatically. This wasn't necessarily the case in the Northeast (because of the proximity to 9/11), but it was around the rest of the country. IT security was an abstraction unrelated to corporate operations.

From 2001 through 2005 or so, there was a lot of commiseration surrounding the lack of traction that information security was attaining. The "I'm beating my head against a wall" feeling was pretty strong for those in IT security, at least everywhere but in very large financial institutions. There was always hope that one day people would start to care. In fact, in many conversations there was an underlying sentiment that "the C-level isn't giving me what I need and some day they'll pay." It felt like that someday was probably decades away, but everyone hoped that non-IT and executive management would start to get it.

It's hard to believe, but I think that day – the day upper management gets it – has come. Just look at Sony. Because they're a Japanese company, there are some cultural issues that have played into holding the person at the top accountable. It is remarkable that there has been discussion about his accountability and the future of his job. It didn't start entirely with Sony; things have been changing for a while. Events like the RSA breach were a wake-up call, and because Art Coviello, RSA's President, responded, I think we're seeing a sea change in attitudes and accountability with regard to information security. While the responses and/or the programs are not entirely what many in our industry would consider adequate, we're seeing C-level responses and there appears to be action behind their words.

At least let’s hope.


Information, Data, and Holistic Protection

Monday, August 2nd, 2010

A dichotomy exists between information and data – and the way that information and data are discussed, stored, protected, and used. Any number of people reading this might identify themselves as working with “Information Systems” in the field of “Information Technology,” and some of them work with “Information Security.” Sometimes they attend meetings and talk about “Information” and “Information Sharing.” But most often they are talking about “data” – data flows, data stores, data shares, data systems, data access, data security, and so on.

There is no need for a primer on the difference between data and information. It is clear to the users of information that what they want is information. They may ask for data, they may seek so-called data points, but what they are really asking for is information. After all, information is useful; it makes the difference between decisions and informed decisions. And at the end of the day, the information systems people deliver information to decision makers. They store this information in their information bases. No, wait a minute – it is stored in databases. So what they are really working with is data?

Data becomes information when it delivers something meaningful to someone. We can take any block of data and extract from it an endless stream of meaningless information. An example is baseball. From data recorded from each game, we can extract the number of runs scored, the number of bases stolen, the number of games won at home, the number of games won away, the number of errors made in the last ten years… the list goes on to infinity. Who cares? Well, someone at some point may care. Perhaps the real question is "Which was the best team last season?" Or perhaps "Who is the best player of all time?" Or any other question you could dream up. Regardless of the question, the fact remains that the person recording the plays and the scores at each game does not seek to answer these questions. He/she is simply collecting data and storing it for later use. What will it be used for – 50 years from now? Who knows? Who cares? For some, simply knowing that the players will be back on that field next season is good enough. In the meantime, just let our information people hold on to that data in a safe place so that it's there when we need it, for whatever reason we might need it.

Now let's say that some of that data is sensitive. Well, we should protect the sensitive data. Which data is sensitive? (I don't know – it's your database, you tell me.) The sensitivity of the data will be determined by the sensitivity of the information that will be conveyed when it is accessed. Meanwhile, are you keeping your eye on the ball like a good player? Good – I just stole second base. Are you keeping your eye on second base like a good fan? Good – I just stole your hot dog from under your nose.

Regulation guides us to identify what data is sensitive. PCI DSS tells us to protect cardholder data. HIPAA directs us to protect health and medical information. Upper management decided that your customer list is private and must be protected from the competition. Everything else is not sensitive and need not be protected the same way.

Yet I know of a web-based charity that boasted of impenetrable cardholder data security. Indeed it was. But when credit card accounts were stolen from donors who made charitable contributions through the organization's website, it was the customer contact list that was stolen, not the credit card database. Why go through all the trouble of hacking a secure database when you can simply telephone the donor and ask for it? They were just as willing to give it out over the phone as they were online.

Information is pulled from an information system. When we know WHAT information will be pulled, and when we know HOW that information is sensitive, then we know the sensitivity of the data from which that information came. If we don't know the sensitivity of the information or how it might be used, then we don't know the data. Since it is the job of information systems professionals to store all data holistically, it is also their job to secure all data holistically – not selectively.


Secure360

Friday, May 21st, 2010

We held the Secure360 conference in the Twin Cities last week. Presentation topics included PCI, cloud computing, and problems within the security industry. While it can get tiring discussing the industry’s problems, I like trying to understand the difficult nature of information security and enjoy the challenge of trying to overcome the obstacles related to rationally dealing with risk.

On this topic, Rich Mogull had a very good presentation, "Putting the Fun in Dysfunctional," about the inherent problems with information security. I appreciate insights from someone with both an IT and a physical security background, and I thought he did a nice job discussing why security is such a difficult area for a business to understand. I agree with the points he made that, at the simplest level, security and risk are abstract, long-term concepts that require a rational approach. Rich did a good (and entertaining) job of illustrating that, as humans, we are often not rational. Generally we deal in the short term and prioritize our basic needs. In the context of a corporate environment, understanding and dealing with risk is extremely difficult.

I’d add to Rich’s discussion that in most organizations building mature risk management is essentially like playing a game of telephone across functional departments, most of which find risk and security to be totally foreign concepts (except, of course, at financial institutions).

Rich's thesis created a nice framework for the other core topics at the conference. A number of presentations dealt with the dangers of cloud computing. Because we created the cloud without rationally dealing with risk and security, it's an afterthought; there are huge holes in cloud computing security and therefore significant risk. David Bryan had a great presentation on the subject.

The other core topic, PCI, is generally thought of as a compliance issue. Anton Chuvakin put some context around PCI and how it fits as a basis for a security program. I've seen a number of organizations do this, and Anton did a nice job outlining the gaps related to using the standard as a basis. While no standard is ideal, it's a start and generally kick-starts a maturation of risk management within organizations that adopt the approach.

Overall, the Secure360 conference was very good, and the speakers, both local and national, were great. Kudos to the organizers. I look forward to next year.
