security 2.0 means technological controls are not enough

(Disclaimer: Take this post as a week-starting rant, and nothing more. Skip the stricken parts, read the first paragraph, then the bolded part and you’ll get the gist. I’m just a terrible editor and hate removing things I’ve written!)

I’m a bit late to the party, but I finally read a feature article over on BusinessWeek dealing with the Pentagon (and US gov’t in general), e-espionage, and email phishing. The attempt to inject fake emails into the lives of defense contractors and workers reminds me of Mitnick’s phone escapades with telecom companies: Sound like you belong there, speak the lingo, establish trust through deception.

This harkens a big change in cyber security on any level. It is no longer about educating about phishing. While this is a good practice, it simply cannot guarantee a level of security. This is a fundamental change in how we do business and interact as humans.

The CISSP and many security fundamentals include the subjects of least privilege and separation of duties. It is important to realize that people will be duped. And if they get duped, what controls are in place to make sure they don’t do too much damage? If they authorize a fake order for military weapons, are there any checks or validations that can catch fraudulent activities that are within the bounds of that worker’s duties? Are they properly restricted in the access they have to various information? What change control is in place to prevent malicious (or accidental) activity? Will we even know an incident happened?

Other major news lately smacks of these same challenges since we’re all behind the curve in really digging down into what really will improve security, not just bandage and work around things. Hannaford had malware on 300 (all?!) internal credit card-processing servers–I still maintain this stinks of an inside job–how the crap did that happen? An insider recently made fraudulent trades, earning him quite a load of money just because he had access and there were lacking controls.

This is a shift from stopping technological threats with technological controls; malware stopped by AV, scan tools stopped by firewalls. This is bleeding into two far more difficult areas: business process and human mistake. It is easy for someone at Geek Squad to belt out AV, HIDS, NIDS, firewalls, spam gateways, and strong passwords as methods to add security. But I think we’re at a point where we need to move beyond those levels and get into the real deep stuff, the things that make our brains hurt trying to think about (or organize meetings with the appropriate stakeholders!).

Change control, data access policies, audit, access restrictions, strong authentication, authorizations by committee not just the IT team.. This is the real reason, in my mind, that so many people are clamoring about IT/security aligning with business: our next projects can only be done with the business cooperating. Ever try change management in the silo of IT? Or auditing, or any of that stuff? And in the absence of those projects, ever try to guarantee security using only technical means that IT is the sole proprietor of? I strongly believe in technological controls and the remarkably high value they have, but I’m also highly sympathetic that those controls alone are not enough, rather just the starting baseline of a strong security foundation.

Then again, I could be barking up a deaf tree. Business is not economically willing to stop all cyber insecurity, otherwise sec geeks wouldn’t be unanimous in our yearning for more staff and more budget and more business cooperation. It is still not nearly as economically challenging to business to meet PCI, implement firewalls, HIDS, HIPS, spam filters, and other technological controls.

I could also be way off the green in a sand trap by focusing on senational, one-off media news reports mentioned above. Maybe those are unfortunate incidents that got trumpted on front pages, but are not everyday or every-year happenings. If there’s one thing that the media will have in abundance forever are stories about failure. That’s life!

3 thoughts on “security 2.0 means technological controls are not enough

  1. There is a disconnect between business and security, and one of the reasons is that the wrong technical controls are being used. Network security is not an adequate defense against the types of attacks occuring today and that are described in the Business Week article.
    The requirement to defend properly is a granular access and audit control system at the datafile level, or information-centric security, as in the form of multi-level security. MLS is an enterprise solution that provides control over business data flow, enforcing data governance policies and better mapping security to business rules.

  2. Thanks for the comment, Rob! I agree with you!
    But, I only agree insofar that we maintain the multi-level security and keep abreast of the nework and OS and other levels we’ve gotten good at defending as they’ve matured.
    And I think we’ll only keep up as long as the protocols, OS, and network don’t change very much. Introduce change, for instance Vista failing and other OSs moving into the space re-opens the host to OS level attacks if the replacements haven’t been properly hardened. Or IPv6 introducing new issues, etc.
    A better example might be devices like the Asus Eee PC becoming a mobile computing option…which came with a remotely exploitable Samba vulnerability.

  3. I agree that we don’t throw out the best parts of network security, but overall, the model is not a good fit with information-centric security. That leads to dissatisfaction on the business side, and frustration on the IT side, as you expressed in your post. Look at yourself. You are very capable and knowledgeable at what you do, and yet you have expressed that frustration more than once I bet.
    You do bring up a key point. Traditional MLS has been limited to certain hosts in the past. Trustifier technology is a breakthrough in that is scales for all platforms and you can make changes to infrastructure and push the privilege settings when and where you require them. It is also a break-through in the way it maps security rules to business rules, but your blog is not the place to go into detail. There should be announcements later this year (re: certification etc.) but if you are interested in learning more, contact me, I am willing to pass on links and another doc that you might find interesting.

Comments are closed.