Showing posts with label complexity. Show all posts

QOTD on Borderless Network

We've been working on an assumption that you need different levels of security for the internal network versus the external one, the Internet - the Big Bad World out there. That's been an incorrect assumption for at least ten years.
and earlier,
Start designing everything now to be externalisable.
-- Paul Simmonds, former AstraZeneca CISO, now with the Jericho Forum

Src: The key to security? Blow up the corporate wall - Computer Business Review

QOTD on the State of Security

We've approached security layer by layer. I have one tool for Web access, another tool for network access, another tool for e-mail. And yet I can't answer the basic question: Am I secure?
-- Bill Veghte, EVP of HP's software division

Src: RSA: HP Proposes Holistic Security -- InformationWeek

QOTD - In Defense of FUD

If you think buying anything, whether physical or metaphysical, can completely relieve you of fear, uncertainty, and doubt, you are naïve. People don’t work that way, and we shouldn’t. Fear, uncertainty, and doubt, at reasonable levels, keep us alive, and alert.

I am not a proponent of crippling fear any more than I am a fan of naïve confidence, but a little bit of discomfort and uncertainty can drive us to question our preparedness, and rethink the challenges we face. And that is healthy.
-- Jack Daniel, Information Security Curmudgeon & Community Development Manager for Astaro

Src: Uncommon Sense Security: In Defense of FUD

QOTD on Security Hampering Productivity

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity. That said, there are a lot of very, very silly URL blocking and email policies in place out there that *do* impact productivity, *don't* increase security and *do* encourage users to bypass IT systems.
-- John Pescatore, VP Gartner Inc.

Src: SANS NewsBites Vol 12 Num 78

QOTD - @EdSkoudis on Security

Just because something is configured 'correctly' doesn't mean that the system is actually secure.
-- Ed Skoudis, co-founder of Inguardians

Src: SANS NewsBites Vol 12 Num 75

QOTD - Geer on Risk & Dependencies

The root source of risk is dependence — dependence on system state, including dependence on expectations of system state reliability. Indeed, my definition of security has co-evolved with my understanding of risk and risk’s source, to where I currently define security as the absence of unmitigatable surprise. Thus, increasing dependence results in heightened difficulty in crafting mitigations. This increasing complexity embeds dependencies in a manner that may diminish the frequency of surprises; however, the surprises will be all the more unexpected when they inevitably occur.
And that is the crux of the matter: our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable. That sounds more apocalyptic than I intend, but the competent risk manager always asks, “How bad could it be?” or, in the altogether American tortious style, “Who will have to pay?”
-- Dan Geer, Chief Information Security Officer for In-Q-Tel

Note: emphasis is mine

Src: Cybersecurity and National Policy | Harvard National Security Journal

QOTD - Ranum on Terminals

It's 2010, and we still have operating systems that get infected with malware and keystroke loggers and stuff like that. As long as you have got endpoints that are so easily compromised, then you are going to have this problem. It doesn't really matter whose fault it is, you are going to have this problem because the endpoint has to be a reliable terminal, and it's not.

-- Marcus Ranum, CSO of Tenable Network Security

Src: Ranum: Be Serious about Cybersecurity

QOTD - Code-powered Cars?

It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway, and this software is only going to get more complex.

--Robert N. Charette, writing for IEEE Spectrum

Notes:
  1. The "100 million" number is based on a quote in the article by Prof. Manfred Broy, a professor of informatics at Technical University, Munich.
  2. The article also lists figures (in millions of lines of code, or MLoC) for other technologies: F-22 Raptor (1.7 MLoC), F-35 Joint Strike Fighter (5.7 MLoC), and the Boeing 787 Dreamliner (6.5 MLoC).

Src: IEEE Spectrum: This Car Runs on Code

QOTD on PII & De-Identification

Just as medieval alchemists were convinced a (mythical) philosopher’s stone can transmute lead into gold, today’s privacy practitioners believe that records containing sensitive individual data can be “de-identified” by removing or modifying PII [Personally Identifiable Information]. -- Narayanan, A. and Prof. Shmatikov, V.
Src: Narayanan, A. and Shmatikov, V. 2010. Myths and fallacies of "personally identifiable information". Commun. ACM 53, 6 (Jun. 2010), 24-26. DOI= http://doi.acm.org/10.1145/1743546.1743558
Direct link to PDF document

QOTD - NIST on Continuous Monitoring

NIST wrote a FAQ to answer many of the questions about Continuous Monitoring and whether it replaces the security authorization process (it does NOT).
Are there any risks associated with continuous monitoring?
Organizations should exercise caution in focusing solely on continuous monitoring at the expense of a holistic, risk‐based security life cycle approach. Without the appropriate planning for security controls (preferably early in the system development life cycle) and the correct implementation of those controls, the value of continuous monitoring is greatly diminished. This is because the near real‐time, ongoing monitoring of weak and/or ineffective security controls resulting from flawed information security requirements can result in a false sense of security.
Src: NIST FAQ
Also see NIST 800-37, Applying the Risk Management Framework to Federal Information Systems (February 2010)

QOTD on Authentication

Authentication will not be able to solve the untrusted platform problem. If you use a compromised system, authentication doesn't matter. Out of band communication will only work if the out-of-band channel and associated hardware is secure, which may be questionable if devices like smartphones are used. -- Dr. Johannes Ullrich, CTO of the Internet Storm Center & Dean of the Faculty of the graduate school at the SANS Technology Institute.
Src: SANS NewsBites Vol 11 Num 98

QOTD on Humans & Complexity

While technology and information have evolved and grown dramatically over the past 100 years, people's behaviors to cope with this growth have evolved at a much slower pace and our ability to keep up with the complexity foisted upon us is limited. So today, high value is found in taming the complexity so that humans can take full advantage of these dramatic developments and advancements in technology. This is the challenge facing IT organizations around the world. -- Art Coviello, President RSA
Src: RSA Executives Offer Seven Guiding Principles To Maximize Megatrends Redefining the Information Security Industry | Reuters

QOTD - Merrill on Security, Users, and Campus Sidewalks

Douglas Merrill, former Google VP of Engineering, said, in his opening keynote:
Let users dictate enterprise security needs.
He went on to give an analogy that I am very familiar with, that of campus sidewalks: the planners place sidewalks and grass; students create their own paths through the grass (usually the most direct route); planners have to put roadblocks (chains, planters) to keep students off the grass.

He said, "security companies will change from creating infrastructure boundaries to infrastructure resilience. If we can build security correctly, we make things easier, not harder."

Src: Former Google VP Suggests User-Based Security | The Industry Standard

Primer on Security Metrics and their Pitfalls

A great primer on the utility and pitfalls of security metrics written by Vicente Aceituno:
It is not easy to find metrics for security goals like security, trust and confidence. The main reason is that security goals are “negative deliverables”. The absence of incidents for an extended period of time leads one to think that we are safe. If you live in a town where neither you nor anyone you know has ever been robbed, you feel safe. Incidents prevented can’t be measured in the same way a positive deliverable can, like the temperature of a room.
Src: Security Metrics | Information Security Management Maturity Model Blog

Like Dominoes - The Anatomy Of The Twitter Attack

How many of our systems have interconnections to other systems with weaker security? Wherever they do, remember that your ultimate level of security is that of the weakest link. This is the story of an executive, in this case the CEO of Twitter, whose Gmail account was compromised (domino #1: password reset), which led to the leakage of sensitive corporate information stored in Google Docs. The intruder then covered his tracks so that the account owner would not notice (domino #2: resetting the password back to the original, after correctly guessing that the CEO used a single password for multiple accounts).

The same warning applies to bank accounts, phone records, insurance contracts and health records. Any account holding sensitive information that uses a weaker account (e.g. most webmail applications) as a backup is likely to be a target for attackers looking for fresh prey and easy access to documents.

Src: The Anatomy Of The Twitter Attack | TechCrunch.com

It's the compiler's fault - how good source code becomes a vulnerable implementation

As a faculty member who has taught programming classes for many years, I have stressed the value of writing good code, with the requisite error checks. Some languages, like C/C++, need to be compiled, and over the years compilers have gained the capacity to make "smart" decisions about the source code, usually to improve execution speed or to warn of dangerous omissions ("you did remember to initialize that value, right?").

Brad Spengler, a security researcher, has created an instance of code where the compiler's "smart" logic actually degrades the overall security of the resulting binary by introducing a vulnerability that until now seemed un-exploitable.

After reading the SANS ISC post below, you might just be right to claim that it was the compiler's fault: "the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code."

As someone who has helped grow generations of students into programmers, I find the suggested fix unacceptable: it puts the burden on the programmer to know how the compiler will optimize the code. A "smart" compiler should not penalize a programmer for being extra careful with his/her code.
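An added illustration of the class of optimization the linked ISC post describes; this is not Spengler's code nor the kernel's, and the struct and function names are hypothetical. It assumes a compiler that deletes NULL checks it considers redundant (GCC's -fdelete-null-pointer-checks behaviour, enabled at -O2).

```c
#include <stddef.h>

/* Hypothetical structures standing in for a kernel object and the socket it
   references (names are assumptions, not taken from the linked post). */
struct sock { int flags; };
struct tun  { struct sock *sk; };

/*
 * Source-level pattern an optimizing compiler may weaken: the pointer is
 * dereferenced (t->sk) before it is tested for NULL.  Because dereferencing
 * a NULL pointer is undefined behaviour, the compiler is entitled to assume
 * t is non-NULL from that point on and to drop the "if (!t)" branch.  The
 * check is present in the source but may be absent from the emitted binary.
 */
int tun_flags_check_after_use(struct tun *t)
{
    struct sock *sk = t->sk;   /* dereference of t happens first */
    if (!t)                    /* may be optimized away at -O2 */
        return -1;
    return sk->flags;
}

/*
 * Same logic with the test placed before any use of the pointer.  No
 * dereference precedes the check, so nothing licenses the compiler to
 * remove it, and the result does not depend on the optimization level.
 */
int tun_flags_check_before_use(struct tun *t)
{
    if (!t || !t->sk)
        return -1;
    return t->sk->flags;
}
```

Compiling the first function with `-O2 -S` and inspecting the assembly shows whether the NULL test survived; building with `-fno-delete-null-pointer-checks` (the flag the Linux kernel build now passes) keeps it.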

Src: A new fascinating Linux kernel vulnerability | SANS ISC

QOTD - Garfinkel: Privacy Requires Security, Not Abstinence

When someone can wreak havoc by misappropriating your personal data, privacy is threatened far more by the lack of a reliable online identification system than it would be by the introduction of one. And it is likely that it would cost society far more money to live with poor security than to address it. -- Simson Garfinkel, associate professor at the Naval Postgraduate School in Monterey, CA
Src: Privacy Requires Security, Not Abstinence | MIT Technology Review

QOTD on Laws & Technology

We are still living in a world where we have literally Gutenberg-era laws and businesses are using Star Wars technology... [However] New technology does not absolve an organization from its obligation to retain, produce, or manage data in any way. -- John Bace, research analyst at the Gartner Group
Src: Compliance Week: Cloud Computing Vs. Internal Controls

QOTD - Rafal Los' Dose of Security Reality

In a typical company where risks are a-plenty, and IT is up to its eyeballs in delivery issues it's a little difficult to suddenly step in and talk about security vulnerabilities like they're somehow more important than the 10,000 things that are already on fire. When the whole forest is on fire... which tree do you save first?

Enterprises and SMBs alike are looking to save money, cut corners (whether they want to admit it or not) and unfortunately security sometimes falls off the docket. Whether it's the security team's fault for not properly articulating the issue or the CIO's for simply not understanding the risks... the result is often the same. Somewhere in your business are thousands of lines of insecure, exploitable, and very lucrative code. Worse yet - that stuff has been there for years and now when you review a small snip that's changing and find that the whole thing has to be re-done... no one wants to pony up the money to do the work - right? --Rafal Los, IT Security Risk Strategist, blogger at http://preachsecurity.blogspot.com/
Src: [RANT] Call Me a Realist | Digital Soapbox - Preaching Security to the Digital Masses

QOTD on Data Security for CISOs

An excellent article on CSO Online, written by Andrew Jaquith, on where CISOs should focus their efforts at securing data.
Instead of trying fruitlessly to be the enterprise's all-knowing content guardian, censor authority, and compliance guru, the CISO devolves responsibility of these activities to the business. IT security becomes a clearinghouse for data security tools that business groups can use as they see fit.
As well as:
Responsibility for classifying information and restricting its flow is ultimately a business challenge, not a technical challenge. How documents, spreadsheets, and emails are used depends on workgroup and business unit preferences. So it is with data security.

That means that inside counsel owns email eDiscovery and retention, product engineering owns CAD drawings, and finance owns accounts and earnings projections. These groups know who should and should not have access and what should happen if their assets are misused. IT security's primary role should be to help source, design, and install the technical controls in place that will enable them to express and enforce their compartmentalization needs—not to be the gatekeeper.
Src: Data Security: Whose Job Is It Really? | CSO Online