Blogger: Eric Maiwald
We used to talk about doing business over open networks as the big security concern. In fact, we had a topic by that name at Catalyst 2008. Given the further proliferation of key loggers and other malicious software (that is becoming more stealthy and customized), I think we need to start talking about doing business in completely hostile environments. It is not only the network that is open and filled with eavesdroppers but it is also the client endpoint. Key loggers can capture passwords and other sensitive information unbeknownst to the user. We also have cases of malicious software operating in servers and capturing sensitive information there (see the Heartland case). Where is it that our data is safe?
When I first came to Burton, I talked to Dan Blum (Principal Analyst in SRMS) about what I called “Star Trek Security.” What I meant by it was that information seemed to be free for the taking. If you watch Star Trek, it seemed any time the Enterprise came across an alien ship, the aliens could download any information they wanted (usually by scanning the ship or the database but sometimes by pulling it directly out of the crew’s minds). Crew members could gain access to any information whenever they needed to (even if unauthorized) and it was only when some abnormal measure was taken that any data could be controlled. Similar themes are now shown on TV shows like NCIS where superstar agents can “hack” into any database they need to get into or break (or bypass) any encryption mechanism at will. It seems that these fictional situations are not all that fictional.
I wonder if we are seeing the results of too much dependency on preventative controls. No control is absolute, and we lived for a long time on the difficulty of circumventing our preventative controls. But as the rewards for breaking or bypassing these controls increase, the level of effort exerted to do so also increases. The end result is that we find our controls circumvented or broken on a regular basis. Defense in depth does not seem to matter, nor does compliance with standards such as PCI. Any attempted penetration can succeed given sufficient funds to hand to an employee with access.
Perhaps we need to think about how business can be conducted in this type of world. Rather than concentrate on controlling access to information, maybe we need to think about detecting and limiting the misuse of the data. For example, if I can’t prevent my credit card number from being compromised, perhaps I can detect when an attempt is made to misuse it. This is obviously a simple example and the issue becomes more difficult when we talk about sensitive financial information or trade secrets. But it seems to me that we need to move beyond the idea that we can assume any type of “secure” environment (on the network, on the client, or on the hosts).
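One way to make the credit card example concrete is a detector that assumes the number is already compromised and instead scores each new transaction against the card's own history. The following is an added example, not code from the original post or from Burton Group; the transactions, locations, merchants and thresholds are all constructed for illustration and would need tuning against real issuer data.

```python
"""Misuse detection for an already-compromised card number (added example).

Instead of trying to keep the number secret, score each new transaction against
the card's own history and flag the patterns a stolen number tends to produce.
All data and thresholds below are constructed/hypothetical, not real values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Hypothetical thresholds; a real issuer would tune these from its own data.
MAX_SPEED_KMH = 900.0             # faster than this between two purchases is impossible
MIN_TRAVEL_KM = 50.0              # distances below this are merchant/geocoding noise
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3                # this many purchases inside the window is a burst
AMOUNT_ZSCORE = 3.0               # amount this many std devs above the card's mean
MIN_HISTORY = 5                   # prior transactions needed to form a baseline


@dataclass(frozen=True)
class Txn:
    card: str
    ts: datetime
    amount: float
    merchant: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score(history, txn):
    """Return the sorted misuse indicators raised by txn given the prior history."""
    prior = [t for t in history if t.card == txn.card and t.ts < txn.ts]
    if not prior:
        return []
    reasons = []
    # 1. Impossible travel: one card cannot be in two far-apart places too quickly.
    last = max(prior, key=lambda t: t.ts)
    dist = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
    hours = (txn.ts - last.ts).total_seconds() / 3600.0
    if dist > MIN_TRAVEL_KM and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
        reasons.append("impossible_travel")
    # 2. Velocity: a burst of purchases in a short window (typical card testing).
    recent = [t for t in prior if txn.ts - t.ts <= VELOCITY_WINDOW]
    if len(recent) + 1 >= VELOCITY_LIMIT:
        reasons.append("velocity")
    # 3. Amount outlier relative to this card's own spending baseline.
    if len(prior) >= MIN_HISTORY:
        amounts = [t.amount for t in prior]
        mu, sd = mean(amounts), pstdev(amounts)
        if sd > 0 and (txn.amount - mu) / sd > AMOUNT_ZSCORE:
            reasons.append("amount_outlier")
    return sorted(reasons)


def stream(history, incoming):
    """Score transactions in arrival order; each scored txn then joins the history."""
    seen, out = list(history), []
    for txn in sorted(incoming, key=lambda t: t.ts):
        out.append((txn.merchant, score(seen, txn)))
        seen.append(txn)
    return out


# Constructed sample data (hypothetical card, merchants and coordinates).
BOSTON, KYIV = (42.36, -71.06), (50.45, 30.52)


def _t(day, hhmm, amount, merchant, place):
    h, m = map(int, hhmm.split(":"))
    return Txn("card-A", datetime(2009, 3, day, h, m), amount, merchant, *place)


BASELINE = [  # a normal week of card-present purchases in one city
    _t(1, "08:00", 4.50, "CoffeeShop", BOSTON), _t(1, "18:30", 62.10, "GroceryCo", BOSTON),
    _t(2, "08:05", 4.50, "CoffeeShop", BOSTON), _t(3, "12:15", 18.75, "LunchSpot", BOSTON),
    _t(4, "08:00", 4.75, "CoffeeShop", BOSTON), _t(5, "19:00", 55.00, "GroceryCo", BOSTON),
]
CANDIDATES = [  # after the number leaks: big overseas buy, owner's coffee, online burst
    _t(5, "19:40", 1499.00, "ElectronicsOutlet", KYIV),
    _t(6, "08:02", 4.50, "CoffeeShop", BOSTON),
    _t(6, "20:00", 25.00, "OnlineRetailer", BOSTON),
    _t(6, "20:03", 25.00, "OnlineRetailer", BOSTON),
    _t(6, "20:06", 25.00, "OnlineRetailer", BOSTON),
]

if __name__ == "__main__":
    for merchant, reasons in stream(BASELINE, CANDIDATES):
        print(f"{merchant:18s} {'ALERT ' + ','.join(reasons) if reasons else 'ok'}")
```

Run as a script, the overseas purchase is flagged for both impossible travel and an amount far outside the card's baseline, the owner's usual coffee the next morning passes, and only the third of the rapid online charges trips the velocity rule. The point of the design is that none of these checks depend on the number being secret; they depend on the card's own behaviour, which the thief does not know, and the same pattern generalises to any credential that is assumed compromised.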