Catalyst Conference 2008


October 15, 2007

Educational paths to information protection: art versus science?

Blogger: Trent Henry

There's a lot of cool stuff out there.

I'd known for a long time that my alma mater had lectures and other educational podcasts freely available on iTunes, but late last week I ran across iTunesU (www.apple.com/education/itunesu/) for the first time. A treasure trove of learning materials, one could spend a lifetime exploring anthropology to zoology. (Well, maybe not quite that much content is available yet, but it's on the way....)

Being the faithful Cardinal, I browsed offerings from The Farm and quickly ran across "Forty Years of Computer Science: A Retrospective" with luminaries like John McCarthy and Don Knuth (the latter of whom endeared himself to me when once asked how to pronounce his typesetting program TeX, he answered, "you know you've pronounced it correctly if there is spittle on your monitor afterward.") These are amazing people who have contributed amazing things to computing. And many other lectures in Science & Technology are similarly intriguing.

But then it occurred to me: where's information security?

I poked around iTunes a bit more and found no academic treatment of the topic, although there were a few (non-iTunesU) podcasts on the subject. So I broadened my search a bit. I went to the Open Courseware Consortium (ocwconsortium.org) to see what free college-level educational materials were available for our discipline. Looking at the offerings from member organizations, I found a few courses, all from MIT:

  • MIT: "Network and Computer Security"
  • MIT: "Cryptography and Cryptanalysis"
  • MIT: "Selected Topics in Cryptography"
  • MIT: "Advanced Topics in Cryptography"

Given the plethora of other topics, that's an awfully small list. Is this just weird happenstance, or is it a more general indication that information protection isn't given much of a place at the higher-ed table?

I knew that UC Davis's computer security lab and Purdue's CERIAS were strong degree-granting programs, so after researching their sites a bit more I learned about the NSA's "National IA Education & Training Program" (www.nsa.gov/ia/academia/), which maintains a list of Centers of Academic Excellence in information assurance. They reference over 80 programs across the United States. That was comforting. It shows that some amount of educational focus is going on. Still, looking more carefully, I found that although universities like Georgia Tech and Johns Hopkins actually grant degrees, many of the schools only offer courses as a small multidisciplinary extension to other programs.  My concern returned.

Perhaps, like system administration, information protection is viewed more as art than science. Is it OK for practitioners to pursue undergraduate CS degrees with limited exposure to infosec, and then get on-the-job security training over time? Or, just as likely, is information protection well served when someone receives an entirely non-technical degree and then haphazardly finds their way to this field? My own journey was certainly circuitous. I planned to study International Relations and enter the diplomatic corps, but computer science drew me in, and I coupled it with sociology/education to create an interdisciplinary degree (I was going to be all about educational software--it didn't happen). But a stint in network engineering turned me on to security, and I haven't looked back. I don't think my story is all that unique. And I'm not sure this ad-hoc approach is the best way to further our domain.

I'm not saying that all security practitioners should have degrees in information assurance/security/protection/whatever. Rather, I'm arguing that we should call for improved education programs in this discipline, to provide the next generation of practitioners and researchers essential background. In other words, information protection should be taught as a primary area of study. This call is not only to academics; it goes out to the private sector as well. Although the US Department of Homeland Security offers a DHS Scholarship and Fellowship Program (www.orau.gov/dhsed), the only vendor support I could find was Symantec's ongoing Graduate Fellowship program, in which they fund select candidates' research endeavors. We need much more of this type of support from the vendor community.

In short, it's time to put educational resources and rigor behind information protection. It's important stuff. And we should see that reflected in students and practitioners of the future.

(Bonus blog question: Given the ostensible link between information protection and computer science, how many security-related Turing Award recipients have there been? [You have to look beyond the obvious 2002 award to RSA namesakes Ron Rivest, Adi Shamir, and Len Adleman...])

June 01, 2007

Malware - "Still not getting it!"

Blogger: Diana Kelley

At the end of the film "Harold and Kumar go to White Castle," Harold, emboldened by 30 sliders and an evening of raucous adventures in New Jersey, decides it is time for him to face his fears and declare his affection for Maria. He declares his intentions to his friend Kumar, who, perhaps made sleepy rather than energized by the sliders, responds, "still not getting it!"

Like Kumar, it appears that IT is also, "still not getting it!" when it comes to malware. Case in point, the recently published CIO Insight survey reports that while only 12% of respondents reported that money or property had been stolen through electronic means, a whopping 48% of companies reported penetration by viruses, worms, and Trojans in the past 12 months.

48%. Essentially HALF of all reporting enterprises were hit by some form of virus or worm last year. In most cases, 52% success equals failure. And maybe it is for AV - but maybe not. Another data point - 33% reported that their companies had been penetrated by spyware or other malware. Now contrast these numbers with the fact that 99% of the companies spent money on AV/spyware/malware detection in 2006 and 97% plan to spend on AV/spyware/malware in 2007.

Hmmmm, we spent money on AV, it didn't work and half of us were penetrated, so let's keep spending! More must be better, right? Not to mention that many security assessments will mark down an organization for not having AV, the PCI DSS explicitly states AV must be on Windows machines in the payment ecosystem, and the generally accepted rule is that we're better off with AV than without it.

But is that true? Are we better off? What's the real cost of deploying and managing traditional AV products versus their overall effectiveness? Is AV worth that cost? I'm not talking about the standard hand waving of "oh signatures won't work," but a real shift in thinking. If the 52% represents real dollar savings over and above the cost to purchase and deploy the AV and that also outbalances the costs associated with the 48% penetrations - then it could be success from a bottom line perspective. But it might not be.

We know that 99% of the companies in the survey spent on AV last year, and half of them got hit. What we don't know is if that money was well spent. What we need are metrics that study percentage of attack for companies that use mitigating controls (such as perimeter and host firewalls, intrusion prevention and white listing) in lieu of AV and in addition to AV. We need a quantitative survey of the effectiveness of various measures. As far as I know, we don't have these yet. Let me know if you know of any.

We have an industry that continues to throw money at technology with a high penetration rate. What we don't have are numbers that tell us whether that rate is acceptable or not. What we are is, "still not getting it."

May 01, 2007

The Politics of Architecture

Blogger: Dan Blum

Bob Blakley and I recently sequestered ourselves for an entire day to work on revisions of two Burton Group security framework documents which had aged into the archive:

  • A Systematic, Comprehensive Approach to Information Security
  • Risk Management Concepts and Frameworks

The systematic, comprehensive security framework comprises business risk management, security objectives, security posture, business processes, security technology, lifecycles and contexts. We use it to remind ourselves that security projects must always be holistic endeavors; it is the framework that guides us.

Afterwards, I visited a number of large organizations and talked with them about various subjects Burton Group covers, including security programs. It struck me, as it always does, that defining security architecture or strategy is always a lot easier than actually making it happen!

One of the people we visited was a security manager at a large financial institution. He says that his CISO organization has created a new security strategy and identity management architecture to cover various business units and outsource partners throughout their global environment. “This is a new initiative for us,” he said, “The first strategy is being approved, and others will be brought in to cover additional domains.”

The security manager went on to say that the challenge was not only to create architecture but to communicate and enforce it. He calls this “the politics of architecture” and notes it is particularly difficult in a global, outsourced environment where multiple technical architectures must be received and reviewed from sub-contractors. Internally to the organization, it will be critical to manage expectations, set up success metrics, and show some real progress by the end of the year. The security manager struck me as a very intelligent, buoyant and optimistic person – someone who thrives on chaos.

Continuing to make the rounds of companies that are interested in Burton Group, I later visited the Head of Information Security at another large global organization. He radiates an air of crisp competence and organization. He is living the life of the CISO as we describe in our report Security Governance for the Enterprise. The subsidiaries and business units share a corporate culture of independence and autonomy, but they track to a baseline set of controls chosen from ISO 27001, as does the IT services organization. Reports are rolled up into a dashboard for management consumption. Clearly, the company understands about accountability and metrics, things that we’ve emphasized in other documents. One weakness, he admitted, was that the reports are self-assessments and only lightly spot checked by internal audit.

Whether we are talking about the politics of architecture on the grand scale of the information security program for a Global 2000 company or on the smaller scale of an identity management project, the challenge is clear: how to traverse from theory to practice? Burton Group has a lot of good ideas already published, but we’ll be mindful of this issue as we plan more coverage and work to prepare for our Catalyst conference Successful Security: Getting Proactive track. Hope to see you there!

April 12, 2007

What does it mean to be "secure?"

Blogger: Eric Maiwald

We hear it all the time – “use this technology to secure your information” or “the system was tested and found to be secure.” We also hear it with regard to products – “secure email” or “secure remote access.” But secure from what? Secure under what conditions?

The use of the word “secure” came up again this past week as I read articles regarding the TJX fiasco. The latest information is that the data was encrypted but somehow the intruders gained access to either the encryption keys or to the data when it was not in an encrypted state (see the Boston Globe article for some of the information). So clearly, here is a case where encryption was insufficient to “secure” the data.

But what does it mean to “secure” something? According to Webster’s dictionary:

  • Secure (verb): to relieve from exposure to danger: act to make safe against adverse contingencies

The American Heritage Dictionary is a little different but generally along the same lines:

  • Secure (verb): to guard from danger or risk of loss

I like the Webster’s definition – “act to make safe against adverse contingencies.” I want all of my stuff to be secure! Of course if there are no adverse contingencies or consequences, there really isn’t too much risk. Wow! A life without risk! That would be wonderful. But I digress, so back to my point…

So, we hear this word from vendors, from technologies, from regulators, etc. But we still don’t know the threat we are being protected from. Maybe the word “secure” is intended to mean whatever we want it to mean. Secure is whatever it means to me, which might be different than what it means to you. Is that a postmodernist mind set? That is a question for another day…back to the topic at hand…

I think that when we use the term, we have some threat, vulnerability, or consequence in mind. For sensitive data, we probably mean that we are protected against disclosure to unauthorized individuals. In other words, the confidentiality requirements are being met. But confidentiality is only one aspect of risk. There can also be threats against the integrity or availability. The intended use of the information could be violated or we could lose the ability to identify who had access to the information (and thereby reconstruct past events).

Mechanisms (in the case of TJX – encryption) often help to manage one type of risk. Encryption can help to manage the risk of unauthorized disclosure. Sometimes, it can also help to identify (and therefore help to control the risk of) unauthorized changes which helps to meet integrity requirements. Of course, encryption mechanisms require a supporting cast of other technology – proper authentication and key management just to name two. Depending on how encryption is used, it can protect us from one risk (unauthorized disclosure from the loss or theft of a laptop for example) but not from another risk (insider release of information). Even worse, incorrectly used, encryption can actually increase some risks (such as the loss of availability of information if the keys are not managed properly). I’ll be talking more about the use of encryption in my Catalyst talk “…But the Information was Encrypted!” on June 28 in San Francisco.

Maybe what we need to do is to properly qualify the use of the word “secure.” We have email that is secure from unauthorized access while in transit. We have remote access that is secure from eavesdropping. We have used encryption to secure our data from unauthorized access if the laptop is lost or stolen. Or perhaps we should not promise actions “to make safe against adverse contingencies” and talk instead about risk management and the tradeoffs that we must make to manage risk to acceptable levels.