Fixing Omissions in 5 Questions

A recent issue of a leading security magazine published an “advertorial” with a few missing pieces. We aim to correct the lapse, or at least make a few tweaks that might improve the result.

The main change in data since computers entered the business scene is its density and ubiquity. That’s correct in our opinion, but it neglects to explain why it’s important, which was part of the question. It’s important to enterprise IT for one reason: competitive advantage. That’s business 101, and we’re surprised something that fundamental got overlooked. So that’s fixed. C/A, for anyone not familiar with the term, is simply some advantage one company has over another. It can be technology, funding, personnel, knowledge, IP, or anything that differentiates one company from another. In simple terms, one could claim that Coke has a competitive advantage over Pepsi because it tastes better. Or vice versa. That one’s a holy war, like vi vs any other pathetic excuse for an editor. C/A is what usually lets one company win, unless it has disadvantages that counteract that advantage. Like Sony and Betamax. And competitive advantage degrades over time, which means ongoing development is necessary.

New examples of types of data breaches are kind of problematic. 0-day, in particular, is something that’s been around since the dawn of hacking. 0-day isn’t really a type of breach, whereas PHI exposure is, but that’s not new either. A better answer would have been blended threat, but that’s not entirely new, or the Lollable APT buzzword. The best answer, in our opinion, is not the technique employed but the crime, since we’re asking about a form of breach. In which case, massive parallel bank fraud comes to mind. That’s new. Not too long ago, less than 10 years, it would have been very, very difficult to pull off a heist using 1000 fake credit cards. It’s a hell of a lot easier now. Are the credit card numbers the actual breach, or is draining the accounts the breach? Meh. Here’s a solid “new” example: exposing 10,000,000 patient records in a single breach. Hasn’t happened yet, but it will. We’ve come close, so I’ll stick with that as a “new” breach. To do that 10 years ago we’d have needed to raid multiple hospitals’ EMR applications or an insurer. Still do, but it doesn’t pay as well as the credit card scams. Come to think of it, there really isn’t any form of breach that is new; they’re all old hat, matched with shiny new technology. They just happen bigger, better, faster.

As for why the traditional approach to data protection doesn’t work, this question is poorly constructed. For starters, by what definition? According to a couple of famous sources, the traditional approach is to flush money down the toilet on a bunch of useless vendor solutions that don’t really secure anything, which we agree with.

Moats as defensive measures are sort of traditional, if we’re in the year 1217 fighting the Germans and Estonians. The analogy of moats is about 30 years behind the times, but it’s workable, although we’re still looking for “smart screen filters” and keep getting this new Micro$oft thing, which couldn’t be considered a “traditional” approach. The biggest failure in classical security (in IT; the real world has known this bit since at least the time of Pharaoh) is the lack of detection to supplement the use of access controls. Alarms are wonderful things. Locks are wonderful things. Locks without alarms aren’t really that useful. Security, and here is the 100% best definition ever, is a time-based system (Schwartau). So if 4-hour locks, 10-hour firewalls, and 20-hour social engineering education sessions fail, without alarms, you won’t know until you detect it by the article on page 1 of The Post. And the bad guys win. That, more than anything else, contributed to a lot of #fail in the past. Why? It’s difficult sometimes to write or build alarm systems. And difficult, in the business world, frequently becomes “not done”. Here’s a thought: consider it a “competitive advantage” while your competition is getting raided by foreign spies and you’re detecting the attempts and countering.

Encryption is a nice solution for security, although it doesn’t really solve anything, especially if we’re trading information across a border, which everyone is, and our partners are not encrypting. Furthermore, claiming that encryption prevents data loss in a breach is absurd; it’s just another bit of time-based security like everything else. Every data breach we’ve ever worked on or with involved compromised passwords and user accounts, and if you have the credentials, you have the encryption. Unless they did a really bang-up job on the encryption, in which case we’ll just go with screenshots or SE to get what we want. Without detection, encryption has a reduced impact. Without monitoring and oversight, it may actually hurt a company, since it creates a blind spot in the risk profile. Companies should invest in a detection system way before investing in an encryption system. Otherwise, how will they know when someone didn’t encrypt something?
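The time-based test invoked above (Schwartau: protection time P must exceed detection time D plus reaction time R), together with the point that stolen credentials walk straight through encryption, worked through as an added example. This code is ours, not the article’s; the layer names, hour figures and reaction times are constructed for illustration, following the 4-hour locks / 10-hour firewall / 20-hour training figures.

```python
# Added illustration, not from the original article: Schwartau's time-based
# security test, P > D + R. A control holds only when the time it delays an
# attacker (P) exceeds detection time (D) plus reaction time (R). Layer names
# and hour figures are constructed, following the article's 4h/10h/20h example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Layer:
    name: str
    protection_hours: float           # P: how long this control delays an attacker
    detection_hours: Optional[float]  # D: delay until its alarm fires; None = no alarm
    credential_gated: bool = False    # bypassed outright with stolen credentials

@dataclass
class Outcome:
    secure: bool
    alarm_layer: Optional[str]        # layer whose alarm fires first, if any
    margin_hours: Optional[float]     # total P minus (D + R); negative = attacker wins

def evaluate(layers: List[Layer], reaction_hours: float) -> Outcome:
    """Layers are defeated in order, so total P is the sum of the delays and a
    layer's alarm can fire only once the attacker has reached it. The defence
    holds when the earliest alarm plus reaction lands before the last layer falls."""
    total_p = sum(l.protection_hours for l in layers)
    elapsed = 0.0
    first: Optional[Tuple[float, str]] = None   # (response time, alarming layer)
    for layer in layers:
        if layer.detection_hours is not None:
            response_at = elapsed + layer.detection_hours + reaction_hours
            if first is None or response_at < first[0]:
                first = (response_at, layer.name)
        elapsed += layer.protection_hours
    if first is None:   # no alarm anywhere: you find out from page 1 of The Post
        return Outcome(False, None, None)
    margin = total_p - first[0]
    return Outcome(margin > 0, first[1], margin)

def with_stolen_credentials(layers: List[Layer]) -> List[Layer]:
    """Credential compromise: a credential-gated control such as encryption that
    the user's login unlocks contributes no delay at all ('if you have the
    credentials, you have the encryption')."""
    return [Layer(l.name, 0.0 if l.credential_gated else l.protection_hours,
                  l.detection_hours, l.credential_gated) for l in layers]

# Constructed scenario: only the firewall has an alarm (IDS fires after 1 hour).
CONTROLS = [Layer("locks", 4, None), Layer("firewall", 10, 1),
            Layer("social engineering training", 20, None),
            Layer("disk encryption", 48, None, credential_gated=True)]
```

With an 8-hour reaction the firewall alarm stops the attack with hours to spare; strip the alarms and the outcome is never secure, and with stolen credentials a 48-hour encryption layer adds nothing, so a slow 40-hour reaction loses.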

Look, if you want security, you need only a few things, and most of them can be had for free or for much lower costs than vendor solutions. Follow the SANS Top 20, and invest in detection and alerting infrastructures. And quality security personnel. Stop trying to cheap out on security. It’s just another business center, so treat it like one, and make your business partners treat it like one.