Welcome to my site...


Thanks for visiting my website. You can learn more about me and all the many projects I am involved with by browsing this site. Below you will find the most recent articles published in all the different sections of my website. If you want to view articles on a specific area, please click on one of the category links above. You can also follow the other links to learn more about me and my non-technical interests.

I'm glad you decided to drop in, feel free to leave comments on any article or to use the contact page to get in touch with me.

Fair Information Practices: Implementing In Businesses (Presentation)
Security - Enterprise Security
Thursday, 26 February 2009 00:00

The following presentation was originally part of a class project on the Fair Information Practices. The presentation is designed for companies and other organizations in the private sector to better understand how the passage of an Omnibus Privacy Law would affect their business operations and processes. The presentation highlights the actions that must be taken to comply with privacy guidelines.

Fair Information Practices For System Developers
Security - Enterprise Security
Thursday, 26 February 2009 00:00

This is the last in a series of three presentations on the Fair Information Practices. This presentation is designed for system developers who create information management and network systems. If an omnibus privacy law were passed, then businesses would fall under new requirements. In order to remain competitive, vendors would have to update their products in order to facilitate compliance. Therefore, this presentation explains the types of changes that would need to be implemented in various systems and software in order to meet the privacy guidelines of the FIPs.

Building Security into System Design
Security - Enterprise Security
Thursday, 05 February 2009 10:56

Summary

In this article [1], Hale argues that information systems need to be designed with security as a primary factor. He starts the article by emphasizing the number of attacks and their related costs. He notes it is relatively inexpensive to hack any given enterprise which is specifically targeted by skilled hackers, who are always a step ahead of the security researchers and patch writers. He notes that in general, systems are not designed with security in mind, and as a result, security holes and backdoors are only discovered after deployment. As a result, an organization is always playing catch-up to the hackers. If systems are designed not only to function well, but with the goal of increasing security, fewer attacks will be possible. The article notes that security does not just magically appear, but that it must be explicitly addressed and built into any given system. When a system is purchased or built internally, security cannot be an afterthought. Hale concludes by recognizing it is impossible to make any system 100% secure, but that a security-centric system stands a better chance of resisting attack. A weak system is not going to be secured by an additional security measure such as a firewall.

Relation to Enterprise Security

The security team within an enterprise often focuses on discovering and patching security vulnerabilities. While this is often one of the top tasks for the team, it would be better if more time was spent proactively thinking about security. When products are purchased from outside vendors, they should be analyzed and reviewed for their security characteristics. This process would include reviewing NIST/CERT and other reports for the application. Other possibilities include reading product reviews written by security professionals and organizations as opposed to white papers or general commercial reviews. When products are developed internally, it is important to have a quality assurance team which is well versed in secure coding procedures and practices. In addition, the application should be tested with security tools in a sandbox before deployment. By doing the upfront analysis, the costs of later mitigation are reduced because many of the obvious and easily identifiable security vulnerabilities have been eliminated.

When security is an afterthought, the security team will always be playing catch-up to the attackers. As a result, the attacks will be more costly because of time limitations based upon the urgency and criticality of the vulnerability. In addition, the proactive approach will help create security consciousness within the enterprise, which will help in anticipating and reacting to the inevitable attacks.

Discussion

I believe encouraging vendor security consciousness would also be a valuable presentation. I believe that even if this increased the costs of the software or information system, customers would be willing to pay more upfront for a more secure system. Customers could take the word of the vendor; however, it would be more useful if there was some trusted organization which could provide a score on the security or evaluate the security evaluations used internally by the vendor. 

I am sure that every day, many security professionals earn their salary finding the same common vulnerabilities over and over again on their customers' systems. While this is great for the auditors and penetration testers, it is a waste for the customer. The customer organization could have saved more money up front by making security-conscious decisions. In addition, this would then allow the penetration testers and security researchers to focus on more intricate and complex vulnerabilities, instead of focusing on the simple exploits that can often be perpetrated with a found script or with "script kiddie" tool kits.

While it is not desirable, it is understandable that many companies continue to use vulnerable software and systems which are known to be insecure. At the time of the initial investment many years ago, security was probably not a hot topic or a major concern. Now, they are stuck with these systems until the next purchasing or upgrade cycle. I believe that today security has become more prominent, and that vendors will work to make their products much more secure. This is not only because of increased awareness, but the new reality of negative publicity and diminished customer retention that can result from being flagged as a vendor of insecure or "easily hacked" products.

References

1. Hale, Gregory. Think Network Security First, System Second. Enterprise Security Today. [Online] NewsFactor Network, February 4, 2009. [Cited: February 5, 2009.] http://www.enterprise-security-today.com/story.xhtml?story_id=0110018EEM4R.

An Early Look at Obama's IT Security Plans
Security - Enterprise Security
Saturday, 24 January 2009 00:00

Summary

This article [1] by McMillan outlines some of President Obama's plans and initiatives related to cyber security. The Obama administration is very interested in taking additional action at the federal level in order to clarify the "patchwork" of current state laws. The objectives primarily deal with strengthening protections from cyber terrorists and digital espionage. The Obama plan is based on his objectives outlined during his campaign and is in line with the recommendations from top experts. The plans will continue and likely accelerate initiatives which were previously outlined during the Bush administration. It is interesting to note that Obama does not simply state that America must address security concerns, but states that our cyber security is a "critical national asset".


Relation to Enterprise Security

While many issues of enterprise security are related to an organization’s self preservation, a great deal of planning and action is related to government regulations. As the federal government increases its focus on cyber security, there will be a great increase in the number of laws passed. While some laws will simplify or improve existing legislation, both at the state and federal level, other legislation will likely arise to increase restrictions and reporting requirements. As a result, some enterprises may not be able to function for some period of time as they work to meet compliance or adjust practices to meet government requirements. If the government applies legislation broadly across sectors it could have many positive outcomes. Training and education will transfer across different businesses. In addition, it will be easier to develop future education programs and understanding of core security needs, as opposed to learning how to comply with some specific set of laws. However, the other possibility is that a great deal of time and resources can be used to create specific, detailed legislation that will likely need constant revision to remain useful.

In addition to regulation, public sector practices and policies will need to be addressed by some private sector companies. For example, defense contractors and other organizations which interact with government information systems or perform classified work will need to change their policies in order to meet the internal government requirements. While these security considerations may not be enforced through regulation, failure to meet the same standards as internal government systems can result in termination of contracts and other agreements.

Overall, a strong focus on cyber security will result in long run improvements. The most important outcome will be increased awareness both by enterprises and individuals. When individuals are more aware of security concerns there is a lower likelihood of risky behavior, and in addition they are more likely to comply with an organization's security practices. In addition, high level management will give stronger consideration to enterprise security needs, enabling CISOs/CSOs to get the funds needed to implement security programs within the organization.

Discussion

As Worthen [2] notes, in the past cyber security did not receive the attention it deserved from the federal government. While efforts were made under the Bush administration, critics said they were not moving quickly enough to address the evolving challenges. An interesting point made by Worthen is that perhaps cyber security does not receive as much attention because a cyber/digital attack is not as readily noticeable as a physical attack; the effects of a bombing are evident, whereas the victim of identity theft may not know for a prolonged period of time that he was victimized. The article further goes on to explain that critical elements of our national infrastructure are not even in the government's hands, such as the banks and utility providers. As a result, the government must infuse security efforts into the private sector to truly ensure security. This can be a very difficult task as there are many areas that will likely need to be addressed, and it may be very difficult to decide how much and who should receive funding. However, as noted earlier, increasing general awareness is an important step. If the president maintains his strong focus on national cyber security, private organizations and individuals are more likely to talk about security and make individual efforts to protect themselves.

In looking at the White House report [3] it is clear to see that cyber security is being addressed in many aspects of national defense. First, a national cyber security advisor will be selected to coordinate efforts across agencies and to develop policies. The creation of such an office will ensure that cyber security is not just reviewed by some think tank or working group, but that there is someone constantly reporting to the President about important issues. Many of the points outlined will work to increase national security by addressing concerns in the private sector through legislation. Initiatives will also be created at all levels in order to investigate and prosecute cyber crime. This could result in a reduction of "script kiddies" or other minor attackers through fear of prosecution, allowing authorities to focus more on true criminals and issues with a greater impact on national security. Also of great importance are new cross-industry privacy initiatives which will seek to standardize privacy practices in order to reduce the ease of identity theft and privacy related crimes.


References

1. McMillan, Robert. Obama plan says cyber infrastructure is 'strategic'. Computerworld. [Online] International Data Group Inc., January 22, 2009. [Cited: January 23, 2009.] http://computerworld.com/action/article.do?command....
2. Worthen, Ben. Obama’s Cyber-Security Agenda. The Wall Street Journal. [Online] Dow Jones & Company, Inc., January 16, 2009. [Cited: January 23, 2009.] http://blogs.wsj.com/digits/2009/01/16/obamas-cyber-security-agenda/.
3. The White House. Homeland Security. The White House. [Online] January 2009. [Cited: January 23, 2009.] http://www.whitehouse.gov/agenda/homeland_security/.

A Look at Insider Threats
Security - Enterprise Security
Tuesday, 20 January 2009 16:05

Summary

This article [1] by Tom Reilly focuses on enterprise security threats from employees (insiders). He begins the article by acknowledging that while insider attacks are not new, the proliferation of information systems increases the number of people who have access to valuable data. Thus, this significantly increases the number of individuals who may possibly steal information assets. Mr. Reilly notes that the recent economic downturn may be a strong motivator for individuals to commit information theft. White collar professionals may have access to valuable information and can easily find a black market customer via the Internet. Furthermore, there is a much higher level of risk from insiders as they do not have to be technically sophisticated hackers to steal a valuable asset; an employee can easily print or copy data to an external drive.

As a result of this internal threat, the author notes that many companies are increasing their employee monitoring efforts in order to track down and stop insider attacks. The key activities to monitor are what applications employees use, how much and how often certain data or datasets are accessed, and to where and at what time information is copied or duplicated (e.g. email, printed). For example, it would be very suspicious if a scientist was accessing a highly important database and printing out 100 records every night at 9:00 PM. The author also notes that, based upon his customer interactions, companies are increasingly more concerned with internal attacks than with external hackers. The author also surprisingly notes that not only is management interested in these monitoring practices, but employees seem to support such initiatives. The reason for this is that employees realize that if an insider sells company secrets, the company may subsequently go out of business. In order to protect their organizations, and thus themselves, employees will support such initiatives.

Relation to Enterprise Security

This concept is absolutely paramount to enterprise security. While quite often there is a focus on external attacks and hackers breaking into an organization's systems, a much more likely attack can come from the inside. The costs to perpetrate an internal attack are much lower for the attacker because they often already have access and are well aware of the security measures and whether the rules are in fact followed. Internal attacks could very easily be commingled with legitimate work activities; as a result, the attacks could be much more difficult to detect. In terms of costs to the enterprise, internal attacks can be incredibly damaging because the attacker will usually know how to get the most valuable asset for a given attack cost. Furthermore, monitoring employee activity requires not only looking for irregularities or violations, but also patterns of activity over time.

Monitoring of activity is also often mandated by regulatory requirements. For example, email records must be stored for some time and under some regulations must be reviewed by a compliance officer. In addition, other laws such as HIPAA require detailed auditing of when and by whom records are accessed [2]. As a result, over time it may be expected that there is limited privacy within a business setting and employees will act with higher levels of discretion. Perhaps now it is not only expected, but also accepted by employees that they will be monitored as a result of news stories and regulation.

Analysis / Discussion

The tools and training for mitigating and monitoring internal attacks are not as widespread as external risk management tools such as firewalls, IDSs, and penetration testing. To some degree these tools can help track down internal attacks; however, monitoring internal attacks and violations is much more complex because they can be highly dependent upon the organization's internal policies and specific applications. For example, should an individual have restricted access to a database only between certain hours? Should they further only be allowed to access so many records at any given time? Should an executive receive access to this system simply because he is an executive? These questions are often very difficult to answer and can often be subject to internal politics. In general, information should be accessible only on a need-to-know basis with only the minimum level of access required. Furthermore, additional measures may be necessary; while it is possible to prevent copying or printing of data on some systems, could some attacker take a screen shot or do they have a camera on their cell phone? While the costs of the attack are very high, the cost to hire a security guard to pat down employees as they enter a locked room with a computer terminal may be extremely high, or employees may simply choose to leave such a restrictive environment. As a result, it may be very difficult to prevent security breaches internally. However, the development of firm, enforced policies and monitoring programs can help limit such attacks or greatly increase the attack costs to the point where it is too costly or risky to perpetrate the attack.

In an older article [2] by Daintry Duffy, the author addresses how organizations can effectively implement monitoring programs. One of the keys addressed in this article is that policies must be explicit and well communicated. In this way the employees will understand the rules and will reduce behavior that the monitoring would identify as potentially risky; as a result, there are fewer incidents and less data to sort through in order to find the real insider attacks. Next, risky actions should be blocked whenever possible; for example, some companies block access to external FTP servers from inside the enterprise. When a potentially risky action cannot be blocked, then restrictive measures must be put in place and monitoring of actions becomes required. Another point to consider is the legal standpoint on monitoring. Some monitoring may be mandated by regulation and forced upon the organization. On the other hand, privacy laws may prevent other forms of monitoring; these laws can vary from state to state and country to country.
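As an added illustration (not code from either article), the following Python checks a record-access audit log for the kind of pattern described above: bulk copies or print-outs after business hours, and the same behaviour recurring over several days. The log format, the business-hours window, the bulk threshold and the repeat count are all assumed, and the sample log is constructed.

```python
"""Flag after-hours bulk record movement and recurring nightly patterns.

The audit-log format (timestamp user action dataset count) and all
thresholds are assumptions for this example, not any product's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2009-01-12T09:15:00 alice query  research_db 12
2009-01-12T21:02:00 bob   print  research_db 100
2009-01-13T10:40:00 alice export research_db 8
2009-01-13T21:05:00 bob   print  research_db 100
2009-01-14T21:01:00 bob   print  research_db 100
2009-01-14T14:30:00 carol query  hr_db 3
"""

BUSINESS_HOURS = (8, 18)          # assumed working window, 08:00 to 18:00
BULK_THRESHOLD = 50               # assumed record count that counts as "bulk"
REPEAT_DAYS = 3                   # assumed distinct days that make a pattern
MOVE_ACTIONS = {"print", "export", "copy"}  # actions that take data off-system


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, dataset, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "dataset": dataset, "count": int(count)})
    return events


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def flag_events(events):
    """Return events that move a bulk number of records after hours."""
    return [e for e in events
            if e["action"] in MOVE_ACTIONS
            and e["count"] >= BULK_THRESHOLD and is_after_hours(e["ts"])]


def find_recurring(events):
    """Group flagged events by (user, dataset); keep those seen on
    REPEAT_DAYS or more distinct days, i.e. a pattern over time."""
    days = defaultdict(set)
    for e in flag_events(events):
        days[(e["user"], e["dataset"])].add(e["ts"].date())
    return {k: sorted(v) for k, v in days.items() if len(v) >= REPEAT_DAYS}


if __name__ == "__main__":
    for (user, dataset), dates in find_recurring(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: after-hours bulk activity on {dataset} over "
              f"{len(dates)} days: {[d.isoformat() for d in dates]}")
```

In the sample log only bob's nightly 100-record print runs match both rules, which is the scientist example from the article; alice's daytime export of 8 records is neither after hours nor bulk and is left alone.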

References

1. Reilly, Tom. Employee Monitoring Good for the Employee. CSO Online. [Online] CXO Media Inc., January 14, 2009. [Cited: January 14, 2009.] http://csoonline.com/article/476078/Employee_Monitoring_Good_for_the_Employee.
2. Duffy, Daintry. Employee Monitoring: Watch This Way. CSO Online. [Online] CXO Media Inc., February 1, 2003. [Cited: January 15, 2009.] http://www.csoonline.com/article/217419/Employee_Monitoring_Watch_This_Way.
