<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>adventuresinsecurity.com Blog &#187; Commentary</title>
	<atom:link href="http://adventuresinsecurity.com/blog/index.php/category/commentary/feed/" rel="self" type="application/rss+xml" />
	<link>http://adventuresinsecurity.com/blog</link>
	<description>Information Security Management for Business Managers</description>
	<lastBuildDate>Mon, 19 Feb 2007 16:08:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Holy Toledo! The iPod did it!</title>
		<link>http://adventuresinsecurity.com/blog/2007/02/17/holy-toledo-the-ipod-did-it/</link>
		<comments>http://adventuresinsecurity.com/blog/2007/02/17/holy-toledo-the-ipod-did-it/#comments</comments>
		<pubDate>Sat, 17 Feb 2007 19:43:40 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Security Management Tips]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=117</guid>
		<description><![CDATA[Unbelievable.  It&#8217;s even more unbelievable because I live near the community of Oregon, Ohio where a police detective called a student&#8217;s iPod a &#8220;criminal tool&#8221;. 
In an article in the Toledo Blade,  Robin Erb describes an incident in which a former Clay High School student was charged with a felony for accessing school employee and student records.  [...]]]></description>
			<content:encoded><![CDATA[<p>Unbelievable.  It&#8217;s even more unbelievable because I live near the community of Oregon, Ohio where a police detective called a student&#8217;s iPod a &#8220;criminal tool&#8221;. </p>
<p>In <a href="http://toledoblade.com/apps/pbcs.dll/article?AID=/20070214/NEWS03/702140355">an article in the Toledo Blade</a>,  Robin Erb describes an incident in which a former Clay High School student was charged with a felony for accessing school employee and student records.  Not only did he access them, he downloaded them to his iPod.  In addition to being charged with unauthorized use of a computer, he was also charged with possessing a criminal tool&#8211;i.e. the iPod.  Nice police work, Oregon.  Will I still be able to carry my iPod concealed when I cross the city line?</p>
<p>Although the former student used a school computer lab to access the sensitive records, no mention was made in the article about how this was even possible.  It probably didn&#8217;t take much cracking of system security if access was gained in a classroom under high school staff supervision.  Instead of vilifying the venerable iPod&#8211;or any other mobile storage device for that matter&#8211;it might be better to ask serious questions about how this was even possible.  What steps is the school system taking to ensure this doesn&#8217;t happen again?  Or will the school board simply add mobile storage devices to the list of criminal tools so it can assure parents and teachers that their information is now secure?</p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2007/02/17/holy-toledo-the-ipod-did-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Calling endusers stupid isn&#8217;t helpful</title>
		<link>http://adventuresinsecurity.com/blog/2007/02/17/calling-endusers-stupid-isnt-helpful/</link>
		<comments>http://adventuresinsecurity.com/blog/2007/02/17/calling-endusers-stupid-isnt-helpful/#comments</comments>
		<pubDate>Sat, 17 Feb 2007 19:00:01 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Endusers]]></category>
		<category><![CDATA[Security Management Tips]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=116</guid>
		<description><![CDATA[I was reading a Tim Wilson article at Dark Reading this morning in which he asked the question, &#8220;So are users hopeless?  Are they inherently brainless and/or evil?&#8221;  My first reaction to the question was raucous laughter.  When I finally regained my senses, I read the rest of the article in which Wilson makes a lot [...]]]></description>
			<content:encoded><![CDATA[<p>I was reading <a href="http://www.darkreading.com/document.asp?doc_id=117639&#038;f_src=darkreading_node_1946" target="_blank">a Tim Wilson article</a> at Dark Reading this morning in which he asked the question, &#8220;So are users hopeless?  Are they inherently brainless and/or evil?&#8221;  My first reaction to the question was raucous laughter.  When I finally regained my senses, I read the rest of the article in which Wilson makes a lot of sense.</p>
<p>As a security director, I have days when I believe the users are all out to violate as many security policies as they can, either intentionally or because they are brain dead.  But this attitude isn&#8217;t helpful.  I agree with Wilson that most end users are intelligent individuals who want to do the right thing.  Keeping that in mind, helping users help themselves is a key element in any security program.</p>
<p>For years I&#8217;ve been a proponent of user education as a first step.  If there is chaos in the halls of security compliance, then part of the blame usually lies with the lack of effectiveness of an organization&#8217;s security awareness efforts.   This is always the first step, but it isn&#8217;t enough.</p>
<p>Employees will always make mistakes.  Yes, they&#8217;re human beings not robots.  So there are steps security professionals must take to mitigate the impact of those mistakes.  Content monitoring for data transfers, locking down the desktop, and Internet access controls are three good places to start.  Not only will this help stop the bleeding from an accidental incident, it will also help minimize the probability of malicious activities.</p>
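<p>Content monitoring for data transfers, the first of the three controls named above, is easy to illustrate. The following is an added example, not code from the original post: a small outbound filter that scans each transfer for Social Security numbers and payment card numbers, validates card candidates with the Luhn check so random digit runs are not flagged, and applies a policy that blocks sensitive data on channels the organisation does not control while holding it for review on channels it does. The sample messages, channel names and policy are constructed assumptions.</p>

```python
import re
from dataclasses import dataclass

# Constructed sample outbound transfers: (sender, channel, body).  None are real.
# The second SSN-looking value is deliberately unissuable (area number 9xx) and
# the last card-looking value deliberately fails the Luhn check.
SAMPLE_TRANSFERS = [
    ("alice@example.com", "mail", "Q1 numbers attached, see you at 3."),
    ("bob@example.com", "webmail", "Payroll export: 123-45-6789, 987-65-4321"),
    ("carol@example.com", "ftp", "Card on file 4111 1111 1111 1111 exp 12/09"),
    ("dave@example.com", "mail", "Order #4111111111111112 shipped today"),
]

# Channels the organisation controls (logged, archived, encrypted in transit).
APPROVED_CHANNELS = {"mail", "sftp"}

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    sender: str
    channel: str
    kind: str
    count: int


def scan_transfer(sender: str, channel: str, body: str) -> list:
    """Return one Finding per data type present in the transfer body."""
    findings = []
    ssns = SSN_RE.findall(body)
    if ssns:
        findings.append(Finding(sender, channel, "ssn", len(ssns)))
    candidates = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(body)]
    cards = [c for c in candidates if luhn_ok(c)]
    if cards:
        findings.append(Finding(sender, channel, "card", len(cards)))
    return findings


def decide(channel: str, findings: list) -> str:
    """Policy (assumed for this example): sensitive data on an unapproved channel is
    blocked outright; on an approved channel it is held for human review."""
    if not findings:
        return "allow"
    return "hold_for_review" if channel in APPROVED_CHANNELS else "block"


def run_monitor(transfers=SAMPLE_TRANSFERS) -> dict:
    """Scan every transfer and return {sender: verdict}."""
    verdicts = {}
    for sender, channel, body in transfers:
        verdicts[sender] = decide(channel, scan_transfer(sender, channel, body))
    return verdicts


if __name__ == "__main__":
    for sender, verdict in run_monitor().items():
        print(f"{sender:20} {verdict}")
```

<p>The Luhn step and the SSA issuance rules are what keep a filter like this usable: without them, order numbers and phone numbers generate enough false alarms that the control gets switched off, which is the usual way an accidental leak ends up unmonitored.</p>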
<p>Wilson does finish his article with the assertion that end users <em>are</em> hopeless.  OK.  Maybe.  But IT security shouldn&#8217;t be. </p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2007/02/17/calling-endusers-stupid-isnt-helpful/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Writely: A great product with questionable security</title>
		<link>http://adventuresinsecurity.com/blog/2006/03/17/writely-a-great-product-with-questionable-security/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/03/17/writely-a-great-product-with-questionable-security/#comments</comments>
		<pubDate>Fri, 17 Mar 2006 21:38:57 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Reviews]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=98</guid>
		<description><![CDATA[For those of you not familiar with Writely, it&#8217;s an online beta word processing service that provides the following services:

Create documents online
Upload documents from Word
Publish to the web
Post to your blog
Participate in online collaboration with people you specify

Yes, it&#8217;s a great product with fantastic potential.  And now that Google has purchased the company, Upstartle, things [...]]]></description>
			<content:encoded><![CDATA[<p>For those of you not familiar with Writely, it&#8217;s an online beta word processing service that provides the following services:</p>
<ol>
<li>Create documents online</li>
<li>Upload documents from Word</li>
<li>Publish to the web</li>
<li>Post to your blog</li>
<li>Participate in online collaboration with people you specify</li>
</ol>
<p>Yes, it&#8217;s a great product with fantastic potential.  And now that Google has purchased the company, Upstartle, things could get very interesting.  There is just one catch; there are no safeguards to protect the content of documents during editing or viewing.</p>
<p>On February 27, 2006, in the Writely blog, Jen, an employee of Upstartle, responded to a thread in which users questioned why SSL protection was not provided. </p>
<blockquote><p><strong>Jen:</strong> OK, now I have to reply ;-}</p>
<p>We don&#8217;t have SSL definitively planned as part of a premium service, although that&#8217;s certainly possible. SSL will definitely slow the service down, which is why we would likely not make it the default in the basic service. Yes, I know this response is vague, but it&#8217;s only because our plans are not final!</p></blockquote>
<p>As I posted to the Writely blog, it&#8217;s irresponsible for an organization to provide a tool like this without any apparent regard for safeguarding the activities of its users.  I hope that Google takes a different approach with this innovative and, in my opinion, much needed service.</p>
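<p>To make concrete what &#8220;no safeguards during editing or viewing&#8221; means, the following added example (not code from the original post, and not based on the real service) parses one constructed cleartext HTTP request of the kind an online editor sends when a document is saved, and lists what a passive observer anywhere on the network path learns from it: the destination, the session cookie that lets the observer act as the user, and the document text itself. The host, path, cookie name and form fields are hypothetical. Over SSL/TLS the same observer would see only the destination and approximate sizes.</p>

```python
from urllib.parse import parse_qs

# Constructed capture of one cleartext HTTP request from a hypothetical editor.
FORM_BODY = b"docid=42&title=Q3+layoff+plan&body=Close+the+Toledo+office+in+October"
CAPTURED_REQUEST = b"".join([
    b"POST /doc/save HTTP/1.1\r\n",
    b"Host: editor.example.com\r\n",
    b"Cookie: SESSIONID=8f3a9c1e77d24b0a; lang=en\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n",
    b"Content-Length: %d\r\n" % len(FORM_BODY),
    b"\r\n",
    FORM_BODY,
])


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, Content-Length body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("truncated body")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": rest[:length]}


def parse_cookies(header: str) -> dict:
    """Split a Cookie header ("a=1; b=2") into a name->value dict."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def exposed_to_observer(raw: bytes) -> dict:
    """Everything a passive observer on the path learns from a cleartext request."""
    req = parse_http_request(raw)
    form = {k: v[0] for k, v in parse_qs(req["body"].decode("utf-8")).items()}
    return {
        "destination": req["headers"].get("host", "") + req["target"],
        "session_cookies": parse_cookies(req["headers"].get("cookie", "")),
        "document_fields": form,
    }


if __name__ == "__main__":
    for key, value in exposed_to_observer(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

<p>The session cookie is the part that turns a confidentiality problem into an integrity one: whoever reads it can replay it and edit or share the document as the victim, which is why a service that handles user content needs transport encryption on every request, not just on the login page.</p>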
<p><strong>Author:</strong> Tom Olzak</p>
<p><strong>Listen to our Podcasts &#8211;> </strong><a href="http://www.podnova.com/add.srf?url=http://adventuresinsecurity.com/Podcasts/AISSeries/AdventuresinSecurity.xml"><img title="add to my PodNova" height="17" alt="add to my PodNova" src="http://www.podnova.com/img_chicklet_podnova.gif" width="91" border="0" /></a></p>
<p><strong>Free security training available at <a href="http://adventuresinsecurity.com/SCourses">http://adventuresinsecurity.com/SCourses</a></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/03/17/writely-a-great-product-with-questionable-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Political Risks Associated with Personal Information Storage</title>
		<link>http://adventuresinsecurity.com/blog/2006/03/02/political-risks-associated-with-personal-information-storage/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/03/02/political-risks-associated-with-personal-information-storage/#comments</comments>
		<pubDate>Thu, 02 Mar 2006 21:16:10 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Commentary]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=72</guid>
		<description><![CDATA[When we think of risks related to malicious hacking, we usually list financial ramifications.  But as global information delivery changes, the risks are increasing in severity.  
This week, Google moved its search records from its Chinese site to the United States.  The reason stated for the move was the possibility that the Chinese government might [...]]]></description>
			<content:encoded><![CDATA[<p><font size="3"><font face="Times New Roman">When we think of risks related to malicious hacking, we usually list financial ramifications.  But as global information delivery changes, the risks are increasing in severity.  </font></font></p>
<p><font face="Times New Roman" size="3">This week, Google moved its search records from its Chinese site to the United States.  The reason stated for the move was the possibility that the Chinese government might access those records without Google’s consent.  This was a responsible move by Google, given the potential reprisals against individuals whose searches cause concern within political circles in Beijing.  But is the data safe in the U.S.?</font></p>
<p><font face="Times New Roman" size="3">I wrote in a </font><a href="http://adventuresinsecurity.com/blog/?p=11"><font face="Times New Roman" size="3">January 26, 2006 blog article</font></a><font size="3"><font face="Times New Roman"> about a successful attempt to acquire U.S. Military secrets by alleged representatives of the Chinese government.  A foiled attack against the British government prompted the article.  What prevents these same attackers from breaking into databases in other countries to search for evidence of dissident activity in China?</font></font></p>
<p><font size="3"><font face="Times New Roman">I don’t know what the solution is.  But I do know that maintaining information that can be used to reconstruct an individual’s Internet habits is becoming a bigger problem than the privacy issues touted by many Americans.  It’s important for Internet companies to understand that the emergence of a truly global Internet requires vigilance that many organizations operating within democracies may find difficult to comprehend.  Business intelligence isn’t a good enough reason to store search information or other personal data that might be compromised by a foreign government for political purposes.</font></font></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/03/02/political-risks-associated-with-personal-information-storage/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sorting through the Security-in-the-cloud Debate</title>
		<link>http://adventuresinsecurity.com/blog/2006/02/24/sorting-through-the-security-in-the-cloud-debate/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/02/24/sorting-through-the-security-in-the-cloud-debate/#comments</comments>
		<pubDate>Fri, 24 Feb 2006 19:20:44 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Security Management Tips]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=67</guid>
		<description><![CDATA[There’s a lot of talk these days about security-in-the-cloud.  Security-in-the-cloud is generally defined as protection provided by Internet Service Providers (ISP) that results in only “clean” packets arriving at a subscriber’s perimeter.  Positions on the topic range from “it’s a bad idea” to “give everything over to a managed service provider.”  Based on my experience [...]]]></description>
			<content:encoded><![CDATA[<p><font face="Times New Roman" size="3">There’s a lot of talk these days about security-in-the-cloud.  Security-in-the-cloud is generally defined as protection provided by Internet Service Providers (ISP) that results in only “clean” packets arriving at a subscriber’s perimeter.  Positions on the topic range from “it’s a bad idea” to “give everything over to a managed service provider.”  Based on my experience as a Director of Security, I have sort of a middle-of-the-road position.  In this article, I explore both sides of the managed services debate.  I’ll also explain why I believe the most effective solution lies somewhere between the two extremes.</font></p>
<p><span id="more-67"></span></p>
<p><strong>Definition of Security-in-the-cloud<br />
</strong>Before we dive into the debate, let’s take a closer look at what it means to provide clean traffic to a subscriber’s perimeter.  Figure 1 is a logical view of Internet service delivery.</p>
<p><img id="image68" height="518" alt="In the Cloud Security" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/In%20the%20Cloud.jpg" width="599" /></p>
<p align="center">Figure 1</p>
<p>Data flowing from the Internet is filled with malware and packets intended to lure users into unknowing participation in criminal activities.  The security-in-the-cloud model places all filtering and defensive solutions at the ISP.  As the data, or packets, flow through the ISP’s cleansing process, bad packets are dropped and only good packets are delivered to the subscriber.  A subscriber can be a business or a home user.  In some cases, the argument has been made to move defensive solutions to the Telcos (i.e. AT&#038;T, Verizon, etc.).</p>
<p><strong>Position 1: “Give everything over to a Managed Security Service Provider (MSSP).”<br />
</strong>This is the extreme outsourcing position.  Most advocates of this approach make the assumption that preventing bad things from entering through the perimeter will prevent bad things from happening to information assets.  In other words, ISPs fighting dangerous packets on a distant battlefield is better than the subscriber dealing with them at the castle gate.</p>
<p>Another argument in favor of the MSSP approach has to do with resources.  The assertion is that small/medium business and home users don’t have the resources to effectively deal with network and Internet security issues.  This includes challenges associated with day-to-day monitoring and maintaining a level of protection commensurate with the changing nature of Internet threats.</p>
<p><strong>Position 2: “It’s a bad idea.”</strong></p>
<p>Advocates of this position maintain that only the organization that owns the assets to be protected should manage the perimeter defensive layers.  And even if an MSSP is used to provide a security-in-the-cloud layer, it’s just that; one layer in a defense-in-depth strategy.</p>
<p>As far as resources are concerned, proponents of the do-it-yourself model contend that the right tools and the right vendor relationships eliminate all resource constraint challenges.  Besides, they don’t want no outsider taking care of THEIR data.</p>
<p><strong>My Position<br />
</strong>Although I lean somewhat toward Position 2, I believe the right answer lies somewhere between these two extremes.  Yes, it’s a good idea to keep bad packets as far away from the perimeter as possible.  But I don’t want to make the ISP or Telco responsible for protecting my network assets.  In today’s litigious environment, any provider would have to protect itself with strict packet filtering rules.  This may seem like a good idea, but what happens when your CEO calls to ask why she’s having trouble communicating with a known trusted source, a source whose packet flow is seen by the provider’s filtering systems as dangerous?  The provider has no way of knowing who your organization trusts; only you do.</p>
<p>Another argument against deploying only a security-in-the-cloud solution has to do with attacks from inside the network.  Protecting the perimeter doesn’t protect information assets from the traveling user who just connected his worm-infected notebook computer to a conference room network jack.  That traffic never crosses the perimeter, so the ISP never sees it.  Only internal defenses, like IDS/IPS, together with an effective patch management process can stop the spread of that kind of threat.</p>
<p>On the other hand, trying to deal with every worm, virus, trojan, phishing/pharming ploy, and cracker attack on the Internet with internal resources only makes little sense.  Doesn’t the provider have some responsibility to provide a safe Internet computing environment?</p>
<p>Applying the principle of defense-in-depth seems like the right answer.  The right combination of MSSP services and in-house intrusion defense infrastructure reduces information asset risk to acceptable levels.  The right balance is subscriber dependent, but internal defense should never be ignored because an ISP, for example, is claiming full protection of the perimeter.  </p>
<p>Finally, I want to address the issue of provider and Telco protection for a fee.  This is one of my buttons.  The international infrastructure that comprises the global network known as the Internet is an important asset to businesses, governments, and individuals around the world.  Each of those entities is entitled to a safe environment in which to live and work.  In my opinion, this includes use of the Internet.  Governments and owners of the commercial components of the Internet must accept a fiduciary role in protecting global users from criminal elements in cyberspace.  How is this any different from protecting a nation’s citizens from street criminals?  And shouldn’t the owners of the infrastructure have some level of responsibility for assisting with security efforts to facilitate safe delivery of their services?  Don’t the taxes we pay to our government and the service fees we pay to providers entitle us to some level of due diligence?</p>
<p><strong>Author:</strong>  Tom Olzak</p>
<p><strong>Listen to our Podcasts:</strong></p>
<p><a href="http://www.podnova.com/add.srf?url=http://adventuresinsecurity.com/Podcasts/AISSeries/AdventuresinSecurity.xml"><img title="add to my PodNova" height="17" alt="add to my PodNova" src="http://www.podnova.com/img_chicklet_podnova.gif" width="91" border="0" /></a> </p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/02/24/sorting-through-the-security-in-the-cloud-debate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Laptop Encryption: Reasonable and Appropriate?</title>
		<link>http://adventuresinsecurity.com/blog/2006/02/20/laptop-encryption-reasonable-and-appropriate/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/02/20/laptop-encryption-reasonable-and-appropriate/#comments</comments>
		<pubDate>Mon, 20 Feb 2006 17:52:39 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Current Events]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=53</guid>
		<description><![CDATA[Senior U.S. District Judge for the District of Minnesota, the Honorable Richard H. Kyle, ruled last week that companies don&#8217;t have to encrypt their data as a requirement of the Gramm-Leach-Bliley Act of 1999.  The GLBA places a set of constraints on how financial institutions should handle customer information.  There&#8217;s been plenty of coverage on [...]]]></description>
			<content:encoded><![CDATA[<p>Senior U.S. District Judge for the District of Minnesota, the Honorable Richard H. Kyle, ruled last week that companies don&#8217;t have to encrypt their data as a requirement of the Gramm-Leach-Bliley Act of 1999.  The GLBA places a set of constraints on how financial institutions should handle customer information.  There&#8217;s been plenty of <a href="http://news.zdnet.com/2100-9595_22-6039645.html" target="_blank">coverage</a> on this issue since the ruling.  But I&#8217;d like to look at this from a different perspective; given <a href="http://www.answers.com/topic/health-insurance-portability-and-accountability-act?method=22" target="_blank">HIPAA</a>, <a href="http://www.answers.com/topic/sarbanes-oxley-act-of-2002-sox?method=22" target="_blank">SOX</a>, GLBA, and the standards of ethical behavior, what actions should be considered reasonable and appropriate when protecting sensitive consumer information?</p>
<p><span id="more-53"></span></p>
<p><a class="imagelink" title="Picture of Judge Kyle" href="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Picture%20-%20Judge%20Kyle.bmp"><img id="image52" height="83" alt="Picture of Judge Kyle" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Picture%20-%20Judge%20Kyle.bmp" width="128" /></a>  Judge Kyle (<a href="http://securitypronews.com/insiderreports/insider/spn-49-20060215JudgeSaysCompaniesDontNeedToEncrypt.html" target="_blank">Security Pro News</a>)</p>
<p>Stacy Lawton Guin, the plaintiff in a suit against John Wright, held that any financial organization storing investor information on electronic media must encrypt that information.  Wright, a financial analyst, did not encrypt Guin&#8217;s information on his laptop.  So when his laptop was stolen during a burglary of his residence, Guin became potentially vulnerable to identity theft, fraud, or other types of crime related to the use of sensitive personal information. </p>
<p>When the case was brought before Judge Kyle, he dismissed it.  Judge Kyle&#8217;s reason for dismissal was the lack of encryption requirements in the GLBA.  But does this relieve Wright of all responsibility?  Did he implement &#8220;reasonable and appropriate&#8221; safeguards to protect his clients&#8217; information?  Let&#8217;s examine the facts.</p>
<p>According to information presented before Judge Kyle, Wright&#8217;s home was in a low crime area.  Further, the information stolen was in Wright&#8217;s home due to the nature of his job; he worked from home as a financial analyst for Brazos Higher Education Service.  Finally, indications were that Wright took reasonable steps to secure his home.  Based on this information, I personally believe Wright did take reasonable and appropriate steps to protect Guin&#8217;s information.  But that&#8217;s just my opinion.</p>
<p>There are a lot of what-ifs that didn&#8217;t make it into the case, probably because they were irrelevant to the incident under review.  I spent about five minutes thinking about variations for how Wright&#8217;s laptop data might have been used.  Figure 1 is a short list (strictly fictional).  Next to each condition I list whether I believe encryption should be used.</p>
<p><a class="imagelink" title="Conditions.bmp" href="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Conditions.bmp"><img id="image59" height="84" alt="Conditions.bmp" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Conditions.bmp" width="128" /></a>  Figure 1 (Click to Enlarge)</p>
<p>It&#8217;s pretty clear that under any circumstances other than leaving his laptop in his locked home, with little or no transient foot traffic, in a low crime neighborhood, it&#8217;s reasonable and appropriate to encrypt sensitive customer information stored on the laptop.</p>
<p>The point I&#8217;m trying to make is this &#8212; Judge Kyle&#8217;s decision, based on a necessarily narrow interpretation of the law, shouldn&#8217;t be used as an excuse for businesses to immediately back away from any or all projects leading to laptop encryption.  Because the GLBA isn&#8217;t grounds for civil liability in this case doesn&#8217;t mean that there aren&#8217;t strong liability issues under many other circumstances.  Besides, protecting consumer information is the right and ethical thing to do. </p>
<p><strong>Author:</strong>  Tom Olzak</p>
<p><strong>Resources:</strong>  <a href="http://adventuresinsecurity.com/Podcasts/AISSeries/AdventuresinSecurity.xml" target="_blank">RSS Feed for our Podcasts</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/02/20/laptop-encryption-reasonable-and-appropriate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Goodmail Systems CertifiedEmail: What is it, and why all the fuss?</title>
		<link>http://adventuresinsecurity.com/blog/2006/02/14/goodmail-systems-certifiedemail-what-is-it-and-why-all-the-fuss/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/02/14/goodmail-systems-certifiedemail-what-is-it-and-why-all-the-fuss/#comments</comments>
		<pubDate>Tue, 14 Feb 2006 12:37:37 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Reviews]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=48</guid>
		<description><![CDATA[Last month, AOL announced it was beginning to use a certified email system designed by Goodmail Systems.  Basically, the Goodmail solution attaches an encrypted token to business/marketing email from certified businesses.  When AOL sees the token, and validates it, the email is treated as a non-spam message.  The catch for the sender is a small fee per message.  [...]]]></description>
			<content:encoded><![CDATA[<p>Last month, AOL announced it was beginning to use a certified email system designed by Goodmail Systems.  Basically, the Goodmail solution attaches an encrypted token to business/marketing email from certified businesses.  When AOL sees the token, and validates it, the email is treated as a non-spam message.  The catch for the sender is a small fee per message.  The impact on AOL email users is an increase in email with no other purpose than the delivery of unsolicited marketing material.</p>
<p>In this article, I&#8217;ll explore how Goodmail&#8217;s CertifiedEmail works, what the implementation of this solution means to business, and what users of AOL email services can expect.</p>
<p><span id="more-48"></span></p>
<p><strong>How CertifiedEmail Works</strong> </p>
<p>According to Goodmail, &#8220;&#8230;CertifiedEmail is a comprehensive email certification platform that eliminates the uncertainties associated with email delivery and message safety&#8221; (<a href="http://www.goodmailsystems.com/certifiedmail/">http://www.goodmailsystems.com/certifiedmail/</a>).  In other words, this solution is not designed to reduce the amount of spam received by Internet email users.  Instead, Goodmail claims it will allow the delivery of business mail (which many would call spam) while mitigating the risk of receiving malware or phishing email.</p>
<p>Figure 1, downloaded from the Goodmail web site, steps through the message certification process.</p>
<p><a class="imagelink" title="Goodmail Systems CertifiedMail" href="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Goodmail%20certifiedemail.gif"><img id="image49" height="96" alt="Goodmail Systems CertifiedMail" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Goodmail%20certifiedemail.thumbnail.gif" width="122" /></a>  <strong>Figure 1</strong> (click image to enlarge)</p>
<p>Enumerated steps in the image walk through the process Goodmail uses to deliver messages to its ISP Partners (i.e. AOL).  In essence, when the sender (business) wants to send a message to an AOL email subscriber, the Goodmail Imprinter calculates a message hash value.  It also requests a valid token from the Goodmail Generator.  Senders pay for the tokens.  The hash value and the token are attached to the message, which is sent to the receiver (AOL).  The receiver checks the token.  If the token is valid, the message is sent to the recipient&#8217;s mailbox.  If not, the message is run through the normal content and volume filters to determine if the message meets spam criteria.  Again, the sender pays for this spam-filter-bypass service. </p>
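<p>The hash-plus-token exchange just described, modeled as an added example (this is not Goodmail&#8217;s or AOL&#8217;s code, and the real token format is not given on this page).  Assumptions: the token is an HMAC signed by the Generator over the sender id, the message hash and an expiry, and the receiver shares the verification key; the header names and the constructed key are placeholders.  The receiver side is the part worth studying, because each check it skips (hash binding, expiry, accreditation) is a way a token could be reused for mail it was never paid for.</p>

```python
import hashlib
import hmac
import json

# Constructed signing key standing in for the secret shared between the
# Goodmail Generator and the receiving ISP.  Assumption: the page does not
# describe the real token format, so an HMAC over (sender, hash, expiry) is
# used as a plausible stand-in.
GENERATOR_KEY = b"constructed-demo-key-not-a-real-secret"


def message_hash(body: bytes) -> str:
    """Imprinter step: hash the message body so the token is bound to it."""
    return hashlib.sha256(body).hexdigest()


def issue_token(sender_id: str, msg_hash: str, expires_at: int,
                key: bytes = GENERATOR_KEY) -> str:
    """Generator step: sign the claims the receiver will later check."""
    payload = json.dumps({"sender": sender_id, "hash": msg_hash,
                          "exp": expires_at}, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def imprint(body: bytes, sender_id: str, ttl_seconds: int, now: int) -> dict:
    """Sender side: attach the hash and a paid-for token as message headers."""
    digest = message_hash(body)
    return {"X-Cert-Hash": digest,
            "X-Cert-Token": issue_token(sender_id, digest, now + ttl_seconds)}


def receiver_check(headers: dict, body: bytes, now: int, accredited: set,
                   key: bytes = GENERATOR_KEY) -> str:
    """Receiver (ISP) side: 'certified' bypasses the spam filters; anything
    else is handed to the normal content and volume filters ('filter')."""
    token = headers.get("X-Cert-Token", "")
    if "." not in token:
        return "filter"                       # no token: ordinary mail
    payload, mac = token.rsplit(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "filter"                       # forged or altered token
    claims = json.loads(payload)
    if claims["exp"] < now:
        return "filter"                       # expired token
    if claims["sender"] not in accredited:
        return "filter"                       # accreditation revoked/unknown
    if claims["hash"] != message_hash(body):
        return "filter"                       # token reused on another message
    return "certified"


def demo() -> dict:
    """Run the exchange through the cases a receiver must get right."""
    now = 1_700_000_000
    accredited = {"acme-marketing"}
    body = b"Spring sale: 20% off all widgets this week."
    headers = imprint(body, "acme-marketing", 3600, now)
    return {
        "valid": receiver_check(headers, body, now, accredited),
        "tampered_body": receiver_check(headers, body + b"!", now, accredited),
        "expired": receiver_check(headers, body, now + 7200, accredited),
        "unaccredited": receiver_check(headers, body, now, {"other-sender"}),
        "forged": receiver_check(
            {"X-Cert-Token": headers["X-Cert-Token"][:-1] + "x"},
            body, now, accredited),
        "no_token": receiver_check({}, body, now, accredited),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>14}: {outcome}")
```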
<p>Businesses wishing to sign-up as authenticated, reputable senders must apply for and pass an accreditation process.  Prospective accredited senders must possess the following qualifications:</p>
<ul>
<li>Have at least one year of verifiable business history</li>
<li>Have business headquarters in the United States or Canada</li>
<li>Must transmit messages from dedicated IP addresses with a six month history of doing so</li>
<li>Must have a sending history with a complaint rate among the lowest of senders transmitting to Goodmail&#8217;s ISP partners</li>
<li>Must be able to comply with Goodmail&#8217;s Acceptable Use and Security Policy</li>
<li>Must agree to the Token Purchase Agreement</li>
</ul>
<p><strong>Business Benefit</strong> </p>
<p>So what value can a business realize from accreditation?  According to Goodmail, marketing effectiveness is enhanced due to:</p>
<ul>
<li>Assured email delivery &#8211; messages no longer pass through a receiver&#8217;s spam filters</li>
<li>Confirmation that a message was delivered</li>
<li>Invalid addresses identified</li>
<li>Accurate detailed reports</li>
</ul>
<p>It&#8217;s not clear what effect this pay-as-you-go approach to email marketing will have on small businesses.  Small businesses without the working capital of large companies, with seemingly bottomless buckets of marketing cash, will be at an apparent disadvantage.  In the new model, if you have money your spam is not spam.  But if you can&#8217;t afford to pay, you&#8217;ll remain a spammer. </p>
<p>Well, it looks like this is a great idea for big marketing companies.  But what about consumers?  What is the impact on personal mailboxes?</p>
<p><strong>Impact on Consumers</strong> </p>
<p>Spam filters are not just tools to keep out malware.  They also prevent personal mailboxes from filling with marketing and sales literature.  Without spam filtering, the time Internet mail users might spend going through their email looking for meaningful messages would significantly increase.  The following is a list of alleged consumer benefits from using a receiver (ISP Partner) that subscribes to the Goodmail service:</p>
<ul>
<li>Consumers will have an improved email experience because they can differentiate CertifiedMail messages from others in the inbox.  OK, the marketing and sales email is filtered and marked.  But it doesn&#8217;t show up at all now.</li>
<li>Ability to easily identify, safely open, and respond to messages with confidence that the sender is legitimate.  I&#8217;ll admit, this has some value.  Opening only marketing or sales related messages marked as safe is a start on the road to solving phishing problems. </li>
<li>Assurance that important messages they expect to receive will be delivered and not lost to spam filters.  Another good point.  But most email users are capable of checking spam folders for important messages to prevent losing messages due to false positives in the spam filter.  Once a trusted sender is identified, it&#8217;s pretty easy to add it to the trusted sender list.</li>
</ul>
<p><strong>Conclusion</strong></p>
<p>Although there are obvious benefits to consumers, businesses will derive the most benefit from messages circumventing spam filters.  Email service providers like AOL should provide their subscribers with the ability to opt out of CertifiedEmail.  In fact, this should be the default setting for new mailbox configurations.  It hasn&#8217;t been that long ago that we began to prevent the large amounts of unwanted marketing information from intruding into our lives.  Let&#8217;s not take a step back. </p>
<p><strong>Author:</strong>  Tom Olzak</p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/02/14/goodmail-systems-certifiedemail-what-is-it-and-why-all-the-fuss/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>An Intrusion Defense Solution</title>
		<link>http://adventuresinsecurity.com/blog/2006/01/31/an-intrusion-defense-solution/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/01/31/an-intrusion-defense-solution/#comments</comments>
		<pubDate>Tue, 31 Jan 2006 12:13:03 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Security Management Tips]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=26</guid>
		<description><![CDATA[Rather than write another piece on security in general for today&#8217;s post, I&#8217;m going to share my team&#8217;s experience in selecting an intrusion defense solution that expands on our existing firewall perimeter defense.  During the past several weeks, my team and I struggled with the new infrastructure and management design to support our enterprise security strategy.  [...]]]></description>
			<content:encoded><![CDATA[<p>Rather than write another piece on security in general for today&#8217;s post, I&#8217;m going to share my team&#8217;s experience in selecting an intrusion defense solution that expands on our existing firewall perimeter defense.  During the past several weeks, my team and I struggled with the new infrastructure and management design to support our enterprise security strategy.  We looked at <a href="http://en.wikipedia.org/wiki/Intrusion-detection_system" target="_blank">IDS</a> and <a href="http://en.wikipedia.org/wiki/Intrusion-prevention_system" target="_blank">IPS</a>.  We looked at <a href="http://en.wikipedia.org/wiki/Security_Information_Management_System" target="_blank">SIM</a> products.  And we assessed each solution based on the following criteria:</p>
<p><span id="more-26"></span></p>
<ol>
<li>It has to provide general protection at the perimeter from common intrusions.</li>
<li>It has to provide visibility into our entire network.  The solution has to collect log data from all firewalls, switches, routers, IDS, and IPS devices and place it in a central repository.  It has to aggregate and correlate the data into meaningful information about the state of the network.  This information must be presented to approved IT personnel via a portal delivered through a browser interface.</li>
<li>We have to be able to implement tough access rules at the entry points to the network segments in our data center on which our critical information assets reside.</li>
<li>The solution must be able to identify and report on vulnerabilities in our data center.</li>
</ol>
<p>This list is a high-level version of our requirements, but you get the idea.  As we assessed various solutions, we also asked ourselves whether it was better to meet our monitoring requirements with a managed service or whether we should do it ourselves.  These are our conclusions:</p>
<ol>
<li>The effort in configuring and managing IPS devices is usually at the front end &#8211; especially if you just use the default blocking rules and leave IDS turned off.  Based on our research, we believe we can implement an IPS behind our Internet firewall that we can manage with very little recurring cost.</li>
<li>Contrary to reports, IDS is not dead.  IDS devices provide an inexpensive, non-intrusive way to gain visibility into our network.  In the graphic below, we show how we plan to leverage it.  IDS solutions are different from IPS.  IDS devices can collect thousands of lines of data each day.  The trick is to sort out the false positives, and try to make some sense out of what&#8217;s left.  This function was definitely a candidate for outsourced management.</li>
<li>IPS and IDS products are typically not very good at scanning the network to locate vulnerabilities.  So we decided to implement a network scanning tool, the output of which is fed to the SIM database.  But this tool requires regular updating to remain current on known vulnerabilities.  This became one more candidate for outsourced management.</li>
<li>Collecting log data from over 30 devices and churning it into SIM dashboard information was found to be another time-consuming task.  This also was a candidate for outsourced management.</li>
</ol>
<p>Overall, we found that outsourcing the management of the monitoring tools released the Security Team to concentrate on dealing with the findings of the various solutions rather than on managing the tools.  But we also realized that whether we outsourced management of the solution or not, we were ultimately responsible for protecting our network. </p>
<p>We decided to outsource all aspects of monitoring and the management and presentation of the collected data.  Using a web portal, we&#8217;ll have access to information about the health of our network at any time.  We&#8217;ll use this information in risk management activities designed to mitigate overall risk to the company&#8217;s information assets.  The graphic below is a conceptual depiction of our solution.</p>
<p><img id="image27" style="width: 572px; height: 503px" height="503" alt="sensorplacement" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/01/Sensor%20Placement.jpg" width="572" /></p>
<p>Let&#8217;s walk through this diagram, starting at the perimeter <a href="http://en.wikipedia.org/wiki/Router" target="_blank">router</a>.  <a href="http://en.wikipedia.org/wiki/Packet" target="_blank">Packets</a> from the Internet enter our network through this device.  A Network-based IPS (NIPS) is placed behind it.  In this example, the NIPS is positioned in a <a href="http://en.wikipedia.org/wiki/Demilitarized_zone_%28computing%29" target="_blank">DMZ</a>. </p>
<p>All data passing through the DMZ must pass through the NIPS.  In other words, this is an inline device that is configured to <a href="http://linux.about.com/cs/linux101/g/failsafelparfai.htm" target="_blank">fail open</a>. The NIPS will block known packet or network <a href="http://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system" target="_blank">anomalies</a> as well as known network attack signatures.  When an attack is detected, an alert is sent to the responsible security analyst.  All non-attack traffic is allowed to pass through to the internal network.</p>
<p>Upon entering the internal network the packets pass through a core <a href="http://en.wikipedia.org/wiki/Ethernet_switch" target="_blank">switch</a>.  Attached to the core switch is an IDS Sensor.  This is known as a Network Intrusion Detection System (NIDS).  Unlike a NIPS, a NIDS is not typically placed inline with the data.  This is due to performance issues common with intrusion detection devices.  But we still want to gather all the data passing through the switch.  We do this by configuring one of the switch ports as a <a href="http://en.wikipedia.org/wiki/Network_tap" target="_blank">Switched Port Analyzer (SPAN)</a>.  All traffic passing through the switch is copied to the SPAN port.  The NIDS scans the data and logs the results; it doesn&#8217;t block any information.</p>
<p>Also connected to the core switch is another NIPS.  Like the DMZ device, this NIPS is inline with the data and configured to fail open.  It acts as a security gateway between the servers housing the critical business systems and the rest of the network, blocking traffic that it suspects of containing malicious packets.</p>
<p>Note the layered approach to implementing IPS and IDS.  Each of these technologies has strengths and weaknesses.  IPS is great at blocking traffic, but if you tighten the rules too much you might cause your own <a href="http://en.wikipedia.org/wiki/Denial-of-service_attack" target="_blank">DoS</a> incident.  On the other hand, IDS is great at collecting large amounts of information about your network traffic, but it isn&#8217;t suitable for inline operation.  Nor is it reliable enough to end sessions over which attacks are traveling.  But putting the two technologies together creates a synergistic environment in which each technology helps shore up the weaknesses in the other.</p>
<p>Next, we come to vulnerability scanning.  The vulnerability scanning solution is not pictured in our conceptual drawing.  But it&#8217;s a critical piece of our intrusion defense implementation.  NIPS and NIDS are great at providing visibility into the network, but they&#8217;re not perfect.  Malicious packets will get through.  So another layer of defense is the process of identifying and remediating hardware and software vulnerabilities.  Regular scans of the network, or of specific network segments, provide a list of vulnerabilities known to exist in operating systems, applications, or network devices.  This information is passed to the portal where we&#8217;ll assess the risk posed by the vulnerability and manage remediation activities.</p>
<p>Now we&#8217;ll discuss the portal.  Click <a href="http://www.lurhq.com/MonDash.html" target="_blank">here</a> to view an example of a security dashboard.  All the information collected by the IPS, IDS, and vulnerability scanner will be aggregated, correlated, and posted to a dashboard like this one.  Further, logs from the network firewalls and switches will be included in the dashboard statistics.  This provides a single window into the health of our network instead of trying to piece it together by looking at 30 or 40 individual logs or reports.</p>
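<p>As an added example (not the author&#8217;s design or any vendor&#8217;s product), here is the kind of aggregation and correlation the SIM layer above performs over the NIPS, NIDS and firewall feeds.  Assumptions: the collector has already normalised each device&#8217;s output into one key=value line per event, 10.0.0.0/8 is the internal network, and all log lines are constructed.  It shows two things the walkthrough describes: how a NIDS alert plus a firewall record together say more than either alone, and how the &#8220;thousands of lines a day&#8221; problem is reduced by flagging signatures that look like false positives for tuning.</p>

```python
import re
from collections import Counter, defaultdict

# Constructed log lines (not from any real device).  Assumption: the collector
# has already normalised each device's output into one key=value line of the
# form "<timestamp> <sensor> <action> [sig=<name>] src= dst= dport=".
SAMPLE_LOGS = [
    "2006-01-30T09:00:01 nips-dmz BLOCK sig=sql-slammer src=203.0.113.9 dst=192.0.2.10 dport=1434",
    "2006-01-30T09:00:05 nids-core ALERT sig=smb-worm-propagation src=10.1.20.55 dst=10.1.30.7 dport=445",
    "2006-01-30T09:00:06 nids-core ALERT sig=smb-worm-propagation src=10.1.20.55 dst=10.1.30.8 dport=445",
    "2006-01-30T09:00:07 nids-core ALERT sig=smb-worm-propagation src=10.1.20.55 dst=10.1.30.9 dport=445",
    "2006-01-30T09:00:09 fw-internet ALLOW src=10.1.20.55 dst=198.51.100.20 dport=6667",
    "2006-01-30T09:00:12 fw-internet DENY src=198.51.100.77 dst=10.1.20.55 dport=135",
    "2006-01-30T09:01:00 nids-core ALERT sig=icmp-large-packet src=10.1.40.2 dst=10.1.1.1 dport=0",
    "2006-01-30T09:01:02 nids-core ALERT sig=icmp-large-packet src=10.1.40.3 dst=10.1.1.1 dport=0",
    "2006-01-30T09:01:03 nids-core ALERT sig=icmp-large-packet src=10.1.40.4 dst=10.1.1.1 dport=0",
    "garbage line the parser must survive",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>\S+)(?: sig=(?P<sig>\S+))?"
    r" src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(line):
    """Normalise one line into an event dict, or None if it is not parseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_internal(ip):
    """Assumption for this example: 10.0.0.0/8 is the internal network."""
    return ip.startswith("10.")


def correlate(lines, spread_threshold=3, noise_threshold=3):
    """Turn raw device logs into a short list of findings for the dashboard."""
    events = [e for e in map(parse, lines) if e]
    alerts = [e for e in events if e["action"] == "ALERT"]
    allows = [e for e in events if e["action"] == "ALLOW"]
    findings = []

    # Rule 1: one internal host triggering the same NIDS signature against
    # several distinct internal targets looks like worm-style lateral spread.
    targets = defaultdict(set)
    for a in alerts:
        targets[(a["src"], a["sig"])].add(a["dst"])
    spreading = {}
    for (src, sig), dsts in targets.items():
        if is_internal(src) and len(dsts) >= spread_threshold:
            spreading[src] = sig
            findings.append({"type": "lateral-spread", "host": src,
                             "sig": sig, "targets": len(dsts)})

    # Rule 2: the firewall letting that same host talk to the Internet raises
    # the priority: the IDS alone cannot show the outbound leg.
    for fw in allows:
        if fw["src"] in spreading and not is_internal(fw["dst"]):
            findings.append({"type": "outbound-from-spreading-host",
                             "host": fw["src"], "dst": fw["dst"],
                             "dport": fw["dport"]})

    # Rule 3: a signature firing once each from many unrelated hosts is more
    # likely noise than an attack; surface it for rule tuning.
    per_source = Counter((a["sig"], a["src"]) for a in alerts)
    sources = defaultdict(set)
    for a in alerts:
        sources[a["sig"]].add(a["src"])
    for sig, srcs in sources.items():
        if (len(srcs) >= noise_threshold
                and max(per_source[(sig, s)] for s in srcs) == 1):
            findings.append({"type": "tuning-candidate", "sig": sig,
                             "sources": len(srcs)})
    return findings


def finding_types(lines):
    """Helper for the dashboard summary: which finding types fired."""
    return sorted(f["type"] for f in correlate(lines))


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS):
        print(finding)
```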
<p>Is this a perfect solution?  Absolutely not.  But it&#8217;s good enough.  We implement security solutions based on risk management principles.  The use of sound risk management practices allows us to see just how critical a vulnerability or a potential threat is to our environment.  It also helps us decide what resources to apply to risk mitigation and how much to reduce the risk.  Yes, we will make improvements over time.  No, we probably didn&#8217;t do everything we should or could have.  Resource constraints are as real in our organization as they are in yours.  But I believe this is a good start.</p>
<p><strong>Resources:</strong></p>
<p><a href="http://www.juniper.net/products/intrusion/" target="_blank">Juniper IDP Solutions</a></p>
<p><a href="http://verisign.com/products-services/security-services/managed-security-services/index.html" target="_blank">Verisign Managed Security Services</a></p>
<p><a href="http://www.lurhq.com/enterprise.html" target="_blank">LURHQ Managed Security Services</a></p>
<p><a href="http://www.foundstone.com/" target="_blank">Foundstone</a></p>
<p><a href="http://www.iss.net/" target="_blank">ISS</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/01/31/an-intrusion-defense-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber-espionage: How vulnerable are we?</title>
		<link>http://adventuresinsecurity.com/blog/2006/01/26/cyber-espionage-how-vulnerable-are-we/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/01/26/cyber-espionage-how-vulnerable-are-we/#comments</comments>
		<pubDate>Thu, 26 Jan 2006 17:56:33 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Current Events]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=11</guid>
		<description><![CDATA[Hacking activities thought to be related to the theft of government secrets are a real threat to national security.  In a January 25, 2006 article in ComputerWorld, John E. Dunn reported that email containing an exploit for the Microsoft Windows WMF vulnerability was sent to recipients in the UK House of Parliament.  
According to Dunn, over 70 PCs were targeted on January 2, [...]]]></description>
			<content:encoded><![CDATA[<p>Hacking activities thought to be related to the theft of government secrets are a real threat to national security.  In a January 25, 2006 article in ComputerWorld, John E. Dunn reported that email containing an exploit for the Microsoft Windows WMF vulnerability was sent to recipients in the UK House of Parliament.  </p>
<p>According to Dunn, over 70 PCs were targeted on January 2, 2006 with messages intended to install keyloggers.  This was confirmed by MessageLabs Ltd &#8211; the government&#8217;s message filtering company.  Luckily, the messages were identified and stopped before they could reach their targets.  The most disturbing piece of information coming out of this incident is the source of the attack &#8211; Guangdong Province in China.</p>
<p>An isolated, one-time attack might be passed off as just another malicious individual flexing his muscles.  But this is at least the second incident in which Chinese attackers have targeted foreign governments.  </p>
<p>On November 1, 2004, attackers located in Guangdong Province launched an attack against the U.S. Army facility at Redstone Arsenal.  But this attack is thought to have been successful.  It is believed that U.S. military secrets, including aviation specifications and flight planning software, were stolen.  It is also believed that the intended recipient for this information was the Chinese government.  This successful breach of U.S. Government security is part of an on-going attempt by the Chinese to hack into government computers.  U.S. Officials have named the hackers Titan Rain.</p>
<p>So just how vulnerable is the U.S. infrastructure to cyber attacks by other nations or terrorist groups? </p>
<ol>
<li>During a 2004 <a href="http://en.wikipedia.org/wiki/FISMA" target="_blank">FISMA</a> required audit of security implemented by entities within the Federal government, seven departments failed to achieve a passing grade. Included in the list of failed departments was the Department of Homeland Security (DHS).</li>
<li>Congress and the Bush administration cut by 7% the 2005 DHS budget for cyber security programs.</li>
<li>In February 2005, the President&#8217;s Information Technology Advisory Committee (PITAC) completed a report entitled &#8220;Cyber Security: A Crisis of Prioritization.&#8221;  The following findings and recommendations were presented to the Bush Administration:
<ol>
<li>Finding: &#8220;The Federal R&#038;D budget provides inadequate funding for fundamental research in civilian cyber security.&#8221;  Recommendation: The <a href="http://en.wikipedia.org/wiki/National_Science_Foundation" target="_blank">NSF</a>, DHS, and <a href="http://en.wikipedia.org/wiki/Darpa" target="_blank">DARPA</a> budgets should be increased significantly.</li>
<li>Finding: &#8220;The Nation&#8217;s cyber security research community is too small to adequately support the cyber security research and education programs necessary to protect the United States.&#8221;  Recommendation: Double the size of the civilian cyber security fundamental research community by the end of the decade.</li>
<li>Finding: &#8220;Current cyber security technology transfer efforts are not adequate to successfully transition Federal research investments into civilian sector best practices and products.&#8221;  Recommendation: The relationship between the Federal government and the private sector must be strengthened.  Lines of communication and cooperation must be developed and maintained.</li>
<li>Finding: &#8220;The overall Federal cyber security R&#038;D effort is currently unfocused and inefficient because of inadequate coordination and oversight.&#8221;  Recommendation: The Interagency Working Group on Critical Information Infrastructure Protection should become the focal point of R&#038;D efforts, coordinating and prioritizing all activities.</li>
</ol>
</li>
<li>In December 2005, the members of the Cyber Security Alliance expressed to the Bush Administration their frustration with the lack of progress made in addressing online crime.  The group &#8211; including organizations like Computer Associates, McAfee, Symantec, and RSA &#8211; believes that the lack of support and leadership shown by the Federal Government threatens the economy and national security.</li>
</ol>
<p>We should not expect the Federal government to solve all our problems.  But we should expect leadership when national security and the overall public welfare are threatened.  Congress and the President must change their priorities when addressing cyber security within the context of overall defense and social spending.  If this does not happen, hackers will continue to outstrip our ability to protect our national infrastructure; terrorists and foreign governments will find us a soft target.</p>
<p><strong>Author:</strong>  Tom Olzak</p>
<p><strong>Sources:</strong></p>
<p><a href="http://news.zdnet.com/2100-1009_22-5969516.html" target="_blank">Security experts lift lid on Chinese hack attacks</a></p>
<p><a href="http://homelandsecurity.osu.edu/focusareas/cyber-terrorism.html">Tech Group Blasts Federal Leadership on Cyber-Security</a></p>
<p><a href="http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf" target="_blank">PITAC Report on Cyber Security, February 2005</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/01/26/cyber-espionage-how-vulnerable-are-we/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security?</title>
		<link>http://adventuresinsecurity.com/blog/2006/01/23/security/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/01/23/security/#comments</comments>
		<pubDate>Mon, 23 Jan 2006 12:00:29 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Commentary]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=4</guid>
		<description><![CDATA[Picture this.  A security manager sits quietly contemplating the previous several months.  No known successful attacks against her network.  No loss of revenue or productivity due to system failure/recoverability issues.  Her team flawlessly executed two disaster recovery tests.  Her boss is happy, telling everyone that the network is secure due to her efforts.  Life is good.  What&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>Picture this.  A security manager sits quietly contemplating the previous several months.  No known successful attacks against her network.  No loss of revenue or productivity due to system failure/recoverability issues.  Her team flawlessly executed two disaster recovery tests.  Her boss is happy, telling everyone that the network is secure due to her efforts.  Life is good.  What&#8217;s wrong with this picture?</p>
<p>There&#8217;s nothing wrong with it if the security manager and her boss understand that this period of calm is temporary.  As attackers come up with new ways to penetrate and compromise business networks, security teams must remain flexible, continuously working to adjust safeguards to keep the network safe. </p>
<p>Too often these periods of safe computing are perceived by management as an end state.  In other words, security efforts have achieved their objectives; it&#8217;s time to move on to something else.  This is dangerous thinking.  </p>
<p>Security management is an ongoing process.  It requires continuous monitoring, analysis, and adjustment to maintain information asset protection at an acceptable level.  It&#8217;s the responsibility of the security professional to educate her peers, subordinates, and executive management about this fact.  Failing to do so will inevitably result in a weakened network defense, and an eventual attack causing significant business loss.</p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/01/23/security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
