Wash, Rinse, Repeat Security

Wash, Rinse, Repeat Security

This week is the RSA Conference in San Francisco and it focuses on information security and all that entails.  While this is a very broad topic that covers everything from anti-virus software to how to prevent the next cyber attack, the common goal is the same.  Each of us has something that others want to steal or exploit and we need to figure out a way to prevent them from doing that.

While governments and security experts focus on big ideas, and they should, most of us are still caught in the never ending cycle of patch, detect, remediate or wash, rinse, repeat.  Our information systems are flawed and malicious people are continuously finding ways to compromise them.  We find problems, patch them and fix the damage.  It’s a never ending cycle. 

Part of the problem is that we have accepted this as being the norm.  We accept that no system can be secure.  Software is inherently flawed.  Someone can always find a way to get around the system.  Maybe most of us have seen too many science fiction movies where these great hackers penetrate the most sophisticated systems and take over the world. 

Unfortunately most people and organizations view information security as an afterthought.  It’s a necessary evil and gets in the way of doing our work.  Just last week there was a story about some multinational oil and gas companies that suffered computer network intrusions from some hackers.  The hackers used some fairly simple techniques to compromise the network and stole financial documents related to field exploration and bidding for new oil and gas leases. 

One technique used was spear phishing, which is an email scam that appears to come from a trusted source.  Spear phishing is a social engineering scheme where people must click on links to compromise information.  The website attack used SQL injection techniques to grab data.  Both of these are tried and true, but they are also easily prevented.  The SQL attack could be prevented by encrypting data, limiting account access to the database, data validation and other techniques.  The email user should not click on links unless they are certain of their validity.

If we accept the assumption that we can’t foresee nor prevent all problems, we need to take a different approach.  In the case of the oil and gas companies, the hackers were after information inside documents.  Rather than worrying about the roads that lead to the documents, it’s better to think about protecting the documents themselves.

I like the analogy of an automobile design.  Engineers design cars to keep passengers safe.  They put in early warning systems, like anti-lock brakes, to help prevent skids.  They have crumple zones to absorb the impact of a crash.  They have air bags to cushion the blow from an impact.  They have a reinforced chassis that can withstand impact and forces.  They have suspension systems to cushion road bumps.  There are countless systems in place to prevent the passenger from getting harmed in numerous situations which may crop up while driving.

The bottom line is that the automobile is expendable and the passenger is not.  Obviously we want to avoid harming our cars, but when a catastrophe hits, the passenger’s safety is paramount.  This is the way to approach our data and document security.  Clearly it’s important to safeguard all the access points into our networks and computers, but ultimately we want to protect our information.

Think about what information is the most confidential and sensitive in your organization.  The best way to protect that information is through strong encryption.  If data is in databases, turn on encryption inside the database.  If someone gets through the defenses and grabs the data, it’s useless.  If information is in documents, use enterprise digital rights management (EDRM) to protect them.  EDRM protects the content inside the documents.  If someone steals them, the information is useless.  The strong encryption makes the information look like random characters. 

While it is important to get companies and developers to design more secure systems, we can’t wait until then.  You need a multi-level approach to prevent the bad guys from getting and exploiting your sensitive information.  The thinking needs to be strategic.  Focus on the information.  Assume someone will get it and think about how to protect it.  If all the systems that lead to the data are compromised, make sure the data isn’t.  We still need the firewalls and AV software in place, but the ultimate goal is to protect the data.  Just like in the car analogy.  If the entire car crumbles around the passenger, the passenger needs to remain safe.

Think about how much easier it is to fight a fire, if the building has been designed with flame retardant materials and real firewalls.  Focus on preventing exploits in the first place by creating secure systems.  Spending a small amount on prevention is a better idea than spending thousands or millions on detect, patch, remediate.


Photo credit Rosebrocks

Leave a Reply