August 30, 2006

Wanna be Famous?

All I know is just what I read in the papers, and that's an alibi for my ignorance.
           — Will Rogers

There it is. Front page. Headline. Someone else has now achieved his or her 15 minutes of fame that will unfortunately become a career-defining moment. And not in a good way. Who has not read about the latest case of identity theft in the papers and wondered what really happened? Every article starts the same way: a bold headline that grabs the reader's attention, the exaggerated surprise of those charged with safeguarding the identities that were stolen, the claims that security was and continues to be a high priority, and the all-important expression of dismay and disbelief at how such an incident could possibly have occurred. Of course, investigations are being conducted, and it will take some time before the full extent of the damage is known, not to mention the cause.

This organization is now in a serious public relations quagmire. Their hired PR guns weigh in next, firing phrases like “compromised information” in place of the more condemning “stolen customer identities”. Updates will be issued, still with no real information as to how the breach actually occurred or who was really responsible, since after all, that is confidential information that could disrupt the ongoing investigation. And you’ll never see a follow-up that doesn’t contain the assurance that “every effort is always made to protect customer (or alumni or patient) information.”

Finally, a low level staffer will be selected and offered up as scapegoat, accompanied by assurances that those who remain employed were pure as the driven snow. Then as soon as the wriggling sacrificial victim is out the door, everyone in charge breathes a heavy sigh of relief.

As a security professional connected with other security professionals, I would find the unending march of these articles funny if not for the real pain, suffering and economic hardship it means for the actual human beings who now have their social security numbers and mother’s maiden names up for sale on some black market auction site. My only intent in adding humor to the following categorizations of poorly implemented security strategies is to make them memorable and to hopefully spawn a lively discussion within your organization. Let me also say that I fully understand what a difficult task it is to design a plan that meets investor, board, customer and staff expectations. That said, let’s have a bit of a chuckle at our own expense (for any similarities however oblique) and then discuss a few steps that can actually make a difference for your customers.

The Cuban Missile Crisis Strategy: I’m sorry to say that I am old enough to remember the emergency drills in elementary school where we put our heads between our knees with our hands on our heads, and knelt under our steel and wood desks. This, we were told, would protect us best in the case of nuclear attack. Unfortunately, many published stories of security breaches contain the same kind of naive thinking, most commonly involving the assumption that a simple firewall will protect me from the hacker holocaust that is currently mushrooming just over the horizon.
Underlying problem: Way too much faith in protection systems that are way too weak.

The Invisible Man Strategy: Because of the highly automated nature of attacks that search out cracks in security perimeters, even the smallest organizations located far from the big city are being regularly tested by criminals. According to the March 1, 2006 issue of Personal Computer World, there is a 40% chance of infection with malicious code during the first 10 minutes of connecting a PC to a broadband connection, and a 94% chance of infection within one hour. When you connect your business to the Internet, you are no longer in a small town; you are on the busiest street in the world. You cannot be invisible in today’s interconnected world.
Underlying problem: The invalid assumption that the networked world mirrors the physical world.

The Wizard of Oz Strategy: This has to do with the show of security without the substance. In the current regulatory environment, this strategy can be unintentionally adopted as an organization tries to look secure without taking the steps that would make it actually secure. If you expect your visitors to be impressed by explosions of flame and a huge talking head suspended in space, know that the savvy ones know to look behind the curtain.
Underlying problem: Hackers don’t care how impressive your security looks. Their automated systems are programmed to locate and exploit a specific weakness, and if you have that weakness, you will be penetrated.

The Sackcloth and Ashes Strategy: As its name implies, this strategy relies on effective rhetorical skills after the building has burned to the ground. Well-crafted apology letters and press releases sometimes do convince the customer, alumni or patient that the organization really is going to work even harder at securing their records. There may even be free identity theft insurance offered as proof of the organization’s deep regret. But the information is still out there running free; the real damage is already done.
Underlying problem: The Ponemon Institute, in its 2005 Privacy Trust Survey for Online Banking, found that even a single privacy breach would cause 57% of customers to take their business to a competitor despite a high level of trust in their current bank. This is a very expensive strategy.

O Woe is Me! Is There Any Hope? Yes, there is; there is a lot you can do, and it may be easier and less expensive than you might think. The following steps will do wonders for your organization’s security health by driving out the above failed strategies.

  • Understand and acknowledge that security design is not something that should be attempted by people who are not trained and experienced in, well, security design. Unless you are a Fortune 1000 company, you are extremely unlikely to have that level of expertise on your payroll, and your whole company is at risk.
  • Given the previous issue, everyone needs to agree that “jobs are not on the line” if a security auditor finds a problem. If you don’t articulate this clearly and convincingly, you will have staffers working at keeping their jobs rather than helping to find the truth about your security stance.
  • You trust your bookkeeper and yet you hire an auditor to examine your financial systems. Similarly, go ahead and trust your IT staff, but hire a third party to perform a security audit on your policies, network and systems. And don’t waste your time with penetration tests until you’ve first done the hard work of auditing followed by mitigation of any uncovered weaknesses. What you don’t know can indeed kill you.
  • Understand that good security is a constantly shifting target. Good management requires facing the brutal facts, and the facts about security in today’s world are as brutal as they come. At the board level, acknowledge that having solid security is a moving target that requires a proactive, ongoing approach. Auditing your systems once a year is a good idea, but it won’t keep you or your board out of the papers. That new e-mail server your security consultant just blessed might have its gates locked tight today, but the patch that Microsoft is going to announce next Tuesday could well fling them wide open.
  • Good security absolutely requires constant vigilance. Once you’ve fixed all your security issues, you must constantly watch, measure and report on your security posture; think of it as a continuous security audit. And don't expect one magic box to do the trick; security is a varied and constantly changing landscape that requires ongoing awareness of several different areas, and box or software solutions usually only address one or two. Instead, deploy a system of countermeasures that provides ongoing awareness of key security metrics and adds new ones as the need arises. Imagine for a moment what would happen to the profitability of the company if there were no daily, weekly or monthly statistics or reports from which to manage between annual audits. The fact that security risks change even more frequently and abruptly than business risks should carry great weight.
  • Prepare for the worst. Although this may sound pessimistic, so does your disaster recovery plan. You really do not want to have to decide in the heat of battle what actions to take should the unthinkable occur. Remember that when you speak to the press, they will quote the most memorable thing you say, not the most intelligent. Name a spokesperson and adopt a policy requiring everybody else to defer to her. Do not just voluntarily hand them your head on a platter.

Take these steps, then go back to conducting the business that earns your daily bread with the confidence that you have done all that is reasonably within your power in adopting a strong security posture.