Between 1930 and 1940, France built a massive system of defenses known as the Maginot Line. Designed to stop a German invasion, history illustrates its failure. The 1940 German invasion of France skirted the defensive Maginot Line as they swiftly penetrated through the Ardennes by way of Belgium. I’m not a historian and there are many facts that played into this but clearly the fate of France was at least partly determined by a false sense of security rooted in the Maginot Line.
Have modern day corporations and public entities created their own version of Maginot Line when it comes to the protection of sensitive information? I think the answer is clearly yes. William J. Lynn III, the deputy defense secretary who oversaw a recent attack simulation pointed this out in “In Digital Combat, U.S. Finds No Easy Deterrent“. An over-reliance on firewalls and anti-virus programs has created a false sense of security among those who store, transmit, and process sensitive information in the normal course of business. The changing threatscape, such as the new complex zero-day exploits and state-sponsored targeted attacks, are sometimes ignored much like the French failed to take action when Belgium declared itself a neutral country severing their previous alliance with France.
Consider this comment made in a recent story:
“The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations.” US oil industry hit by cyberattacks: Was China Involved? CS Monitor, January 25, 2010
We are not prepared. The attackers have become more nimble, motivated, and tenacious while we have become slow moving and complacent. Many organizations have been lulled to sleep. We’ve already seen changes in the way attacks are organized and the creativity being designed into their exploits. Collectively, we need to examine the new threatscape and actively develop new tactics that match the agility being demonstrated by the “bad guys”.
Let’s learn from the Maginot Line. Let’s not get caught sitting behind our old walls hoping that we can sustain a direct assault when the real threat is making an end run.
The Google “Aurora” incident illustrates an ongoing problem with the “media motivated” approach many organization take in regards to information security. A major event happens and there is a short-lived window of opportunity to ride the “it can happen to us” wave to secure some funding for the latest toy or gadget. Unfortunately, some executives are unable to step out of the headline grabbing world of FUD (Fear, Uncertainty, and Doubt) and that is the only way security efforts ever show up on their radar. That is unfortunate but shouldn’t convince information security professionals to operate entirely in that realm.
Threats are constantly evolving. “Aurora’ today will be something else tomorrow. Constantly jumping from one fire to the next unfortunately takes us out of the process improvement mode of operation. Certainly there is some lessons learned from this incident that should be applied but ultimately, information security should be an evolving proactive process, not a panic stricken FUD game.
- Vulnerability management is a process that requires checks and balances. How do you know that all your systems are patched? This goes beyond O/S patches but applications as well.
- Do you know what your users are installing? Software deployment and management is part of an overall strategy to protect your systems.
- How do you know your systems have the latest anti-virus updates and signatures? Obviously, anti-virus is a reactionary tool that typically fares poorly in detecting new malware but keeping out the old stuff is important too.
- Do you actively look for compromised systems? How do you manage event information? Do logs come in to a centralized location that can be indexed and analyzed or do you really believe an analyst is manually looking through millions of log events each day?
- Understand where your attacks are coming from and take action. Look for weaknesses in your defenses and fix them or provide some type of compensating controls. Learn from compromised systems and the information already available to you from IDS, SEIM, logs, etc.
Show that information security provides value without resorting to scare tactics else you become the “boy who cried wolf” and ineffective in your long term efforts.
Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business it still amazes me that corporate behavior in this regard is still quite dismissive. Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations. That is kind of sad. Not only is information not being adequately protected by companies are ill-prepared for dealing with crisis.
As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients. The information was stored on a portable disk drive that “disappeared” from an office. The information on that drive wasn’t encrypted. Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised. This is a failure on many levels but certainly a failure in leadership and crisis management.
What should we be asking ourselves?
- We need to understand the information that we use and how we use it. How is information accessed, transmitted and stored? What is our legal (and moral) obligation to protect this information?
- There is no such thing as 100% security. If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
- Do we have a communication plan in place so that we can effectively provide notification internally and externally?
- When examining other breaches, do we practice the same way? Are we at risk of compromise? How do we change this?
Part of information security isn’t just applying best practices and being vigilent. Unfortunately, there is a need to be prepared for an incident or crisis. I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982. Another example would be the handling of a Southwest airlines crash at Midway airport in 2005. Neither one of these are information security incidents but certainly the lessons learned from their handling of a major crisis can be applied. Just do a search and look at the response from a corporate point of view. It’s really quite educational.
I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans. I’m afraid I may be waiting for awhile.
I may as well get on the 2010 prediction bandwagon.
1. With the rush to get into the “cloud” businesses will sacrifice security for the promise of efficiencies. Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure. I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.
2. The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk. Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security. This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required. This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.
3. I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year. The financial motivations and organization surrounding cybercrime makes this type of criminal activity very profitable. Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.
4. Mobile platforms will be the target of attacks this year. The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers. As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up. Expect 2010 to be a big year for mobile attacks.
5. With major attacks taking place in 2010 and hopefully and improving economy, the investment in information security will improve. Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment are emphasized.
I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information. Good luck in 2010.
Business and Security | Paul January 28, 2010 | 
Comments (2) 