Occam’s Razor for Information Security

April 10, 2012 by · Leave a Comment

What if the principle of Occam’s Razor was applied to information security controls?

“All things being equal, a simpler explanation is better than a more complex one”

In other words, if we spent more time applying simple controls rather than chasing buzzwords and “big stories”, would we see an overall reduction in data breaches?  According to the recent  Verizon Communications report (pdf)  we would.  The report indicates that 97-percent of data breaches were the result of bad guys using simple techniques that could have been countered by applying “simple or intermediate” controls.  Have we been running in circles for this long when the “simple” solution has been staring right at us?

I think this is the case because “simple” things are boring and mundane.  As such, people become complacent and start to believe that effort placed on simple tasks is a waste of time since the “real” threat is going to be much more sophisticated.  If the reported facts of data breaches are true, then that belief isn’t supported.

A variation of Pareto’s Principle (the 80/20 rule) seems to come into play.  Perhaps if we are diligent in applying simple controls (the 20%) then maybe 80% of breaches can be avoided.  Maybe instead of focusing on complex systems that require massive amounts of human resource overhead, a focus on simple controls would yield greater security results.  Applying the principle of least privilege to limit access to sensitive information or replacing local administrator rights on workstations with user or power user may just have a bigger payoff than a $100k SEIM solution that is never fully deployed.

If most breaches are due to a failure in applying simple security measures, then doesn’t it make sense to apply our efforts in improving simple controls?

———————————————————-
Photo Credit:  ddpavumba at freedigitalphotos.net

Filed Under: Business and Security, Should Have Known Better · Tagged With: , , , ,

Hacker Motivation – Does it Matter?

March 22, 2012 by · Leave a Comment

Motivation according to Dictionary.com is “the act or an instance of motivating, or providing with a reason to act in a certain way.”   While stealing data from organizations continues to be financially motivated the 2012 Verizon Data Breach Report indicated an increase in data theft as a result of hacktivism (data breaches aimed at advancing political and social objectives).  Who cares?

It’s interesting to see shifts in the motivation behind attacks on computer infrastructure but from a security perspective, a thief is a thief is a thief.  Whether motivated by fame, money, or political causes, the need to protect sensitive information in transit and at rest is still the same.

Bill Brenner blogged about this in his Salted Hash blog while referencing hacktivists and cybercriminals.

True, when it comes to motivation, there is a difference.  Hactivists are trying to advance a cause and target those they believe are against that cause.  Obviously, a different motivation from the simple pursuit of other people’s money.  But the tactics and results are the same.  – Bill Brenner “Hacktivists and cybercriminals:  Is there really a difference“, Salted Hash – IT Security News, March 22, 2012

I couldn’t agree more.  While the motivation behind an attack is certainly interesting, the type of information and method of attack is much more important.   If you’re stuck doing mandatory reporting of a breach I doubt those affected care who stole their information, only that it was stolen.

The bottom line here is somebody wants to steal your information and you must defend against that reality.  Figuring out why they want it doesn’t really change that.

 

Photo credit:  Salvatore Vuono and Freedigitalphotos.net

Filed Under: Business and Security · Tagged With: , , , , ,

Cybersecurity Bill – DHS as Punisher

November 23, 2010 by · Leave a Comment

In an effort to be a focal point of “cybersecurity”, legislation was introduced that would allow the DHS to levy fines and other civil penalties against any companies the government decides is “critical”.  I agree that the need to protect critical infrastructure is important, but this effort by legislators creates a slippery slope and a recipe for internal conflict.

First, what is “critical”?  The use of this broad term makes me nervous.   It’s an open-ended path to abuse in my opinion.

Second, this is nothing more than an added layer of bureaucracy that adds no value to information security other than the costs associated with complying with yet one more check box.  In the long run, more money will be dumped into information security but the large bureaucracy will negate the benefits.  The last thing that should be done is inserting a slow moving beast into an environment that requires agile response to defend against new attacks.

Third, what becomes of Howard Schmidt, the Presidential appointed U.S. Cybersecurity Coordinator.  Does this role go away?  If not, what type of conflict does the appointing of a DHS Cybersecurity guru create?

This is simply a bad idea.

Filed Under: National and State Privacy/Security Law, National InfoSec · Tagged With: , , ,

Be an Agile Defender

March 18, 2010 by · Leave a Comment

Anti-virus software is based on signatures of known viruses.  It’s a reactive product by nature and it should be known by now that these products are ineffective against new viruses and new variants.    That said, why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article?  Isn’t that like standing out in a rain storm to test if you’ll get wet and then writing an article about your finding?

While the testing part of the story was silly, the real point of the story is we need to think differently about the way we defend against the changing threatscape.  We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation.  It’s hard work and I don’t believe it is understood by leadership in most organizations.

That said, we can’t protect against the new threats if we fail to apply basics.   If you don’t believe that organizations get burned because of basic security failures check out this story out of New Zealand.  What is funny here is they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched.   That is misdirection worthy of a master politician.

Bottom-line:  Businesses cannot rely on AV or single layers of defenses.  Protecting information against a constantly moving adversary requires more than static thinking to be effective.  If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.

Filed Under: Business and Security, Should Have Known Better · Tagged With: , , , ,

Evolving the Security Message

October 23, 2009 by · 2 Comments

Richard Power wrote an article for CSO Online entitled  “Red Pill?  Blue Pill?  Ruminations on the Intersection of Inner Space and Cyber Space”.  It ties into the psychology of information security and how the shifting attitudes regarding privacy and security require a different approach to information security.   Power writes:

There is a generational shift in regard to security and privacy. The young workers of today have grown up in a world of failed security and vanishing privacy. If you try to reach these 21st Century psyches with a 20th Century security message — you will not reach them, and you will not be heard.

The way information security is addressed must evolve to keep up with the changing viewpoints of the “new workforce”.  If the change is not apparent, consider the way communication has changed over the last few decades.

Face-to-face meetings -> phone-calls -> e-mail -> text message -> social media

Different generations have different preferences in the way information is communicated to them.  While the way to get a message across has always depended on the audience, we seem to forget that concept in the information security world.  In an environment where adapting to change is essential to protecting information assets, it’s amazing that we seem rooted in the way we deliver the security message.  We must be better at communicating the value of security in terms and context that is important to the “receiver”.

The bottom line is information security is a collective effort.  We simply cannot afford to lose the message in transit because of a rigid approach to communication.

Be passionate.  Be open.  Be clear.  Be agile.

Filed Under: Business and Security · Tagged With: , , , ,

Security Scotomas

September 28, 2009 by · 3 Comments

youngwomanoldlady

It it a young lady or an old woman?  Is it both?

The potential for information security to enable business often gets lost on our own scotomas.  We get so locked into our world of information protection that we fail to see alternatives and opportunities.   The inability to see more than one option is the experience scotoma we all suffer from time to time and for some, more often than not.  We only see the “old lady” and therefore that is all we can act upon.  In order to see options and alternatives, we have to break our scotomas and communicate in a way that breaks the experience scotomas of others.

Only by breaking down the psychological barriers that prevent us from seeing the whole picture will we be able to apply business-focused security solutions.  That is where the business-value of security comes in.   Don’t just see the young lady.  Don’t just see the old lady.  See both.

Filed Under: Business and Security · Tagged With: , ,