The Danger of Over-Classifying

Information security professionals can learn a lot from WikiLeaks.  It seems that there are always new lessons available to us every day.  One topic that came to light early in the release of the cables was that most of the information seemed rather trivial, which made it difficult to see why politicians were so upset over the incident. 

The Center for Public Integrity has an excellent piece on examples of over classifying data that is in fact trivial.  According to the Information Security Oversight Office report , the government spent $8.8 billion on safeguarding classified information.

“Over-classification is not in the interest of the government,” said Bosanko. “Finite resources are best deployed when they are focused on the information that truly requires protection.”

Over-classification a problem that creates inefficiencies, weakens accountability, and financially weakens an organization.  Some security professionals believe that security for the sake of security defines what security is.  This may be done to create perceived job security or because the individual believes it is the right thing to do.  If sometimes there is a temptation to label all data as the most important and critical for simplicity.  In the end this creates unnecessary expense in both equipment and personnel resources.  The proper thing for all security professionals to do is to deliver a customized solution that suits the customer or employer needs.

Security professionals should be aware of the organization’s operating objectives.  In an economic downturn this may mean under protecting some assets in favor of deploying finite resources to protect the organization’s critical areas.  Even in good times the security professional should accept that all businesses exist to provide benefits to the shareholders.  This includes government because the taxpayers are the equivalent of shareholders.

The security professional should be prepared to interact with various business unit heads to get their view of what is important.  Each department head or staff member will have their own opinions and these should be collected for senior management review.  Senior management with the assistance of the security professional will determine the appropriate level of protection needed for the organization’s data.  This may be driven by the sensitivity of the data or it may be a financially driven decision where a total budget number is given in the organization must find a way to secure the most critical information only.

Under the ISO 27,001 standard, "top management" should be involved in the security and risk decisions made by the organization.  The security professional should work with top management to find the best solution that suits the organization in terms of both costs and efficiency. Security professionals can increase their visibility and bring value to their organizations through partnering with upper management.

DLP and ERM Sought By Military

In our last set of trade ideas, Trading on Fear with WikiLeaks, we had picked a few equities in the DLP and ERM space that might be interesting plays for the government sector.  Currently the military is using something called Host Based Security System for endpoint protection.  Apparently HBSS is a McAfee product that may have been slightly customized.  The contract for end point protection was awarded in 2006 so it is understandable that they are looking for better solutions.  There is a deployment of Bivio Networks appliances for Deep Packet Inspection (DPS) at certain sensitive locations on the network.  Clearly the military is moving in the right direction and it is logical that they will eventually purchase some form of host based DLP agent.  When the request for bid proposals is released our picks might be a growth opportunity.  Other governments will also be seeking to secure themselves against any leaks in the future so this can present itself as a growth opportunity as well.   Bivio Networks is privately held; however, they are partially owned by Goldman Sachs(GS).  Much like buying Intel to get exposure to McAfee, buying some of the big finance houses is a way to get exposure to the security space while being fairly diversified.

Military Implements Removable Media Policies

The military has implemented a new policy stating removable media can not be used on SIPRNET computers.  While this may seem like a good thing the implementation may be lacking.  The private sector has warned of the exposure caused by removable media for years.  From a practical stand point banning all removable media is nothing more than a good sounding idea. 

“Users will experience difficulty with transferring data for operational needs which could impede timeliness on mission execution,” the document admits. But “military personnel who do not comply … may be punished under Article 92 of the Uniformed Code of Military Justice.” Article 92 is the armed forces’ regulation covering failure to obey orders and dereliction of duty, and it stipulates that violators “shall be punished as a court-martial may direct.”

The military understands that efficiency will be impacted by their decision and they appear to be sticking by their guns on disciplining anyone who disobeys orders.  The key point here is a loss of efficiency via this policy . Private sector businesses rely on efficiency to maintain profitability.  Before implementing such a policy at your business, it is important to determine if it is the right thing to do.  The CFO is going to be interested in the impact any proposed policy has on the bottom line.  The loss of efficiency is something that will have to be weighed against security.  Based on the content of the Wired.com article it appears that no preventative technological controls are going to be used, otherwise punishing soldiers with a courts martial would not be mentioned.  The best solution would be to use technology to disable removable media as a supplement to the policy.  Policies that depend on the honesty of the workforce are seldom successful.  The anonymous sources in the article that intend to keep using removable media show that policies alone do not equal security.

Trading on Fear with WikiLeaks

In a previous post I had discussed how security professionals can benefit from WikiLeaks.  Today we we will take a look at how the security industry can benefit from WikiLeaks.  Physical security procedures can help prevent sensitive data from  leaving a secure facility; however, tracking and auditing your data is equally important.  The category of software that can help us out in this case is called Data Loss Prevention (DLP).  Most of these solutions involve a discovery component that finds all of your files on servers and workstations/laptops.  This is useful provided you know what you have and who should have it.  For example, the spreadsheet with employee salaries should probably be in payroll and HR only.  If someone in engineering has the complete list, that is probably a bad thing.  Government organizations can benefit from this more easily since workers are given security clearances and checking the document contents for a security classification, then matching it against a worker profile can be a quick way of checking for leaks.  This does not prevent personnel with access to the data from misusing it.  Some DLP products work by monitoring files traveling across the network for content that has been flagged by an administrator. Copying files to removable media or printing can also be flagged for an alert.

Enterprise Rights Management (ERM) software is similar to the Digital Rights Management (DRM) copy protection that was found on MP3 music in the early days of the iTunes store, and what you find on eBooks from Amazon and other retailers.  ERM can be applied to Microsoft Office documents and email.  It works by encrypting the documents and only decrypting them if an authorized user or computer accesses them.  If someone were to steal an ERM protected document it simply would not open on an unauthorized computer.  It is also possible to restrict documents by department within a company, but that involves fully understanding the complexities of who should have access to what.  ERM can also prevent printing, copy & paste, and print screen if needed.  Several reference customers I have talked to simply setup their ERM to prevent opening their files on computers not owned by the company.  Employees could carry documents on USB drives, but could only access them from company computers.  ERM and DLP might have prevented WikiLeaks from happening.  Oracle has a nice video of an ERM product they acquired.

Most of the companies in the DLP and ERM space are privately held and the larger ones have been absorbed by other companies in the security space.  Oracle & Microsoft are also companies that make many software products other than just their ERM offerings.  Intel acquired McAfee who also had an ERM product. Most of the examples below are from Gartner’s Magic Quadrant research on the DLP space and have and upward trend in the 50 and 100 SMA.  Will DLP and ERM become an important market in 2011 and will these companies be able to take advantage of increased data loss awareness caused by WikiLeaks?  Traders may want to keep an eye on these companies if DLP or ERM take off.  Well diversified companies such as EMC or Oracle may see some additional revenue from their acquisitions of other companies.

EMC

2010-12-06-EMC

SYMC – Symantec

2010-12-06-SYMC

WBSN – Websense

2010-12-06-WBSN
CHKP-Checkpoint

2010-12-07-CHKP

ORCL – Oracle

2010-12-07-ORCL

INTC – Intel

2010-12-07-INTC

WikiLeaks Good For Security & Securtiy Professionals

The Tao Te Ching brings us Yin and Yang, two opposites that are a part of the ever changing universe.  The misfortunes of the State Department (Yin) can be transformed into a victory for the security profession (Yang).  Or to simply put it, when life gives someone else lemons, you take their lemons and make lemonade.  One important aspect of Cable Gate is that it has brought attention to information security and the need for information security.  Security professionals across the world can expect organizations to begin asking if they are vulnerable to the same thing. And more importantly, what to do about it. This is a grand opportunity to bring your skills to the table and represent the profession when your employer or customers turn to you for help .  It does not matter if you are an engineer, a consultant, or management.  When a breach happens the spotlight is on security and it is our time to sing.

Technology Is A Tool Not The Solution

In the world of information security it is all too easy to propose technology solutions that are not the whole solution. The technology can be a part of the solution, but we must realize that there is no silver bullet and that the truly motivated will find a way around any barrier.  A solution is a combination of leadership, with a strategy, direction, and a team that can bring it all together.  The most important component is leadership.  Leadership does not have to come from the top of the organization.  Security professionals by nature have to interface with other professionals in finance, public relations, marketing, and other areas.  Be the expert in what you know, but do not discount the knowledge that other team members bring because they are a part of the solution. 

Know That Everything Can Not Be Fixed

Leadership is also about knowing what can and can not be done.  Not every exposure can be fixed.  Not every risk can be effectively mitigated.  Not every budget is unlimited.  Not everyone wants to hear that no matter what you do, there is not a silver bullet.  Setting expectations with other professionals and the public is extremely important.  Security is about providing reasonable protection against threats.  Sure, it may be possible to secure something by sending all the workers home and burning everything that is left.  Even then you can not be sure that everything is gone.  The stakeholders in the business would certainly object to shutting everything down.  They would also object to a more pleasant picture than an army of security professionals could paint.  Reasonable protection is about compromise between all stakeholders.  This means that security professionals may also have to compromise.  That does not mean that security is unimportant.  Understanding that fact brings us back to the solution with many professionals working together and to teamwork.

Protecting Your Cellphone Privacy

The Ohio Supreme Court has ruled that the contents of your cellphone is private information and authorities can not browse your mobile device without a warrant.  This is great news for the American People.

 

The Ohio Supreme Court ruled this month, by a 4-to-3 vote, that the search violated the Fourth Amendment’s protection against unreasonable search and seizure. Rather than seeing a cellphone as a simple closed container, the majority noted that modern cellphones — especially ones that permit Internet access — are “capable of storing a wealth of digitized information.”

This is information, the court said, for which people reasonably have a high expectation of privacy, and under established Fourth Amendment principles, police officers must get a search warrant before they can look through call logs or examine other data. The court wisely decided that it made no sense to try to distinguish among various kinds of cellphones based on what specific functions they have. All cellphones, the court said, fall under the search warrant requirement.

The judges were wise in their decision.  Modern smartphones contain a great deal of information that you don’t want falling into unauthorized hands.  Today many people sync their entire online address book to their phones.  Also consider that social networking applications app could expose your associations beyond the address book on your phone. And while not sound information security practice, many small businesses use free email services and employees do work on personal equipment.  As an employee, you could be exposing your employer’s business to unauthorized viewing.  Small business employers should also be concerned.  You normally don’t want just anyone reading your company information without a proper NDA.  If you are planning to IPO anytime soon, this would not be a good thing.

You can protect yourself by setting the password on your phone.  I won’t go into specific details since there are many different phones.  A 4-digit PIN is all you can get out of most older phones.  If you have the option to set a password that consists of other characters you might consider enabling that feature. Password protecting your phone will also help prevent anyone from going through its contents or making calls using your account.  If you’re going to put a password on your phone for privacy reasons, then consider the cost of someone using your phone to make international long distance calls. 

Many people put off reading the user manual, but now might be the time to take a look.