Securing important corporate or personal information has never been more challenging. Every day, new vulnerabilities are discovered, more breaches are reported and we all become less secure. Just look at the headlines, whether it is Anonymous latest attack, state sponsored Cyber espionage or warfare, criminal activity or just someone being exploited by five year old malicious code that still finds victims, the picture metaphor is of a snowball rolling downhill and getting bigger and bigger as it rolls.
Currently, we have a broken model and the state of security continues to spiral downwards. The main root of the issue is that the economics aren't aligned correctly to ensure accountability and responsibility. As a result, we have less security, higher costs, and greater pressure to opt for convenience over security and a fundamental failure to provide proper alignment and transparency to either company or government information security. Without making fundamental changes we are destined to have an ongoing erosion of our security which also translates into an erosion of our privacy and national security.
We need a new approach or paradigm shift, that is not radical, but rather one that offers the hope of changing the information security equation. This change in approach to security can be broken down into three distinct areas: embracing a different approach to legislation, focusing on nailing the basics, and establishing transparency about overall security posture. This approach will not be embraced by everyone as many have motivation and economic interests that conflict with maintaining good basic security practices. However, addressing these three areas are our best hope to changing the momentum toward improving security and privacy from our current trajectory.
Rules and regulations need to be more prescriptive
Today, many regulations and rules are written in ways that can negatively impact good, overall security practices and drive costs much higher. They provide an illusion of security without the benefits. Regulations today are written to incorporate every possible instance of the rule on impacted parties. A good example is the FFIEC regulations for financial institutions to increase the authentication safeguards over the Internet. The goal of FFIEC rule was to implement two-factor authentications for customers to access their information over the internet.
Rather than implementing a true two-factor authentication for their Internet facing websites, most if not all of the financial institutions implemented something that I call "double single factor authentication."
As a reminder, security has defined three types of authentication: something you know, something you have, and something you are. In the end, financial institutions implemented the so-called double single factor authentication, something you know and something else you know. If you go back to the definition of multifactor authentication, the financial institutions generally implemented password, which is something you know, and answers to some questions or knowledge-based authentication to supplement passwords. Both of which are susceptible to keyboard logging interception, which clearly do not meet the original intent of the regulation.
What would have happened had true two factor authentication introduced? What if the legislation had been much more prescriptive in its wording? When you look at the security landscape today, how many events would have not occurred had true two factor authentication been implemented? How many identities would not have been stolen or account cleaned out my man in the middle attacks.
So what does all this mean?
Since the general attitude is to do at best the minimum of the letter of the law and at the worst to do nothing at all, we need to correct this misalignment of non-prescriptive regulation. For example, the PCI DSS standards for credit cards. While this has not solved all the problems in the payment card industry, it has had a significant positive impact on security postures. Business lobbyist have worked legislators to water down security laws to be nonspecific under the banner that prescriptive laws will cost too much and will interfere with business flexibility. Yet ironically, when businesses needed to strengthen security, the credit card companies created something much more prescriptive than the government. The government must take the lead in either providing prescriptive legislation (not more regulations but effective ones) or by encouraging companies in the same industry to form security governance functions (not sharing forums like ISAC but real rule making group) similar to the credit card industry.
Another important factor is that the economics needs to be aligned to reflect damages. Years ago legislation was put in place that held a limit of liability for lost or stolen credit cards to only $ 50.00 for individuals. At the time many banks said the new requirements would put them out of business but that was not the result. What happened is that banks improved fraud and security measures to limit their losses. This is an example where legislation, aligned economic incentives to drive good behaviors. Economics can be part of the answer for changing the security paradigm.
How do we move forward?
Prescriptive regulations to ensure basic hygiene security
The recent 2012 Verizon Report states that 97% of data breaches were preventable with basic security measures. Many companies and individuals are not adhering to what most security professionals would call basic security hygiene. Security hygiene includes things such as antivirus, anti-spyware, personal firewalls and encryption to name a few. If we take the Verizon report and numerous other breach notification reporting, it is very clear that many of the items are preventable. It is astounding how many large organizations appeared not to have what is call basic hygiene defined as generally accepted controls by standards bodies when it comes to security. Often times this lack of basic hygiene is cause by several factors. First and foremost, many organizations think that some of the security controls are optional when they should just be implemented.
Take the deployment of ATMs for example. Over the last 40 years, ATMs have become mainstay of our daily lives, but they also serve as a lesson. ATMs where implement with a true two-factor authentication. A password or pin (something you know) and a card (something you have) are required to access the machine. This two-factor system was implemented at the inception of the machines and has delivered a high-level of security over the years. Are ATMs perfect? No, as they are still subject to skimmers and eavesdropping, but those are also manageable events. If basic hygiene security features are made optional as they are today, the argument against security because of its expense and intrusive nature will become a self-fulfilling prophecy. Prescriptive regulations that require basic hygiene security built into products and systems is the most cost-effective and efficient way of improving our security posture.
Transparency to ensure compliance
One of the great fallacies in today's information security environment is the issue that transparency makes us less secure rather than more secure. The lack of transparency allows companies that don't meet basic security to hide in the shadows hoping nothing bad will happen. While at the same time, companies that value good security and spend the money are not differentiated from the laggards in the marketplace. Attempts to create some security visibility have not garnered very much support for their efforts. One of the main reasons these efforts have failed is due to companies not wanting to share information related to their security practices for concerns that they could be compared against their competitors. Instead, companies have been willing to incur the expenses of third-party reviews and other assessments so as to obscure the consensus finding and distribution of their security posture.
Over the years there have been various voices advocating ISO frameworks, the use of SAS 70s or the old SysTrust reports now the SOC3. There are numerous frameworks the challenge is just to pick one. Also there is no definitive database of best practices to reference policies against. All of these factors combine make an assessment of a company's security posture almost invisible to customers and other business partners.
Part of the answer to transparency is that there has to be a concerted effort to establish an organization or framework so that security postures of individual companies become transparent and something easy for people to understand.
The current security model is broken, because rules and regulations are not prescriptive, basic hygiene is not practiced, and there's a lack of transparency that exists to understand the security posture of any organization. This broken model is causing a significant amount of financial losses, a significant loss of intellectual property and it also opens the US to economic harm from our adversaries. The current model needs immediate changes. Rules and regulations need to be prescriptive. Basic hygiene needs to be enforced regardless of the size or complexity of the organization. Such basic things as encryption at rest, encryption in transit, true dual factor authentication for all remote access, etc. Are these the only items that have to be addressed? No. But they are starting points to address the problems rather than attack symptoms of the problem which is only adding cost and complexity and security to the environment.
Craig Shumard is Principal at Shumard and Associates, a strategic security consulting company specializing in helping decision makers improve and measure information security solutions. He also serves as an advisor to Tenable Network Security. Formerly the Chief Information Security Officer at CIGNA, Shumard has extensive experience in the areas of information security, privacy, and compliance.