Opinion

Business Partner Security: Mistrust Never Sleeps

A healthy suspicion of every business partner can pay dividends for the CSO.

By David H. Holtzman

April 01, 2003 — CSO — As I write this, the country is deciding whether to pass or play at war. I live in the Washington, D.C., area, where our nerves are shot. During the past year and a half we've lived with the anticipation of terrorists, anthrax, then snipers. We're back to terrorists again. Safety has become a commodity as tangible as duct tape or gas masks; it is the negative space left behind when fear is erased. Security is different. It lasts longer. And it's not about finding a feel-good solution. Security is about trust.

The modern world has become too complicated to navigate solely from our experiences and senses. We have become reliant on too many unseen others. Every time we eat in a restaurant without watching the food being prepared in the kitchen, it's an act of faith, which is shared by other diners. Consumer trust comes from numbers.

Recently, we heard in the news that someone had hacked 8 million Visa, MasterCard and American Express card numbers. The break-in occurred at an unidentified merchant payment processor. How did this middleman acquirelet alone losemillions of consumers' intimate data? Customers trusted the merchant, and the merchant had faith in the payment processor, or more likely a fourth party that sold the store a turnkey solution.

The corporate pressure point in all of this is often the unfortunate CSO who is tasked with being suspicious of everyone and everything. At the same time, however, the CSO must depend on the kindness of strangers. Not only is he reliant on procedural adherence by every employee of the company, but he must operate with the knowledge that every new ware, hard or soft, could be stabling a Trojan horse.

The health of corporate security at any given time is defined by the worst of thousands of buying decisions. The reasons for the choices are soon forgotten, but any vulnerability remains behind until the gear is replaced.

As supply chains grow, it becomes increasingly likely that people who do business together will never meet. Much of the value gained from consultants and expensive management hires comes from their ability to vouch for a strange company. Reputation and reliability have become even more important in the digital world. Untrustworthy employees can compromise passwords; unreliable vendors may have unknowingly integrated exploitable mistakes; and undependable protocols can lull administrators into a false sense of security.Digital TrustFifteen minutes with a packet sniffer or one hour with password Crack will scare sense into anybody. Most protocols still send passwords in the clear (simple mail transfer protocol and Wi-Fi come to mind), meaning that anyone who has unrestricted access to a computer can get into the whole network.

• Email
• Print
• Comments
• Digg This
• SlashDot

• How to Minimize E-Commerce Risk
• SAS 70
• Don't Mind Your Own Business