3 reasons why America's security model is broken
Craig Shumard argues that lack of transparency, a refusal to implement even basic controls, and rules and regulations that make no sense have led to a broken, dysfunctional security environment among U.S. businesses. Here's how he suggests we fix it
By Craig Shumard
June 28, 2013 — CSO —
Securing important corporate or personal information has never been more challenging. Every day, new vulnerabilities are discovered, more breaches are reported and we all become less secure. Just look at the headlines: whether it is Anonymous' latest attack, state-sponsored cyber espionage or warfare, criminal activity, or simply someone being exploited by five-year-old malicious code that still finds victims, the picture is of a snowball rolling downhill and getting bigger and bigger as it rolls.
Currently, we have a broken model, and the state of security continues to spiral downwards. The root of the issue is that the economics are not aligned to ensure accountability and responsibility. As a result, we have less security, higher costs, greater pressure to opt for convenience over security, and a fundamental failure to provide proper alignment and transparency in either corporate or government information security. Without fundamental changes we are destined to see an ongoing erosion of our security, which also translates into an erosion of our privacy and national security.
We need a new approach, a paradigm shift that is not radical but that offers the hope of changing the information security equation. This change in approach can be broken down into three distinct areas: embracing a different approach to legislation, focusing on nailing the basics, and establishing transparency about overall security posture. This approach will not be embraced by everyone, as many have motivations and economic interests that conflict with maintaining good basic security practices. However, addressing these three areas is our best hope of changing the momentum and moving security and privacy off their current trajectory.
Rules and regulations need to be more prescriptive
Today, many regulations and rules are written in ways that can negatively impact good overall security practices and drive costs much higher. They provide an illusion of security without the benefits. Regulations today are written to cover every possible instance of the rule across the impacted parties. A good example is the FFIEC guidance for financial institutions to increase the authentication safeguards over the Internet. The goal of the FFIEC rule was to implement two-factor authentication for customers accessing their information over the Internet.
Rather than implementing true two-factor authentication for their Internet-facing websites, most if not all of the financial institutions implemented something that I call "double single factor authentication."
As a reminder, security practice defines three types of authentication factor: something you know, something you have, and something you are. In the end, financial institutions implemented the so-called double single factor authentication: something you know and something else you know. Measured against the definition of multifactor authentication, the financial institutions generally implemented a password, which is something you know, supplemented by answers to some questions, or knowledge-based authentication, which is also something you know. Both are susceptible to keystroke logging, which clearly does not meet the original intent of the regulation.
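The distinction the article draws can be made concrete in code. The following is an added example, not code from the article or from any financial institution: it classifies factors by category, so that password plus knowledge-based answers is recognised as a single category, and then simulates what a keystroke log of one legitimate login is worth to whoever holds it. The user record, the passwords, the knowledge-based answers and the TOTP secret are all constructed values; the possession factor is a standard RFC 6238 time-based one-time code, chosen here as the illustration of "something you have", and the verifier includes the replay check that RFC recommends (a time step that has already been used to log in is never accepted again).

```python
import hashlib
import hmac
import struct

# Category of each factor type: the "something you know / have / are" taxonomy.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "kba": "knowledge",        # knowledge-based questions are still something you know
    "totp": "possession",      # a code from a device the user holds
    "fingerprint": "inherence",
}


def is_multifactor(factor_types):
    """True only when the factors span at least two distinct categories."""
    return len({FACTOR_CATEGORY[f] for f in factor_types}) >= 2


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, default 30-second step) for a Unix time."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


# Constructed enrollment record for a hypothetical user; none of these are real.
ENROLLED = {
    "password": "correct-horse-battery",
    "kba": {"first pet": "rex", "mother maiden name": "smith"},
    "totp_secret": b"constructed-example-secret",
}


def verify_double_single_factor(submission):
    """Password plus knowledge-based answers: two checks, one category."""
    pw_ok = hmac.compare_digest(submission["password"], ENROLLED["password"])
    kba_ok = all(
        hmac.compare_digest(submission["kba"].get(question, ""), answer)
        for question, answer in ENROLLED["kba"].items()
    )
    return pw_ok and kba_ok


class TwoFactorVerifier:
    """Password plus TOTP. A time step that already produced a successful
    login is never accepted again, so a captured code cannot be reused."""

    def __init__(self):
        self.last_counter = -1

    def verify(self, submission, at_time, step=30):
        pw_ok = hmac.compare_digest(submission["password"], ENROLLED["password"])
        counter = int(at_time) // step
        code_ok = hmac.compare_digest(
            submission["totp"], totp(ENROLLED["totp_secret"], at_time, step)
        )
        if pw_ok and code_ok and counter > self.last_counter:
            self.last_counter = counter
            return True
        return False


def replay_demo(capture_time=1_700_000_000, replay_delay=300):
    """Simulate a keystroke log of one legitimate login, then replay it.

    Everything the user typed (password, KBA answers, OTP digits) is in the
    capture. Only the scheme whose second factor is bound to a device and to
    the current time step refuses the replay."""
    captured = {
        "password": ENROLLED["password"],
        "kba": dict(ENROLLED["kba"]),
        "totp": totp(ENROLLED["totp_secret"], capture_time),
    }
    two_factor = TwoFactorVerifier()
    legitimate = two_factor.verify(captured, capture_time)
    return {
        "double_single_factor_is_mfa": is_multifactor(["password", "kba"]),
        "password_totp_is_mfa": is_multifactor(["password", "totp"]),
        "legitimate_two_factor_login": legitimate,
        "replay_against_double_single_factor": verify_double_single_factor(captured),
        # Same 30-second step as the capture: the code still matches, but the
        # step was already consumed by the legitimate login.
        "replay_within_same_step": two_factor.verify(captured, capture_time + 5),
        # Minutes later: the captured digits no longer match the current step.
        "replay_later": two_factor.verify(captured, capture_time + replay_delay),
    }


if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(f"{name}: {outcome}")
```

Running the demo shows the point of the passage: the knowledge-only scheme accepts the replayed transcript exactly as it accepted the original login, because nothing the user typed was secret from the keystroke logger, while the same transcript fails against the password-plus-TOTP verifier both within the original time step and afterwards. Enrolling a second knowledge factor therefore adds a question the attacker must capture, not a category the attacker must defeat.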