Information Security: Awareness is Spreading, but Not Fast Enough

If you knew that burglars were operating in your neighborhood, that they possessed technology rendering the locks on your home useless, and that affordable lock technologies that provide better protection were available, what would you do? Most people would change their locks ASAP. But many companies bring a different sensibility to bear when it comes to information security.

There is plenty we can do to improve our security, even if perfect protection is an illusion. And much help is available. But survey data by Cutter Consortium suggests that too few companies are buying new information security locks.

It’s not as though no one is paying attention. The data from the Cutter survey shows that a majority of companies are acting on the information security threat. But the data reveals disturbing details as well:

• A surprisingly large number of respondents don’t think the security of their IT infrastructure is all that important.
• Unrealistically large numbers of respondents believe that they have not yet been attacked, which probably indicates that they have been and do not realize it.
• Too many respondents select the “middle numbers” (i.e., 3 on a scale of 1 to 5) in characterizing their current security or level of threat, which may indicate a lack of detailed knowledge about security issues.
• Too many respondents “don’t know” the level of security within their organization, indicating a lack of awareness.
• Too few companies are making use of significant countermeasures, such as compartmentalization of IT infrastructure into zones.
• Too few companies are paying adequate attention to change control.

This last point is especially troubling. According to the survey results, only 48% of companies stringently control the applications that are installed on corporate computers. Although this survey question was perhaps too narrow (it asked about “all corporate computers” and added “keeping [applications] to a bare minimum”), change control keeping close account of exactly what runs on corporate computers and what should run on corporate computers is nevertheless an absolute necessity in determining whether an attack has occurred, what kind of attack it was, and what must be done in response.

This is more than a technical issue. If you don’t know what has happened after you’ve been attacked, you may not know what needs to be disclosed to the public, to your customers, or to law enforcement. Change control is the basis of solid forensics, and it’s necessary if an enterprise is to press charges against attackers. Furthermore, change control includes patch management: ensuring that recent security fixes issued by vendors are promptly applied. This is important because when fixes are released, hackers immediately set out to understand the threat that the fix is intended to address and to create new attacks that work against those who are slow to apply the fix. Attacks against recently announced vulnerabilities usually appear within days of a patch release.

A failure to keep track of what ought to run on your systems is also simply operationally sloppy. This kind of sloppiness should be no more acceptable to responsible companies than is sloppiness in tracking inventory or cash in a company’s bank account. When we stop thinking about information security as an esoteric problem and start thinking about it as an operational challenge that responsible companies must manage, we’ll approach the right level of awareness. Unfortunately, according to the survey results, only a subset of companies are recognizing this.