With Security, You Must Regulate Thyself

Internet security is a horizontal issue that we regulate vertically, and this is putting us all at risk.

eEye Digital Security – A November 2009 episode of 60 Minutes described recent serious Internet security attacks that largely went unnoticed. (Watch the segment here: http://www.cbsnews.com/video/watch/?id=5578986n). Sections of Brazil’s electrical grid were shut down by hackers, the state government of Virginia was victimized by a cyber-extortion scheme, and even the command and control infrastructure of the U.S. Department of Defense was breached by a foreign entity.

The scope of the threats makes your head spin.

Think of how many times a day you come into contact with the Internet. You shop online, you check your bank balance, you look on your smart phone for traffic conditions, you stop at an ATM, you use an electrical device – and chances are, you are on the Internet, albeit often indirectly.

Thinking about how often the Internet shows up in our lives reveals that practically every industry, from utilities to financial institutions to health care to entertainment, is now an Internet-enabled industry.

That is the crux of the problem.

Internet security is a horizontal issue, but we regulate it vertically. Regulations such as FFIEC and HIPAA address specific industries (financial services and health care), even though the threats those industries face apply to many others. The few cross-industry regulations, such as SOX and PCI DSS, are narrow in scope and fail to address the broad nature of today’s wide-sweeping threats.

Utilities, for instance, are critical to every single industry and every single consumer, yet they have managed to operate without government-mandated Internet security regulations.

Why More Regulation Won’t Work

The simple solution to this problem is more regulation. But with the money that industries will inevitably spend to torpedo new regulations, the solution isn’t as simple as it appears.

Moreover, regulations don’t solve everything. FFIEC (Federal Financial Institutions Examination Council) guidance, for instance, covers topics such as authentication, but it doesn’t tell you exactly what to do; there are no tangible specifications. You still must make the critical security decisions yourself.

Even if new regulations emerge, will they address each and every critical industry? Probably not, and even if they do, we need to act in the meantime. Waiting for someone else to solve the problem is an enormous risk.

If you’re in an unregulated industry, your IT staff is probably worried about other day-to-day concerns, such as application availability. They shouldn’t be. Every day that passes by without advanced security processes and systems in place is a day that you are at risk.

If your security is not up to par, today is the day to start shoring up your defenses and planning for the future. These five steps should help.

1. Gain Network Visibility. How do you secure a network if you don’t know what’s on it? Are there unsecured wireless access points on the network? Are there servers in branch offices you didn’t know about? Is there a networked office device, such as a printer or fax machine, that could serve as an unlocked back door?

2. Conduct Vulnerability Assessments. Every entry-level IT worker knows that you must patch your systems in order to shore up defenses. What’s often overlooked, though, is that a vulnerability assessment is just a starting point. A complete vulnerability management program correlates weaknesses to risks and helps you prioritize as you cope with patches, updates and even new equipment purchases.

3. Establish Security Policies. Creating policies for critical security issues such as authentication, peripheral storage device usage, remote access, and guest and contractor rights is essential. For instance, if you don’t have a policy that expires contractor accounts immediately after they finish their jobs, you’re opening yourself up to outside attacks.
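One way to turn the contractor-expiry policy above into a repeatable check, as an added example that is not part of the original article or eEye’s products: the account records, the `contract_end` field and the sample directory extract are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    """Minimal view of a directory account, as assumed for this example."""
    username: str
    kind: str                       # "employee" or "contractor"
    enabled: bool
    contract_end: Optional[date]    # None for employees, or a policy gap for contractors


def accounts_to_disable(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, reason) for every enabled contractor account that violates
    the policy: its contract end date has passed, or no end date was ever recorded
    (so the account can never expire automatically)."""
    findings = []
    for acct in accounts:
        if acct.kind != "contractor" or not acct.enabled:
            continue
        if acct.contract_end is None:
            findings.append((acct.username, "contractor account has no end date"))
        elif acct.contract_end < today:
            findings.append((acct.username, f"contract ended {acct.contract_end.isoformat()}"))
    return findings


# Constructed sample directory extract; these are not real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, None),
    Account("bob.ctr", "contractor", True, date(2009, 10, 31)),    # contract over, still enabled
    Account("carol.ctr", "contractor", True, date(2010, 3, 31)),   # still under contract
    Account("dave.ctr", "contractor", False, date(2009, 6, 30)),   # already disabled, fine
    Account("erin.ctr", "contractor", True, None),                 # no end date recorded
]

if __name__ == "__main__":
    for user, why in accounts_to_disable(SAMPLE_ACCOUNTS, date(2009, 11, 15)):
        print(f"DISABLE {user}: {why}")
```

Run it from a scheduled job against a real directory export and feed the findings to the disable step; the "no end date" case is the one that usually reveals where the onboarding process, not the script, needs fixing.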

4. Match Security Tools to Your Risks. While some risks are consistent across industries, others are not. For example, in information-heavy industries, IP theft is a major concern. In healthcare, patient confidentiality takes precedence. As you invest in new security tools, such as multifactor authentication, policy enforcement, data loss prevention or compliance management, make sure they meet your most pressing needs. In addition, make sure these vendors offer regular security patches, especially if they are based on open source, to mitigate compliance-related risks.

5. Make Security a Priority. For most organizations, security is a job given to a system administrator who has a dozen other tasks on his to-do list. If you have the same person worrying about application availability and security, you should rethink your employees’ roles. Security is no longer a job that can fall halfway down the IT to-do list. If your organization is large enough to hire a dedicated security expert, do it. If your organization is too small for that, make sure security is part of the standard, daily IT workflow. Don’t allow it to fall through the cracks as IT puts out other fires.

Bonus step: Practice Full Disclosure. I didn’t include this with the top five because I’m being realistic. Few organizations will follow this advice, but they should.

Most major security incidents go unreported each year because organizations fear the embarrassment and bad publicity that disclosure brings. Many individual states have tried to remedy this with breach-disclosure laws covering consumer information, but not all states have followed through, and that limited class of breach isn’t the only kind of attack that should be disclosed to the public, or at least to the security community.

Security breaches over a certain dollar amount, say, $500K, or over a certain risk threshold (which, granted, is harder to measure) should be reported, whether or not you are required to do so. If it has happened to you, it will happen to someone else. Reporting the breach will help others develop defenses against a similar attack. The key here is to learn from history, and to learn from someone else’s mistakes.

# # #

Morey Haber is Vice President of Business Development for eEye Digital Security, a provider of integrated vulnerability and compliance management solutions based in Irvine, Calif. For information visit www.eeye.com.
