Friday, April 8, 2011

ISACA-WNY: Control and Compliance 2011 - 4/5 - Marcus Ranum Key Note Presentation Notes

"why do we keep working so hard and accomplishing so little"

Budgets are going up, why aren't penetrations going down?

If we stopped spending, things would get immeasurably worse

Firewalls don't work?  You're installing it wrong.  If you're allowing everything through port 80, don't blame the firewall. 

Threat landscape is changing so quickly, battlefield is shifting

The problem is complex; by the time that we understand it, things change

In the '90s, installing patches and a/v would solve security.  Now, Microsoft Patch Tuesday and a/v are still a focus, but good software development practices and configuration management are less so

Systems need internet access to be patched and are then exploited by the Bagle worm

Ranum uses unpatched Office 97 because it works

Game Over - In the '00s, security was in the news and became expensive
Security professionals cried wolf too many times and became identified as a cost center despite trying to sell ROI

Cloud computing paradigm is now attractive as a result of '00s expensive security infrastructure build-outs and administration requirements

Use of thumb drives added complexity to finding data and ensuring its handling

Cloud computing builds dependency; will cost increase after the dependency exists?
Unix/Linux crushed mainframes and then the price increased
Suggestion: Do a projection on cost savings and perform an EOY analysis to see what is realized

2010s - Regulation and Advanced Persistent Threat (APT)

Cyberwar was fought and US lost to China without knowing it was happening

Compliance monitoring and auditing adds complexities to administration and redundancies to security operations

If A trusts B and B trusts C, A trusts C and does not know it
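The transitive-trust point above, as an added example that is not part of the talk or of these notes: a small Python script that walks a set of explicit trust grants (constructed sample data) and reports every party that A ends up trusting only through a chain it never granted directly, together with the chain that produces it. This is the review a defender would run over real trust relationships (domain trusts, federation partners, VPN peers, supplier links) to surface the "trusts C and does not know it" cases.

```python
"""Find implicit (transitive) trust in a graph of explicit trust grants.

Constructed sample data: each key is a party, each value is the set of
parties it has explicitly chosen to trust (truster -> trusted).
"""
from collections import deque

TRUST_EDGES = {
    "A": {"B"},       # A explicitly trusts B only
    "B": {"C"},       # B explicitly trusts C only
    "C": {"D"},       # C explicitly trusts D only
    "D": set(),       # D trusts nobody
}


def reachable_trust(edges, start):
    """Return every party `start` ends up trusting, directly or via chains.

    Breadth-first walk; `seen` guards against cycles (A->B->A) and the
    start node is excluded so a party is never reported as trusting itself.
    """
    seen = set()
    queue = deque(edges.get(start, ()))
    while queue:
        node = queue.popleft()
        if node in seen or node == start:
            continue
        seen.add(node)
        queue.extend(edges.get(node, ()))
    return seen


def implicit_trusts(edges):
    """Map each party to the parties it trusts only transitively.

    Reachable trust minus explicit grants leaves exactly the trusts the
    party never granted and is usually unaware of.
    """
    return {party: reachable_trust(edges, party) - edges.get(party, set())
            for party in edges}


def trust_chain(edges, start, target):
    """Return one explicit chain start -> ... -> target, or None if absent.

    Shortest chain via BFS with parent pointers, so the report shows the
    minimal set of relationships that needs reviewing.
    """
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in edges.get(node, ()):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    # Report each hidden trust with the chain that creates it.
    for party, hidden in implicit_trusts(TRUST_EDGES).items():
        for trusted in sorted(hidden):
            chain = " -> ".join(trust_chain(TRUST_EDGES, party, trusted))
            print(f"{party} implicitly trusts {trusted} via {chain}")
```

With the sample data the script reports that A implicitly trusts C and D (via A -> B -> C -> D) and B implicitly trusts D, while C and D have no hidden trusts. Running the same walk over an exported list of real trust relationships turns the speaker's point into a concrete inventory of the chains that need a decision: accept them, or break the link.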

APT is frequently malware and intelligence gathering

iPads and smart phones are a "gift" to the next generation of security pros, a "toxic love canal"; executives are walking around with the equivalent of an "h-bomb on their hip"

An Advanced Threat Management operation is needed to manage organizational data threats regardless of the Cloud

A tabletop risk management drill can be useful for understanding threat response.  What would you do if your customer database was on eBay?

"Security is an expense that you pay to avoid a much bigger expense"

Southwest grounded all of their planes to save lawsuit expense and identified several other affected planes

Monday, January 31, 2011

Not All Data Is Created Equal


It seems that Wikileaks has become the cause-du-jour.  In late 2010, rabid supporters launched targeted cyberattacks in efforts to bring their own DDoS-flavored retribution upon dissenters. Working in the field of information security, it is difficult not to be whole-heartedly against both this position and this method of "support".

Data classification is the bedrock upon which information security best practices are founded. Without an understanding of what data is more sensitive in nature than other data, determining appropriate protection levels is folly. 

Should financial data be considered any more sensitive than e-mail correspondence?  Should Human Resources data be handled differently than a stock image archive?  Certainly.  Why?  Because corporations, and as we have most recently learned, banks and their account holders, can be damaged or otherwise placed at a competitive disadvantage by the unauthorized disclosure of their financial data. Because as individuals, the unauthorized disclosure of our SSNs or background check data can lead to identity theft among other long-term harm. It is the same reason why we cringe whenever we receive correspondence that begins, "We regret to inform you..." and blush when our personal correspondence or photos become public.

Therefore, the impact of the disclosure or breach of such data may fairly be considered justifiably high. The probability of its unauthorized disclosure or breach in this example is also recognizably influenced by the quality of the controls protecting the data, both logical and physical.

Supposing that government or bank classification systems overprotect data in conflict with the right to public knowledge is to arrive at a belief without due consideration given to the risk assessment metrics employed, inclusive of probability, impact, and contributing risk factors. As such, the public is at an unfortunate disadvantage in its ability to weigh the threat posed by unauthorized disclosure and astoundingly unqualified to speak to its need.

Consider this: If your fellow employee were to use their database access privileges to review your compensation package for use in their own salary negotiations, have they violated corporate trust?  If the same employee were then to e-mail your compensation package to a company-wide distribution list, have they violated your right to personal privacy?  If the same employee were to publish your compensation package to the web while passionately arguing that the information illustrates principles of corporate greed and the unfair labor practices of third world countries, have either corporate trust or your right to personal privacy been violated?  Did the worthiness of the cause justify the unauthorized action?

In the case of Wikileaks, Mr. Assange's alleged source of 260,000 United States State Department cables, 22-year-old Army intelligence analyst Private Bradley Manning, despite the extensive background checks employed by the military prior to granting clearance, still allegedly found a need to share. Since then, it has been reported that former Swiss banker Rudolf Elmer, despite the due care similarly taken prior to granting his access, also felt compelled to share, by his own admission, over 2,000 confidential records of account holders in violation of Swiss banking laws, in supposed reaction to bank inaction regarding alleged tax crimes.  Further rumors of future releases of internal banking documents have also been speculated to be pending.

While it can be certain that, in post-breach lessons learned, the United States government and banks around the world will pay closer attention to identity governance controls, if not at least to Data Loss Prevention considerations, the concept that it may be acceptable to flout organizational policy, state and federal laws, or even societal mores given a personal belief in a just cause is a slippery slope.  Any media outlet willing to be complicit further threatens to erode whatever journalistic integrity it may have otherwise possessed.

Finally, as we individually consider these, and what is likely to be many more, cases of unauthorized disclosure of information, and come to determine our personal views on each, we may also wish to take a moment to consider exactly how we can be so concerned with our Facebook privacy settings and in the very same breath view the unauthorized disclosure of any other data with less severity.  For should we continue this course, our own information will one day too be "wikileaked" to a chorus of believed-justified "supporters".