At many large branches, customers are greeted at the front door by an armed guard providing perimeter security. Inside, the bank is well-equipped with security cameras for surveillance and manual alarms that can be activated by threatened tellers.
The last line of defense of course is the bank vault itself. Securing the money in a safe means that bad guys have to go to extraordinary lengths (think dynamite or safecracking) to pull off a heist.
This classic "defense in depth" architecture protects every layer of the infrastructure and is the basis of all good security models. Take Visa's Cardholder Information Security Program, or CISP, for example. Mandated in 2001, the program defines 12 security standards for all Visa payment system constituents. The standards include perimeter security, ongoing surveillance and protecting critical data at rest and in flight.
Visa clearly understands the risks of weak information security on its business, which is why it demanded CISP compliance. Service
Compared with systems at other enterprises, CISP is like Fort Knox. Most companies still dedicate most of their security budget to perimeter products such as firewalls and filtering gateways--and things go downhill from there. Businesses tend to pay marginal attention to surveillance by setting up chatty Intrusion Detection Systems, or IDSes, and occasional system audits.
When it comes to protecting the crown jewels--that is, corporate information--few companies do anything. Servers maintain default configurations, loads of system administrators have root access, databases are tuned for performance not security, and information is stored on open storage platforms in clear text.
Anyone else thinking "Swiss cheese" at this point?
Confronted with this situation, many companies freak out and rush to find an encryption tool to protect their intellectual property. I think this has something to do with the popularity of Dan Brown novels myself, because encryption is only part of the solution. If I can break into the server, or exploit database or system vulnerabilities, I can still get access to encrypted data--every time.
The first step here isn't nearly as sexy as encryption: It's boring, old audit. For example, remember Oracle's "unbreakable" campaign?
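The "boring, old audit" the column recommends can be made concrete. The following is an added example, not code from the column or from any vendor it names: a small rule-based check over a constructed server inventory that flags the weaknesses listed above (default configurations, too many root holders, databases tuned only for performance, clear-text storage) and, reflecting the point about encryption, flags encrypted data whose key sits on the same host, since a compromise of that host yields the plaintext anyway. The host names, field values and policy thresholds (`MAX_ROOT_HOLDERS`, `AUDIT_INTERVAL_DAYS`) are all assumptions.

```python
"""Minimal layered-controls audit over a constructed host inventory.

Added illustration (not from the column): each Host record is the kind of
fact an auditor collects per server; the rules encode the weaknesses the
column lists. Names, values and thresholds are constructed/assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    default_config: bool            # still running on vendor defaults?
    root_holders: int               # accounts holding root / DBA rights
    db_security_tuned: bool         # auditing, least privilege, etc. enabled
    data_at_rest_encrypted: bool    # stored data encrypted?
    key_on_same_host: bool          # key material kept beside the data
    last_audit_days: Optional[int]  # days since last security audit; None = never


MAX_ROOT_HOLDERS = 3        # assumed policy threshold
AUDIT_INTERVAL_DAYS = 90    # assumed policy threshold

Finding = Tuple[str, str]   # (severity, description)


def audit_host(h: Host) -> List[Finding]:
    """Apply the audit rules to one host and return its findings."""
    findings: List[Finding] = []
    if h.default_config:
        findings.append(("high", "server still on default configuration"))
    if h.root_holders > MAX_ROOT_HOLDERS:
        findings.append(("high", f"{h.root_holders} root holders exceeds {MAX_ROOT_HOLDERS}"))
    if not h.db_security_tuned:
        findings.append(("medium", "database tuned for performance, security features off"))
    if not h.data_at_rest_encrypted:
        findings.append(("high", "data stored in clear text"))
    elif h.key_on_same_host:
        # Encryption alone does not help once the host itself is compromised.
        findings.append(("medium", "encryption key stored with the data; host compromise yields plaintext"))
    if h.last_audit_days is None or h.last_audit_days > AUDIT_INTERVAL_DAYS:
        findings.append(("medium", f"no security audit within {AUDIT_INTERVAL_DAYS} days"))
    return findings


def audit_inventory(hosts: List[Host]) -> Dict[str, List[Finding]]:
    """Run the audit over every host; keyed by host name."""
    return {h.name: audit_host(h) for h in hosts}


def summarize(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count findings per severity across the whole report."""
    counts = {"high": 0, "medium": 0}
    for findings in report.values():
        for severity, _ in findings:
            counts[severity] += 1
    return counts


# Constructed inventory: one neglected database server, one file server that
# encrypts but keeps its key locally, and one host that passes every rule.
INVENTORY = [
    Host("db01", True, 9, False, False, False, None),
    Host("fs02", False, 2, True, True, True, 30),
    Host("vault03", False, 1, True, True, False, 10),
]

if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name, findings in report.items():
        print(name, "-> clean" if not findings else "")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
    print("totals:", summarize(report))
```

Real audits pull these facts from configuration management and access-control systems rather than a hand-written list; the value of even this simple rule set is that it makes the "Swiss cheese" visible per host and per layer before any money is spent on encryption products.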
Since many small businesses just don't consider security, database-penetration testing, vulnerability and (yes) encryption, tools from companies such as Application Security can help. The same is true of host vulnerability-scanning software from providers such as Foundstone (McAfee), Internet Security Systems and Symantec.
Moving down the proverbial technology stack, storage infrastructure seems to have a permanent spot at the back of the security line.
In a recent Enterprise Strategy Group survey of end users, 30 percent of respondents said their information security policies and procedures don't include data storage technologies such as storage arrays; Storage Area Networking, or SAN, switches; or storage management software. Eight percent of storage administrators and 16 percent of security administrators believed their storage infrastructure was insecure. Only 37 percent of the respondents claimed that their companies had undertaken a storage security audit. Does anyone else want to stuff their money into a mattress?
Again, this doesn't need to be the case. Service offerings from @Stake, Glasshouse and McData specialize in storage security audits and remediation. Storage security technologies from Decru, Kasten Chase, NeoScale Systems and Vormetric are slowly gaining visibility.
Even with some of these leading-edge technologies available, will anything change? You bet it will. Chief financial officers loathe spending money on insurance such as information security technology, but they hate having their intellectual property lifted a heck of a lot more. Marketing executives feel pretty foolish when national headlines describe how the company's customer database was cracked by some "Star Trek"-loving system administrator.
Finally, let's not forget those government wonks with the ever-growing list of regulations. These aren't isolated issues; they have an impact on companies every day. Something tells me there will be less rhetoric and more vaults, moving forward.
One additional security cliche warns against locking the doors but leaving the windows wide open. Leaving corporate data unprotected is clearly an example of this. Let's face it: There are simply too many risks and vulnerabilities out there to continue this type of irresponsible behavior. Heck, Visa certainly recognizes this and is mandating changes to its constituents. Smart companies will respond quickly to protect themselves and their customers, while fools will wait for further regulations or costly breaches before they learn.
Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.
1) Security incidents reported to CERT grew by 2,099% between 1998 and 2002.
2) NIST estimates that the 4,000 security flaws, bugs and errors found in software each year cost the U.S. economy $59.5 billion per year.
3) Gartner estimates that 35% of all successful attacks are a result of software defects.
4) Both NIST and The Software Engineering Institute at Carnegie Mellon agree that most vulnerabilities come from software implementation (coding) errors.
Okay, but those are just stats/opinions, right? Wrong -- because of this trend, the powers that be (analysts, the U.S. government (http://news.yahoo.com/news?tmpl=story&u=/nm/20041207/tc_nm/tech_security_dc_5), and purchasers of software) are recommending that vendors be required to certify that their software has been tested for security vulnerabilities (buffer overflows, malformed inputs, symbolic links, etc.).
You mentioned some services firms that can help companies identify some of these security issues, but there is also a growing number of companies that have products that automate the process of identifying security vulnerabilities in source code (in the long run, a more cost-effective solution than using services alone). One of these companies is Klocwork Inc. (http://www.klocwork.com).
Keep up the good work.
Nick
I fully support QDSC in concept to create certified companies, basically licensing them to uphold certain standards. I think this should be the case across the industry for security professionals and security companies performing security assessments. ISC2's CISSP professional certification is an attempt to kind of do that for the individual, or ISACA's CISA for the auditor, but they probably don't go far enough to ensure that a professional upholds the necessary high standards of ethics and talent.
What I'm wondering is whether it is considered fair business practice to cause discrimination against smaller talented security assessment organizations because they find it difficult to justify spending $20k to become QDSC and $10k per year to remain certified; these are the base fees, not counting other expenses such as training and other certification costs.
What is the feeling of others? Are we headed for rising security assessment costs for organizations because the number that can pay the fee is smaller, or because the companies that do pay the fee will need to raise their rates to recover this expense?
Ken M. Shaurette, CISSP, CISA, CISM