I recently registered for a website hosted by a government agency that handles some of the most sensitive personal information available within the U.S. Government. While the site is only a simple scheduling system, imagine my dismay when I received an email confirming my registration that included both my username and password in the email body. That email demonstrates that, despite all of the reported attention to security over the past several years, especially within the Federal Government, we are failing to build an effective information security culture.
As just about everyone who reads the news knows, Google announced on Tuesday, January 24, 2012 that it would merge the data it collects from individual users across all of its properties starting March 1, 2012. Basically, Google will be able to better anticipate how to direct individual user activities to best serve their needs, building a grand database of all user activity and behaviors. The question that few are asking, though, is what the impact will be on businesses. That's where things get really complicated.
I've always been a strong proponent of the judicious use of strong authentication. Due to the government's push to introduce smart cards under HSPD-12, and industry standards like PCI, multi-factor authentication is becoming increasingly common for certain system access scenarios across a wide range of organizations.
Imagine that each of us would need a tank to safely drive on the road. We would be well protected from any obstacles that could come our way, but at the expense of speed, agility, and cost. We could also blow each other up, forcing us to buy bigger and better tanks all of the time to retain a consistent state of security. That's the kind of environment that companies face when using the Internet. Rather than being able to invest in economical transport, each has to regularly procure stronger individual protection to defend themselves. What went wrong?
Organizations are demanding access to data and services anytime, from anywhere, on any device. Users really only require a device with a browser to access many enterprise applications or services from anywhere, at any time. Organizations are rapidly developing applications to enable their employees, customers and partners to access their data while on the go.
A rogue access point is an unauthorized wireless device that acts as a gateway into your internal network. It is typically attached to an open network port in an empty office or cubicle, but may be set up anywhere an open and active network port can be found. During our wireless assessments we always include a check for rogue access points. We recommend that our clients check for rogue access points at least quarterly if a real-time wireless IDS such as AirDefense is not in place.
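The quarterly check described above usually boils down to comparing a wireless survey against the inventory of access points you actually own. The script below is an added example, not InfusionPoints' own tooling: the authorized-AP inventory and the survey records are constructed for illustration, and the survey format (bssid, ssid, channel, encryption per line) is an assumption chosen to resemble what most scanners export, not the output of any particular tool.

```python
"""Flag rogue access points by comparing a wireless survey against the
authorized AP inventory.

Added example, not InfusionPoints' code. The inventory and the survey
records below are constructed; the survey line format
"bssid,ssid,channel,encryption" is an assumption, not a real tool's output.
"""

from dataclasses import dataclass

# Constructed inventory of authorized APs: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWiFi", 6),
    "00:11:22:33:44:02": ("CorpWiFi", 11),
    "00:11:22:33:44:03": ("CorpGuest", 1),
}

# Constructed survey in the assumed "bssid,ssid,channel,encryption" format.
SURVEY = """\
# bssid,ssid,channel,encryption
00:11:22:33:44:01,CorpWiFi,6,WPA2
00:11:22:33:44:02,CorpWiFi,11,WPA2
00:11:22:33:44:03,CorpGuest,1,OPEN
DE:AD:BE:EF:00:01,CorpWiFi,6,WPA2
de:ad:be:ef:00:02,linksys,9,OPEN
00:11:22:33:44:02,CorpWiFi,3,WPA2
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    reason: str


def parse_survey(text):
    """Parse survey lines into (bssid, ssid, channel, encryption) tuples.

    BSSIDs are lower-cased so that case differences between the scanner
    and the inventory never hide a match; comments and blanks are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, enc = [f.strip() for f in line.split(",")]
        records.append((bssid.lower(), ssid, int(channel), enc.upper()))
    return records


def find_rogues(records, authorized=AUTHORIZED_APS):
    """Return a Finding for every record that does not match the inventory.

    Three cases are distinguished: an unknown BSSID advertising one of our
    SSIDs (evil twin / rogue AP impersonating the corporate network), an
    unknown BSSID with some other SSID (a stray or rogue AP), and an
    authorized BSSID whose SSID or channel no longer matches the inventory
    (a reconfigured AP or a spoofed BSSID).
    """
    corporate_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for bssid, ssid, channel, enc in records:
        known = authorized.get(bssid)
        if known is None:
            if ssid in corporate_ssids:
                reason = f"unauthorized BSSID broadcasting corporate SSID {ssid} (possible evil twin)"
            else:
                reason = f"unknown access point, encryption {enc}"
            findings.append(Finding(bssid, ssid, channel, reason))
        elif known != (ssid, channel):
            reason = (f"authorized BSSID seen as {ssid}/ch{channel}, "
                      f"inventory says {known[0]}/ch{known[1]}")
            findings.append(Finding(bssid, ssid, channel, reason))
    return findings


if __name__ == "__main__":
    for f in find_rogues(parse_survey(SURVEY)):
        print(f"{f.bssid}  {f.ssid:10} ch{f.channel:<3} {f.reason}")
```

Two caveats a practitioner should keep in mind: a BSSID allowlist only sees devices that are transmitting during the survey, so a rogue AP with a hidden SSID, a cloned BSSID, or one that is simply powered off during the walk-through will not appear, and a survey taken from one location will not cover a large building. Pair the wireless check with wired-side controls (port security or 802.1X on access ports, and a look at switch MAC address tables for unexpected devices) so the open port the rogue is plugged into is caught as well.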
The 21st century workforce demands a flexible work environment. Employees do not want to be constrained by an office or to deal with the commute to and from work. Most information workers today can work from anywhere as long as they have an internet connection and a mobile device. This rapid shift in workforce demands threatens traditional organizations' comfort zone. Organizations do not want data leaving the perceived safety net of their controlled environment, and they face the real threat of data leakage and other security risks.
Check out this article, "Analysis: Cybersecurity puzzle is a tough one to solve," from Federal Computer Week. While it provides some well-reasoned perspective on the lack of cybersecurity effectiveness in U.S. Government systems, I think that the conclusions of the analysis are misdirected.
Organizations have a lot of cybersecurity challenges, and the Federal government probably has it worse than most. It represents a highly visible target, presents a huge attack surface, and maintains some of the most valuable information on the planet. To the modern hacker (state-sponsored or otherwise), U.S. government systems collectively look like a huge walled-off freshwater lake in a desert full of thirsty people.
Having spent nearly my entire IT career supporting the Federal government, I would argue that cybersecurity is only a tough puzzle to solve when you're trying to force the pieces into the wrong places. Rather, in my experience, the government tends to be deluded into seeing the cybersecurity picture as something different than reality. That's not to say that there are no good people in government cybersecurity. There are. But those people lack the tools and access to make much more than baby steps in progress, and are often supported by security practitioners who depend too much on ineffective practices that they defend as "leading."
I attended a series of web meetings over the past two weeks for the Federal Advisory Committees (FACAs) under the HHS Office of the National Coordinator for Health Information Technology. After listening in to the public Privacy and Security standards working group, I became a bit frightened by how legacy thinking around information security continues to leave us vulnerable to general mischief. The IT industry needs more innovation than we're receiving, especially with regard to the protection of our personal information.
Last week, I presented an argument for why the new SEC cybersecurity disclosure guidance is really a big deal for the information security community. If my prediction is right, then publicly-traded companies in the U.S. are going to start facing auditor requests for more cybersecurity information by late next year. Companies need to start preparing for those requests now to prevent potential negative shareholder action in the future.
InfusionPoints was founded by Gary G Daemer, a seasoned management and technology security consultant. He led multiple security consulting teams at Booz | Allen | Hamilton and American Management Systems. He also worked in industry as a Program Manager, Security Architect, and Enterprise Security Integration Engineer with BF Shaw, Radio Frequency Services, Harris Communications, ATT and Lowe’s, where he honed his leadership, management, enterprise security and privacy, identity and access management, and data protection skills.
As a Senior Vice President at InfusionPoints, Michael A Figueroa focuses on providing executive-level security program assistance to organizations of all sizes, across government and commercial industries. By leveraging a broad set of professional experiences across IT and information security disciplines derived from over 15 years of industry experience, Michael has served as a program manager in consulting teams at Booz | Allen | Hamilton dedicated to security integration across large government organizations...
As a Senior Vice President at InfusionPoints, Jason Shropshire is the market lead for commercial services. In addition he leads Identity and Access Management Infrastructure efforts for InfusionPoints' clients. Mr. Shropshire specifically focuses on the development, deployment and operations of security programs and infrastructure in complex commercial organizations, government agencies and non-governmental organizations.
We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employees', partners' and customers' data.