Security Watch | Matt Hines

September 12, 2007

Reducing secondary data exposure

Sometimes there just isn't enough time.

I have to give my colleagues here at IDG credit for running a great Security Standard conference in Chicago this week, but I suspect that many attendees (like myself) could have done with less of the self-promotion from Cisco and Microsoft, and more time with Global Security Management CTO Paul Williams.

As I noted in my blog on his Monday presentation on real-world attacks, Williams is a master showman who likes to make all sorts of fantastic claims and bold observations about the nature of enterprise security and hacks.

Some people like to theorize about the pervasive nature of threats, the involvement of organized crime and nation states in attacks, and the woeful shortcomings of most companies' IT security strategies -- mostly in broad terms and generalizations.

Williams will look you in the eye and tell you that his company is actively chasing down attacks from foreign nation states against the world's largest businesses and United States government entities, and describe the unbelievable lengths attackers are going to. For real.

GSM specializes in security training and post-incident computer forensics. By its own account, the company knows how to do a lot of bad things to get onto your network, and has developed a number of techniques for addressing the issue.

While his claims sometimes seem to border on the outrageous (such as that companies can "profoundly" improve their security -- by as much as 90 percent -- merely by working harder to configure networking infrastructure), the truth is that I walked away believing just about everything that he had to say. And so did most of the conference attendees that I spoke to.

In his second thirty-minute installment at the show, Williams shifted gears from the ubiquitous presence, variety and efficacy of sophisticated and targeted security attacks to some of his concepts for improving enterprise security.

One of the primary tenets of his advice revolves around the strategy of reorganizing network assets and data to reduce "secondary vulnerability exposure."

The idea is simple: design your network the way the Navy builds its submarines, with sealed-off compartments to prevent a small breach from taking down the whole shebang.

Hackers or more invasive criminals will be able to break into your network no matter how good you are at security, he said -- whether by intercepting remote workers' passwords or subverting your trusted administrative assistants with large sums of money to get a foot in the door, or by any other means they can devise.

The key is to keep different silos of data disconnected, or partitioned away from each other sufficiently, to prevent hackers from running wild on your network once they break in.

"Hackers aren't the problem, it's really us, the organizations, and how we approach information management," Williams said. "We don't worry about hackers, we worry more about what people [read as enterprise IT shops and business users] are doing."

For instance, even if your assistant isn't being paid by ex-KGB spies to let them into your sensitive database (the wildest story he told in the meeting was about someone who parachuted onto the roof of a DoD installation to install listening devices for the purpose of spying), they are probably leaving their computer open to Web-based attacks or even physical exploitation -- such as by leaving their machine unprotected when they go away from their desks to retrieve your coffee. (I've never had an admin, and it shows, eh?)

Williams is big on the idea that scumbags really do infiltrate facilities in person in the name of carrying out attacks. Scary stuff indeed.

Anyway, a watered-down version of his concept is that companies need to do as much as they can to strictly partition sensitive data away from other resources and limit access to it by line-of-business applications.

It sounds simple enough, but the expert contends that the largest companies in the world still don't get it, and allow application developers to build tools for business users that leave significant opportunities for anyone who gets onto the network to reach an organization's most sensitive data.

"The networks we see day-after-day in [the world's largest companies] are almost entirely perimeter-based defenses with very little protection on the inside; if someone gets through that, they're typically almost unlimited in the things they can do," said Williams. "At [today's] level of attack there's no way to stop experts from getting through, so you need to mitigate risk on the inside so that when someone gets in the damage can be compartmentalized."

In addition to re-architecting networks so that sensitive data is kept under lock-and-key and connected to only those applications that must have access to the information, Williams said that companies need to build alert systems that tell them whenever anything else tries to access the information.

The CTO blames the push to get business apps up-and-running fast as the biggest enemy of this type of approach.

"This is the root cause of almost all the risk we have today; it's a constant battle to get operational data out over departmental boundaries. This is the problem companies need to solve first to set the stage for success," he said.

"Conflicting ideas over business risk are at the heart of the matter, with everyone trying to protect their own turf, and solutions tending to be born of what has been done before [even when apps are built in an insecure fashion]," he said. "IT workers don't have the ability to qualify risk to business people and everyone is speaking their own language; the endgame is a series of compromises that undermine security for years to come."

In addition to drastically shifting sensitive data storage and the ability for applications to access it, Williams advised that firms should engage in some cloak-and-dagger work of their own.

Using a concept he calls "honey tokens," the expert advises that companies should create repositories of information that look like sensitive data, leave them relatively unprotected, and then simply sit back and see what happens, and who ends up touching the info.

In addition to showing just how they are being attacked, the system may be useful for tricking attackers into walking away with useless data, confusing them and wasting their time, Williams said.
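The two ideas above, alerting on any access to a compartmentalized data store that does not come from an application allowed to reach it, and seeding that store with honey tokens that no legitimate application ever reads, can be checked by the same piece of log-watching code. The example below is added here; it is not code from Williams' talk or from GSM, and the audit-log format, the service accounts, hosts, table names, token range and the four log lines are all constructed for illustration.

```python
"""Added example: watch a compartmentalized sensitive-data store.

Two detections over a (constructed) database audit log:
  1. allowlist: only named (service account, source host) pairs may read
     the sensitive tables; any other reader is an alert, whatever it got.
  2. honey tokens: record ids planted in the store that no legitimate
     application ever uses; any read that returns one is an alert, even
     from an allowlisted application (stolen credentials, compromised app).
Accounts, hosts, tables, log format and log lines are hypothetical.
"""
import re
import secrets
from dataclasses import dataclass

# Hypothetical allowlist of (service account, source host) pairs that are
# permitted to touch the sensitive tables.
ALLOWED_PRINCIPALS = {
    ("svc_payroll", "10.1.20.5"),
    ("svc_payroll", "10.1.20.6"),
    ("svc_hr_portal", "10.1.30.11"),
}
SENSITIVE_TABLES = {"employee_ssn"}

# Hypothetical audit-log line format, e.g.
# 2007-09-12T10:01:03Z user=svc_payroll src=10.1.20.5 op=SELECT table=employee_ssn rows=2 ids=E1001,E1002
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) op=(?P<op>\w+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)(?: ids=(?P<ids>\S+))?$"
)


def make_honey_tokens(n, reserved_range=(900000, 999999)):
    """Generate n ids for records to plant in the store. They are drawn at
    random from a range reserved for tokens (hypothetical here) so they look
    like ordinary ids but can never collide with a live record."""
    lo, hi = reserved_range
    tokens = set()
    while len(tokens) < n:
        tokens.add(f"E{lo + secrets.randbelow(hi - lo + 1)}")
    return tokens


@dataclass
class Alert:
    kind: str      # "unexpected_access", "honeytoken" or "unparsed"
    user: str
    src: str
    detail: str


def parse_line(line):
    """Return a dict for one audit line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    ev["ids"] = set(ev["ids"].split(",")) if ev["ids"] else set()
    return ev


def analyze(lines, honey_tokens, allowed=ALLOWED_PRINCIPALS,
            sensitive=SENSITIVE_TABLES):
    """Run both detections over an iterable of audit-log lines."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            # A line the parser cannot read is itself worth a look: a gap
            # in the audit trail is how quiet access goes unnoticed.
            alerts.append(Alert("unparsed", "?", "?", line.strip()))
            continue
        if ev["table"] in sensitive and (ev["user"], ev["src"]) not in allowed:
            alerts.append(Alert("unexpected_access", ev["user"], ev["src"],
                                f"{ev['op']} on {ev['table']} ({ev['rows']} rows)"))
        hits = ev["ids"] & honey_tokens
        if hits:
            alerts.append(Alert("honeytoken", ev["user"], ev["src"],
                                f"returned {sorted(hits)} from {ev['table']}"))
    return alerts


# Constructed sample: two honey tokens already planted, four audit lines.
SAMPLE_HONEY_TOKENS = {"E931904", "E982115"}
SAMPLE_LOG = [
    "2007-09-12T10:01:03Z user=svc_payroll src=10.1.20.5 op=SELECT table=employee_ssn rows=2 ids=E1001,E1002",
    "2007-09-12T10:02:17Z user=jdoe src=10.1.50.42 op=SELECT table=employee_ssn rows=1 ids=E1003",
    "2007-09-12T10:03:40Z user=jdoe src=10.1.50.42 op=SELECT table=cafeteria_menu rows=5",
    "2007-09-12T10:05:09Z user=svc_hr_portal src=10.1.30.11 op=SELECT table=employee_ssn rows=3 ids=E1004,E931904,E1005",
]


def run_demo():
    return analyze(SAMPLE_LOG, SAMPLE_HONEY_TOKENS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.kind:18} user={a.user} src={a.src} {a.detail}")
```

On the sample lines, jdoe's read of employee_ssn from a workstation address fires the allowlist check, the cafeteria_menu read is ignored, and the svc_hr_portal read is permitted by the allowlist but still alerts because it returned a planted id. The caveat that matters in practice is the second half of Williams' advice: a honey token only works if nothing legitimate ever touches it, so planted ids have to be excluded from reports, exports and backup-verification jobs, otherwise the alert fires on your own nightly batch rather than on an intruder.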

Another piece of advice the expert offered was to take a truly holistic view of data protection: focus on the most valuable information you have to protect, and build tools and policies to defend assets based on their value.

"Everyone thinks that they're doing this today but many are not; it works best to implement a strategic risk management scheme across all areas of risk at once," said Williams. "Come up with a master plan running years into the future to address all areas with one plan for securing everything; by managing risk in a long-term fashion, you can avoid a nebulous response to individual attacks."

At least one of my fellow show-goers was impressed with the presentations, which Williams himself admitted were rather high-level and light on technical detail given the amount of time he had to work with.

Lloyd Keith, the director of IT for the Psychology Department at the University of Illinois at Chicago, and a former military security officer, also thought that Williams provided a breath of fresh air in his stage shows.

He agreed that the type of process-oriented change that the CTO described is still usually trumped by decision makers' tendency to throw point products at problems instead.

"More so than process, in my career we always looked at buying software to prevent attacks, and in the military we used clearances to manage access, but trying to implement these kinds of changes he's talking about and get people to change their behavior is one of the hardest things to do; people don't even read your policies," Keith said. "The problem is that everyone has a knee-jerk reaction after something bad happens; unfortunately that seems to be the only way to get a wake-up call out there -- trying to stay ahead of the curve is a real challenge."

Keith also found it believable that companies could probably do a lot to help themselves with little investment by working harder to move away from out-of-the box settings on their IT and networking gear, and by avoiding "conventional wisdom" type configurations to make life harder on hackers.

"We should probably increase our focus on that type of thing in IT, people take products out of the box and they just want them to work, they use the same advice as everyone for securing things and probably do as little as possible in many cases," he said. "We try to make sure we have the right help around to avoid that, but in the end just about everyone is pretty cookie-cutter in their approach on some level."

Posted by Matt Hines on September 12, 2007 12:17 PM