There’s no doubt about it: Being the cyber security support in any IT shop is a challenge.
For many years, systems were designed for self-contained networks. The level of security involved nothing more than a password, and the level of impact if the device was accessed with malicious intent was limited.
Today’s environment is different. The global interconnection of the world’s networks makes the threat global. At the same time, the competitive nature of providing new, marketable products and useful support systems puts engineers under a lot of pressure to get solutions into production. Anything seen as additional work (like cyber security) is viewed as a blockage.
Since companies hire security professionals to deal with security, systems integration engineers and system administrators tend to think of security as not part of their job. But this flies in the face of two very important facts:
The security professional does not own the solution (the system or network he or she is securing).
The security professional does not own the relationship with the vendor and/or developer of the solution.
The rightful owner of a solution or system -- the integrator or administrator -- wouldn’t want a security professional to make changes to a solution that would impede its performance. The owner would rightfully raise concerns if the security professional unilaterally went to the vendor or developer and demanded changes that would delay the delivery date.
At the same time, solution owners are under such pressure to meet business goals that they either knowingly or unknowingly ignore basic security tenets.
The issue is the ownership of cyber security. It is unreasonable for a team of security professionals to be responsible for solutions where they hold no direct ownership. It is also unreasonable to expect owners, who have no background in cyber security, to have the sole responsibility without support.
The model has to be one of solution owners working closely with the cyber security professional to assure all needs are met, with leadership providing oversight.
Here is one way the division of responsibility might work:
Owner. This entity owns everything concerning the solution, including security. This includes building the solution in accordance with the published security requirements developed by their company, and insisting their vendors and developers deliver solutions that meet the published security requirements. The owner must be aware of all risks entering production.
Security Professional. This entity understands the cyber security requirements of the company, along with the changing landscape of the practice. They recommend the requirements applicable to the solution and work toward agreement with the owner. They work with the owner to identify requirements not met by the solution and to advise the owner of the level of risk the solution will present to the business.
Leadership. This entity holds the profit and loss (P&L) responsibility for the solution. Leadership must insist that the company’s security requirements have the same level of importance as features and functionality. Leadership is the only group that can accept identified risk to the business.
In this manner, the owner gets the advice of the security professional. There will be disagreement, and the two entities need to engage in open discussions around the security need vs. the business need. Any issues left unresolved need to have a level of risk attached to them, so decisions can be made by the owner concerning future resolution.
Because security risk could affect the business, someone with P&L responsibility should review the risk and approve the risk’s entry into production. This provides for a holistic view of security and its impact on the solution and the business.
— Bruce Kaalund is the cyber security group leader for a large telecommunications company.
Yes, education is vitally important, for all levels of the organization. Heck, even the White House is bringing in folks to do cybersecurity training (one has to ponder why this wasn't done way sooner and incorporated into standard practice?). Part of this education is having users sign a user agreement that clearly states what they can and can't do on the system/network.
Having proper access controls in place is another major theme, the principle of Least Privilege. Supervisors have to approve a person's access levels, as well as any changes to them.
The third leg of this rickety little stool is auditing. Have an auditing solution in place that concentrates all the logs in one place, runs queries on them to discover trends, and can automatically notify <someone with authority to do something> if a violation of policy occurs.
These suggestions will help stave off a lot of the scenarios you describe in the case of an 'ordinary' user. Obviously, a talented, determined insider can still do a lot of damage...
Right Ira, giving someone the responsibility for security, but not the C-suite horsepower or resources, is why so many organizations made headlines - the wrong sort of headlines. It has been a long road, full of hard, expensive lessons... and the education process continues apace.
The point though is that a CRO would be ultimately responsible for ensuring proactive security and dealing with reactive issues. There is frequently not a senior level person representing those issues.
"The wave of attacks began early last week targeting corporations in the form of email messages that alerted victims of a "system upgrade." Email is accompanied by poisoned attachments and links; in some cases it poses as a message from victims' IT departments, including their actual email domains, and alerts them about a "security upgrade" to their email accounts."
"Zeus traditionally has been one of the more difficult malware variants for some antivirus programs to detect: According to recent data from Trusteer, Zeus is detected only 23 percent of the time by up-to-date antivirus applications. It's also hard to kill because it hides itself so well in the operating system."
Appointing a CSO, CRO or whatever a person wants to call that position won't truly mitigate risk. What do you do when someone without Admin access hacks that access, then puts the most sensitive info on a thumb drive? Then that person walks out and sells that info.
The thing to remember is that disgruntled employees, or one or more that need money, to play the ponies or whatever he/she/they need money for, can do this if that person is fairly competent with a computer. Or a person can ask the Admin for a temporary use of the Admin account, say for completing a program, gets it, takes the info on a thumb drive, and sells it. Admins are notorious for just giving access without thinking about what needs to be done.
Remember, Security Ownership doesn't belong just to whomever is the chief security person, but to all persons involved. It only takes one person to grab information, sell it, give it away or use it for personal reasons. Security begins at the personal level. There should be someone at the exit that has a person empty pockets, although there are lots of places that a person can hide a drive that would constitute a violation of rights and grounds for a lawsuit, which the company would lose.
There are just too many variables in security, risk or whatever a person wants to call it. If security needs to be tightened, then it really is up to the admin to take charge, educate people as to risks, and make sure, by possibly checking a program if a person wants temporary admin access and making sure he/she really needs it. If not, that person should be fired. As well as any admin who gives that right willy-nilly.
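The two comments above describe the same control from two sides: supervisors approve access levels and every change to them, and a central audit store is queried for policy violations and trends and notifies someone with authority. The script below is an added example (not code from the original post or any commenter) of what that review looks like over a handful of constructed log lines. The key=value log format, the approved-access table, the role ranking, the resource-to-role map and the removable-media threshold are all assumptions made for the illustration; the point it shows is that the supervisor-approved level, not whatever an admin happened to grant, is the reference against which access is judged.

```python
"""Centralized audit-log review: least-privilege checks and policy alerts.

Added example (not from the original post or its comments). Log format,
field names, the approved-access table and the thresholds are all
constructed assumptions for illustration.
"""
from collections import Counter
from datetime import datetime

# Role ranking used for least-privilege comparison (assumed ordering).
ROLE_RANK = {"user": 1, "poweruser": 2, "admin": 3}

# Supervisor-approved access levels (constructed). A change of level is only
# legitimate if a supervisor approval ticket is recorded here.
APPROVED_ACCESS = {
    "jsmith": {"role": "user", "approvals": set()},
    "alee": {"role": "poweruser", "approvals": {"CHG-2041"}},
    "admin1": {"role": "admin", "approvals": {"CHG-1001"}},
}

# Minimum role required to read each protected resource (constructed).
RESOURCE_ROLE = {"/finance/payroll": "admin", "/eng/build": "poweruser"}

# Constructed log lines in a simple key=value format; they stand in for
# records collected from many hosts into one store.
SAMPLE_LOG = """\
2010-02-01T09:12:03 host=dc01 event=privilege_grant actor=admin1 target=alee role=poweruser ticket=CHG-2041
2010-02-01T09:15:40 host=dc01 event=privilege_grant actor=admin1 target=jsmith role=admin ticket=-
2010-02-01T09:20:11 host=fs01 event=file_read user=jsmith path=/finance/payroll
2010-02-01T09:21:02 host=ws17 event=usb_write user=jsmith bytes=52428800
2010-02-01T09:23:45 host=ws17 event=usb_write user=jsmith bytes=104857600
2010-02-01T09:25:10 host=ws17 event=usb_write user=jsmith bytes=209715200
2010-02-01T10:02:00 host=fs01 event=file_read user=alee path=/eng/build
"""

USB_WRITE_THRESHOLD = 3  # alert at this many removable-media writes (assumed)


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; return None on junk."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    return rec


def check_privilege_grant(rec):
    """Flag a grant that raises a user above the supervisor-approved level."""
    target, granted = rec.get("target"), rec.get("role")
    approved = APPROVED_ACCESS.get(target)
    if approved is None:
        return f"grant to unknown account {target!r}"
    escalates = ROLE_RANK.get(granted, 0) > ROLE_RANK[approved["role"]]
    if escalates and rec.get("ticket", "-") not in approved["approvals"]:
        return f"{rec.get('actor', '?')} granted {granted} to {target} without supervisor approval"
    return None


def check_resource_access(rec):
    """Judge access against the approved level, not against any ad-hoc grant."""
    user, path = rec.get("user"), rec.get("path", "")
    needed = next((r for p, r in RESOURCE_ROLE.items() if path.startswith(p)), None)
    if needed is None:
        return None
    have = APPROVED_ACCESS.get(user, {"role": "user"})["role"]
    if ROLE_RANK[have] < ROLE_RANK[needed]:
        return f"{user} ({have}) read {path}, which requires {needed}"
    return None


def review(log_text):
    """Run policy checks and a trend query over the whole log; return alerts."""
    alerts = []
    usb_writes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event, finding = rec.get("event"), None
        if event == "privilege_grant":
            finding = check_privilege_grant(rec)
        elif event == "file_read":
            finding = check_resource_access(rec)
        elif event == "usb_write":
            usb_writes[rec.get("user")] += 1
        if finding:
            alerts.append((rec["ts"].isoformat(), finding))
    for user, count in usb_writes.items():
        if count >= USB_WRITE_THRESHOLD:
            alerts.append(("trend", f"{user} wrote to removable media {count} times"))
    return alerts


def notify(alerts):
    """Stand-in for paging someone with authority; prints instead of emailing."""
    for when, text in alerts:
        print(f"[{when}] {text}")


if __name__ == "__main__":
    notify(review(SAMPLE_LOG))
```

Run as-is it reports three things: the admin-level grant to jsmith with no approval ticket, jsmith's read of the payroll share (flagged because the approved level is still "user", whatever the admin granted), and the burst of removable-media writes. The grant to alee passes because the ticket matches a recorded supervisor approval.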
Appointing a chief risk officer won't fix anything.
In this security debauch, as in other problems with bad behavior, ACTION is REQUIRED to SUPPRESS the bad behavior.
Appointing a CRO will not fix anything. What ACTION will the CRO take? What TOOLS will the CRO use?
Under MVS/RACF I could not put a modified program into a production library until I had reviewed my test results with the operations supervisor. If I tried to violate this policy I would get an ABEND, a security report would be logged, and I would get called on the carpet to explain how the error occurred.
If you do not have control over what software you have in your computers, you are going to have a hacker festival on your hands.
"If we were talking about this topic 15-20 years ago, I would agree that the software vendor must build security into their OS/applications. []
The size of the code, [the vastly increased number of users, and the vastly increased extent of the network and ] the speed at which we are adding content to the masses, and the need to find the next big thing are the drivers behind what the Internet has become."
"However, the OS you mention did not provide the flexibility today's users expect. When there was a glass house, there was much more control over what could be run."
That doesn't mean the security concepts are not applicable. The x86 went into service in a vastly expanded network environment with very weak or non-existent security -- kinda like a lamb straying into a pack of wolves.
MVS, btw, did provide remote access -- via TSO and JES -- and these services resulted in most shops implementing RACF. Competent managers knew it was necessary. And it didn't stop any of us from doing our work: we just had to follow procedures.
These are the folks with the tools, calculations, metrics and the mandate - who I've been finding are very good partners when it comes time to explain to leadership why we should take certain steps. Use every tool available, if it suits, from Business Analysts to the C level.
More technical types are learning the ins and outs of the business side, when traditionally we aren't supposed to care so much about it. Part of the evolution of a smarter organization.
Chief Risk Officers have traditionally been financial risk people. They are attorneys or accountants who don't really care about technical security unless it affects something else.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.