Back to security basics, say Infosecurity Europe exhibitors

By Ron Condon, U.K. Bureau Chief
19 Jan 2009 | SearchSecurity.co.uk


Visitors to Infosecurity Europe 2009, one of Europe's largest security conferences, can expect to hear a concerted message from vendors: get back to basics.

A group of the show's exhibitors, plus a panel of CISOs, assembled in London this week to preview the April event and discuss the state of the market. Most were convinced that current security practices were not keeping up with threats. A rising tide of cybercrime is posing greater external threats, they said, while the economic downturn is likely to increase the dangers of internal fraud.

Know your current assets
Chris Schwartzbauer, VP of development and customer operations at Shavlik Technologies LLC, said senior management had been lulled into thinking security was under control because it had spent so much money on security products.

"They have bought the latest and greatest products because they're cool, but they don't look at what the technology is doing for them. They cobble together pieces and pieces, but that doesn't mean it will all work as a complete system," he said.

Schwartzbauer added that companies spend their time chasing threats and plugging holes rather than trying to be proactive in their approach. "Our problems are being compounded. Applications are becoming more complex, and therefore more vulnerable. Virtualisation allows us to run multiple operating systems. And in the third quarter of 2008, there were more vulnerabilities published for non-Windows systems than Windows systems," he said.

Criminals are increasingly looking to exploit vulnerabilities in non-Microsoft software such as Adobe Acrobat, iTunes and Firefox.

His answer is to return to basics, and for organisations to get control over what assets they have, and apply proper policies. "You need to discover your assets to know what inventory you have on each machine -- operating systems, accounts, permissions, services and applications. If you don't know what's out there, then you'll never know how vulnerable you are," he said.

Agenda: Back to basics

* Discover all assets and maintain inventory
* Adopt some form of data classification
* Put controls on systems administrators, identify individuals
* Implement secure development practices (not just coding)
* Have a policy, enforce it
* Take advantage of free information (Cabinet Office, Jericho Forum)
* Automate where possible
* Review defences and cut out duplication

Infosecurity Europe 2009 runs April 28 to 30 at Earl's Court in London.

The only way to keep control of assets is to have continuous automated asset discovery and vulnerability remediation in place, he said. To back up the claim, he cited a study by the Aberdeen Group last July, which showed that best-in-class organisations derived huge benefits from this approach, in some cases saving $1.91 in vulnerability-related costs for every $1 invested.

Automation of compliance and risk management
Building on the theme of automation, Ed Cooper, vice president of marketing for Skybox Security Inc., outlined the problem of trying to keep compliant with regulations as systems and networks become increasingly complex. He described the situation as "a perfect storm" where IT is too complex, and companies have too few resources to manage the technology effectively.

"When Patch Tuesday comes, some companies spend a week deciding what to do and what vulnerabilities to prioritise," he said. "It is very labour-intensive, and decisions tend to be subjective and based on educated guesses."

Cooper advocated an automated approach -- called automated risk and compliance management -- which applies business intelligence techniques to security, pulling in information from devices on the network and then using BI-type tools to analyse and present the results.

He added that BI tools also allowed companies to model changes in the security architecture and assess the impact of changes. "We have seen layers of security build up over time to tackle different threats. Much of this could be cut by using automation," he said.

Focus on data classification policies

Most speakers agreed that some form of data classification is fundamental to good security, and most believed that few organisations have managed to apply it effectively. One speaker, Bernard Parsons, CEO of Becrypt Ltd., suggested that the industry could learn from the U.K. government, which in the wake of some embarrassing security breaches over the last couple of years has carried out a major Data Handling Review, and produced its Security Policy Framework last December. Designed primarily for the public sector, the document is equally applicable across industry and is downloadable from the Cabinet Office website.

As Parsons pointed out, the government takes a risk-based approach to classifying data against four levels of security, from "Top Secret" (a danger to the state if disclosed) down to "Restricted" (an embarrassment).

Paul Simmonds, CISO for AstraZeneca Plc and a board member of the Jericho Forum, suggested that even a three-level traffic-light model (red, yellow and green), as recommended by the G8 group of industrialised countries, can be effective -- and is certainly better than nothing.

The importance of knowing what data you want to guard is increased with the growing collaboration between organisations and the sharing of information with partners and sub-contractors. Simmonds said the Jericho Forum has developed a lot of guidance for companies on how to best build a collaboration-oriented architecture, all of which is downloadable from the Jericho website. "You have to architect for this [collaboration]," he said. "It is radically different from what you did before. For the first time in 25 years of information security, the sticking-plaster solution will not work. You need to go back to first principles. It is why the Jericho Forum was formed. Network-based security controls have had their day."

He said it is essential to tell people in an organisation how you expect them to handle data and give them a simple classification scheme. "If it's not simple, they won't use it," he said.

Who watches the IT department?
Several speakers identified the IT department as a potential weak spot for security, with poor separation of duties and many staff holding privileged access rights under the same shared sysadmin identity. As David Hobson, CEO of distributor Global Secure Systems Corp., said: "This is IT's dirty little secret. Most security money is spent keeping out external threats, while the IT people have the keys to the kingdom. They have highly privileged accounts that are not even linked to individuals.
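The "privileged accounts that are not even linked to individuals" problem is easy to see in authentication logs once you look for it. The script below is an added example, not part of this article or of any vendor's product described in it: it scans syslog-style auth lines (constructed here; the hostnames, account names and addresses are invented) and separates privileged actions that can be tied to a named person (a named user escalating with sudo) from those that cannot (direct logins as root, or su to root from a shared account). The line formats follow common OpenSSH, sudo and su syslog output, and the set of accounts treated as shared is an assumption you would replace with your own.

```python
"""Attribute privileged activity in auth logs to named individuals.

Added example (not from the article). Log line formats are assumed from
typical OpenSSH, sudo and su syslog output; all sample data is constructed.
"""
import re
from collections import Counter

# Constructed sample auth log; hosts, users and addresses are invented.
SAMPLE_AUTH_LOG = """\
Jan 19 09:01:12 web01 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan 19 09:01:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 19 09:05:02 web01 sshd[2150]: Accepted password for root from 10.0.0.9 port 51100 ssh2
Jan 19 09:06:15 web01 sshd[2160]: Accepted publickey for bob from 10.0.0.6 port 51200 ssh2
Jan 19 09:07:00 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jan 19 09:10:30 web01 sshd[2201]: Accepted password for sysadmin from 10.0.0.7 port 51300 ssh2
Jan 19 09:11:05 web01 su: (to root) sysadmin on pts/2
Jan 19 09:15:44 web01 sshd[2250]: Accepted password for root from 10.0.0.9 port 51400 ssh2
"""

# Accounts assumed to be shared (not tied to one person). Adjust for your estate.
SHARED_ACCOUNTS = {"root", "sysadmin"}

SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_CMD = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_SWITCH = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on")


def classify_privileged_events(log_text):
    """Return (attributable, unattributable) lists of (account, action) tuples.

    attributable:   a named individual account performed the privileged action.
    unattributable: only a shared account appears, so no person can be identified.
    """
    attributable, unattributable = [], []
    for line in log_text.splitlines():
        m = SSH_LOGIN.search(line)
        if m:
            # A login as a shared account is itself an unattributable privileged event;
            # ordinary named-user logins are not privileged and are skipped.
            if m.group("user") in SHARED_ACCOUNTS:
                unattributable.append((m.group("user"), f"login from {m.group('src')}"))
            continue
        m = SUDO_CMD.search(line)
        if m:
            event = (m.group("user"), f"sudo as {m.group('target')}: {m.group('cmd').strip()}")
            (unattributable if m.group("user") in SHARED_ACCOUNTS else attributable).append(event)
            continue
        m = SU_SWITCH.search(line)
        if m:
            event = (m.group("user"), f"su to {m.group('target')}")
            (unattributable if m.group("user") in SHARED_ACCOUNTS else attributable).append(event)
    return attributable, unattributable


def shared_account_usage(log_text):
    """Count privileged events per shared account, i.e. activity nobody can be held to."""
    _, unattributable = classify_privileged_events(log_text)
    return Counter(account for account, _ in unattributable)


if __name__ == "__main__":
    named, shared = classify_privileged_events(SAMPLE_AUTH_LOG)
    print(f"{len(named)} privileged events attributable to individuals")
    for account, action in named:
        print(f"  {account}: {action}")
    print(f"{len(shared)} privileged events with no individual attribution")
    for account, count in shared_account_usage(SAMPLE_AUTH_LOG).items():
        print(f"  {account}: {count} event(s)")
```

Against the sample, alice's and bob's sudo escalations are attributable, while the two direct root logins, the sysadmin login and the su to root from sysadmin are not; a per-account count of the latter is the kind of figure that makes the separation-of-duties gap visible to management.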
