In a recent discussion with a large organisation’s security team they announced that the company had implemented a new approach to launching security technologies. In a nutshell, the message was “…there’s been a shift to buy solutions based on business requirements, i.e. the business needs to know that it needs a solution. The entire security team is there to serve the business.”
Now I don’t know about you but I’m kind of at a loss to know how the business would even realize they needed a security solution! I thought the idea of organisations hiring IT Security specialists was to help them advise the business of security risks to ensure the operational practices, critical assets and integrity of the business was protected.
Quite how the business is able to assess unmanaged and unquantified security and operational risks on its own is completely beyond me. Here’s a real-world example of the dangers of this approach. A friend returning a few weeks ago from a vacation in South Africa arrived three hours late at his destination because the flight had to land at a different airport.
Heavy winds at the original destination meant they couldn’t land safely. Apparently the majority of business-class passengers on the re-routed flight were complaining that they would be late or miss meetings as a result. After all it was the pilot’s job to get them there on time. Fortunately the pilot was not influenced by “business requirements”.
Unmanaged and Unquantified Risk
A recent survey conducted by Venafi revealed that organisations are deploying increasing numbers of digital certificates and encryption technologies, but that these security assets are also becoming lost, stolen and unaccounted for in epidemic proportions. Ironically, digital certificates and encryption keys are critical components of all information security programs, but they become dangerous liabilities when they go missing and find their way into the wrong hands.
In the survey, more than half of those surveyed stated that “they had experienced either stolen or unaccounted for encryption keys, or they were uncertain if their organizations had lost, stolen or unaccounted for encryption keys in general” – in fact they didn’t know what was going on inside their own infrastructure.
A recent report from Qualys stated that 30% of internet-facing SSL certificates were not valid. They went on to say that “for businesses that operate online, this could cause a major breach of security as research has shown that even if a security warning appears on the screen, more often than not, an end user is likely to ignore it.” Additionally, they found that “the user runs the risk of being exposed to potentially harmful security breaches calling into question the sites’ validity – which could negatively impact the company’s reputation.”
It gets even worse according to Qualys when you realize that “almost two thirds of systems that are using SSL to secure access and authenticate themselves are not configured correctly, which means that they are potentially insecure”. So although setting up SSL is very straight-forward if you know what you are doing, it is time consuming and it can be a daunting task with so many things that can potentially go wrong, even for the experienced IT security professional.
Understand IT Security Risks and Requirements
Taking this a step further, there are a number of critical areas where the “business” really has very little understanding of what actually happens. For example, it is unlikely that business owners will have the understanding of the security risks that might be involved in security operations and encryption key management best practices such as separation of duties, least privilege access, and the necessary processes and access controls.
Also, although the business is likely to have requirements such as preventing application and service outages, it is unlikely that they will have any concept of what that means in practice and how to achieve it. For example how would the business propose the IT department address the challenge of ensuring that digital certificates do not expire, and the roots and intermediate roots are kept updated? Or what would the business propose as the answer to ensuring that key distribution and rotation is carried out in a secure manner?
And if compliance with the Data Protection Act, PCI, etc., is a requirement then it is even more unlikely that business owners understand the implications. For instance, how would the business propose that the IT department carry out the periodic changing of encryption keys when the keys have reached the end of their crypto-lifecycle validity period? And how would the business propose that the IT department implement best practices on cryptographic algorithms and key management, for example NIST Special Publication 800-57?
IT Security needs to ensure the business understands the risks
“Even the best encryption in the world is not going to stop an employee from bypassing procedures and making a mistake that results in data leakage, or a rogue insider from giving up sensitive information for money.” That is the main message from a group of prominent cryptographers at the recent RSA Conference.
According to the experts “encryption is sometimes deployed improperly, leaving gaping holes that can be used by attackers to steal sensitive data. Other times, encryption is used on a small subset of an organisation’s network – a risk-based decision that can have a profound effect on the security of interconnected networks”.
And as is often the case, this results from a business decision to try and ensure the most return with the least investment.
The first order of business when any new C-level exec starts his or her tenure seems to be the cancellation of any investment in order to demonstrate their value to shareholders. It’s time that organisations realize that short-term shareholder benefits and executive bonuses based on maximising profit and limiting investment is never in the best, long-term interests of a business. As Omar Baba might say “safety check on airplane cost too much… we have life jacket!”