I don’t have to tell you that there’s a sea change underway in how society uses information. But there is something not immediately obvious about this change: How society’s dependencies are migrating from the real (analog) world to the network-connected digital world.
Once we had to walk down the hall and into a room to meet with co-workers. Today the Internet is mission-critical to our ability to work with colleagues around the globe. This shift in how we create, move, and consume information poses several challenges for cybersecurity professionals in 2011.
The Increasing Value of Information
The first is helping organizations understand and respond to the increasing value of their information. This need entered the public consciousness through the WikiLeaks controversy. The WikiLeaks website is just the first of many such sites we’ll see in the coming year. And it’s not just a concern for governments.
Big businesses are about to get a hard lesson about the real value of their information — data that, used wrongly or mishandled, can cause significant or even catastrophic damage. Data that once appeared innocuous or inaccessible is becoming more valuable, and potentially more damaging, by the day.
Public and private organizations alike must adopt a contemporary understanding of the value of their information, and the trust they place in the people who use it. Step one: End tolerance of lax enforcement of security policies.
Despite advances in security technology, the sad fact is that IT probably had better control over sensitive information 20 years ago. The reasons? Information was centralized. There was less information to manage. The client technology required to access it was slow. And the clients were incapable of massive mobile storage.
No more. Our employees now have petabytes of corporate information available to them, search engines that help them quickly find what they’re looking for, high-speed Internet connections to the outside world, and easily hidden storage devices that can walk terabytes of information right out the front door, in plain sight.
No longer can we automatically trust employees to handle information with confidentiality and integrity. The protection of information will need to be policed internally, and brought into a clearer legal framework. From a security point of view, this will mean much stronger confidentiality clauses in personnel contracts.
It will also mean monitoring how information is used. Resources will need access permissions. Information (including e-mail!) will need to be encrypted. Device use will have to be monitored — including desktops, laptops, smartphones, tablets; anything that taps the organization’s data. Firewalls will have to get smarter to monitor all information, to ensure sophisticated techniques, such as steganography, are not being used.
There are some who will say these approaches amount to an invasion of privacy. They do not. The need is for organizations to monitor their proprietary information, not their people. By understanding their organization’s normal information usage patterns, they will be able to identify anomalies in usage. These anomalies will serve as a red flag for quick investigation.
Governments and businesses now in WikiLeaks’ clutches might have avoided their fate had they monitored, understood, and acted on their organizations’ information patterns. Sudden, large data transfers to unauthorized persons would have been flagged. With the right processes and policies in place, it is possible the leaks could have been plugged.
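The monitoring idea above can be sketched in a few lines. This is an added example, not part of the original article: it builds a per-user baseline of transfer sizes and flags events that go to a destination outside an allow-list or that far exceed the user's normal volume. The records, user names, destination names and the threshold `k` are constructed assumptions.

```python
from statistics import median

# Constructed sample history: (user, day, destination, megabytes_out).
HISTORY = [
    ("alice", d, "fileserver", mb)
    for d, mb in enumerate([120, 135, 110, 140, 125, 130, 118])
] + [
    ("bob", d, "fileserver", mb)
    for d, mb in enumerate([900, 950, 870, 1020, 940, 910, 980])
]
AUTHORIZED = {"fileserver", "mail-gateway"}  # assumed allow-list of destinations


def baseline(history):
    """Return {user: (median, MAD)} of transfer size, a robust 'normal' profile."""
    per_user = {}
    for user, _day, _dest, size in history:
        per_user.setdefault(user, []).append(size)
    stats = {}
    for user, sizes in per_user.items():
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes)  # median absolute deviation
        stats[user] = (med, mad)
    return stats


def flag(event, stats, k=6.0, min_mad=1.0):
    """Return the list of reasons an event deserves investigation (empty if none)."""
    user, _day, dest, size = event
    reasons = []
    if dest not in AUTHORIZED:
        reasons.append("unauthorized-destination")
    if user not in stats:
        reasons.append("no-baseline")  # unknown user: nothing to compare against
    else:
        med, mad = stats[user]
        # min_mad keeps the threshold meaningful when a user's history is flat.
        if size > med + k * max(mad, min_mad):
            reasons.append("volume-spike")
    return reasons


if __name__ == "__main__":
    stats = baseline(HISTORY)
    for ev in [("alice", 7, "fileserver", 128),
               ("alice", 8, "usb-removable", 40000),
               ("bob", 7, "fileserver", 1000)]:
        print(ev, flag(ev, stats))
```

Because the baseline is per user, a 1000 MB transfer is normal for the constructed user `bob` but would be a spike for `alice`; the point is deviation from that person's own pattern, not a single global limit.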
Information Push, Information Pull
As I said earlier, we often fail to notice how our dependencies are moving from the real world to the digitally networked world. The next step in this evolution is the way that we are moving from a society where work is tied to a geography to one where geography has no meaning. It’s an evolution similar to how mobile phone networks transformed telephony.
The global network has moved from being geographically based to being mobile. Office workers no longer need to chain themselves to a desk in order to connect to their network, or jump through hoops to establish a poky remote connection. A speedy network is available to them wherever they are.
Data flow has also changed. We used to have to click our way through to the appropriate website, portal, or page to access or update information. Now the data comes to us whenever it’s been updated or when we need to pay attention to it. And we can act on it in real time, without having to navigate back to its point of origin.
These changes in how data flows raise three significant vulnerabilities that need to be addressed.
1. Mobile devices need both strong “end point” security and “identity authentication.” The devices should be monitored remotely by the organization. The information should be encrypted. Authentication should involve multiple factors, including biometrics (such as face, iris, fingerprint, or voice). Expect to see device and software vendors start to work on the biometric as an encryption key; e.g., identity cryptography.
2. Apps that “push” information require a different approach to information assurance. This is where identity authentication plays a crucial role. Organizations need to be confident that the mobile device is in the hands of a person who has the authorization to see the information being pushed. This will take time to develop, but the principles of information assurance still hold strong (confidentiality, integrity, availability, non-repudiation, authentication, and now privacy).
3. Changes in work behavior and work location will demand more attention to securing information, no matter the location. This is not something that we in the cybersecurity field can ignore or prevent. The economics are making these changes unstoppable. There are savings to organizations from not having to house so many workers in so many places. There are savings to workers in terms of travel costs (vehicles, fuel, insurance, expenses). And there are environmental savings to society from the decline in commuting, national, and global travel. Organizations must understand that they need to secure information at rest and in motion by encrypting it, monitoring its use, and locking down their increasingly dispersed infrastructure.
Information Security and the Butterfly Effect
The rapid transformation in how and where society uses information has one overarching outcome: It ends the era of compartmentalized, bolt-on information security. Today we largely compartmentalize data recovery, backup, redundancy into one bucket. We put end user support in another bucket. We put security in yet another bucket or, worse, end-user security in one bucket and data center security in another.
This cannot continue. Unless you take a holistic, systems-oriented view of your information system, you’re inviting failure. The compartmentalized approach isn’t agile enough to adapt to today’s asymmetric, globally distributed use of information, and will eventually break. This butterfly effect means that even small changes in your network can have a disruptive impact on security.
For example, an increasingly common practice today is to encourage employees to network with customers and partners using social networking sites. This activity often takes place over the organization’s internal network. Unless you’ve thought it through holistically, you have no idea what the consequences might be. You could end up with a real storm in an unexpected area of your network, simply because you allowed access to social networking.
The pace of change continues to accelerate and, with it, so does the evolution of threats. We live in an era where it’s not only possible, but easy, for anyone with an axe to grind to make off with entire libraries of information and, minutes later, share their haul with the entire planet.
A few years ago, it would have required a crew from “Mission: Impossible” to make off with millions of U.S. Armed Forces or State Department documents. But as the WikiLeaks incident proves, today it requires only a logon and some portable rewritable storage.
The key to deflecting this risk is to understand that cybersecurity is no longer just a technology or people problem. It is an information problem as well. Take a holistic view of your information system. Encrypt your information at rest and in motion. Monitor its use. Respond to anomalies. Update your policies (including how you authenticate). And enforce your procedures.