Security Step 5: Vigilance

By Peter Coffee

During the past five years, the standard of what constitutes due care for maintaining an enterprise security posture has risen almost beyond recognition. It can be difficult to find good estimates of the associated costs, since organizations are understandably loath to discuss in detail their security efforts or their spending thereon. What seems likely, though, is that many of the widely reported costs that are laid at the door of Sarbanes-Oxley Act compliance would arguably have been incurred much earlier if a disciplined security framework had been constructed before it became a SarbOx compliance prerequisite.

Estimates of SarbOx compliance costs may therefore serve as something of a proxy for more general security costs, and the levels and trends of those compliance costs are staggering. A survey of corporate board members conducted in 2004 by RHR International and The Directorship Search Group found an estimated average annual cost of $16 million for compliance with SarbOx, with some companies, such as top-tier insurer AIG, reporting almost 20 times that figure. And these aren't merely startup costs: there are indications of ongoing comparable expense.

In some cases, sad to say, appropriate diligence has metastasized into obsession, as when a passion for preserving the confidentiality of directorial discussions at Hewlett-Packard led to last year's devastating "pretexting" scandal that stripped the company of key managers, officers and directors. Even a well-conceived security strategy can be executed to excess.

That said, most organizations rightly suspect they have yet to reach the level of "good enough," let alone have any fear of going too far. A survey conducted last year by ControlPath, a developer of automated compliance management solutions, found only 28 percent of organizations expressing confidence that they were entirely in compliance with regulations affecting their process governance. Moreover, merely meeting legislative or regulatory mandates is not enough to let the well-informed IT professional sleep soundly. More is required.

Cultures of carelessness

Any long-term progress in elevating enterprise security will have to be an achievement of making a culture swim upstream against the currents of evolving technology. Like trends in real-world weaponry that favor the insurgent over the conventional armed force, the IT world's trends in processing, connectivity and storage pave the way for both intentional and merely careless leakage or abuse. Only organizational buy-in to the relevance of security awareness, and to the appropriateness and necessity of broad participation in the security process, can overcome adverse technology trends.

In processing: The "Deep Crack" machine, built by the Electronic Frontier Foundation to demonstrate feasible brute-force attacks on the DES (Data Encryption Standard) algorithm, cost $250,000 when constructed in 1998. A comparably powerful system could probably be built today for well under $10,000, or a parallel algorithm could be devised and executed on Sun Microsystems' public grid (www.network.com) for $1 per CPU hour.

In connectivity: The term "war driving," for opportunistic location and disclosure of unsecured wireless network access points, was coined in 2001. Today, a handheld detector less than 3 inches square, selling for less than $60, can show on its LCD readout the SSID (service set identifier), signal strength, encryption status and channel assignment of any Wi-Fi access point within range. Maverick unsecured departmental Wi-Fi setups have never been easier for a parking-lot snooper to find and use as entry points into a network.

In storage: Formerly too small to be dangerous, the capacity of USB thumb drives has exploded to the point that 1GB devices have followed Wi-Fi detectors down through the $60 price floor, and they may come in unexpected forms, such as the back end of a ballpoint pen or a foldout element on what looks like a Swiss Army knife (along with other useful geek tools). The pervasive threat of USB storage devices was dramatically demonstrated when several were seized in a New Mexico drug raid in October. The devices turned out to contain what appeared to be classified files from the Los Alamos National Laboratory, with an apparent connection between the accused drug dealer and a Los Alamos contract employee.

A pre-9/11 viewpoint might envision security attacks as expensive and complex, requiring some combination of exotic or conspicuous equipment and unusual expertise. In that environment, detecting and precluding the unusual and unacceptable was a sufficient strategy of vigilance. Post-9/11 reality is that tools of attack, and the knowledge and skills required to use them, are in many cases common and in other cases trivially easy to obtain, as when news surfaced in September that a simple Google search was enough to open the master-password back door into a widely installed model of cash machine to make it disgorge $20 bills while counting them as if they were worth only $5 each. There are too many opportunities like this, and too many ways for them to be discovered and shared. For example, exploits aimed at Microsoft's Windows Vista operating system went on sale at $50,000 per revelation toward the end of 2006.

It's therefore necessary to switch the approach to vigilance from denying the forbidden to a far more disciplined model of defining and permitting only what's meant to be allowed. Implementing that culture is a process that some technologies can assist. Last year, McAfee acquired Preventsys, adding the latter company's expertise in wireless network analysis and automated audits to its own portfolio of policy-driven tools such as Hercules. Hercules became a McAfee product with McAfee's acquisition of Citadel Security Software. Proactive design of useful and necessary business processes, identification of the data and the privileges needed to carry them out, and instrumentation of systems to detect any violation of those boundaries are the techniques that will succeed.

Best practices: Vigilance

Respect the fundamentals: Processing, connectivity and storage improvements facilitate leaks and attacks.
Move beyond denial of the forbidden: Make definition and management of authorized and necessary access a priority.
No security by obscurity: Shun assurances that complexity or obscurity will be adequate protection, and use appropriate tools to look inward.
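As an added illustration of the shift the article calls for, from denying the forbidden to permitting only what defined business processes require, the following Python is example code written for this page, not from the article or from any McAfee product; the business-process definitions, the key=value access-record format and the sample events are all constructed.

```python
"""Default-deny policy check over constructed access log records."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    user: str
    role: str
    action: str      # e.g. "read", "write", "copy_to_removable"
    resource: str    # the data set the action touches

def parse_event(line: str) -> Event:
    """Parse one 'key=value' access record (constructed format, not a real product's)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(fields["user"], fields["role"], fields["action"], fields["resource"])

# Constructed allow-list: each business process names the roles that run it,
# the data it needs and the privileges required to carry it out.
BUSINESS_PROCESSES = {
    "invoice-approval":  {"roles": {"finance"},         "resources": {"invoices"},                    "actions": {"read", "write"}},
    "research-analysis": {"roles": {"staff-scientist"}, "resources": {"project-archive"},             "actions": {"read"}},
    "nightly-backup":    {"roles": {"backup-operator"}, "resources": {"invoices", "project-archive"}, "actions": {"read", "copy_to_tape"}},
}

# Constructed deny-list: the "forbidden" actions someone already thought to ban.
FORBIDDEN_ACTIONS = {"delete", "disable_logging"}

def denylist_violations(events):
    """Deny-the-forbidden model: flags only actions on the known-bad list."""
    return [e for e in events if e.action in FORBIDDEN_ACTIONS]

def is_permitted(e: Event) -> bool:
    """True if at least one defined business process covers this role, data and privilege."""
    return any(e.role in p["roles"] and e.resource in p["resources"] and e.action in p["actions"]
               for p in BUSINESS_PROCESSES.values())

def allowlist_violations(events):
    """Permit-only-the-defined model: flags every event no business process accounts for."""
    return [e for e in events if not is_permitted(e)]

# Constructed sample records, in the shape a host access monitor might emit.
SAMPLE_LOG = """\
user=alice role=finance action=read resource=invoices
user=bob role=staff-scientist action=read resource=project-archive
user=carol role=contractor action=copy_to_removable resource=project-archive
user=dave role=backup-operator action=copy_to_tape resource=invoices
user=erin role=finance action=delete resource=invoices
"""
SAMPLE_EVENTS = [parse_event(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
```

On the sample records the deny-list flags only erin's delete, while the allow-list also flags carol's copy of the project archive to removable media, an action nobody thought to forbid because no defined process ever needed it.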