Shahriar Chowdhury, CISSP, CISA, CISM, CRISC, CIPP/IT, CEH, CHFI, is the lead consultant at Infosec Professionals, LLC. He attended New York University-Polytechnic Institute and is currently pursuing an MS in Information Security Assurance at Western Governors University. He has worked in Information Security consulting roles for over 12 years. Opinions expressed in this column are his own. He can be reached at shahriar@infosecpros.com
THE MYTH AND REALITY OF DATA BREACH
The recent news of data breaches at data broker services such as LexisNexis, Kroll and D&B is yet another reminder for security professionals that adversaries are stronger than ever before. As Mathew Nicho and Hussein Fakhry point out in their article "Using COBIT 5 for data breach prevention" in Volume 5 of the ISACA Journal, COBIT 5 enablers and management practices can be used effectively to prevent these types of data breaches, yet many organizations do not plan for or implement preventive technologies. After a high-profile security breach is reported in the media, senior management may spend some time thinking about the issue and may decide to hire a security officer to combat the problem; however, on many occasions the security budget and resources are the bottleneck. Organizational culture may be an impediment to the new Security Officer role, as there is a general mistrust of Security Officers in some organizations. A major shift in thinking with regard to technology investment versus manual process creation is also required, as a new security role often means more work for other IT teams, especially the tedious process of reporting on improvements in vulnerability management, malware protection and log reviews.
SECURITY LEADERSHIP
A major disadvantage for a new security officer is not knowing the organization well enough, and yet creating unrealistic metrics, following them to the letter, and being too focused on operations rather than strategy. Other IT teams eventually realize that there is little or no value in the constant repetitive work they are doing for "the new security team", and do not feel inclined to stay friendly with Security. I think the major problem is that many security professionals are not attacking problems strategically: they are trying to solve everything, or, to maintain harmony with IT teams, are avoiding the hard problems, sometimes assuming that they are impossible to achieve. I have seen reluctance to adopt two-factor authentication requirements, citing various research reports about how complex and expensive it is to maintain; however, in the last few years there have been many inexpensive and easy-to-use solutions in this space. Organizations sometimes go overboard in selecting technologies such as SIEM, choosing the best-of-breed product as reported by Gartner or other leading research firms, which may not be a good fit for mid-size organizations without dedicated teams. The major research publishers do not always provide independent reviews of smaller vendors, or present total cost of ownership information clearly, thus leaving the mid-size organization out of the picture for new technology investment. Sometimes, when the security budget increases in reaction to a data breach, managers buy what they had previously wanted in their budget, without considering how the threat landscape has changed.
WHAT WORKS IN PREVENTING DATA BREACH
Many of these data breaches are indeed preventable, as many begin with a phishing email to an internal employee. Sometimes, due to a lack of understanding of how filtering tools and signature databases work, IT assumes that spam and URL filtering are effective controls against phishing attacks. CISOs rely on network or other IT groups to maintain the Internet infrastructure, and do not notice when the quality of URL filtering databases declines; misconfiguration is also a major issue. For a really effective control around this issue, it is time to think about separate networks and devices (or virtualization) for Internet and internal connections. Too many organizations rely on what worked and did not work in the past, rather than thinking forward.
SKILLS GAP MYTH
The current difficulty in running an effective security program is less a technical skills gap than a management issue. COBIT 5 calls for the separation of Governance from Management; however, in many organizations even Audit is not fully independent, and auditors avoid important but sensitive subjects where attention could be very effective in minimizing data breaches. Systems and databases that contain financial data or Personally Identifiable Information (PII) of employees and customers should generally be segregated from the internal network, and access should be limited to authorized users. However, many internal and external auditors turn a blind eye to the problem, and suggest ineffective workarounds such as monitoring access logs, which does not get done on a regular basis because of human error, competing workload, and so on. Many organizations have tried to address these issues by creating security policies; however, many of those are not enforceable. In some cases there is, in theory, a whistleblower framework in place, but if an employee comes forward to management with an issue, they are treated as if they betrayed trust, instead of management listening, trying to understand the problem, and then taking reasonable steps to fix it.
HIRING THE RIGHT TALENT
The growth in security job openings in recent years is enviable; however, hiring managers hold positions open for months waiting for candidates who fit their budget, rather than paying market rate for the right talent in the right position. When these people become managers, they continue to make the same mistakes. I have heard from so many job-seekers that when they are offered a job after multiple rounds of interviews and many weeks into the process, the salary is at the same level as, or sometimes lower than, their current position, and with fewer benefits. This is not the right way to attract talent to a critical function of the business. I think there appears to be a disconnect between management expectations and the reality of the job market for security professionals.
The problem could be that some CIOs and CISOs do not prioritize in terms of business and financial risk, or do not know how to quickly isolate a problem by finding the weakest link. They may be relying on technology too much, and do not listen to business owners. When the security team needs to expand, the same business owners expect more of the same, and are not thrilled to provide that budget.
CONCLUSION
There is no one-size-fits-all security pill to prevent and defend against the security problems we face as security professionals. However, it is high time to raise our concerns to senior business management that IT Security is serious business, and that best practices for the resource requirements of an effective IT Security program should be benchmarked. Situations vary everywhere, but if a company has billions of dollars of intellectual property to protect and will not invest a tiny fraction of its budget to safeguard it, its customers and investors should be raising questions. And we know that to get the answers we want, we have to take the first step of asking the question.
ENDNOTES
Data Broker Giants Hacked by ID Theft Service. Krebs on Security. http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/
Using COBIT 5 for Data Breach Prevention. Mathew Nicho and Hussein Fakhry. ISACA Journal, Volume 5, 2013.
Why American Banks Will Continue to Be Breached. Forbes Magazine. http://www.forbes.com/sites/josephsteinberg/2012/09/27/why-american-banks-will-continue-to-be-breached/