The InfoSec Perspective for April 2010
It has been a busy month or so for information security.
Apple has patched a vulnerability that was showcased in a recent hacking contest, Microsoft has released a major set of fixes in its most recently Patch Tuesday, and and Oracle (which now owns Sun) has not yet committed to patching a Java vulnerability on Windows that has been exploited in only 5 days from public disclosure.
Oracle seems intent to stick to a quarterly patch schedule, which they have been able to do because the bulk of their applications are used behind the corporate firewall. Now, with Java as a major component of their software portfolio, this approach is unlikely to continue. They’ll either have to adjust the schedule for all products (which they really should consider), or put Java on its own schedule. Or, deal with lots of out-of-band Java patches. Anything but this quarterly nonsense.
On another front, due to a rash of recently vulnerabilities in its Acrobat products, Adobe is looking to enable silent, background updating of these tools to “keep users safe”. No official word yet on how enterprises will look at this approach, but I imagine there will be considerable discussion. (The comments at the end of the ComputerWorld article give just a taste of the concerns.)
Finally, there has been a significant increase this year in targeted attacks at high-profile Internet organizations, and there is no indication that this trend will decrease in the near future. If anything, the growth of cloud computing and outsourcing in general will present more of an opportunity for these types of attacks, because the potential payoff is substantial!
One of the biggest selling points to CIOs and business executives for cloud computing and outsourcing is that the hosting organization is better able to address security and other risk-related concerns than could the CIOs organization. While it may be true that the hosting provide *should* be more focused and have better, more trained staff to address these needs, the same kinds of politics that often prevent technologists from making or executing the right decisions (as opposed to the cheapest decisions) happen just as often in hosting provider organizations as in regular companies. It’s just that the stakes are higher.
Be sure you have a well worded contract with your Cloud Provider or Outsourcer when you decide to turn over the crown jewels of your data to an external provider. Hearing the following excuse from your provider will not bring your business back:
“Ooops, I’m sorry that the hackers from <insert suitable foreign country or government here> penetrated our defenses because we did not use quite as many layers of expensive security as requested by our security professionals. Hey, we’re not the only ones who got hit, anyway, and our auditors signed off on our environment just 3 months ago!”
I’ve previously spoken about the difference between an organization that is secure, and one that is compliant, so I won’t address that again. Suffice it to say, there is potentially a huge difference. What we need is more consciousness around security as a basic part of operations, not as some costly add-on.
If you purchase a car, you must get insurance.
Likewise, if you run an enterprise (or even a small business), you must secure that environment. And we’re not just talking about antispam and antivirus, which are just the very basic level of infosec (like locks on your car).
If there is not a change in the understanding around information security, and they fact that it is not a static state, but a very dynamic one, we will find the next 12-18 months to be horrendous in terms of security incidents and data breaches worldwide.
BTW, the reason that information security and compliance remains so expensive is that it is largely implemented in a piecemeal fashion. If it were baked into technology and business operations, the costs would naturally go down. This is true of almost every part of the technology infrastructure and operations. The things that are bolted on (Disaster Recovery and Backups) are more expensive than the things that are baked in (routing, switching and load-balancing).
If we want better security at the enterprise level, then we have to fund it. Better employee hires, better training, lab environments to test and deploy better fixes, and better practices throughout the organization. And they need to be listened to. Simply outsourcing your problems doesn’t work, especially if you’re not going to change your procedures and policies of operation.
Information Security is primarily an issue of people executing good procedures and following good policies. It is NOT primarily a matter of purchasing good technology.
Hopefully, businesses will stop paying lip service to information security, and to protecting the critical assets of their business and their clients. Hopefully. Unfortunately, I have no reason to believe that this will occur in 2010 for most organizations.