Information Security and Business Management: The History and Reality of Misconceptions
Daniil M. Utin, MS, Mikhail A. Utin, Ph.D.
Preamble.
We published an article, “General Misconceptions about Information Security Lead to Insecure World”, in Information Security Journal: A Global Perspective, 17:1–6, 2008 [1]. We would like to return to its ideas and discuss them from a slightly different perspective, since the problems we identified are large in scope and cannot be addressed in a single article.
The evolution of Information Systems (InfoSys) and of the opportunities for information exchange has caused the Dark Force to adapt and evolve its weapons, from simple boot sector viruses and cunning social engineering to botnets and the establishment of a Hacking Services Industry (HSI). The latter grows in parallel with the Information Security (InfoSec) industry and has its own research and development, services and information for sale and, as a result, profits measured in billions of dollars.
Continuous InfoSec failures in both government and commercial systems raise questions not just about mishandling, sloppiness or incompetence, but also about whether basic InfoSec concepts as we know them are in fact correct. We need to reevaluate the way we go about the security business as a whole.
We identified the problem as the application of InfoSys methods and principles of operation to a completely different business: InfoSec.
Being Reactive or Proactive?
We need to admit that the HSI is always one step ahead of InfoSec, except when the FBI or international law enforcement authorities apprehend a few hackers. In general, InfoSec as we understand it is reactive by its nature. It started its existence as a defensive system, fixing problems and finding a technology solution to each new threat or overwhelming attack.
Staying on the defensive is a disadvantageous position PR-wise. As a result, the battles are judged by the successful hacking attacks, and the fact that the majority of attacks fail because of the defense is often overlooked.
Almost all current InfoSec technologies are defense-based, meaning “reactive”: firewalls, IDS/IPS, anti-malware measures, etc. What could be proactive in this case? For instance, anti-bot search software such as web robots that scan the Internet for botnets.
Such a “reactive” approach comes from InfoSys, which was, is and will be a business-oriented set of naturally “reactive” services. InfoSec has its roots in InfoSys, and very often their roads cross. However, InfoSys and InfoSec are different. Thus, we need to move forward with completely different methods based on InfoSec needs. Otherwise, the battle will always be lost to a more proactive enemy.
There have been some attempts to develop methods of active defense, but the problem extends beyond technology. There is no legal basis for such active defense, and legal issues are expected to arise.
Our vision: Active InfoSec defense should be legally permitted in this country, and the rest of the world will follow. We need to utilize offensive methods in addition to defensive ones.
Separation of duties
Separation of duties is one of the basic security principles. The discussion of the managerial separation of InfoSys and InfoSec took quite a while before settling. A majority of security professionals agreed that the two services should be divided. However, each organization arbitrarily determines for itself what kind of division is better. Unfortunately, InfoSys management usually considers InfoSec a branch of InfoSys, with all the implications that follow. It is a very traditional point of view and, as we discussed above, comes from the early days of InfoSec.
Money also matters. A bigger budget means more power to control. The opinion of InfoSys management is that security is a “business-oriented service” and should stay bound to InfoSys. We see InfoSec as a security service, not a “business-oriented” one. It should be completely separated from InfoSys management, even if management claims that the organization cannot afford it. We think that if an organization has an InfoSys group, then it should have at least one InfoSec person who does not belong to that group.
There is a tendency in InfoSys that makes complete separation very urgent. We see that more and more InfoSys is managed based on a budget, not on technical or organizational needs. The major criterion is money. The outcome is global outsourcing, which frequently results in an inability to manage such outsourcing and the technology. We have seen multiple examples where the entire InfoSys function has been outsourced to a services company, leaving only a small group of managers to handle the budget and the relationship between the organization and the contractor. Within a couple of years this group realized that it did not have people with the expertise to understand where InfoSys should technically develop, what the possible solutions are, etc. They were left blindly relying on the contractor and not knowing what the result should be. Extending such practice to InfoSec is extremely dangerous, regardless of what security services providers might tell you. You can very easily lose control of your organization’s security and depend only on what the provider says.
Our vision: InfoSec management should be completely organizationally independent of InfoSys management. Methods of InfoSys management are not aligned with InfoSec goals.
Why are we late?
Let us discuss why InfoSec is frequently late in securing business assets. Basically, we are talking about the final result, not intermediate activities.
In our article [1] we discussed an interesting case where it took 60 days to change 60 blank administrator passwords on a government-controlled enterprise network. It was a typical security situation where a fast and easy fix was possible. However, it took 60 days instead of the couple of days it would have taken had a system administrator simply walked around the campus setting passwords. Considering that all the computers could be accessed by local personnel, it should not have taken more than a couple of hours.
Another interesting case came from one of the major US (and world) banks. A newly arrived security consultant needed a PC on the local network with certain access to network shared drives. It took two months (!) to finally get everything settled. The computer alone took one (!) month to set up. We see here a magic number, as two months is actually 60 or so days, as in the first case.
In both cases security and general InfoSys requests went through a multi-level support structure. It possibly does not matter what exactly the hierarchy was in each case. Everyone tends to act and react slowly unless it is an extreme emergency. So, our first example is a copycat of InfoSys request processing in InfoSec. We think that we should not need to explain the danger and consequences of having a blank password, and that such requests should be treated by InfoSec in a completely different way.
Our vision: A copycat approach to management structure and methods, for instance service request processing carried over from InfoSys to InfoSec, endangers business assets. As stated above, methods of InfoSys management are not aligned with InfoSec’s goals. When it comes to security issues, the time of slow multi-level response must come to an end.
Local or global focus
In the world of InfoSys, a blank administrator password does not affect any business functions, business connections or company image. InfoSys generally does not care what happens outside of its local perimeter, and it does not even matter if the password never gets fixed.
In the world of InfoSec, a blank administrator password creates an obvious exposure: a completely open computer that should be fixed as soon as possible. Compromised computers will definitely present a danger to the outside world as bots, sources of viruses, spamming, etc.
This is purely InfoSec’s concern.
Subsequently, we can draw the following conclusions:
- InfoSec considers local as well as global interests, while the InfoSys approach focuses almost solely on local business interests.
- The same issues that are not considered problematic from InfoSys’ point of view could potentially present far-reaching problems for InfoSec.
Our vision: Our world is interconnected. Our security dependencies are interconnected. The age of local thinking (InfoSys) should come to an end.
Jacks of All Trades: The System Administrator and the Security Analyst
Another aspect of InfoSys influence on security matters comes through personnel management. The typical job requirements list for a system administrator contains a “laundry list” of operating systems, software, hardware, etc. We see a very similar “laundry list” approach in InfoSec hiring. This template comes from management’s lack of understanding of InfoSec and its unique needs. If a system administrator is extremely busy working on his assigned projects and fails to complete 10% of the tasks, it is, in all likelihood, not a severe problem. In fact, the majority of InfoSys administration tasks are not critical when it comes to possible business impact. However, if we take the same approach to security tasks, a 10% failure to complete is not acceptable. This is just like leaving your house with one in ten of its doors wide open. A 10% misconfigured firewall, or 10% of computers without a security upgrade when a new exploit is coming, could have a heavy impact on the business. A security job cannot be judged by the same criteria as an InfoSys job. Use of a “laundry list” is inappropriate. Hiring should focus on subject-matter professionals in the one or two major aspects important for the organization. If there is a need to cover more subjects, then another professional should be hired. When it comes to senior and leading positions, candidates should again be technically proficient in one or two areas (and thus potentially capable of navigating some other technical aspects) and certified by leading organizations like (ISC)2 to provide wide-spectrum expertise.
Our vision: Hiring security professionals by InfoSys rules is, at the least, unwise. The InfoSec job is all about security and cannot be treated, in either quantity or quality, as just an extension of the system administrator’s job function. Find a professional and educate him to your needs.
Management’s Technical Expertise
While some level of technical expertise is expected from someone in a high-level InfoSys management position, the primary focus is the business, not the technical side. The US government puts an MBA with strong communication and administrative skills as the major requirement for an InfoSys manager position. The government’s intention to avoid hard technical work and get by just by moving papers and money around is understandable. Having an MBA for this kind of job is definitely sufficient. However, InfoSec is a completely different story. Erroneous decision making based on a lack of technical expertise will have devastating consequences in security. A security manager should be a technical professional (see the previous section), well educated (MS or Ph.D.) and certified.
Our vision: Strong technical education and certification are required for InfoSec management. An MBA is not desirable.
On par with business management
There is a very popular opinion that InfoSec should always seek a good relationship, support and understanding from business management for its planned activity. Should the security of an organization, be it large or small, always depend on the limited technical expertise and understanding of security matters of a business manager? This is especially troubling today, when the complexity of both security systems and the threats they face can frequently be beyond the understanding of a manager with the very basic technical education covered in an MBA degree.
Today’s business can no longer divorce itself from or ignore security issues. Companies all over the world connect to the Internet in the normal course of doing business. The global economy is based on global access to resources. If the Internet is crippled, the global economy will suffer. While remaining largely insignificant from the business management point of view, a security event can pose a real threat to the company’s livelihood and to other businesses as well. Thus business and security, though they have different goals and means of activity, are tightly bound together and basically cannot be separated from each other.
Our vision: The goals of business and security have become equally important. Security serves business as business serves security. The dominance of business management, basically acceptable in InfoSys, leads to insecure decision making in InfoSec.
Conclusion
If we want our InfoSec to function, we need to forget about the currently prevalent InfoSys approach. Each InfoSec function should be carefully researched and weighed in light of its primary goal: to protect. It is no longer a business goal; it is instead a security goal. How do you decide how much to spend on the security of your company? Any amount justified by expert opinion and thorough research is not a waste if it goes toward building up your company’s security infrastructure and systems. A single InfoSec breach can incur hundreds of millions in losses or, in some cases, bring an entire company to its knees.
Business management must understand that the information environment has changed drastically compared to what it was 20, or even 10, years ago. We have vastly improved capabilities for sharing and transferring information, but at the same time we now face a large variety of new threats. Today it is not uncommon to see an old managerial structure fail to respond, sometimes with catastrophic results, to the ever-escalating number, complexity and strength of cyber attacks.
This new information environment requires new managerial structures and solutions.
We once tried to discuss, and still consider valuable, our idea of having two independent governing branches in each “good citizen” corporation. One branch is traditional business management (the Chief Executive Officer) and the other is security management, the Chief Security Officer (CSO). This idea might be viable: the US government has three complementary branches which, on balance, work well together, as evidenced by the history of our country. The responsibilities of the CSO should be extended to include not just InfoSec but financial security as well. We have seen a lot of financial misconduct in the last several years, and only an appropriate corporate governing structure, with an independent CSO and overall audit functions, can put a stop to this misconduct.
Born in Russia, 1974. Emigrated to the US in 1990. Graduated from Brandeis University with an MS in Computer Science. Co-founder of three Internet services corporations. Director of R&D in an Internet gaming software company. Co-author of articles published on the Internet and in professional magazines.