Information Security and Business Management: The History and Reality of Misconceptions
Daniil M. Utin, MS, Mikhail A. Utin, Ph.D.
Preamble.
We published an article in Information Security Journal: A Global Perspective, 17:1 – 6, 2008, “General Misconceptions about Information Security Lead to Insecure World” [1]. We would like to return to its ideas and discuss them from a slightly different perspective, since the problems we identified are large in scope and cannot be addressed in a single article.
The evolution of Information Systems (InfoSys) and of information exchange opportunities caused the Dark Force to adopt and evolve its weapons, from simple boot sector viruses and cunning social engineering to botnets and the establishment of a Hacking Services Industry (HSI). The latter grows in parallel with the Information Security (InfoSec) industry and has its own research and development, services and information for sale and, as a result, profits measured in billions of dollars.
Continuous InfoSec failures in both government and commercial systems raise questions not just about mishandling, sloppiness, or incompetence, but also about whether the basic InfoSec concepts as we know them are in fact correct. We need to reevaluate the way we go about the security business as a whole.
We identified the problem as the use of InfoSys methods and principles of operation in a completely different business: InfoSec.
Being Reactive or Proactive?
We need to admit that HSI is always one step ahead of InfoSec, except when the FBI or international law enforcement authorities apprehend a few hackers. In general, InfoSec as we understand it is reactive by nature. It started its existence as a defensive system, fixing problems and finding a technology solution to new threats or overwhelming attacks.
Staying on the defensive means a disadvantageous position PR-wise. As a result, the battles are judged based on successful hacking attacks, and the fact that the majority of attacks fail due to defense is often overlooked.
Almost all current InfoSec technologies are defense-based, meaning “reactive”: firewalls, IDS/IPS, anti-malware measures, etc. What could be proactive in this case? For instance, anti-bot search software such as web robots that scan the Internet for botnets.
Such a “reactive” approach comes from InfoSys, which was, is, and will be a business-oriented set of naturally “reactive” services. InfoSec has its roots in InfoSys, and very often their roads cross. However, InfoSys and InfoSec are different. Thus, we need to move forward with completely different methods based on InfoSec needs. Otherwise, the battle will always be lost to a more proactive enemy.
There have been some attempts to develop methods of active defense, but the problem extends beyond technology. There is no legal basis for such active defense, and legal issues are expected to arise.
Our vision: Active InfoSec defense should be legally permitted in this country, and the rest of the world will follow. We need to utilize offensive methods in addition to defensive ones.
Separation of duties
Separation of duties is one of the basic security principles. The discussion of the managerial separation of InfoSys and InfoSec took quite a while before settling. A majority of security professionals agreed that the two services should be divided. However, each organization arbitrarily determines for itself what kind of division is better. Unfortunately, InfoSys management usually considers InfoSec a branch of InfoSys, with all the implications that follow. It is a very traditional point of view and, as we discussed above, it came from the early days of InfoSec.
Money also matters. A bigger budget means more power to control. The opinion of InfoSys management is that security is a “business-oriented service” and should stay bound to InfoSys. We, however, see InfoSec as a security service, not as a “business-oriented” one. It should be completely separated from InfoSys management, even if management claims that the organization cannot afford it. We think that if an organization has an InfoSys group, then it should have at least one InfoSec person who does not belong to that group.
There is a tendency in InfoSys that makes complete separation very urgent. We see that more and more, InfoSys is managed based on budget, not on technical or organizational needs. The major criterion is money. The outcome is global outsourcing, which frequently results in an inability to manage such outsourcing and the technology. We’ve seen multiple examples where an entire InfoSys has been outsourced to a services company, leaving only a small group of managers to handle the budget and the relationship between the organization and the contractor. Within a couple of years, this group realized that it did not have people with the expertise to understand where InfoSys should develop technically, what the possible solutions were, etc. They ended up blindly relying on the contractor, not knowing what the result should be. Extending such practice to InfoSec is extremely dangerous, regardless of what security services providers might tell you. You can very easily lose control of your organization’s security, depending only on what the provider says.
Our vision: InfoSec management should be completely organizationally independent from InfoSys management. The methods of InfoSys management are not aligned with InfoSec goals.
Why are we late?
Let’s discuss why InfoSec is frequently late in securing business assets. Basically, we are talking about the final result, not intermediate activities.
In our article [1] we discussed an interesting case where it took 60 days to change 60 blank administrator passwords on a government-controlled enterprise network. It was a typical security situation where a fast and easy fix was possible. However, it took 60 days instead of the couple of days it would have taken a system administrator to simply walk around the campus fixing passwords. Considering that all computers could be accessed by local personnel, it should not have taken more than a couple of hours.
Another interesting case came from one of the major US (as well as world) banks. A newly arrived security consultant needed a PC on the local network with certain access to network shared drives. It took two months (!) to finally get everything settled. The computer alone took one (!) month to set up. We see here a magic number, as two months is 60 or so days, as in the first case.
In both cases, security and general InfoSys requests went through a multi-level support structure. It possibly does not matter exactly which hierarchy was involved in each case. Everyone tends to act and react slowly unless it is an extreme emergency. So, our first example is a copycat of InfoSys request processing in InfoSec. We think that we should not have to explain the danger and consequences of having a blank password, and that such requests should be treated by InfoSec in a completely different way.
Our vision: A copycat approach to management structure and methods, for instance service request processing carried over from InfoSys to InfoSec, endangers business assets. As noted above, the methods of InfoSys management are not aligned with InfoSec’s goals. When it comes to security issues, the time of slow multi-level response must come to an end.
Local or global focus
In the world of InfoSys, a blank administrator password does not affect any business functions, business connections, or company image. InfoSys generally does not care what happens outside of its local perimeter. It does not even matter if the password never gets fixed.
In the world of InfoSec, a blank administrator password creates an obvious exposure, a completely open computer, and should be fixed as soon as possible. Compromised computers will definitely represent some danger to the outside world as bots, sources of viruses, spam, etc.
This is purely InfoSec’s concern.
Subsequently, we can draw the following conclusion:
- InfoSec considers local as well as global interests, while the InfoSys approach focuses almost solely on local business interests.
- The same issues that are not considered problematic from InfoSys’ point of view could potentially present far-reaching problems for InfoSec.
Our vision: Our world is interconnected. Our security dependencies are interconnected. The age of local thinking (InfoSys) should be coming to an end.
Jacks of All Trades: The System Administrator and the Security Analyst
Another aspect of InfoSys influence on security matters comes through personnel management. A typical job requirements list for a system administrator contains a “laundry list” of operating systems, software, hardware, etc. We see a very similar “laundry list” approach in InfoSec hiring. This identikit comes from management’s lack of understanding of InfoSec and its unique needs. If a system administrator is extremely busy working on his assigned projects and fails to complete 10% of the tasks, it is, in all likelihood, not a severe problem. In fact, the majority of InfoSys administration tasks are not critical when it comes to possible business impact. However, if we take the same approach to security tasks, a 10% failure to complete is not acceptable. This is just like leaving your house when one in ten of its doors is wide open. A firewall that is 10% misconfigured, or 10% of computers lacking a security update when a new exploit is coming, could have a heavy impact on the business. A security job cannot be judged by the same criteria as an InfoSys job. Use of a “laundry list” is inappropriate. Hiring should be focused on subject matter professionals in one or two major areas important for the organization. If there is a need to cover more subjects, then another professional should be hired. When it comes to senior and leading positions, candidates should again be technically proficient in one or two areas (thus potentially capable of navigating through some other technical aspects) and certified by leading organizations such as (ISC)2 to provide wide-spectrum expertise.
Our vision: Hiring security professionals by InfoSys rules is, at the least, unwise. The InfoSec job is all about security and cannot be treated, in either quantity or quality, as just an extension of a system administrator’s job function. Find a professional and educate them to your needs.
Management’s Technical Expertise
While some level of technical expertise is expected from someone in a high-level InfoSys management position, the primary focus is the business, not the technical side. The US government lists an MBA with strong communication and administrative skills as the major requirement for an InfoSys Manager position. The Government’s intention to avoid hard technical work and get by just by moving papers and money around is understandable. Having an MBA for this kind of job is definitely sufficient. However, InfoSec is a completely different story. Erroneous decision making based on a lack of technical expertise will have devastating consequences in security. A Security Manager should be a technical professional (see the previous section), well educated (MS or Ph.D.), and certified.
Our vision: Strong technical education and certification are required for InfoSec management. An MBA is not desirable.
On par with the business management
There is a very popular opinion that InfoSec should always seek a good relationship, support, and understanding from business management for its planned activities. Should the security of an organization, be it large or small, always depend on the limited technical expertise and understanding of security matters of a business manager? This is especially troubling today, when the complexity of both security systems and the threats they face can frequently be beyond the understanding of a manager with the very basic technical education covered in an MBA degree.
Today’s business can no longer divorce itself from or ignore security issues. Companies all over the world are connecting to the Internet in the normal course of doing business. The global economy is based on global access to resources. If the Internet is crippled, the global economy will suffer. While remaining largely insignificant from the business management point of view, a security event can pose a real threat to the company’s livelihood and to other businesses as well. Thus business and security, while having different goals and means of activity, are tightly bound together and basically cannot be separated from each other.
Our vision: The goals of business and security have become equally important. Security serves business just as business serves security. The dominance of business management, basically acceptable in InfoSys, leads to insecure decision making in InfoSec.
Conclusion
If we want our InfoSec to function, we need to forget about our currently prevalent InfoSys approach. Each InfoSec function should be carefully researched and weighed in light of its primary goal – to protect. It is no longer a business goal; it is instead a security goal. How do you decide how much to spend on the security of your company? Any amount justified by expert opinion and thorough research is not a waste if it goes toward building up your company’s security infrastructure and systems. A single InfoSec breach can incur hundreds of millions in losses or, in some cases, bring an entire company to its knees.
Business management must understand that the information environment has changed drastically compared to what it was 20, or even 10, years ago. We have vastly improved capabilities for sharing and transferring information, but at the same time we now face a large variety of new threats. Today, it is not uncommon to see an old managerial structure fail to respond, sometimes with catastrophic results, to an ever-escalating number, complexity, and strength of cyber attacks.
This new information environment requires new managerial structures and solutions.
We once tried to discuss, and still consider valuable, our idea of having two independent governing branches in each “good citizen” corporation. One branch is traditional business management (Chief Executive Officer) and the other is security management – the Chief Security Officer (CSO). This idea might be viable, as the US Government has three complementary branches which, on balance, work well together, as evidenced by the history of our country. The responsibilities of the CSO should be extended to include not just InfoSec but financial security as well. We’ve seen a lot of financial misconduct in the last several years, and only an appropriate corporate governing structure, with an independent CSO and overall audit functions, can put a stop to this misconduct.
Born in Russia, 1974. Emigrated to the US in 1990. Graduated from Brandeis University, MS in Computer Science. Co-founder of three Internet services corporations. Director of R&D in an Internet gaming software company. Co-author of articles published on the Internet and in professional magazines.