Security Ripcord

Marked by Breach Disclosure

February 6th, 2009 cutaway Posted in Breaches, Data, Poll, Security, Web No Comments » 1,715 views

I stopped reading Jeremiah Grossman’s blog post Indirect Hard Losses to write this poll.  I am happy to see that people are showing their opinions to breaches through their wallets or the services they accept.  But should the customers be more forth coming?  Should companies have to mark on their web pages (all web pages that they provide to the public) that data in their possession was compromised?

This is a tricky situation.  In many states, persons who have abused children are required to disclose themselves to persons in their neighborhood.  We are also all aware of state or county run websites that display the name, offense, picture, and the last recorded address for these people.  Now, you might be thinking to yourself that this is a completely different situation and risk.  While I do admit that the situation is different I have to say that the level of risk could be considered similar.  If a victim of identity theft can go to jail because nobody will believe his story, I think the risks can be pretty high.  Also, although the risk of a sex offender is higher in cost to a community, company websites have the potential to affect a very large portion of the United States and even the international community.

Another argument against this is that the business is the victim of a crime and not the perpetrator.  I do admit that I understand and sympathize with this argument.  One way around this is to allow the business to provide information about the new protections that they have implemented to increase the security around the data they maintain (insert “mandatory information disclosure” argument here) and to provide a hot line to their support department.

So, without further ado, here is the poll.

Should companies that have experienced a data breach be required to disclose this fact on their websites?
View Results

Go forth and do good things,

Don C. Weber


Quit Complicating Our Controls

December 1st, 2007 cutaway Posted in Data, Firewalls, IDS, Management, Security 7 Comments » 2,204 views

After reading LonerVamp’s take on the application aware firewall, I started to wonder why people constantly want to consolidate their controls. This is not a new debate and DarkReading’s article Firewalls Ready for Evolutionary Shift is not ground breaking as the integration of firewalls and other security technologies has been bouncing around for years. Indeed, here we see Marcus J. Ranum talking about it on “Date: Fri, 29 Mar 2002 12:00:29 -0500″:

I suspect you are referring to “intrusion prevention” – which is a hot new marketing term but basically everything that’s being billed
as “intrusion prevention” is just firewalling + antivirus with a bit of fresh paint on it.

I’m willing to bet he has changed his tune a little bit since then but the evolution of firewalls with additional integrated controls has been going on since 2002 at least.

Of course I can see why people desire to integrate the technologies.

  • It is more cost effective to have two or more technologies on one piece of hardware.
  • You only have to manage one box.
  • The controls can augment each other more effectively and efficiently (according to the advertising on the box).
  • Firewalls usually represent a choke point to external and potentially hostile environments.
  • Vendors can market it as the Silver Bullet (no relation to Gary McGraw’s podcast) of controls.
  • “The next-generation firewall will have greater blocking and visibility into types of protocols,” says Greg Young, research vice president for Gartner.
  • etc

Well, I have a problem with all of this. Why are we making our controls more complex? Complexity leads to vulnerabilities. Vulnerabilities lead to exploits. Exploits lead to compromises. Compromises lead to loss.

Certainly, everything has vulnerabilities. But that is my problem with placing multiple controls on one system. Fine, if my firewall has a vulnerability then it can be bypassed and my organization is screwed until we can respond. But I would prefer that my firewall was not bypassed because of a vulnerability in another control like a protocol analyzer or an intrusion detection system. Oh wait, these will be newer technologies with better software development practices so there should not be any additional vulnerabilities that allow for exploitation of the system or bypass of the controls……RIGHT!!!!

Don’t get me wrong. I am all for developing new technologies that will allow organizations to analyze their traffic so that they get a better picture of what is traversing and exiting their networks. I just think they will be more effective if they are deployed so that they augment each other’s control measures instead of threatening them by increasing the risk through complexity. Controls should reduce risk, not increase it.

So, when considering how to protect your data please do not cut corners. Evaluate your data distribution and dissemination, consider your architecture, determine which controls will increase efficiency while increasing security, and then deploy those controls so that they augment each other effectively.

Go forth and do good things,
Cutaway

Technorati Tags , , , , , ,