The other day I was watching the National Geographic channel, learning how Philadelphia's SEPTA transit network is managed and maintained. The trains use an overhead power source that requires regular maintenance. On top of this, there are incidents that occur which the authorities must respond to. Each out-of-service carriage costs the network, and appropriate procedures are followed to ensure the safety of the passengers.
I enjoyed the episode and, being a security professional, could quickly relate it to the similar processes and controls in IT Security. The major difference was that the impact, or the experience, is not as visual. Workers bringing down a power line to change a section of electrical cable and impacting the line during BAU is a more tangible experience to the viewer than a 0-day patch being applied to a web server that ends up affecting the business. The former is easier to explain too, and the risks are more tangible, i.e. carriage damage or financial loss due to delays or line failure, or in the worst case loss of lives. Talking about the risks of a compromise or malware outbreak and eventual data loss due to CVE-2010-1423 or CVE-2009-4324, as used in the Eleonore exploit kit, will probably not have the same impact.
Visibility is the key here - of the assets and of the risks. Most organisations clearly struggle to identify and classify their data assets as the business grows, and the related risks are blurred or suppressed by business objectives. The patching process is a clear victim here: it usually becomes secondary and takes a back seat in order to support the business. Obviously, offense is easier, more exciting and more rewarding (to the malware authors) than defense.
PCI-DSS has succeeded to an extent in identifying the asset and listing requirements to protect it. I'm not sure patching is as simple as requirements 6.1 and 6.2 lead us to believe. I have seen businesses struggle in this area and slip past the nets of QSAs to remain exposed.
Bits are not as exciting; if only I could colour my data red and green and see it going across the network! Cut the cable and see the red drip. I would like to see more innovation happen at the application level, where the data is created. Why doesn't MS-Word or Excel ask me to mark or classify my data? It may be as simple as red and green. Surely this model has to change. Maybe the customer is not asking for such functionality, or it isn't being asked for enough. There is DLP and then there is Web DLP. Organisations try to cap data leaks from ports on the devices but miss the big port, i.e. the Internet.