Comment: With information security, you must regulate yourself

Calling company out on security breaches benefits every organization through increased awareness

A November 2009 episode of 60 Minutes portrayed recent serious internet security attacks that largely went unnoticed. Sections of Brazil’s electrical grid were shut down by hackers, the state government of Virginia was victimized by a cyber-extortion scheme, and even the command-and-control infrastructure of the US Department of Defense was breached by a foreign entity.

The scope of the threats makes your head spin.

Think of how many times a day you come into contact with the internet. You shop online, you check your bank balance, you look on your smart phone for traffic conditions, you stop at an ATM, you use an electrical device – and chances are, you are on the internet, albeit often indirectly.

Thinking about how often the internet shows up in our lives reveals that practically every industry, from utilities and financial institutions to health care and entertainment, is now an internet-enabled industry. That is the crux of the problem.

Internet security is a horizontal issue, but we regulate it vertically. Regulations from the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA) address specific industries (financial and health care, respectively), even if the threats those industries face apply to many others. The few vertical regulations, such as Sarbanes-Oxley (SOX) and PCI DSS, are narrow in scope and fail to address the broad nature of today’s wide-sweeping internet security threats.

Utilities, for instance, are critical for every single industry and all consumers, yet they have managed to run free without government-mandated internet security regulations.

Why More Regulation Won’t Work

The simple solution to this problem is more regulation. But with the money that industries will inevitably spend to torpedo new regulations, the solution isn’t as simple as it appears.

Moreover, regulations don’t solve everything. The FFIEC, for instance, offers guidance on things like authentication, but it doesn’t tell you exactly what to do; there are no tangible specifications. You still must make critical security decisions yourself.

Even if new regulations emerge, will they address each and every critical industry? Probably not, and even if they do, we need to act in the meantime. Waiting for someone else to solve the problem is an enormous risk.

If you’re in an unregulated industry, your IT staff is probably worried about other day-to-day concerns, such as application availability. But, they shouldn’t be. Every day that passes by without advanced internet security processes and systems in place is a day that you are at risk.

If your security is not up to par, today is the day to start shoring up your defenses and planning for the future. These five steps should help:

  1. Gain Network Visibility. How do you secure a network if you don’t know what’s on it? Are there unsecured wireless access points on the network? Are there servers in branch offices you didn’t know about? Is there a networked office device, such as a printer or fax, that could serve as an unlocked back door?
  2. Conduct Vulnerability Assessments. Every entry-level IT worker knows that you must patch your systems in order to shore up defenses. What’s often overlooked, though, is that a vulnerability assessment is just a starting point. A complete vulnerability management program correlates weaknesses with risks and helps you prioritize as you cope with patches, updates and even new equipment purchases.
  3. Establish Security Policies. Creating policies for such critical security issues as authentication, peripheral storage device usage, remote access, and guest and contractor rights are all critical. For instance, if you don’t have a policy that expires contractor accounts immediately after they finish their jobs, then you’re opening yourself up to outside attacks.
  4. Match Security Tools to Your Risks. While some risks are consistent across industries, others are not. For example, in information-heavy industries, IP theft is a major concern. In healthcare, patient confidentiality takes precedence. As you invest in new security tools, such as multifactor authentication, policy enforcement, data loss prevention or compliance management, make sure they meet your most pressing needs. In addition, ensure that these vendors offer regular security patches, especially if they are based on open source, to mitigate compliance-related risks.
  5. Make Security a Priority. For most organizations, security is a job given to a system administrator who has a dozen other tasks on his/her to-do list. If you have the same person worrying about application availability and security, then you should rethink your employees’ roles. Security is no longer a job that can fall halfway down the IT to-do list. If your organization is large enough to hire a dedicated security expert, then do it. If your organization is too small for that, then make sure security is part of the standard, daily IT workflow. Don’t allow it to fall through the cracks as IT puts out other fires.
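As an added example, not from the article or its author, here is a small audit for the contractor-account policy described in step 3: it flags enabled contractor accounts that have no expiry set, an expiry later than the contract end, or a contract that has already ended. The account fields (contract_end, expires_at) and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Account:
    username: str
    kind: str                     # "employee" or "contractor"
    enabled: bool
    contract_end: Optional[date]  # hypothetical HR field; None when not on record
    expires_at: Optional[date]    # hypothetical directory field; None = never expires

def audit_contractor_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, reason) pairs for enabled contractor accounts that violate
    the policy 'contractor accounts expire when the job ends'."""
    findings = []
    for a in accounts:
        if a.kind != "contractor" or not a.enabled:
            continue  # employees and already-disabled accounts are out of scope
        if a.contract_end is None:
            findings.append((a.username, "no contract end date on record"))
        elif a.contract_end < today:
            findings.append((a.username, "contract ended but account still enabled"))
        if a.expires_at is None:
            findings.append((a.username, "account has no expiry set"))
        elif a.contract_end is not None and a.expires_at > a.contract_end:
            findings.append((a.username, "account expiry is later than contract end"))
    return findings

# Constructed sample data; the audit date is fixed so the run is reproducible.
AUDIT_DATE = date(2009, 11, 20)
SAMPLE = [
    Account("jdoe", "employee", True, None, None),
    Account("c.alpha", "contractor", True, date(2009, 12, 31), date(2009, 12, 31)),  # compliant
    Account("c.beta", "contractor", True, date(2009, 10, 15), date(2010, 3, 1)),    # ended, expiry too late
    Account("c.gamma", "contractor", True, None, None),                             # nothing on record
    Account("c.delta", "contractor", False, date(2009, 9, 1), None),                # already disabled
]

if __name__ == "__main__":
    for user, reason in audit_contractor_accounts(SAMPLE, AUDIT_DATE):
        print(f"{user}: {reason}")
```

In practice the account list would come from the directory and the contract dates from HR; the point is that the two sources have to be correlated, since neither alone shows the gap.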

Bonus Step: Practice Full Disclosure

I didn’t include this with the top five because I’m being realistic. Few organizations will follow this advice, but they should.

Most major security incidents go unreported each year because organizations fear the embarrassment and bad publicity that disclosure would bring. Many individual states have tried to remedy this with breach-disclosure laws that apply when consumer information is compromised, but not all states have followed through, and this one category of breach isn’t the only kind of attack that should be disclosed to the public, or at least to the information security community.

Security breaches over a certain dollar amount – let’s say, $500K – or a certain risk threshold (which, granted, is harder to measure) should be reported, whether or not you are required to do so. If it has happened to you, then it will happen to someone else. Reporting the breach will help others develop defenses against a similar attack. The key here is to learn from history by studying someone else’s mistakes.


Morey Haber is VP of business development for eEye Digital Security, a provider of integrated vulnerability and compliance management solutions based in Irvine, California.
