Misconception No.3: Too Many People Assumptions

By Ed Adams


First, let’s agree that information security management is difficult. It is fraught with many unknowns and lots of empty promises from technology vendors pledging to solve your security woes.

These variables force you to make tough decisions, and often result in you extending inappropriate trust to your staff, employees, partners, and customers. For anyone who dealt with application performance issues circa 1998-2001, this is going to sound familiar.

View the Entire Series

The Five Most Common Misconceptions of Enterprise Security

Misconception No.1: Over-Relying on Network Defenses

Misconception No. 2: Believing the Hype of Technology and Tools

Misconception No.3: Too Many People Assumptions

Misconception No.4: Assuming Secure Software is Costly

Misconception No.5: The “Recency” Trap

If you want to comment on these or any other articles you see on CIO Update, we'd like to hear from you in our IT Management Forum. Thanks for reading.

- Allen Bernard, Managing Editor.


Information security is following a path very similar to the one application and network performance followed just a few short years ago, a time that already seems like a distant memory (I think I’m just blocking out the pain). It’s a difficult process: developers are not sure how to code or test for security, and management views it as part of their job and assumes they will figure it out, unaware that it is a specialized (and mostly new) skill set that needs investment and time to develop in their teams.

Meanwhile, hardware vendors are telling you to just throw some more iron or another appliance at the problem and you’ll be fine. Suddenly firewalls and IPS systems sound a lot like the network load balancing solutions of the late ’90s.

Faulty Senses

Organizations routinely fail to acknowledge their real exposure when it comes to information security. All too often, they assume their network or IT staff has adequately protected them because they’ve got the latest anti-virus or firewall installed and running.

This false sense of security is partly due to vendor misdirection and over-promising, but that’s only a small part of it. People want to believe their information systems are secure, but consumers with that false sense of security are largely ignorant of some of the most dangerous threats their systems face.

Specifically, they underestimate the dangers of insiders (both malicious and unintentional) and the sophistication of organized attacks on their information systems.

As much as I love compliance regulations because they keep the consulting world gainfully employed, too many CIOs have been duped into thinking that compliance means security. It does not.

Take the recent data breaches at Stop & Shop supermarkets. This company is a poster child for PCI DSS (the payment card industry’s data security standard). They are more secure than most companies I’ve worked with and yet they were still breached.

Much to their credit, they disclosed right away and cooperated with the proper local and federal authorities leading the investigation. (Incidentally, there was an arrest in this case just this week.)

The Stop & Shop incident was more of a physical security issue than a digital one, unlike TJX Companies, which made a series of people assumptions and got itself into a heap of trouble as a result.

First, TJX didn't have a CISO role (someone solely responsible for information security); organizationally, they do not place great importance on such a role. Further, TJX decided to hide the fact that they had incurred a loss of customer data instead of dealing with it directly and immediately.

These bad choices ultimately led to their CEO resigning and two class action lawsuits: one from their customers and one from the banks that issued the credit cards. I suspect an FTC (Federal Trade Commission) lawsuit is soon to follow.

Education and Inertia

Education is the next big people mistake organizations make. Not only are computer science graduates coming out of school with little or no information security know-how, but they are not getting security training on the job either. This is especially true with application security and development teams.

We have noticed over the past few years, working with our Fortune and Global 500 clients, that there is a huge demand for application security education, from risk management teams to audit teams. This is a very encouraging trend, but the majority of companies still believe they don’t need to educate their teams on information security.

Inertia is a huge culprit, too. There is always resistance to change, particularly when you are limited in time and budget, as most of us are. Money is always the biggest driver.

When making budget decisions, you also need to consider the risk of not making an investment. TJX might have been better served buying a web-application firewall to protect themselves against common SQL injection attacks instead of paying the bank of lawyers and incident response consultants who helped them make the decision to hide their security problems for years and break disclosure laws in the process.

Know Thy Enemy

We all know there are malicious users, and they have become more sophisticated and more anonymous. A disturbing trend is the organized, targeted attacks on specific companies.

You’ve undoubtedly heard about net-bots, or bots. These nasty little pieces of ingenuity enable anyone to completely outsource an attack on a certain company, with complete anonymity.

Insiders are a major threat, too, and often overlooked. We’re not just talking about hackers anymore as a risk to companies, but people within the company, malicious and innocent alike.

Who is an “insider,” you ask? Key employees who work inside your building are obvious, but what about telecommuters? Are they insiders just because they have login credentials and access to your network? Consultants? Temp workers? What about partners? If they are insiders, how much of an insider are they? Do they have access to all your strategies and pricing? Probably not. The line between insiders and outsiders is quite grey these days, and they are all a threat to your business.

The casual hackers aren’t the real threat. Many companies get uncomfortable with me saying so, but hackers actually help us! They trip land mines that are waiting to be exploited. You have much more control over your insider threat, so acknowledge it and act.

Insiders already have access to your systems and know where the crown jewels are. A recent study done by the FBI crime lab reported a staggering statistic: over 80% of all computer crime was committed by insiders.

Companies focus on hackers, but this is the wrong assumption. And they always forget it’s their crappy software that allows hackers to exploit them in the first place. Those same defects are there for your partners, employees, and consultants to exploit, too.

Troubling Case Studies

One client of mine is an organization in the manufacturing sector. This company has an extranet where partners bid on parts, submit quotations, and respond to proposals.

One partner was so paranoid about what their competitors were doing that they used a cross-site scripting defect in the extranet to escalate their rights to administrator level. Once they had uber-user privilege, they were able to view all bids and see exactly how competitors were pricing their products.

Another example involved a financial services company that outsourced its application development to a company in the Far East. This was a CMM level-5 company, which means it had a well-established and documented process.

This outsourcing company had a few malicious users on the payroll and they coded a back door in the application that was sent off to the client. This error was not caught immediately because the financial services company just did a cursory security scan as part of their acceptance testing.

They made the fatal people assumption that their outsourced vendor employed ethical staff and didn’t do any checks on either the employees or the code they wrote. The back door was simply a URL that went undocumented and could be triggered remotely.

Once the program was deployed, the malicious users were able to skim customer information such as account numbers, statement balances, and other data. The company that had deployed the system had no idea until its clients contacted it complaining of fraudulent charges. It was traced back to the embedded URL, but not until months later.
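As an added illustration of the acceptance check this case study calls for (example code, not the article’s own nor Security Innovation’s), the script below diffs the routes a delivered build actually serves against the routes its documentation declares, and then scans access-log lines for requests that match no documented route. All route names, paths and log lines are constructed for the example.

```python
"""Added example, not from the article: acceptance-test checks for the
undocumented-URL back door described above.  All routes and log lines are
constructed for the example."""
import re
from urllib.parse import urlsplit

# (method, path template) pairs declared in the vendor's delivered API docs.
DOCUMENTED_ROUTES = {
    ("POST", "/login"),
    ("GET", "/accounts/{id}"),
    ("GET", "/accounts/{id}/statements"),
}
# Routes actually registered in the deployed build (e.g. dumped from the web
# framework's route table); the extra one is the kind of back door described.
DEPLOYED_ROUTES = DOCUMENTED_ROUTES | {("GET", "/internal/export_all")}
# Constructed common-log-format lines; the third request hits that endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2007:10:00:01 +0000] "GET /accounts/1042 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2007:10:00:02 +0000] "GET /accounts/1042/statements HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Mar/2007:10:00:05 +0000] "GET /internal/export_all?fmt=csv HTTP/1.1" 200 98304',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def undocumented_routes(deployed, documented):
    """Build-time check: deployed (method, path) pairs absent from the docs."""
    return sorted(deployed - documented)


def _pattern_for(template):
    """Turn a template such as '/accounts/{id}' into a regex for concrete paths."""
    segments = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        segments.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(segments) + "/?$")


def unknown_endpoint_hits(log_lines, documented):
    """Run-time check: (method, path) of requests matching no documented route."""
    patterns = [(method, _pattern_for(path)) for method, path in documented]
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # malformed line: skip rather than silently trust it
        method = match.group("method")
        path = urlsplit(match.group("target")).path  # drop any query string
        if not any(method == m and pat.match(path) for m, pat in patterns):
            hits.append((method, path))
    return hits
```

The first check belongs in acceptance testing of any delivered build; the second turns the same documented route list into a standing log review so an undeclared endpoint is noticed on first use rather than months later.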

A company must be able to educate its employees on the risks facing it. That means training people to write applications securely, auditing outsourced functions for security holes, and providing training to everyone from your procurement team to your network IT staff.

Unfortunately, we can’t trust everyone implicitly. Background checks are useful, but securing your information systems from the inside out puts you in a position where you can’t be burned as easily.

Consider how to build checks and balances into your critical data flow to protect yourself from bad people assumptions. Practice threat modeling and brainstorm with your management team about possible abuse cases; you’ll be amazed at what they come up with (and how unprotected you might actually be!).

And if you ever hear your team say, “We don’t need any security training,” or “It can’t happen to us!” be afraid … be very afraid.

In the coming weeks look for more expanded articles from Ed Adams covering each of these themes: Over-relying on Network Defenses, Believing the Hype of Technology/Tools, Too Many People Assumptions, Assuming Secure Software is Costly, and Falling into the “Recency” Trap.

Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.