Establishing Digital Trust: Don't Sacrifice Security for Convenience
As 2005 comes to a close, what have we learned and implemented to assistus in managing our information security? And what does the future holdfor us who live and work in this information assurance space?
Let's start at the turn of the millennium: Almost six years ago, duringthis same time period, people all over the world were wondering if wewould technically survive the turning of the new century. Old Cobol andFortran programmers were called back to work, and many people rang in theNew Year staring at computer screens. And yet, nothing really happened.Was it because of the preparation for the event or would the computershave kept running without noticing a change in their date/time banks? I'mnot sure we ever will really know that answer.
Then in 2001, we had the terrorist attacks on the U.S. which shook theworld. And we learned our contingency plans and disaster recovery effortsrequired more than they had been covering. Our business continuity plansneeded to address more than fires in the building and updated backuptapes. They need to address business functions, hot/warm sites, andpersonnel.
A few years back, 2002 brought us Web Services, and all the securityissues that went with it. Then 2003 and 2004 introduced new securitythreats, such as spam and phishing. Identify theft through computers washuge, as were the SQL Slammer and MS Blaster worm attacks. Security typesworked hard to come up with new policies and regulations to try andaddress some of these issues.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
During 2005, did we embrace our information assurance policies andenforce the rules? Did our renewed contingency planning and disasterrecovery efforts help when disasters struck? Have we, as informationassurance professional, kept pace with technology, and those who would domalicious harm to our systems?
Here are some of the highlights so you can make your own informedopinions: Regulations, Polices and Standards -- The National Instituteof Standards and Technology (NIST) published many special publications.The documents addressed security controls and risk management. There wasan effort to coordinate policies from both the federal government and theDepartment of Defense. These guidelines are very helpful in assistinginformation assurance practitioners. We have the policies and proceduresfor great security. What is lacking is the enforcement of these policies.
Enforcement -- I believe we are still struggling with theenforcement issue in regard to information assurance policies. TheFederal Information Systems Management Act (FISMA) attempts to try andenforce good security practices, however, it has fallen short of theintent of the act. The Government Accountability Office (GAO) is publishingmore reports on agencies that have not correctly or thoroughlyimplemented security in their environments. This is one of those areaswhere the information assurance world will continue to struggle, but it'sabsolutely critical.
Technical Controls -- The information assurance arena hasmade great progress in developing and implementing technical controls intheir systems and networks. We have seen a progression from defensivefeatures to proactive features. Firewalls, intrusion detection systems(IDS), and DMZs now are automatically considered in networkarchitectures.
Continuity & Disaster Recovery -- This past year was one forcontinuity and disaster recovery planning. Hurricane Katrina proved thatin order to survive a disaster, prior planning must be done. Thosecompanies that had plans in place and had tested those plans, survived.We have seen natural disasters on the increase, as well as disasters thatare created and implemented by man. I know people who have endured ananthrax scare. Add to that the fact that the Center for Disease Controlhas advised large companies to have continuity plans in place as theyexpect an epidemic flu this year. Continuity planning must move frombeing system-based to enterprise levels, taking into account people andprocesses, as well as data. I believe we will see more disasters on alarger scale in the future.
I continue to be optimistic that information assurance will rise inimportance, and business management will understand why we need to havesecurity in our systems and networks. I also believe that as securityprofessionals we will figure out how to enforce our security policies andprocedures.
Most of all, I wish you all a safe and secure new year!