2005 taught both consumers and businesses a number of important lessons when it comes to security. Numerous published breaches resulted from insider abuse and from attacks by, or through, business partners.
Organizations now know the importance of having a secure network to protect not only against external threats such as hackers, worms and bots but also against insider and partner-originated threats such as disgruntled employees looking to hit the organization where it hurts: in the wallet.
However, one of the most important, and perhaps disheartening, lessons of the year was what and who you can trust: Can you click on that attachment from your employee? Can you trust Joe Smith in accounting with access to your customers’ sensitive information? Can you trust the security, policies, practices and people at your largest supplier, most important distributor, or business partner?
It goes beyond knowing that you are not being exploited. You need to know whether those in your circle of trust know about and adhere to your policies, practices, contracts and other compliance efforts and mandates.
To Know is to Trust
The first step in determining who you can trust is to have your own act together.
The primary goal of most regulations and compliance frameworks is to get you to understand your own organization’s risk and to take appropriate actions based on that risk.
Unfortunately, too many organizations look for a simple compliance check-list to follow. A check-list approach almost always leads to significant overspending, duplication of effort and wasted opportunities as well as leaving the organization unnecessarily exposed to common attacks.
A risk assessment is not a vulnerability scan. An appropriate risk assessment either focuses on your organization in the context of attacks of all types that succeed in the rest of the world (bottom-up), or defines your organization and its sensitive information from the top down.
In either case, the organization either follows a tailored risk-management program or builds one based on the results of the analysis.
One of the outcomes of such a risk analysis is the understanding of the risk that comes from your insiders, and from your trusted network of partners and customers: Who has access to your sensitive corporate information, and to your customers’ and partners’ sensitive information? Is this access an integral part of their job duties? Who actually needs this access to do their jobs?
One of the most common failures in approaching business partner risk is the failure to look at the data that is “there by accident.” Although common, it is completely unnecessary and extremely risky for someone with a legitimate need for sensitive information, like credit card numbers, to keep copies in buffers, special purpose software, intermediate systems, ancillary systems, old systems or long forgotten places.
It is also very common for individuals to make copies of sensitive information and then carry those copies with them in spreadsheets or other portable forms.
Not only should your internal policies and business partner contracts address issues like these, but you must also go out and look for them yourself.
The definition of your organization’s, your partners’, and your customers’ sensitive information followed by the discovery of these data “black holes” is the single most useful thing you can do to protect yourself from your circle of trust.
You should always identify the top three or top 10 most sensitive information types, and then look for instances of them throughout your trusted network. By looking both logically (e.g., “given our architecture, where would this kind of information likely be found where it is truly not needed…”) and by brute force (e.g., scanning numerous servers and systems for fragments of common sensitive information and sniffing for common sensitive information on important network pathways), you ensure that this information is exactly where you understand it to be.
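The brute-force search described above can be sketched for one information type, credit card numbers. This is an added example, not code from the article: the function names, the `expected_dirs` allow-list and the use of the Luhn checksum to filter out look-alike numbers are assumptions, and the sample data uses public test card numbers.

```python
import re
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: separates plausible card numbers from order IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits so the report is not itself a data copy."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return (offset, masked_number) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits

def scan_tree(root, expected_dirs=()):
    """Report card numbers found outside the places they are understood to live."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root).as_posix()
        expected = any(rel.startswith(d.rstrip("/") + "/") for d in expected_dirs)
        if not path.is_file() or expected:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:                     # unreadable file: skip, keep scanning
            continue
        findings.extend((rel, off, masked) for off, masked in find_pans(text))
    return findings

if __name__ == "__main__":
    # Constructed sample: one order number (fails Luhn) and one test card number.
    sample = "order 1234567890123456 card 4111-1111-1111-1111 ok"
    print(find_pans(sample))
```

Anything `scan_tree` reports is a copy sitting outside the systems listed in `expected_dirs`, which is the "there by accident" data the article describes.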
Once you have thoroughly explored your inside-out issues, you will need to understand your outside-in risk.
Evaluate all of the organization’s data and business relationships with both customers and trading partners: Who has access to your network and systems? Which data should each of these partners actually have access to?
Depending on your business practice, you may also need to more fully understand who your customers and business partners are. For example, the large data broker ChoicePoint identified fifty fraudulent companies that were created for the sole purpose of using information purchased from ChoicePoint for criminal purposes.
To understand what additional risk you incur by sharing sensitive information with “trusted others,” you need to appropriately evaluate your partners. Depending on your business, this might involve more detailed background, financial and other checks of your partners; for example, you might require your business partners to fill out a risk-oriented questionnaire.
You might also want to test their security, processes, procedures, people and policies, or request evidence that a reputable organization has recently evaluated these criteria.
For example, organizations with very large partner networks, like Visa and MasterCard, have created world-wide programs based on focused standards like the Payment Card Industry (PCI) data security standard.
Other organizations build specific programs, questionnaires, surveys, site visits, or specialized scanning techniques to assess their partners. Other methodologies include requiring a third party assessment using industry standards like ISO 17799, vertical standards like HIPAA, or general-purpose audits as a baseline.
Embracing regulations or mandates set forth by either the government or other organizations is also a key aspect of keeping the circle of trust alive and well.
Rather than rebelling against the current compliance-driven environment, you should seek to embrace these standards. By conducting a thorough risk assessment, and building policies based on the results, you will not only satisfy the needs of myriad regulations and other drivers, but you will also reduce compliance costs and efforts, thus reducing your organization’s actual risk.
Peter Tippett is CTO of Cybertrust and chief scientist for ICSA Labs, a division of Cybertrust. He specializes in the utilization of large-scale risk models and research to create pragmatic, corporate-wide security programs.