Thursday, December 14, 2006

Allow Me To Geek Out For A Moment

My day job is in Information Security. Normally, I don't talk so much about that here. I get more than enough of that topic during work and with my off-hours research.

That being said, I would like to address an article that was linked in one of the myriad security-related mailing lists I belong to. The article in question is by Greg Meckbach in IT Business, titled "There are only two IT network security issues."

Just from the title alone I could see I was going to have issues with this article. Some of the points are valid, such as the fact that physical security is not the domain of Information Security. Except that he talks about IT managers, not specifically about Information Security (which is an entirely different beast). What follows is a post I sent to the security mailing list I got the link from. I have changed it somewhat, due to the fact that I am grammar impaired and I have had more time to think on this topic. However, the primary point I was trying to make is unaltered.

I agree with some of what Mr. Meckbach said, but a couple of statements he made struck me as wrong (or perhaps mislabelled).
If a criminal could steal something as a result of hacking into a network, that again is a management problem. It's the manager's job to make sure sensitive information is not stored on accessible drives.

Wouldn't this fall under the category of "spying", which he specifically names as one of the two concerns?

Anyway, what does he recommend "management" do? (And which management? Operations, IT, HR?) Reduce the distribution of sensitive business information to sneaker-net? Create a secondary network, which would require multiple NICs and custom configuration to guarantee that one network cannot see the other (and even then, compromise a single dual-homed host and that separation is useless)? Or require users to have a separate workstation for each isolated network?
The fifth issue - compliance with securities regulations - is supposedly one of the security problems with instant messaging, because some IM programs do not have an archiving capability, which would allow investigators to check every record of an employee's correspondence.

While this may be a problem, it's not a security problem. Letting employees communicate, without monitoring that communication, is the business manager's problem, not the IT manager's problem.
Mr. Meckbach seems to be confusing IT management with Information Security. Yes, the decision to archive and monitor IM may ultimately be an executive-level decision, but the implementation is most definitely the communications group's responsibility (which would fall under IT). The actual risk assessment, and the use of mitigating controls in an attempt to proactively prevent or limit the type of information transmitted over IM, is without a doubt an IS concern.

For any business that is concerned about these things, risk assessment is a major part of the security framework, and a company's Information Security team plays a large part in risk assessment and mitigation. IS's primary function is to allow the business to conduct its day-to-day operations with as little risk as is practical. IS involves more than just securing a network and its attached hosts.

Information Security is about information. While the majority of IS does involve technological systems and solutions, it also involves things like standards and practices, security policies, compliance, and risk assessment. I have seen the attitude expressed in this article before, but usually it comes from people who don't seem to understand that security is not an end unto itself. It is the means by which a company can conduct its business with relative safety.

While I do believe a line has to be drawn somewhere (unless we want to drown in unnecessary work), Mr. Meckbach seems to have too strict a definition of what IS should encompass.