On January 4th, Kroll, a worldwide risk consultancy firm headquartered in New York, released their “top 10 data security issues for 2011.” Two days later, we published Redspin’s “top 10 security issues for 2011.” (I promise, we didn’t read their version first!) So aside from the coincidence, it’s the differences between the two lists that really caught my eye. Maybe it’s an East Coast-West Coast thing. Or maybe they wear their Bruno Maglis a little tight, while we’re sporting Vibram FiveFingers. Perhaps it’s just a difference in perspective. Kroll, being risk consultants, created a list of potential data security risks. Redspin is in the business of providing security assessments which include findings and analysis. For us, a list of risk areas alone is incomplete without actionable recommendations.
In Kroll’s Top 10, they simply identify potential breach types. Number 2, for example, is theft of laptops, cell phones and even “low-tech” items such as paper files. Kroll’s #3 is lost devices. Their other breach concerns include sending private data (such as EHR) over networks and unintentional social media exposure. Kroll also discusses the risk of the regulatory environment tightening, particularly HIPAA/HITECH, in response to publicized breaches. To me, this is a little like saying “fire” is dangerous but the new fire safety laws might also hurt your business. At Redspin, our version might be “don’t play with matches, at least not around any sensitive data.”
Thus our Top 10 list looks quite different. We start by assuming sensitive information will be accessed, over wired and wireless connections, from all possible devices – desktops, laptops, iPads, Droids. As penetration testers, we know that our “assumption” is basically just the cold hard truth. Almost any networked computing device can be hacked, given enough time and resources. If you accept this premise, does it make any sense to still try to exert control over the device itself? Further, an increasing number of companies are deploying applications and storing data in the cloud. Wireless is nearly ubiquitous. Secure the perimeter? What perimeter?
So we say focus on the data. Quoting from the #1 issue on our list: “Ensure only people who need access are granted access. Understand where the data must be stored to support business processes and update your information security policies to include mobile devices.” If you get stuck on that last part, we offer a free mobile device security policy template on our new website at www.redspin.com. Our full Top 10 List is there too.
As technology use becomes more mobile and social, the line between personal and business use will continue to blur. My hunch is that Pandora’s inbox is already wide open. Social media is already a fertile ground for farming private data (and I don’t mean “Farmville.” Oh wait, maybe I do!). We strongly suggest that you “ensure that your policies clearly state what can and cannot be communicated through social media and train your employees appropriately.”
Which brings us to a 2011 New Year’s resolution that both Redspin and Kroll agree on. Train your people on privacy issues and information security awareness. In this regard, we offer social engineering testing. Our assessment determines how vulnerable you are to employee disclosure through insecure or shared password information, unapproved use of portable media, and even unauthorized physical access to premises (you should see us in our blue contractor uniforms and tool belts).
Lastly, it’s certainly wise to know where your potential breach areas are. It’s even better to have policies and controls in place that address them. But ultimately you need to test those policies and controls to see if they are working. That’s Redspin’s forte. In addition to social engineering, we offer a full suite of penetration testing services for your IT infrastructure (external and internal, including wireless) and web applications.
In conclusion, if politics makes strange bedfellows, I’d suggest network security guys and risk consultants just stop for an occasional drink at the bar. Most people think of penetration testers as “ethical” hackers. But you can also think of us as the policy-testing dudes.