The latest big security breach to hit the news is an important reminder about a couple of key aspects of security. While few details are available as to the nature of the breach, some general security principles apply. Here are a couple that come to mind.
The existence of a security control is not the same as the effectiveness of a control
How Is Information About Me Kept Secure?
We protect information we collect about you by maintaining physical, electronic and procedural safeguards. All information is secure and may be accessed only by key staff members of Epsilon. We take reasonable precautions to protect your information both online and offline. Periodically, our employees are notified about the importance we place on privacy and security, and what they can do to ensure our clients’ information is protected. The servers on which we store data are kept in a secure environment.
Our experience is that these kinds of statements on a web site are more marketing than anything, whether detailed like Nasdaq’s or more general like Epsilon’s. In reality, an effective information security program is harder than words on a page or simply dropping in technology or controls. It is more of a culture, a lifestyle, a dedication to ideals that transcend lingo such as SSL, 128-bit encryption, intrusion detection system, firewall and multiple-layers-of-security.
An effective information security program takes a risk-based approach: management understands that resources are limited, so security efforts are focused on the most critical areas. That means not only implementing a security control, but also following up to verify that the control is configured and working effectively, and maintaining it so that its configuration remains effective in a world of evolving threats and dynamic corporate networks. That is a lot more commitment than acquiring technology and dropping it into your data center. A few examples of recurring security risks we see:
- We see many firewalls with ineffective rules because of subtle errors in their configuration.
- It is very common to see intrusion detection systems (IDS) that generate so many false-positive alerts that they are irrelevant, other than to supply jargon for a company’s website security statements.
- Web applications are widely insecure. There is so much complexity in a full-featured web application, and web developers are driven to release features on short time frames and limited budgets; what else would you expect?
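The firewall bullet above is the classic case of a control that exists but is not effective. As an added example (not from the original post, and not a real firewall parser), the following Python checks a simplified, constructed first-match ruleset for rules that an earlier rule with the opposite action makes unreachable, which is exactly how one over-broad line silently disables a deny rule; the rule model, addresses and the typo are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:  # constructed, simplified first-match rule model, not a real iptables parser
    action: str   # "ACCEPT" or "DROP"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: tuple  # inclusive (low, high) destination port range

def covers(earlier, later):
    """True if every packet `later` would match is already matched by `earlier`."""
    if earlier.proto not in ("any", later.proto):
        return False
    e_src, l_src = ipaddress.ip_network(earlier.src), ipaddress.ip_network(later.src)
    e_dst, l_dst = ipaddress.ip_network(earlier.dst), ipaddress.ip_network(later.dst)
    if e_src.version != l_src.version or e_dst.version != l_dst.version:
        return False  # subnet_of() refuses to compare IPv4 with IPv6
    return (l_src.subnet_of(e_src) and l_dst.subnet_of(e_dst)
            and earlier.dport[0] <= later.dport[0] <= later.dport[1] <= earlier.dport[1])

def shadowed_rules(rules):
    """(j, i) pairs: rule i can never fire because earlier rule j, with the
    opposite action, already matches everything rule i would match."""
    findings = []
    for i, later in enumerate(rules):
        for j in range(i):
            if rules[j].action != later.action and covers(rules[j], later):
                findings.append((j, i))
                break
    return findings

def first_match(rules, proto, src, dst, port):
    """Action taken for one packet under first-match semantics (implicit default deny)."""
    for r in rules:
        if (r.proto in ("any", proto) and r.dport[0] <= port <= r.dport[1]
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)):
            return r.action
    return "DROP"

# Constructed sample: rule 1 was meant to allow SMTP to one mail host (203.0.113.20:25) but
# was entered with the whole /24 and every port, so the DROP in rule 3 can never fire.
RULESET = [
    Rule("ACCEPT", "tcp", "0.0.0.0/0", "203.0.113.10/32", (443, 443)),   # public HTTPS
    Rule("ACCEPT", "tcp", "0.0.0.0/0", "203.0.113.0/24", (0, 65535)),    # the typo
    Rule("ACCEPT", "tcp", "192.0.2.0/24", "203.0.113.10/32", (22, 22)),  # admin SSH from corporate
    Rule("DROP", "tcp", "0.0.0.0/0", "203.0.113.10/32", (22, 22)),       # "no SSH from the Internet"
    Rule("DROP", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),           # default deny
]
```

Running `shadowed_rules(RULESET)` reports rule 3 as shadowed by rule 1, and `first_match` shows an Internet-sourced SSH packet to the web server being accepted; a rule audit that only confirms "firewall present" would never catch this.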
Time and time again, a key area of risk for an organization’s security is its vendors. Whether you are a healthcare organization, guided by HIPAA, and use the term Business Associate, or you are a financial services player and call it vendor management, or you call it anything else from outsourcing to a business partnership, these other organizations with which you do business create risk. That is not to say you should not work with other companies; it’s a requirement in business today. However, organizations do need to understand that these business relationships may create additional risk and need to ensure that those organizations have effective security controls.

That, of course, can be difficult. Most companies don’t have the resources to do their own audit of a vendor, though this is not uncommon. Another approach is to review the vendor’s security assessment, if they allow you to review it and if they even have one. However, reviewing a security assessment can also be a problem. As we noted above, it’s not the existence of a security control that matters but its effectiveness, and that is much harder to test. Many security assessments, whether completed in-house or by an objective third party, just identify that a control exists: firewall – yep, IDS – check, website with SSL – OK. While your ability to evaluate your vendor might be limited, you can at least attempt to review their security assessment. If you are not satisfied with that and you don’t have the resources to send in a team like Redspin to evaluate their security, you might send them a security questionnaire. For example, here is a Business Associate Security Questionnaire we created for our healthcare clients.
So while Chase is one of the biggest banks in the US and likely has the resources to build out a robust information security program, here it is notifying customers of a data breach anyway, all because of Epsilon, which likely had existing-but-ineffective security controls in place.