Going global with new regulatory shift
In February 2002, California enacted SB-1386, a law requiring companies to disclose security breaches affecting the privacy of their customers. Although other, distantly similar conditions existed in EU privacy laws and with GLBA in the US reaching back to the late '90s, few predicted that SB-1386 would become the catalyst for the massive wave of breach notification laws we see today.
Is a paradigm shift on the horizon?
Of the many security axioms out there, "Protect, Detect, and Respond" is one that not only permeates many forms of security beyond IT, but one I think summarizes the basics of security quite well. Nevertheless, when played against the history of IT security we can see a cascading of focus moving across this spectrum; are we heading for a future of "respond" focus – are we already there?
Acknowledgement Cyber is a resource and what that truly means
It's interesting to have watched the concept of cyberwar develop over the years. I recall giving a number of speeches on cyberwar back in 2000 and 2001 where most of the audience concluded I was simply nuts. The concept that a war could occur in cyberspace eluded most and virtually everyone balked at my suggestion that it will manifest physically. Given the digitally infused nature of how many societies function and have evolved, it was always obvious, at least to me, that issues in cyberspace would have implications in the physical world and the two would eventually become inseparable. With the rash of cyber policies emerging from governments, the recent report that the Pentagon has noted that computer sabotage coming from another country can constitute an act of war is, for me, completely expected, and I'm certain this policy has been in place for quite some time and we're just getting wind of it now – and not for our benefit, but rather for the benefit of our "enemies".
The information security bubble
I don't think I'm that old, but I was a young working man at the birth of the Internet. Actually, I remember the birth of the PC. In fact, it seems like just yesterday. I recall the four or five Apple II computers that showed up one day at school and I immediately started writing programs in Applesoft BASIC to make the computer do what I wanted – a geek in the making I guess. Today, I have more power and capability in my TV remote control thanks to Moore's law. As a society we're infatuated with technical progress, but the problems we face in information security are in many ways rooted in our misinterpretation of the assumed alignment of technical advancement and the advancement of security.
Technology infused revolution, or human evolution
Recent events in Egypt, and the not too distant unrest we're seeing in Tunisia, have highlighted certain aspects about the Internet from a social, cultural, technical, and geopolitical perspective that I think are worth touching on. Moreover, it is certainly interesting to watch the world's reaction and even the broadening margins forming between various camps, whether they are communities or countries. I thought I'd try to tackle some of the moving parts – at least from my tiny perspective.
A different spin on TSA
I'm a patriot. I've traveled around the world and experienced some great cultures, met truly wonderful people, thoroughly enjoyed the diversity this tiny planet has to offer, and learned a lot about different countries. Nevertheless, my favorite part of travel is coming home. Despite all our flaws and the great experiences I've had overseas, I do love America. However, there is something quite uneasy about what I'm seeing occur in the name of security in this country.
It’s a leap of faith
In the last post I talked briefly about the difference between looking for what is wrong as opposed to looking for what is right. In short, an overly simplistic representation of the difference between security and fraud. Fraud exists in many areas of the business, and as such I expect it to find its way into IT security. During this period we'll see point solutions as the demand increases and as more technology is developed. But if we look way out in front of us we can see this as the beginning of a monumental shift.
Looking for what is wrong, and missing the value in knowing what is right
In the last post I talked about the trends in the identity and access management space in looking at what is normal. Given the change in threats and most having to accept the risk of more sophisticated attacks, it's inevitable that more and more attacks will appear as acceptable behavior on the surface, while in reality slowly siphoning our valuable assets. But knowing what IS normal and detecting fraud is not something easily done – if you want to be truly effective. Moreover, if performed, it's a fundamental shift in a security strategy.
What is normal?
In the last post I talked about threats. The community of threats is growing and there is a substantial increase in the number of sophisticated threats that have historically represented acceptable risks. Unfortunately, despite the increase in probability and impact, organizations are still forced to accept expanding risk because the costs to address them are greater and there's not a lot of technology available that is keeping pace. As a result, we must acknowledge they are among us and we need to look more closely at what is normal – hence increasing focus on fraud.
It’s really all about the threats
I started with the attempted separation of security and fraud in the first post, expressing that security consists of controls that seek to protect assets from an endless sea of threats. Although traditional threats are increasing in number and impact, there is also an alarming increase in highly sophisticated threats that launch attacks in a manner that makes typical security controls less effective. Threats essentially are operating in a way that challenges normal expectations.
Three books in a decade
Formally published just over a week ago, my new book, "Adaptive Security Management Architecture" hit the shelves and there are already ways to get early discounts. I'm excited about this book for a number of reasons and I thought I'd share a little insight to those who may be interested.
Do we really need to be fraud experts, what does the future hold, and how are we getting there?
As I've said many times, if you boil security down it can be defined as the controls we use to protect assets from threats. However, it's become more than that. More than compliance and getting a grip on vulnerabilities, because threats have changed – their tools, tactics, and organization. It's more about fraud than security these days and I think this is worth elaborating upon.
Possibly the smartest security M&A in history or just dumb luck
When EMC acquired RSA I said nearly the same thing to anyone who would listen – either EMC made a very smart move or was oblivious to what they had just done and completely missed the point. Well, frankly, the jury is still out on EMC and RSA for me. They're doing pretty cool stuff, but not to the degree I had foreseen for them. Now, we have Intel acquiring McAfee, oh my. Friends, this is a serious game-changing event, or a monumental cluster that will kill McAfee and cause serious injury to Intel taking years to recover. I think the former.
What have we done to ourselves?
I'm all for advancements in technology – it helps us stay connected, empowers us, and opens our eyes to opportunities. Advancements in technology have been deeply intertwined with human evolution. From stone weapons, farming tools, transportation, industrial revolution, communication, healthcare, space exploration, and the Internet; you name anything significant in human history and it can be related to some form of technical development. However, throughout history there have been gives and takes with each milestone – there are winners and losers, two sides of the technical advancement coin, some parts in-step and some parts fall behind. Today, security is falling behind... the loser.
The hidden security challenge
Smart Grid (SG) is, in a word: complex; and complexity is security's nemesis. The greater the diversity of systems, devices, and their interactions, the greater the spectrum of potential error, gaps, and avenues of attack, and more importantly the potential impact of a security breach. SG is anything but a greenfield scenario and represents the convergence of everything from cutting edge technologies and internetworking to vast legacy systems and processes.