Information Security: How Can Companies Actively Protect Themselves?
I have long held the opinion that, in order to protect our information assets, sitting back and waiting for something to happen is a poor strategy to follow. After all, “The best defense is a good offense.” You can also feel free to include any other offense inspiring cliché that might fit there. How does a company go about actively protecting itself without breaking laws and putting themselves further into harm’s way?
It was my youthfulness that made me think that if an asset was attacked, then it was acceptable to retaliate in some way. That is to say, if you have the resources and knowledge to do it, regardless of who was attacking the asset, then go out there and retaliate, “eye for an eye” type stuff. This thought changed over time, as I came to realize that a hacker with malicious content has an ample amount of time to retaliate as a result, some refer to that as “spanking”. The inability to go on that type of offensive is really just a pipe dream since most corporations do not have the resources to even consider that, mostly because its illegal, nor would I really recommend it.
My thoughts never changed on the subject, however. I wondered, “Is there something we, as Information Security professionals could do?” Merely resigning yourself to assuming your assets are already compromised or that it’s only a matter of time is maddening.
Recently, I read an article by William Jackson that went into RSA Executive Chairman Art Coviello idea that Information Security should be jumping on the big data bandwagon. That is an interesting thought, and given RSA’s issues I can imagine why they would want to take some sort of proactive stance. The RSA issue I speak of was as a result of a phishing attack that resulted in a zero day vulnerability being installed on a RSA employee machine. This then allowed the attacker to steal user passwords and access sensitive data, which resulted in sensitive files getting spirited away.
Big data is a term that describes mass amounts of data that exceeds the capacity most conventional databases. If a company can manage to analyze mass quantities of data, they can pull out hugely valuable trends and insights. This is an interesting prospect for Information Security; many companies certainly gather a lot of data with the use of SIEMs and other security devices. Think of all the data that could be generated off of routers and switches; information flow, could be, and is endless.
How, though, do companies go about turning that data into, as Coviello says, “actionable intelligence”? For starters, it’s no surprised that corporations are tight lipped about data in general, and in turn won’t simply share security data. Let’s assume though, that by some miracle, companies figured out how to share data. The use of cloud computing, aka shared computing environment could certainly assist if the white hat InfoSec community talked more concerning useable data. The black hat community has already been sharing information for years and has been a huge reason as to why they have been winning the war.
Can we share data successfully across the private sector that could help protect ourselves? Do we have the ability to play well with each other and stop attacks that Google and RSA were victims to?
I remain optimistic that the InfoSec community will be able to pull together and function in such a way that benefits the whole. The private sector needs to, however, come up with something that works together and not have the government force a framework on it. There are a few organizations that provide a forum for the private sector to share information, these include; Infragard, OWASP and PCI Security Council. Although not on the level of information sharing we need to see, it’s definitely a step in the right direction.