Friday, February 17, 2012

Cyber Security Panel Debate

Panel B: Cyber Security

Privacy and security are truly symbiotic, yet because each has its own focus and proponents, there is often contention. This esteemed panel of experts will work towards ending some of that conflict. We will begin with a simple question: What are the top 3 things that security experts can offer the privacy sector that have not yet been adopted or integrated? Why are they so important and how can they benefit the goals of privacy professionals? In a PowerPoint free setting, this issues-oriented panel is designed to be highly interactive, encouraging audience questions and spirited debate so attendees come away with new insights and approaches.

Moderator: Winn Schwartau, President, Interpact Inc. Author of Information Warfare, Cyber Shock, Time Based Security & Internet & Computer Ethics for Kids
1. John Engels, Group Product Manager, Enterprise Mobility Group, Symantec
2. Robert Dick, Director General, National Cyber Security Directorate
3. Steve Hutchens, Director, Global Government Industry, HP
4. Paul Laurent, Public Sector Director of Cybersecurity Strategy, Oracle Canada
5. Eddie Schwartz, Chief Security Officer, RSA

Our moderator starts with a position on the critical infrastructure interdependencies between nation states, and the related privacy issues.

Robert rebuts the moderator's proposal that the US invade Canada to protect power reserves with a reference to the 100th anniversary of the War of 1812.
Robert moves on to note the seriousness of command and control infrastructure and the protection thereof, in addition to the protection of Canadian citizens' privacy. The solution proposed is to not go it alone as a nation state, but to partner wisely to protect national security. Suspects are nation state actors as well as private criminal organisations, and failures to infrastructure that may be out of the direct control of Ottawa require clarity of communications between business and government, not draconian government actions. Debate on these topics to find collaborative opportunities is encouraged. We need to understand where the responsibility lines are drawn between public and private sectors for the protection against risk to all the infrastructures that support the functioning of our nation.

It is proposed that 70-80% of successful attacks can be defended against by proper infrastructure maintenance (patch management, security controls, audit, etc), but there is a small but vital percentage of very determined and well backed attackers where there is no easy defence, so we need a capable and prepared response.

John spoke to the risk of mobility to not just the PI of average citizens, but to those in positions of power and leadership in industry and government - consider the risk of the bad guys knowing where the PM's kids are or will be.
There is also a need to be able to manage and secure not only what information is taken, but what information leaks due to unaware consumers of mobile platforms using the technology improperly. Tools and applications are great, but awareness and education are core. John claims that as an industry we must be more advanced in how we manage mobile devices and the data that moves back and forth to them; an auto delete button at central control is great, but not an ideal solution for the consumer.

Steve brings a different perspective, and states that the soft part of IT security is around policy and must be kept in context of the need to use or populate that information in a crisis to maximise the well being of citizens. Understand who your customers and consumers are, and who might want to obtain that information, and why. Steve considers that this is at the root of risk analysis and management. Balance all of this with appropriate access to the information for the right people at the right time, and be prepared to do this with minimal interference in a critical situation. Steve cites the example of physicians bypassing network security for ease of access when working remotely from the site where the EMR systems are, and argues that our policies must bridge the need for access with the need for privacy. Steve proposed the concept of "secret shoppers" as employees who will share their feedback on the security of the operational infrastructure and the availability of the information they need.

Paul feels that data classification is the starting point of calculating risk, as you must know what you have before you determine how best to protect it. The extension nationally is how much effort we should place on critical infrastructure versus how much we protect the civil liberties of Canadians. Paul states that in the privacy discussion, the people involved should be outward facing, as public trust is at core.

Eddie has three points to share, to consider security from a perspective of control and visibility.
The first point is that security is broken. Investing more in technology doesn't really move the security level higher. The prevention game is a game of catch up, but detection and response is a far more useful place to invest. Step back and ask: what do I have today that was relevant 10 years ago, and what is relevant today? Rethink information security.
Second, if we think there are changes needed in the doctrine of security management, make them. How do we usefully measure our risk level? Almost all metrics available are arbitrary, and don't consider all assets at relative values to the organisation. Eddie cites the recent RSA breach, and asks what was the actual objective? What are your high value assets to you, to your customers, and to the attackers? What is your ability to collaborate outside your organisation in response and in preparation? What is your ability to take what you learn about an adversary or the value of your assets and apply that knowledge dynamically to improve your security stance?
This segues to the third: how do you evaluate your performance metrics? Rate yourself on your effectiveness and continue to move that bar. We can't have compliance be the driver for security and privacy programs; we have to get security right first.

The topic of graceful degradation was brought up by Winn: how much can we consider shooting back as a mechanism of protection? The answer proposed is layers and segregation as a defence concept. Adaptive networking defence is also brought up, but that comes at the risk of creating a DoS on yourself. The rush to shut down, re-image, and take other reactive actions is a risk to your business continuity; you need to understand the attack vector and respond accordingly to balance protection and service delivery. Paul brings up a really valid point, which is "what does normal look like?" as a necessary understanding of our own enterprises so that we can not only detect an information incident, but also understand its scope and impact and assess the correct response.

Location: 13th Privacy & Security Conference

1 comment:

Unknown said...

Nice summary of the panel.

I agree that we need to step back and figure things out from the beginning.

We sometimes get caught up in the how, instead of looking at the what.