Risk Magic

Last week at the Research Board, I had the pleasure of sitting down to talk with Peter Tippett, a security guru who bucks common risk management wisdom and has made an enemy of many security folks who find his focus on being "practical" naive. He was both delightfully insightful and hilarious.

He offered many tidbits of wisdom.

For example, he talked about endpoint protection. Security best practices dictate that laptops, particularly ones carried by executives or other folks who might be carrying sensitive data, be protected with heavy-duty encryption. Tippett argues that this practice is silly.

In order for something bad to happen, ALL of the following must be true:

  • The individual must lose (by negligence or through theft) a laptop

  • The laptop must have information on it that could actually be used in some harmful way

  • The person who acquires the laptop (through whatever means) must desire to get data off of the laptop and not just sell the laptop for drug money, which is probably much more often the case.

  • The bad guy must have the ability to get through the basic security protection on the laptop

  • The bad guy then must have the ability to use that information in some hurtful way
What is the likelihood that even the first three of these things might happen, let alone the last two?

A good security professional will know the potential attacks and best defenses. An excellent security professional will temper the desire to "continually batten down the hatches" by considering the probability of successful attacks and planning accordingly.
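The "all of the following must be true" chain above is, in risk-analysis terms, a product of conditional probabilities, and the "planning accordingly" step is a comparison of the resulting expected loss against the cost of a control. The following is an added example, not code from the post or from Tippett: it models the five-link chain, computes an annual loss expectancy with and without full-disk encryption, and asks whether the control pays for itself. Every probability and dollar figure is a constructed placeholder, and the function names (`chain_probability`, `annual_loss_expectancy`, `control_is_justified`) are this example's own, chosen to match the post's reasoning rather than any standard library.

```python
from dataclasses import dataclass, replace
from typing import Sequence


@dataclass(frozen=True)
class Step:
    """One link in the chain of conditions that must all hold for harm to occur.

    `probability` is the chance this link holds *given that every earlier link
    already held*, so the links multiply (aggregate risk as in the post).
    """
    name: str
    probability: float


def chain_probability(steps: Sequence[Step]) -> float:
    """Probability that every link in the chain holds: the product of the steps."""
    p = 1.0
    for step in steps:
        if not 0.0 <= step.probability <= 1.0:
            raise ValueError(f"{step.name}: probability must be in [0, 1]")
        p *= step.probability
    return p


def annual_loss_expectancy(steps: Sequence[Step], impact: float) -> float:
    """Expected loss per laptop per year: chain probability times the loss if it all happens."""
    return chain_probability(steps) * impact


def risk_reduction(baseline: Sequence[Step], hardened: Sequence[Step], impact: float) -> float:
    """How much annual expected loss a control removes (baseline minus hardened)."""
    return annual_loss_expectancy(baseline, impact) - annual_loss_expectancy(hardened, impact)


def control_is_justified(baseline: Sequence[Step], hardened: Sequence[Step],
                         impact: float, annual_control_cost: float) -> bool:
    """A control is worth deploying when the loss it removes exceeds what it costs to run."""
    return risk_reduction(baseline, hardened, impact) > annual_control_cost


# Constructed sample values for one laptop over one year (placeholders, not data from the post).
BASELINE = (
    Step("laptop is lost or stolen this year", 0.05),
    Step("laptop holds data that could actually be used for harm", 0.80),
    Step("acquirer wants the data rather than just the hardware", 0.10),
    Step("acquirer gets past the basic protection on the laptop", 0.90),
    Step("acquirer can turn the data into actual harm", 0.50),
)

# Full-disk encryption only changes one link: getting past the protection becomes unlikely.
WITH_FDE = BASELINE[:3] + (replace(BASELINE[3], probability=0.02),) + BASELINE[4:]

IMPACT = 500_000.0  # constructed loss figure if the whole chain plays out


if __name__ == "__main__":
    for label, steps in (("no encryption", BASELINE), ("full-disk encryption", WITH_FDE)):
        print(f"{label:>22}: chain probability {chain_probability(steps):.6f}, "
              f"ALE ${annual_loss_expectancy(steps, IMPACT):,.2f} per laptop per year")
    for cost in (50.0, 1000.0):
        verdict = "justified" if control_is_justified(BASELINE, WITH_FDE, IMPACT, cost) else "not justified"
        print(f"encryption at ${cost:,.0f}/laptop/year: {verdict}")
```

Two things the numbers make visible that the prose does not: the chain probability is tiny even before encryption (the first three links alone discard most scenarios, which is Tippett's point), and the decision still turns on the control's cost against the impact, so a cheap control can be justified for a rare event while an expensive one is not.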

Peter was refreshing and fun.

4 comments:

  1. Thanks for the responses.

    Todd, you mention that a good security design is one where "the maximum amount of security is applied with minimal inconvenience to the user of your system."

    Had you asked me last year I would have said the same thing. I need to be careful here because we've assembled a highly competent security team at the Church and they're probably preparing to mutiny as they read this and I don't want to give them or anyone the impression that security isn't extremely important. Security is EXTREMELY important.

    The point Tippett makes is that you never want maximum security, even at a cheaper cost. You want enough security given the actual risk. And the risk is an amalgamation of real, practical things--not just theoretical ones.

    It's not enough to implement a control because someone, somewhere could do something if X, Y and Z happened. We must implement controls based on the likelihood that those things will actually happen.

  2. I generally have no problem with challenging paradigms. Perhaps Mr. Tippett offered other examples that seem more feasible, but this one on endpoint encryption could be thought out a little more. It is irresponsible to give a blanket statement that endpoint encryption is silly. Each situation/risk level is different, and in some cases it may be silly and in other cases it may be a "duh, of course!" I do not think that the probability of an event occurring (stolen laptop) should have greater weight than the residual risk (ID theft). The bank I work for considers ID theft due to lost/stolen equipment a high risk. Even though the likelihood of it happening is low, we still have a residual risk that needs to be addressed through some policy or procedure. My limited thinking could only alleviate the risk with encryption.

    Anyway, this discussion probably was not meant to address endpoint encryption, but new ways of thinking about risk. I would very much enjoy listening to the other ideas like this. Is the general public privy to discussions held by the Research Board, or at least your discussion with Mr. Tippett?

  3. Tippett is just arguing that encryption be used when appropriate and that in most cases, simple encryption is just fine. He goes so far as to advocate (gasp!) standard Microsoft encryption (for Windows, of course).

    I don't think he's either naive or "blithely ignoring reality." If you google him and read some of his papers, you'll find that he's very well grounded in hard data. However, he is certainly unorthodox.

    For example, he recognizes (as you intimate above) that most data and $$ theft occurs by insiders (about 70%, it turns out). Companies spend a disproportionate amount of time and money protecting against external threats when most abuses come from the inside.

    In the scenario above, encryption doesn't help. If the guy's got a weak password and someone wants the data on his machine (or in the data center, for that matter), it's theirs for the taking.

  4. Whoa! Adding 'aggregate risk' is only valid if each of the steps is valid. A couple thoughts on the points outlined by the Security Guru:

    * The individual must lose (by negligence or through theft) a laptop

    >> Yes. Not losing your laptop is a good security practice.

    * The laptop must have information on it that could actually be used in some harmful way

    >> Any employee who is carrying a work-related laptop is probably carrying it because they do sensitive processing on it. Credit card numbers, names of customers, a password list? Clues about the company's network system, personal details about the employee who owned the computer, hooks that would save a hacker all kinds of work. Trying to keep people from putting sensitive data on their computers is a good idea, where feasible. Expecting them to keep sensitive data off their computers and counting on that for any kind of security is a really bad idea.

    * The person who acquires the laptop (through whatever means) must desire to get data off of the laptop and not just sell the laptop for drug money, which is probably much more often the case.

    >> Here's where Security Guru falls off track. The threat comes not from the schmuck who found the laptop, but the guy who has put the word out that he's paying, no questions asked, for laptops. This is the guy who is absolutely going to meet all the rest of the threat criteria. The hotel maid is not a threat -- it's her cousin's friend, who will gladly pay $200 for that laptop.

    * The bad guy must have the ability to get through the basic security protection on the laptop
    * The bad guy then must have the ability to use that information in some hurtful way

    Windows built-in protection suddenly doesn't sound so appealing, does it? The free and open-source Truecrypt isn't such a bad trade-off.
