tssci security

Gauging interest, CitySec -- Hartford, CT

Is anyone in the Hartford, Connecticut area between Boston and Manhattan interested in a CitySec meetup? I'm gauging interest for those located between the two cities (like myself). Anybody care to share a trip report for BeanSec or NYSec meetings?

Protecting data in use

Last week, I blogged about data classification and how difficult it is for many organizations to gain control of. The next day SearchSecurity published Data classification is first step in successful data protection, an article that addresses the need to classify data in order to secure it properly. The trouble is the enormous amount of data we create and getting a grip on all of it. I see companies begin new "data classification initiatives," and most have ended up failing within a couple of years, followed by a new "improved" initiative. We've also shifted from protecting the devices that hold our data to protecting the data itself. Classifying data helps in every respect towards our goal of information security.

The other day, LonerVamp asked: how are you protecting your data in use? In some business units, protecting data through digital rights management is a viable solution for enforcing restrictions, such as the number of times a document is viewed, when it expires, whether it can be printed, etc. It doesn't prevent someone from taking a screenshot or reciting its information, but what else is there to do (technically speaking)?

Vulnerabilities of low probability bring about devastating impact

(Continued from Consumerization of IT and state of the security industry and a reply to Low probability but a devastating impact.)

After lunch, we broke up into several groups and I headed to the discussion on "next generation threat analysis," which worked to identify vulnerabilities that have a low probability of being exploited but a huge impact on the business. Some of the vulnerabilities were very sensitive, so I'll be vague here -- sorry guys.

Corporate espionage and planting evidence were at the top of our lists, followed by sensitive unencrypted network traffic, SCADA, legacy applications and weak database security. Also included were sensitive information stored in clear text, ssh port forwarding and encrypted outbound channels. These are definitely not unique to one company -- I'm sure many companies worry about these exact vulnerabilities as well.

I've seen data classification (knowing what you have and where it is) come up in many discussions with folks at conferences and other meetings. It's definitely tough with so much data; you have to ask where to start, and usually you have no choice but to start classifying new data. Classifying existing petabytes of information is close to impossible!

Consumerization of IT and state of the security industry

Yesterday was a bit of a surprise for me: I met someone I never would have expected to meet, let alone to have as an actual co-worker. There were several talks today, focusing on the "consumerization" of IT, the state of the security industry from a Wall Street analyst's perspective, what makes up an effective infosec program, and how to sell security to management.

Consumer trends in the IT industry are scary from a security standpoint. Our customers will increasingly expect to use third-party (unsupported) systems and applications, and it is important we draw the line now. For example: work email and webmail, Skype and other WebEx-type software. Our customers ask why they should pay for email access when they have Gmail, or spend thousands per month on conference numbers. We are seeing a shift towards letting users have external IM, and we need to decide [quickly] how we are going to prevent intellectual property leakage through monitoring, encryption, etc.

On Wall Street, we see Symantec and McAfee losing ground to Microsoft and Cisco, who own much of the security space today. Companies are being bought up left and right while customers are shifting away from one company and towards another. It was interesting to hear opinions on some of the recent acquisitions and IPOs. Did you know there have only been two security IPOs in the past five years? GUID and FIRE.

The talk on what makes an effective infosec program had good data, but the information was conveyed poorly and made the presentation very dry. My eyes began to glaze over trying to take in the information (big words), and I soon started to daydream.

In my next blog post, I'll discuss what we thought were the vulnerabilities with a low probability of being exploited that would severely impact the business if they were successfully exploited.

Low probability but a devastating impact

I've been too busy to blog this week and haven't had any ideas for new topics. Tomorrow (Wednesday and Thursday) I'll be attending my company's internal security "conference" to discuss the issues and projects IT Security faces. I'm interning at this company, so I'll be all ears for the next two days, learning as much as I can before my start date on May 30th. One of the more interesting talks I look forward to seeing is on "Next Generation Threat Analysis," which will attempt to identify those areas of risk with low probability but devastating impact. I've been trying to think of some on my own and have come up dry (of course, my definition of high probability is someone else's low, and vice versa).

Anyone care to share their stories or opinions? Post a comment; I will definitely follow up on this post tomorrow night after attending the session.
