ISAlliance Targets Threats to IT Cybersecurity

July 7, 2009 by ADMIN

From The Internet Security Alliance

Learn More About the ISAlliance Here


What are the greatest problems your company (or industry sector if you prefer) perceives regarding cyber security?

* Increasing complexity and power of external threats that have the ability to target infrastructures and unleash an attack with simple, untraceable tools.

We must mitigate the ever-increasing ability of today’s cyber criminals to penetrate the current information security barriers, firewalls, etc. of industry and government organizations in order to gain access to the most sensitive and confidential private information stored in their databases.

* Combating the “Insider Threat”: To date, most of our efforts have been focused on external threats and not internal ones.

We need to reduce the risk of accidental, malicious or criminally funded access to confidential and private information by insiders such as employees, consultants or business partners, information that can then be used for extortion or other illegal purposes.

The threat posed by someone who has been deemed trustworthy and who has authorized access to critical systems, or by someone who goes rogue and intentionally or accidentally introduces malware into the systems or harms the systems or customers without our knowledge, is potentially more insidious than the outsider threat.

We need to develop a comprehensive and sustainable system to combat both.

* Getting the attention of board level management to focus on the risks faced by not having an effective information protection program in place and then convincing them to provide enough financial resources to pay for one.

* The Holy Grail would be to develop a single software or hardware solution that can be effectively deployed across multiple platforms and disparate databases commonly used in most commercial and governmental organizations throughout the world and to implement it as quickly as possible.

Until such time as that is practical, a full systems approach to cyber security is necessary.

What are the biggest obstacles you perceive for your company (or industry sector) in addressing the major problems related to cybersecurity?

The biggest obstacle is that many organizations’ personnel, in both the public and private sectors, are still not doing enough and are not even sufficiently educated to protect information at rest, in transmission or while being shared.

Awareness must be raised regarding the risks businesses, governments and individuals are taking every day by not taking the appropriate defensive actions.

Once this has been addressed, the next steps such as designing the best business processes to employ and selecting the best technical solutions to implement will be easier to accomplish.

However, the very nature of the Internet and related information systems makes the task immensely difficult to resolve with a single magic bullet. The complexity of the technologies in use today, coupled with ever-evolving threats, makes the steps needed to confront those threats very difficult to deploy across diverse infrastructures.

This reality argues not for a single all-encompassing simple solution but for a system of integrated and dynamically evolving solutions deployed in a comprehensive and sustainable fashion. Added to the dual obstacles of a lack of full appreciation of the threat and the complexity of the systems threatened is the huge distraction of compliance.

It is critical to appreciate that there is a difference between regulatory compliance and security.

Currently, many businesses spend so much time on compliance measures unrelated to the major current threat vectors that they fail to address the major, or even significant, threats we need to be focused on.

In a world where the vast majority of the information network is owned and operated by a diverse private sector, security issues cannot be properly addressed without accounting for their economic impacts.

If compliance regimes take money and resources away from real threats, these efforts are not contributing to solving the problem and may actually make things worse.

What can the US Government do to best assist you in improving your cyber security in the short term?

Government needs to share key intelligence and investigation results to give its partners in industry the needed insights that can be used to address the security threats we all face.

Government should create and sponsor programs whereby commercial and government organizations are made aware of the daily risks they are facing and the consequences of not taking the appropriate measures to protect the private information they are shepherding on behalf of their customers and citizens.

Government can embrace the security standards, practices and guidelines that have been shown to be effective in addressing and mitigating known threats.

To assist the private sector, government must provide incentives to organizations that take the steps necessary to effectively protect their data and systems.

Numerous programs to provide incentives for industry have been used in various sectors to stimulate private actions that have a public interest benefit. Incentives that have historically been used in other portions of the economy need to be adapted to the cybersecurity space.

In addition, government must immediately develop a long-term strategy to address cybersecurity and share it with the private sector.

It would be helpful for the private sector not only to know where we have to invest now, but also to be able to address, in a more efficient and systemic manner, future needs that the government is not yet planning to address.

Moreover, government can partner with industry much more effectively by engaging with us earlier and on a more equal basis to address each other’s unique as well as mutual needs.

What can the US Government do to best assist you in improving your cyber security in the long term?

Invest in research. Government funded research has always been the cornerstone of the Internet. There are aspects to the cyber security problem that simply do not have a business case for addressing.

This is the role government must fill and address.

This would include protocol research and specific research into products for secure identity management, encryption, etc. One approach might be to develop a modern identity management system to replace the old social security number system, which was never intended for its current broad usage.

The biggest threat to e-commerce is to trust, since once a nefarious character obtains key information, identities can be stolen or data can be manipulated.

For example, a social security number is not much of a secret, yet it is a meaningful number that someone can use for another purpose without your knowledge.

We need to develop a way to verify identity while not relying on anything except what is actually relevant to the person. If we could create a system that can’t be tied to you except where it is totally appropriate, that would be a major step ahead in security.

These are the kinds of things that will provide long-term protection against electronic theft while still maintaining privacy and security. Monitor the results that short-term solutions produce, and continue to educate both private and public organizations to increase awareness of the negative effects a data breach can cause.

If you had 5 minutes to discuss cyber security with President Obama what would you tell him?

The growing cyber threats are the single biggest thing to affect our economy, and perhaps our physical security long term, yet it is not being properly addressed.

The security of information is a fundamental aspect of modern civilization. Without it, or with it in weakened form, we may suffer irreparable damage that can be quickly and far too easily inflicted on a massive scale on individuals, government institutions and business.

Waiting for others to somehow solve such problems is no longer rational in that the problem worsens by the day. Business and government must act in concert to address this issue quickly and we must do so in a true partnership.

Government must first educate itself regarding the extent and the unique and historic nature of the cyber threat. Then an extensive awareness program can be launched; however, awareness alone will be insufficient.

Information security is a global issue for many of the same reasons as is our economy.

Both from the human perspective and that of technology, the United States can and should be the world leader in this matter. Impressive work, particularly in the area of personal privacy protection, is being accomplished around the world.

The United States has the resources and talent to focus effort and build consensus through international agreements, and it has the technology to bring information security issues back to a manageable form.

In conjunction with government agencies and leading industry consortia, programs can be launched and developed to bring about substantial international improvements in information security worldwide.

What is currently missing are the United States government programs and the necessary industry incentives that would raise the required support for the United States of America to seize the opportunity to become the international leader in information security.

The Internet Security Alliance stands ready, willing and capable to assist.

Download a complete copy of The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress.

The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators; in so doing, the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com