Data Security; Are Your Company Assets Really Secure?

Is your data secure? Think again. Securing data is unlike any other corporate asset, and is likely the biggest challenge your company faces today. You may not see it, but almost all of your company's information is in digital form somewhere in the system. These assets are critical because they describe everything about you; your products, customers, strategies, finances, and your future. They might be in a database, protected by data-center security controls, but more often than not, these assets reside on desktops, laptops, home computers, and more importantly in email or on some form of mobile computing device. We have been counting on our firewall to provide protection, but it has been estimated that at least fifty percent of any given organization's information is in email, traveling through the insecure cyberspace of the Internet.

Digital Assets are Unique

Digital assets are unlike any other asset your company has. Their value exceeds just about any other asset your company owns. In their integral state they are worth everything to your company; however, with a few "tweaks" of the bits they are reduced to garbage. They fill volumes in your data center, yet can be stolen on a keychain or captured in the air. Unlike any other asset, they can be taken tonight, and you will still have them tomorrow. They are being created every day, yet they are almost impossible to dispose of, and you can erase them and they are still there. How can you be sure that your assets are really safe?

Understanding Physical Security Architectures

Physical assets have been secured for thousands of years, teaching us some important lessons. An effective security architecture uses three basic security control areas. Let's assume you want to create a secure home for your family; what would you do? Most of us started with the basics; doors, windows, locks, and perhaps a fence. Second, we rely on insurance, police protection, and we may have even purchased an attack dog or a personal firearm. Given these controls, you may have taken one more step to provide some type of alarm. Not trusting your ears to detect an intrusion, you might have installed door and window alarms, glass break sensors, or motion detection. You may have even joined the neighborhood watch program in your area. These are the controls everyone uses, and they are similar to the controls that have been used since the beginning of mankind.

Which is most important? Looking at the three categories of security controls used, the first consists of protective devices that keep people out; doors, windows, locks, and fences. Secondly, alarms notify us of a break-in. Finally we have a planned response control; the police, use of a firearm, or recovery through insurance. At first glance it may appear that the protective controls are the most important set of controls, but a closer look reveals that detection and response are actually more important. Consider your bank; every day the doors are open for business. This is true of just about every business, home, or transportation vehicle. Even the bank safe is generally open throughout the day. You can see it from the bank teller counter, but step over the line and you will find out how good their detection-response plan is.

Evaluating your Company's Approach

Now look at your digital assets; how are they protected? If you are like most organizations, your entire security strategy is built on protection controls. Almost every organization in America today has a firewall, but does not have the ability to detect and respond to unauthorized users. Here is a simple test; run a Spyware removal program on your system and see what comes up. In almost every case you will find software installed on your system that was not installed by an authorized user. In the past this has been an irritation; in the future, this will become the program that links uninvited guests to your data. Bruce Schneier, a well known security author and expert writes in his book, Secrets and Lies, "Most attacks and vulnerabilities are the result of bypassing prevention mechanisms". Threats are changing. The biggest threats likely to invade your systems will bypass traditional security measures. Phishing, spyware, remote access Trojans (RATS), and other malicious code attacks are not prevented by your firewall. Given this reality, a detection response strategy is essential.

It's time to review your security strategy. Start by asking three questions. First, which assets are critical to your business, where are they located, and who has access to them? Second, what threats exist? Determine who would want your data, how they might gain access, and where the possible weaknesses in your security architecture lie. Finally, how comfortable are you with your company's ability to detect and respond to unauthorized access. If someone wants access to your data, preventative measures alone won't stop them.

Begin planning a balanced security architecture. Start by adding detection controls to your prevention architecture. This does not mean simply adding intrusion prevention software (IPS), but rather creating a system to proactively monitor activity. Intruders make noise, just like in the physical world, and with proper event management, combined with zero-day defense technologies of IPS, network administrators can begin to understand what normal activity looks like and what anomalies might be signs of an attack. In a recent interview with Scott Paly, President and CEO of Global Data Guard, a Managed Services Security Provider (MSSP), Scott said, "Threats such as worms and new hacker techniques constantly morph, so the most viable model for optimum security is a blend of preventive and predictive controls based on analysis of network behavior over time". By balancing prevention, detection, and response, companies can defeat most of the latest hacker attempts.

David Stelzl, CISSP is the owner and founder of Stelzl Visionary Learning Concepts, Inc. providing keynotes, workshops, and professional coaching to technology resellers. David works with executive managers, sales people, and practice managers who are seeking to become market leaders in technology areas that include Information Security, Managed Services, Storage and Systems solutions, and Networking. Contact us at info@stelzl.us or visit http://www.stelzl.us to find out more.

'Special Report' Panel on Obama's National Security Team; Mumbai ... FOXNews - 14 hours ago BRET BAIER, GUEST HOST: President-elect Obama today rolling out his national security team. Among them, Hillary Clinton as secretary of state, Robert Gates ... Video: Obama Picks Gates, Clinton for Foreign Policy AssociatedPress Obama stresses diplomacy with new national security team Los Angeles Times National security in good hands Austin American-Statesman NewsOK.com - MarketWatch all 2,934 news articles

The Miami Herald

Energy, Security and the New Administration New York Times, United States - 15 hours ago “President-elect Barack Obama’s choice for national security adviser, retired Marine Gen. Jim Jones, is giving hope to energy companies that backed ... Obama names national security team including Clinton, Gates Dallas Morning News Obama Turns to Marine Jones to Harness Veteran Security Team Bloomberg Obama Selects Gen. James Jones for National Security Adviser ABC News Voice of America - CNN all 656 news articles

680 News

Obama Names Team to Face A Complex Security Picture Washington Post, United States - 19 hours ago President-elect Barack Obama announces his national security team, including naming Sen. Hillary Rodham Clinton as secretary of state. ... Obama announces Clinton, rest of national security team Newsday Obama's national security team Scripps News Obama taps Clinton, Gates for US 'new dawn' abroad The Associated Press Straits Times - Washington Post all 549 news articles

United Press International

A National Security Team That Looks Like the Nation Washington Post, United States - Dec 1, 2008 But the six folks nominated mirror the national security slates of the last three presidents in one key demographic: age. Obama appointed a record number of ... Choice for UN Backs Action Against Mass Killings New York Times Obama announces National Security team College News Obama Picks Muscular National Security Team, Including Former ... U.S. News & World Report Southern Maryland Online - Gather.com all 276 news articles

ABC News

Napolitano tasked with Homeland Security overhaul USA Today - Dec 1, 2008 At Homeland Security, Napolitano, 51, will be responsible for securing the nation's borders, ports and airports against terrorists, responding to natural ... Napolitano Poised for Top Homeland Security Post Government Technology Obama chooses Ariz. gov. for Homeland Security FOXNews Nominee Would Lead ID Program She Opposed New York Times SC Magazine US - Reuters all 1,055 news articles

Atheists want God out of Ky. homeland security The Associated Press - 10 hours ago (AP) — A group of atheists filed a lawsuit Tuesday seeking to remove part of a state anti-terrorism law that requires Kentucky's Office of Homeland Security ... Kentucky security law violates Constitution, says Reform leader Jewish Telegraphic Agency Atheists sue to get God out of homeland security WVLT Atheists sue to take God out of Kentucky terrorism law Columbus Ledger-Enquirer The Seeker - Chicago Tribune Blog all 95 news articles

Canada.com

Who Can Stop the Pirates? FOXNews - 8 hours ago If they start shooting… now you have an international incident," said Michael Lee, assistant vice president at Miami-based "non-lethal" security company ... UN Security Council Extends Anti-Piracy Measures off Somali Coast Voice of America UN Security Council supports anti-piracy mission Deutsche Welle Pirates don't like loud noises Salon The Associated Press - BBC News all 211 news articles

Xinhua

Tight security for Manmohan's visit to Bangalore Hindu, India - 1 hour ago "We have made foolproof security arrangements for the prime minister's visit. Additional forces are deployed at the two venues where Manmohan Singh will be ... Security Council to discuss global terrorism after Mumbai attacks Monsters and Critics.com Doubts surround introspective Singh's ability to reform security Financial Times India's security minister resigns in wake of attacks MarketWatch Xinhua - The News International all 792 news articles

NewsHour

Obama’s National Security Team Announcement New York Times, United States - Dec 1, 2008 The following is the prepared text of President-Elect Barack Obama’s National Security Team announcement as provided by the Obama team. ... Obama Names National Security Team Washington Post Obama names national security team Boston Globe Obama names Clinton Sec. State MSNBC NewsHour - New York Times all 87 news articles

Infonetics Research: Network security market up 4%; strong drivers ... MarketWatch - 10 hours ago Infonetics' latest report, Network Security Appliances and Software, shows that all world regions -- North America, Asia Pacific, EMEA, ...