Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 9: developing a more proactive layered defense approach

Posted in business and convergent technologies, social networking and business by Timothy Platt on March 28, 2013

This is my ninth installment in a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4, and its continuation page, postings 189 and following for Parts 5-8).

I began this series with a brief and selective discussion of our current primarily reactive approaches to information and cyber-security, and then moved from there to at least outline a possible avenue for moving towards more proactive systems that would more fully address current and emerging risk management needs. My goal for this posting is to in effect tie all of this together, with a more explicit discussion of layered and protectively overlapping and redundant security mechanisms and systems. And I at least begin any such discussion from the fundamentals and through construction of a basic conceptual framework, which I would at least generically outline as follows:

• Vulnerabilities and exploitation of them are always going to be a possibility, so it has to be assumed that with time, security breaches will occur, and for any information systems or cyber-security mechanism in place.
• So the goal of any effective systems-wide approach to security should be to block any successful intrusion through one defensive mechanism with the protective barrier of another that does not share any specific vulnerabilities with the now-failed mechanism that it is serving as back-up to.
• And when a layer breach does occur, a red flag warning should go out that this has happened, and any vulnerable networked computers or subsystems should be firewalled off to limit possible systems-wide exposure.
• This would, of course, be followed by a thorough damage assessment audit and review, and a best practices assessment and review for preventing a repeat occurrence, there or elsewhere in the overall system, of at least this type of breach and from this type of exploit,
• And hopefully at least with some generalization of the new protective coverage developed in response to this incident, beyond simply addressing this one now narrowly-identified vulnerability.
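
The framework in the list above, worked as an added example (not code from this post): a small Python model that checks whether layers backing each other up share a vulnerability and, when a layer is breached, raises the alert and selects the hosts to firewall off. The layer, component and host names are constructed for illustration.

```python
from itertools import combinations

# Constructed inventory (hypothetical names): each layer lists the components it
# depends on and the assets it protects.
LAYERS = {
    "perimeter_firewall": {"deps": {"fw_os"},       "assets": {"web01", "db01", "hr-laptop"}},
    "email_gateway_av":   {"deps": {"av_engine_x"}, "assets": {"hr-laptop", "kiosk01"}},
    "endpoint_av":        {"deps": {"av_engine_x"}, "assets": {"hr-laptop", "kiosk01", "web01"}},
    "disk_encryption":    {"deps": {"fde_agent"},   "assets": {"hr-laptop"}},
    "db_access_control":  {"deps": {"db_rbac"},     "assets": {"db01"}},
}

def common_mode_pairs(layers):
    """Layer pairs that back each other up on some asset yet share a dependency,
    so a single vulnerability defeats both."""
    findings = []
    for a, b in combinations(sorted(layers), 2):
        shared_deps = layers[a]["deps"] & layers[b]["deps"]
        shared_assets = layers[a]["assets"] & layers[b]["assets"]
        if shared_deps and shared_assets:
            findings.append((a, b, sorted(shared_deps), sorted(shared_assets)))
    return findings

def respond_to_breach(layers, breached_dep):
    """Treat every layer built on the breached component as failed, then split
    the affected assets into those still behind an independent layer and those
    with no layer left, which are the ones to firewall off."""
    failed = {name for name, l in layers.items() if breached_dep in l["deps"]}
    affected = set().union(*(layers[n]["assets"] for n in failed))
    still_covered, isolate = {}, []
    for asset in sorted(affected):
        survivors = sorted(n for n, l in layers.items()
                           if n not in failed and asset in l["assets"])
        if survivors:
            still_covered[asset] = survivors
        else:
            isolate.append(asset)
    return {"alert": bool(failed), "failed_layers": sorted(failed),
            "still_covered": still_covered, "isolate": isolate}

if __name__ == "__main__":
    for finding in common_mode_pairs(LAYERS):
        print("shared-vulnerability pair:", finding)
    print(respond_to_breach(LAYERS, "av_engine_x"))
```

In this constructed inventory the two antivirus layers fail together, so the one host that relied on them alone is the one selected for isolation, while hosts behind an independent layer are flagged but stay online.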

That, of course, only addresses one part of this overall problem. The outermost defensive layers would all be proactive, and the outermost of them would go outside of the computers and networks under protection, in identifying and tracking the sources of problems before they explicitly, directly strike. That is where social media-oriented threat identification and tracking, as discussed in this series, enters. The innermost defensive layers, which would come into play when unexpected and novel exploitations breach previously unidentified vulnerabilities, would of necessity be reactive:

• In limiting range of exposure and impact at the time of a security breach,
• In identifying and developing blocking responses to the threat sources in play there,
• And in understanding the nature and scope of the breach and of the attack that caused it so as to limit and remediate consequential damage.

So for example, if a breach were to expose personally identifiable information such as social security numbers or credit card information, it is vitally important that anyone so affected be identified, notified and protected from consequences of illicit use of their information for identity theft or credit card theft.

• Realistically, the goal here can never be to make security breaches and loss of information and computer systems control impossible. It has to be in making this much more difficult and much more quickly identifiable when it does happen, so the extent of exposure and vulnerability can be limited.
• In this, the goal should be to filter out all but the most disruptively new and innovative of attacks with proactive security systems, and with reactive approaches only actively engaged where necessary and as a last resort – never simply as the only resort where they quickly become overwhelmed.

I am going to end this posting with a final note in which I return to that most ubiquitous and vulnerable face to any information or computer-based information management and storage system: the human user and their actual day to day practices. I have already written in this series about how people take short-cuts and bypass security, even when they intellectually know that this creates real risks. Many, and in fact most, people do this right, but all it takes is one who does not, and a black hat hacker has a potential route in, ready to be exploited.

I am more specifically going to end this by considering one of the commonest and most significant generally encountered sources of loss of information control coming from that direction: where people with permissions and legitimate access to sensitive information lose control over it in their possession through carelessness – such as loss of that laptop computer left in plain sight on the front seat of their car when they park it to go into a store for a few minutes. No security system can eliminate carelessness, even when training is offered to all employees who have secure information access, and with refresher training to keep the message up-front for them. But it should always be possible to preemptively encrypt the hard drive of every work computer, desktop or laptop, for these employees, so even if that computer is stolen, its contents will have that layer of protection. USB ports on desktops can be blocked at the driver software level from accepting flash drives, to limit those employees taking this information home with them to work on, on their own computers. Protective layers can be added to cover for ill-considered human decision making and actions. And to cite one of many possible operational scenarios, if someone tries to access information on a laptop without signing in properly, that computer can be set up to seek out any nearby available wired or wireless router to phone home with a breach warning and its GPS location and IP address. And if this call-home app is installed as a “white hat worm”, that tracking capability can be spread to any other computers that this information is installed onto, revealing their locations too. There are almost always creative ways to reach out to the attacker and bring a security response directly to them, and what I suggest here is only one simple variation of a more generally applicable approach.

I am going to follow this posting with what as of now, at least, I see as the last entry of this series. I have been posting so far about reactive and proactive approaches to information and cyber-security, and about specific security mechanisms and processes and combining them into layered defenses. Making any of that work depends on knowing when and where security breaches actually take place on similar computer and information systems, and on what vulnerabilities and attack approaches have been identified. But businesses and individuals alike have been loath to share any information on when and how they have lost control of their computer systems and information resources, so next victims of a same vulnerability exploitation can find themselves viewing it as if it were new and novel. I am going to write in my next series installment about open sharing of this information and its pros and cons, and about building effective vulnerability and protective solution information into shared system owner resource systems. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
