COMMENTARY

Data security: Why the usual solutions fall short

Shon Harris is a security consultant, founder of Logical Security and a former engineer at the Air Force’s information warfare unit.

With the current buzz around the WikiLeaks disclosures, the U.S. public seems amazed by the type and amount of sensitive information that is available to people who should not have access to it. Security professionals are not.

Traditional data security technologies are running to catch up with the explosion in data dissemination methods. Although data might be secured within a database, people need to use it to carry out operational tasks, which usually means putting the data into Word, Excel, presentation software, e-mail or some other format.

The data can be saved to a thumb drive, DVD, personal laptop or less secure workstation. Or it can be sent to a user’s home computer, disseminated via e-mail to a distribution list or printed. The original database security then becomes useless as that data is passed around in insecure formats via controlled and uncontrolled networks.

Most agencies have policies and standards that outline how sensitive data should be protected, but they are usually ignored and hardly ever enforced. But agencies' systems have passed security audits and met their compliance requirements, you might say, so aren’t they secure? Not even close.

In many cases, an agency can pass a Federal Information Security Management Act audit if it has people who can write great security policies and documentation. But that has no real bearing on what type of security controls are in place. Every agency has a firewall, but the real question is whether it is configured properly for that specific environment and the threats that agency faces. And that takes testing, not policy checklists.

Instead of releasing funds to agencies that simply pass audits and compliance tests, the Office of Management and Budget should evaluate statistics on incidents and successful compromises. If an agency experiences an unacceptable number of system or personnel compromises, it should fail its security audit, regardless of the other factors. OMB funding should be based on actual security, not just policy compliance.

Another challenge that government agencies face is identifying and retaining employees who have the necessary level of security knowledge and skills. The lack of trained security professionals is a huge gap in our national defense, which is why it is a line item in the Cybersecurity Act of 2010.

To work as a security professional in government, you need a clearance, which is expensive and time-consuming. And people can make much more money in the private sector. Rather than just issuing training mandates to agencies, the government should provide the necessary funding to hire and retain skilled employees.

Security professionals are not surprised by the WikiLeaks issues that the U.S. government is facing because the same type of information is leaked constantly, just not in the same headline-making way. Criminals and countries steal military and government secrets all the time. But they don’t want their activities known, so they work hard to stay under the radar.

WikiLeaks shines a bright light on the technological, policy, awareness, education and enforcement issues that must be properly dealt with if the nation is serious about protecting its classified information.

Reader comments

Mon, May 7, 2012

Disagree with John's comment. That is just one subset of security. Monitoring a baseline is what Retina scans do. The control is both a detective (if changed) and a conformity control. Pen testing is an effectiveness control and falls under the security improvement category. A good security management system should rely on four processes to manage: security planning, security assurance, security controls and security improvement.

Fri, Jan 28, 2011 John California

Current DoD security testing is something of a joke. So-called RETINA scans of a system are really just audits of the system's policy settings. We have to take down all of our defenses on our system in order for the IA teams to run their scans. A real test would try to attack our system using all known and even unpublished vulnerabilities with our defenses in place. Then we would have some idea how good our defenses are. These attacks should even include testing of our vulnerability to social engineering attacks (usually the biggest weakness in many systems).