The Cyber Security Casino: Betting with House Money

Thursday, December 15, 2011

Kelly Colgan


By Ondrej Krehel, Identity Theft 911

You can’t opt out of real life. Yet often that’s what a lot of cyber security advice sounds like.

It’s true that social networks are a hotbed for malware, hackers and spam. But staying off Facebook — for some people in certain industries — could have real-world repercussions.

Signing up for an online service, participating in an Internet auction, enrolling in a rewards program: it’s almost like playing in a casino. Which is going to lose your data tomorrow? Picking online companies we do business with is almost like placing a bet.

And just like in a casino, there is little a consumer can do to hedge his bets. The house controls the table. That is, the security manager controls the risk.

imageA recent Verizon data breach report pointed out that of 381 breaches investigated, only five were due to un-patched vulnerabilities.

Keeping up with patches, as Dark Reading pointed out, is the “fundamental component” of most IT security programs.

This is the finger in the hole of a leaking dam. When IT teams discover how hackers break into a system, the teams race to “patch” the digital entry point.

I’ve worked closely with dozens of topflight IT security professionals, and this is the bulk of their work. It’s the proverbial camera system in the casino ceiling. One hundred percent of the focus is on vulnerabilities and the means to patch them.

So I agree wholeheartedly with the Verizon report, which emphasizes “balanced priorities.” But that begs the question, What are the priorities?

Good security posture, as I see it, is divided into three equal parts: fortifying vulnerabilities, identifying threats and implementing good data practices:

  • Fortifying vulnerabilities is what IT departments already do well, as I mentioned above.
  • Identifying threats is an offensive tactic. It’s a close monitoring of the system at hand and the cyber news media. It’s easier to be protective when you understand what kinds of hackers, criminal, or nation states are after your system’s data. Know how to handle toxic data.
  • Implementing good data practices is how employees engage system data, from credential management, to software logs. For developers, this includes incorporating a privacy-by-design philosophy. Adjusting to and establishing this new holistic approach takes a team of professionals: data privacy experts, risk managers, cyber security technicians, legal counsel and a data breach response team — all under umbrella and governance of executive management.

As a consumer, you have to trust that the house is moving in a more comprehensive direction with its security practices. As the house, you owe it to your consumers to keep them safe. In the end, it’s the best way to keep them at the table.

To shun this approach is to mettle with the primary forces of the Internet, Mr. Beale. The hackers won’t have it. They’ll take millions out of your business and put nothing back in. It is ebb and flow, tidal gravity. It is the new cyber ecological balance.

image Ondrej Krehel, Chief Information Security Officer, Identity Theft 911 Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

Possibly Related Articles:
Information Security
Data Loss Prevention Cyber Security Network Security Attack Vector Critical Patch Updates Fortification
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.