Have you ever thought to yourself: “If only they would build some kind of IDS or something that really works! A little box I could plug into my network that would tell me when someone was doing something they weren’t supposed to do. Then I could just kick back, and let technology secure my data. I wouldn’t have to worry at all!” Do you really think that is true?
During World War II, the Germans thought that their Enigma code machines couldn’t possibly be compromised. After all, the Enigma was the epitome of high tech, years ahead of its time! They thought that their advanced technology would keep their data entirely safe. They were sure they didn’t need to worry. Were they right? No! Not only was the Enigma compromised, it was compromised in short order by a combination of espionage, clever cognition and (yes) technology. If this instance of German reliance on high technology didn’t cost them the war outright, it certainly made the war much shorter and cost the lives of thousands of German troops.
In the early 1960s, the United States Military thought they no longer needed to mount guns on their new F-4 Phantom fighter. After all, the F-4 had new, high-tech air-to-air missiles like the Sidewinder and Sparrow! The Military thought no enemy would be able to get close enough to use their guns. They thought that aerial dogfights were a thing of the past! Were they right? No! The enemy was able to exploit tactical errors and circumstance and get in too close for the vaunted high-tech missiles to work! This instance of over-reliance on high technology caused the death of American pilots and the loss of expensive aircraft!
In the 1980s and ’90s, the CIA thought that there was very little need for human intelligence sources anymore. Why put agents on the ground when you can see what other countries are doing from space using high-tech satellites and hear what they are planning using high-tech electronic surveillance and code-breaking equipment? The CIA thought they could save money and avoid putting their agents in danger by relying on these high-tech solutions. Were they right? No! During the lead-up to the current war in Iraq, the CIA found that all the high-resolution photographs and electronic intercepts they had told them next to nothing about the state of the Iraqi nuclear and biological programs. Without agents on the ground, the CIA was forced to rely on intelligence from such shaky sources as Saddam Hussein’s own son-in-law and the few agents that other countries like Germany and Great Britain were able to recruit. The CIA concluded that Iraq had advanced weapons programs and that the U.S. and her allies were in imminent danger of attack. Were they right? No! The CIA’s over-reliance on high technology and their failure to recruit human agents in the Gulf region helped lead to a full-scale war in Iraq that has cost the lives of thousands!
Much the same thing is happening today with distributed computer information systems. Organizations think that better firewalls and intrusion detection systems are the answer. Are they right?
Twenty years ago the Internet was just starting to grow. Personal computers were getting more powerful, faster and more useful every day. Lots of software was appearing that made almost every business task easier to accomplish and keep track of. Businesses were able to streamline their operations and get a lot more work done with a lot fewer people. Everything was becoming more user-friendly. Prices were down and profits were up!
Then the crackers started to appear. Information started to disappear! Computers suddenly stopped working! Data began getting corrupted and changed! Confidentiality was lost! Businesses and government agencies began to panic.
What was the problem? Why was this happening? Well, the main problem was that the Internet and the transmission protocols it is based on were designed for the free and easy interchange of information, not security. And by the time people began to realize the importance of security, it was too late. The Internet was in place and being used by millions of people and thousands of businesses. People were unwilling to just scrap the whole thing and start over again from scratch! And there were other problems. The fact that the most widely used operating systems in the world are based on secret source code is a good example. Clever people can always reverse engineer operating code and expose its weaknesses.
So we are stuck with using an information technology system that cannot be reliably secured. And it cannot be reliably secured largely because of a technological flaw. So why would we think that technology alone could solve this problem?! It can’t.
What government agencies and business organizations are coming to realize now is the need for a renewed emphasis on the application of operational and managerial security techniques to accompany their technology-based information security systems. A good example of this is the requirement by the FFIEC and the other financial agencies that financial institutions must use something more than single-factor authentication techniques (user name and password) to protect high-risk transactions taking place over the Internet. Did they come right out and demand financial institutions use technology-based (and expensive!) solutions such as tokens or biometrics? No! The Agencies happily, and I think wisely, left the particular solution up to each organization. They simply required that financial institutions protect their customer information adequately according to the findings of risk assessments, and they left plenty of room for financial institutions to apply layered operational and managerial security techniques to accomplish the task instead of once again relying solely on high tech.
And despite the insecurity and frustration this lack of clear guidance initially causes organizations, I think ultimately it will help them in establishing tighter, cheaper and more reliable information security programs. If financial institutions and businesses want to get off the merry-go-round of having to buy new IT equipment for security reasons seemingly every day, they are going to have to bite the bullet and do the security things that everyone hates to do. They are going to have to make sure that all personnel, not just the IT admins, know their security duties and apply them religiously. They are going to have to track the security of customer information through each step of their operations and ensure that security is applied at every juncture. They are going to have to classify and encrypt their data appropriately. They are going to have to lock up CDs and documents. They are going to have to apply oversight and double checks on seemingly everything! And everything will need to be written down.
At first this will all be a mess! Mistakes will be made! Time and money will be wasted! Tempers will flare! But the good thing is that once everyone in the organization gets the “security mind-set”, it will all get easier and better.
The fact is that once an information security program is fully developed and integrated, and all the bugs are worked out, it actually becomes easy to maintain. Personnel apply their security training without even thinking about it. Operating procedures and incident response plans are all written down and everyone knows how to get at them. And when personnel or equipment changes occur, they integrate smoothly into the system. Panic is virtually eliminated! And almost all of this is provided by the application of operational and managerial security techniques. In other words, policies and procedures.
So when your organization gets that required risk assessment done, and when you develop your required incident response and business continuity plans, don’t just let them sit in the filing cabinet! Use them, and actually start applying them to your business. It will give your organization a head start on what is almost surely going to be a requirement in the future, and could save you some money in the process!