Rugged is —
- Knowing the exposure possibilities (internal or external)*
- Examining various impact levels
- Identifying sensitivity levels
- Establishing trust levels
- Reducing exposure level
- Exposure is the degree of physical or logical (digital) access to people, information or computer systems.
- Universality: One concept emerging from the revolution of the last 10 years is Universality and Immediacy: we are able to connect to 1,999,999,999 other people virtually instantly. They can connect to us, to our computer, to our data without us knowing it. This has never before in the history of humanity been possible. We simply don’t know how to deal with the scope of access and communication this vast or …
- Immediacy: …that fast. Communication is virtually instantaneous and can be addictive. Online relationships can develop to startling intensity within days or weeks. Huge amounts of information can be stolen in fractions of a second.
- Anonymity — sitting alone behind a computer screen does not provide the face-to-face feedback of reading body language, tonal inflection or facial expressions that temper or change face-to-face communication. This has led to email “flaming”, brutal “cyber bullying”, an explosion of sexual exploitation, and other abuses that were not as intense or widespread pre-Internet. Offenders can never come face to face with the victims they exploit. It is much easier to commit an offense or crime without personal contact.
Attack Surface — is an old military term. Shields and armor were used in ancient times to reduce the amount of body surface exposed to enemy swords. The attack surface of a house is the number of easy ways a thief can gain entrance. Attack surface in software development is related to the amount of running code, privilege and anonymous code paths. The Microsoft Attack Surface Analyzer can be used to evaluate code. On a network, the attack surface is open ports, running services, interfaces, SQL attacks and more. For people, it is the quantity of people with access and the number that fall prey to social engineering schemes. Another way to reduce attack surface is restricting the ability to write or change files in a folder. A third way is encrypting data in a folder so that nobody but the person with the encryption key can decrypt it to read it. The more we restrict what we have to protect, and apply the protection as close to the data as possible, the safer it will be.
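To make the folder case concrete, here is an added example (not part of the original article) that measures a folder's write attack surface as the set of files and subfolders that someone other than the owner may change, then removes that access. It assumes POSIX permission bits (Linux or macOS); the folder layout and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

WRITE_BITS = ((stat.S_IWGRP, "group"), (stat.S_IWOTH, "other"))


def write_exposure(root):
    """Map each path under root to the non-owner classes that may write to it."""
    exposed = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a link's own mode bits are not what gets enforced
            who = [label for bit, label in WRITE_BITS if mode & bit]
            if who:
                exposed[path] = who
    return exposed


def restrict_to_owner(root):
    """Clear group/other write bits on every exposed path; return how many changed."""
    paths = list(write_exposure(root))
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return len(paths)


def demo():
    """Build a constructed sample folder, measure it, tighten it, measure again."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)  # anyone may add or delete files here
        samples = {os.path.join(shared, "payroll.csv"): 0o664,
                   os.path.join(root, "notes.txt"): 0o600}
        for path, mode in samples.items():
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)
        before = sorted(os.path.relpath(p, root) for p in write_exposure(root))
        changed = restrict_to_owner(root)
        return before, changed, len(write_exposure(root))


if __name__ == "__main__":
    print(demo())
```

Run `write_exposure` on its own first to review what would change; a shared folder that people legitimately write to will need a narrower rule than owner-only.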
Impact — along with estimating the attack surface or the likelihood of an event, a good understanding of the consequences of the event occurring is needed.
Online relationships — Most parents are not yet aware of the extreme importance and impact social media have on their children. If early Web 2.0 was about e-commerce, it is now all about exposure to online relationships and communication through new media like Facebook, Twitter, Flickr and others. Parents and those who did not grow up with new media should learn enough to understand what their children are doing online. Would a parent give a child keys to a car without lessons? Yet most allow children unrestricted Internet access without understanding the extent of exposure to cyberbullying by their peers, pedophiles, online fraud or identity thieves. Parents can ask children for help as an excuse for engaging in conversation with children; give them a chance to show off how much they know and what they can do. Social norms for digital communication have not yet been established and disseminated throughout the population. There is no Emily Post of Internet Etiquette! Parents and teachers don’t have their own experience to draw from to teach positive and safe digital communication behavior. It’s all just too new! So we have to find existing practices we are already familiar with and expand them to the Internet.
Internet safety should not be totally alien. It helps to build on concepts of safety that we already have and expand them to the new digital frontier. A good practical and immediately useful analogy for these principles can be found at ISECOM’s Home Security Vacation Guide.
Exposure: Internal/External — Traditionally, the focus in protecting computers has been on external threats. However, with the advance of infiltration techniques, the ease of using phishing and other browser-based techniques to get inside a protected network means we cannot rely as much as previously thought on perimeter protection from external threats. Still, in most organizations as well as homes, the greater threat is internal. Those with the most access to the data on a computer are the greatest threat to it! To best protect against either internal or external threats, the best solution is to protect exactly what has to be protected: data and information.
Sensitivity — Ideally, the best solution would be to identify the most important, sensitive, irreplaceable (or too time-consuming to replace) data and only spend money on protecting that small percentage of data. At least one major university does that. They have few perimeter defenses since the purpose of a university is exchange of knowledge, information and data. However, they also have top secret government research and the same PII data all businesses have, that they are obligated to protect. At least one major university has developed sophisticated algorithms that monitor the traffic patterns on their network closely. The algorithms sense anomalous patterns, which over time they have matched with various types of intrusions or malicious activity. They can then go directly to the compromised computer and deal with the problem. Feel free to explore the pros and cons of this approach by commenting below. Obviously, this isn’t an option for home computers or small businesses, but it is an interesting idea and a good illustration of having to know exactly what data you have to protect and where it is, either at rest on a hard drive somewhere or in digital transit to an appropriate person or computer.
Trust — One of the biggest problems either in real life (physical) or on a computer system (logical) is deciding whom to trust. There are no good relationships in either without trust. In relationships as in computer security, the goal is to make the right information available to the right person at the right time. With people, we learn to associate a person’s name with their face and come to trust we know who that person is. That’s fine for the few hundred people we have in a social circle. But when there are 1000 people in a moderately sized business, that becomes a problem of a different magnitude. With 2 billion people on the Internet it becomes an enormous problem. Either at home or at work, each individual should have his or her own account, especially on a shared computer, and use a password that only that one person knows. Those accounts should only have “user” access, not “administrative” access. Limiting accounts to “user” access is an extra layer of security that prevents much malware (malicious software) from being installed.
According to the Internet Crime Complaint Center (IC3) 2010 annual report, Identity Theft is the #1 crime nationwide, in 2010 even surpassing drug trafficking because people’s unsecured PII provides an easy target (attack surface).
Exposure in the Cloud — numerous large companies outsource maintenance of customer email lists to outsiders. The Epsilon breach in April 2011 exposed the email lists of hundreds of companies’ email subscribers. The prevalent corporate attitude seems to be that consumers don’t care if their information is breached. Until consumers start caring, and contacting legislators, personal data will continue to be exposed without consequence. This is an example of when risk doesn’t work — when nobody is accountable.
The Open Security Foundation is made up of employees and volunteers who search for data breaches current and past. They also use Freedom of Information Act (FOIA) requests to states requesting the breach documents states receive (this varies by state, dependent on state legislation).
Several companies publish annual reports summarizing the recent trends they’ve seen. The 2011 Verizon Data Breach Investigation Report, prepared by the Verizon risk team with their own data and data from US Secret Service investigations, is one of the largest and most interesting. It’s about 74 pages long and well worth reading.