Know your current assets
Chris Schwartzbauer, VP of development and customer operations at Shavlik Technologies LLC, said senior management had been lulled into thinking security was under control because it had spent so much money on security products.
"They have bought the latest and greatest products because they're cool, but they don't look at what the technology is doing for them. They cobble together pieces and pieces, but that doesn't mean it will all work as a complete system," he said.
Schwartzbauer added that companies spend their time chasing threats and plugging holes rather than trying to be proactive in their approach. "Our problems are being compounded. Applications are becoming more complex, and therefore more vulnerable. Virtualisation allows us to run multiple operating systems. And in the third quarter of 2008, there were more vulnerabilities published for non-Windows systems than Windows systems," he said.
Criminals are looking to exploit those other vulnerabilities that may occur in Adobe Acrobat, iTunes, Firefox and other non-Microsoft environments.
His answer is to return to basics, and for organisations to get control over what assets they have, and apply proper policies. "You need to discover your assets to know what inventory you have on each machine -- operating systems, accounts, permissions, services and applications. If you don't know what's out there, then you'll never know how vulnerable you are," he said.
Automation of compliance and risk management
Building on the theme of automation, Ed Cooper, vice president of marketing for Skybox Security Inc., outlined the problem of trying to keep compliant with regulations as systems and networks become increasingly complex. He described the situation as "a perfect storm" where IT is too complex, and companies have too few resources to manage the technology effectively.
"When Patch Tuesday comes, some companies spend a week deciding what to do and what vulnerabilities to prioritise," he said. "It is very labour-intensive, and decisions tend to be subjective and based on educated guesses."
Cooper advocated an automated approach -- called automated risk and compliance management -- which applies business intelligence techniques to security, pulling in information from devices on the network and then using BI-type tools to analyse and present the results.
He added that BI tools also allowed companies to model changes in the security architecture and assess the impact of changes. "We have seen layers of security build up over time to tackle different threats. Much of this could be cut by using automation," he said.
Focus on data classification policies
As Parsons pointed out, the government takes a risk-based approach to classifying data against four levels of security, from "Top Secret" (a danger to the state if disclosed) down to "Restricted" (an embarrassment).
Paul Simmonds, CISO for AstraZeneca Plc and a board member of the Jericho Forum, suggested that even a three-level traffic-light model (red, yellow and green), as recommended by the G8 group of industrialised countries, can be effective -- and is certainly better than nothing.
The importance of knowing what data you want to guard is increased with the growing collaboration between organisations and the sharing of information with partners and sub-contractors. Simmonds said the Jericho Forum has developed a lot of guidance for companies on how to best build a collaboration-oriented architecture, all of which is downloadable from the Jericho website. "You have to architect for this [collaboration]," he said. "It is radically different from what you did before. For the first time in 25 years of information security, the sticking-plaster solution will not work. You need to go back to first principles. It is why the Jericho Forum was formed. Network-based security controls have had their day."
He said it is essential to tell people in an organisation how you expect them to handle data and give them a simple classification scheme. "If it's not simple, they won't use it," he said.
Who watches the IT department?
Several speakers identified the IT department as a potential weak spot for security, with poor separation of duties, and many staff having privileged access rights, all with the same sysadmin identity. As David Hobson, CEO of distributor Global Secure Systems Corp., said: "This is IT's dirty little secret. Most security money is spent keeping out external threats, while the IT people have the keys to the kingdom. They have highly privileged accounts that are not even linked to individuals.