I think it is extremely important for an organization to account for the reality of doing business (a risk-based approach, as opposed to the purist mentality of securing everything) when strategizing an information security plan. It is true that an individual who habitually perceives security issues as purely a technology problem, without understanding the business reality, is likely to make bad security decisions.
However, I think some people in corporate security take this argument too far and end up awarding critical roles to individuals who do not have the appropriate skill-set and mind-set. More often than not, this happens when the organizations responsible for information security misunderstand the argument to mean that you only need to probe for an understanding of business fundamentals and process management when recruiting talent. Depending upon the criticality of the role awarded, this can spell disaster.
It is my opinion that, in order to construct a talented security team, it is most important to select leaders that have a genuine passion for the technology aspects of information security, yet understand business reality enough in order to serve as liaison between technology and business.
I believe that genuine passion for information security derives from passion for technology, which in turn derives from passion for science. One does not need a degree in science to satisfy this requirement, only the tendency to engage in scientific discourse. The following is therefore one of my favorite questions to ask individuals who have progressed in their information security career:
What have you changed your mind about? Why?
John Brockman has posed this question at http://www.edge.org/q2008/q08_index.html. Richard Dawkins does a fantastic job of explaining why this is such an important question:
When a politician changes his mind, he is a ‘flip-flopper.’ Politicians will do almost anything to disown the virtue - as some of us might see it - of flexibility…. Leading Democratic Presidential candidates, whose original decision to vote in favour of invading Iraq had been based on information believed in good faith but now known to be false, still stand by their earlier error for fear of the dread accusation: ‘flip-flopper’. How very different is the world of science. Scientists actually gain kudos through changing their minds. If a scientist cannot come up with an example where he has changed his mind during his career, he feels the need to apologize. He is suspected of betraying the spirit of science. He is hidebound, rigid, inflexible, dogmatic! It is not really all that paradoxical, when you think about it, that prestige in politics and science should push in opposite directions. I’ll take it no further than just to point it out, with a whiff of irony.
Now that I have brought up the importance of this question, it would be fair for you to expect me to answer it. I can come up with a list of things I have changed my mind about, but I’ll stick to one within the scope of information security:
I used to think that weak security controls and insecure software design are the root cause of the rise in incidents involving the compromise of PII (Personally Identifiable Information; think Social Security Numbers, etc.) and other financial details (credit card numbers, bank account numbers, etc.) that ultimately lead to the compromise of people's identities (via stolen or lost laptops, phishing, web-site compromise, etc.). Of course, weak security controls are no excuse: every effort must be made to securely configure systems and to ensure that secure software design efforts are in place. In other words, insecure system and application implementations obviously facilitate the problem, but I no longer believe that they are the root cause.
I believe that the root cause of people's identities being compromised at an alarmingly increasing rate (data leakage) is that financial institutions authenticate transactions based on static identifiers.
To put it another way, think of a scenario where you are given an identifier such as the following: 1R3D1D9JJBKDD2ADCDB09234. You are then told that your identifier is your identity, and it can never be replaced. Having heard this, you do your best to protect its secrecy. However, you are also told that you need to disclose the identifier in order to commit any financial transaction. In other words, you must disclose it every time you apply for a loan, open a bank account, sign a cell phone contract, sign up for cable TV, obtain employment, and so on. After a few years, your identifier is likely to be found persisted on hundreds of databases across the world: your employer, your bank, your cable TV company, and any other organization you have committed a financial transaction with is likely to have a copy of it. The companies you give this information to promise to perform routine security audits to ensure that your identifier is secure.
Here’s another scenario. Let’s assume you live in a world where your email address is also the password used to access your email. You are therefore instructed to only share your email address with people you trust. Your web-based email provider promises to perform routine audits on its applications to give you assurance that they are free of security vulnerabilities.
The examples sound absurd, don’t they? Well, they are good examples of how Social Security Numbers (SSNs) work, and exactly how Credit Card numbers work. You take care not to blurt out your SSN to anyone on the street, yet it is likely to be stored on hundreds of corporate databases. You take care not to expose your Credit Card number, but you must hand it over to people you don’t know at retail stores if you want to use it.
We aren’t going to solve the problem of online PII compromise and identity theft just by writing even more secure code (although it certainly helps), or by continuing to play whack-a-mole with phishers. The system of relying on static identifiers to commit financial transactions needs to be rethought.
Commercial financial institutions such as credit card companies and banks have concluded that the cost of implementing a new system that does not merely rely on static identifiers is higher than the fraud committed, so they decide to accept the fraud. This is the reason why the system has not changed. Unfortunately, financial institutions take only their own cost into account when making this decision, yet the decision also affects the lives of millions of people who have to pay with their identities when such fraud is committed. The cost is also shared by other companies that want to have the capacity to process transactions; the PCI standard is a good example of this situation.
For the next few years, we are going to continue to apply Band-Aids around the problem of data leakage, and continue to play whack-a-mole with the phishers without solving the actual problem at hand. In order to make any significant progress, we must come up with a brand new system that does away with depending on static identifiers. We will know we’ve accomplished this when we will be able to publish our credit reports publicly without compromising our identities.
What have you changed your mind about? Feel free to comment below.
[In the spirit of science, I’d like to conclude with a video clip from the TED conference that delights me every time I watch it]:
All security problems are trust problems. All trust problems are people problems. Therefore, all security problems are people problems.
I'm not saying that I'm perfect in my approaches, but since I'm educated about these issues, let me give my perspective.
1) You can usually pay with money order, cash, or check instead of a credit card or PayPal
2) Virtual Visas (not all of which are good for consumers) can provide protection after their one or two month usage has expired
3) Social security numbers aren't always necessary. Nobody is forcing anyone to put their SSN in a form field online
In the case of #3, the only time I write down my social security number is on a tax identification form. I don't even use my social security card for employment verification, as my passport contains much less detail than even a driver's license. I never give out my SSN over the phone or allow it to be formed as data for any reason. SSNs should only be used for tax/recipient identification and for those in the US military.
While I realize that my tax id forms and taxes are often faxed or mailed and probably placed in a database somewhere, this is almost completely unavoidable. At least the surface area of attack is limited to only this.
Limiting the exposure of other PII may also be possible by simply refusing to provide it. If I were to use a credit card online, I would try to utilize other safety measures. For example, using my full middle name or just its initial, but never using it elsewhere (printed on the card). Using an address on my credit card that I don't use elsewhere, e.g. 101 EAST MADISON STREET instead of 101 E. Madison St. Tying the credit card to a specific phone number that forwards to my other number(s), but is also not used elsewhere. Making sure my credit card has CVC2/CVV2/CID support. And finally, using a Virtual Visa - probably from a well-known provider such as Citi Cards / CitiFinancial / CitiBank.
I don't understand why a formal process for signing up for a credit card doesn't force the above to happen. It's not costly to implement compared to the fraud. A new version of PCI DSS could force merchants, processors, and providers to only accept Virtual Visa with signup practices that include the above.
As for social security numbers - there is a huge marketing incentive for companies to keep using them. The only way to prevent this is by government regulation and enforcement. Somehow, the government was able to regulate and enforce the misuse of SSNs in apartment rental forms. This just needs to be applied universally. In most cases, it is better to send SSNs over E-government portals than by using snail mail or fax. However, these portals should be verified for maximum software assurance practices by multiple, independent third-party security reviews. Continued regulation/enforcement of SSN alternatives such as PTINs and EINs is also very important for non-government entities that are involved in the tax identification process.
Anyone else requiring/using SSNs should just stop; we need strict regulation/enforcement of this by our government. For example, there won't be an id-theft problem with SSNs opening new lines of credit or bank accounts if providers/banks don't use SSNs to open new accounts.
Nitesh,
Excellent article. I totally agree with you and I think we will continue to face this problem not only for the next couple of years but in fact for the next 5-7 years.
As you said:
"We will know we’ve accomplished this when we will be able to publish our credit reports publicly without compromising our identities."
This will only happen if we start solving the problem from its root.
Cheers
Shoaib
Excellent article, and very true.
It takes a certain kind of person to work in security, one who is constantly questioning. I used to be known at my previous job as a bit of a know-it-all, yet whenever someone fixed something in a way I hadn't thought of I asked to be shown how. I don't think a day goes by when I don't change my mind or have it changed for me on something, whether it be IT related or simply personal belief.
IT Security is an ever changing field, and that is part of what attracts me.
Onto your other topic, PII: fortunately in Australia at the moment we don't have an SSN; about the closest thing would be either a Medicare number (public health system) or Tax File Number (TFN). My employer doesn't have my Medicare number, but they have to have my TFN. Really, though, if anyone knew it the worst they could do would be to get a job as me, and pay tax on that job... they would be found out when I do my tax return and then no harm done.
That being said I am not going to post them online, nor would I tell just anyone them.
I think we need to start getting smart cards with little LCDs that spit out a hash of our PII (like SSN and TFN) salted with the time and date, then we put this hash and the time and date on the form (something like RSA tokens). Then no-one ever knows your number, just a single use hash.
If that hash is ever used again it is blocked, problem solved... till someone makes a rainbow table or reverse engineers the algorithm.
Yeah, maybe separate numbers are the winner.
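The post's argument about static identifiers and the smart-card idea in the last comment both come down to the same design change: replace a long-lived secret that has to be disclosed at every transaction with something that is worthless once it has been spent. The Python below is an added example written for this page; it is not code from the post, from Nitesh, or from any of the commenters. Model A is the static-identifier scheme the post describes, where knowing the number is the authorization. Model B gives the account holder a public reference plus a device secret and derives a per-transaction token, bound to a time step, an amount and a merchant, with HMAC-SHA256. A keyed MAC is used instead of a plain hash of the PII itself, which is what takes the rainbow-table worry off the table. The class names, the 30-second step, the merchant names and the timestamp are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time


# Model A: a static identifier, as with SSN- or card-number-based authorization.
# Hypothetical class for illustration only.
class StaticIdentifierBank:
    def __init__(self):
        self.accounts = {}  # identifier -> account holder

    def open_account(self, holder):
        identifier = secrets.token_hex(8)  # issued once, never rotated
        self.accounts[identifier] = holder
        return identifier

    def authorize(self, identifier):
        # Knowing the identifier *is* the authentication, so every merchant,
        # employer or breached database that ever held it can replay it forever.
        return identifier in self.accounts


# Model B: a public account reference plus a per-transaction one-time token.
# Hypothetical class; the 30-second step and HMAC-SHA256 are design choices.
class TokenBank:
    STEP_SECONDS = 30

    def __init__(self):
        self.accounts = {}  # public reference -> (holder, device secret)
        self.redeemed = set()  # (reference, token) pairs already spent

    def open_account(self, holder):
        reference = secrets.token_hex(8)  # safe to print, publish or store anywhere
        secret = secrets.token_bytes(32)  # lives only in the holder's device/card
        self.accounts[reference] = (holder, secret)
        return reference, secret

    @classmethod
    def make_token(cls, secret, amount_cents, merchant, now):
        # The token commits to time step, amount and merchant, so it cannot be
        # re-spent later, for a different sum, or at a different shop.
        step = int(now // cls.STEP_SECONDS)
        message = struct.pack(">QQ", step, amount_cents) + merchant.encode()
        return hmac.new(secret, message, hashlib.sha256).hexdigest()[:16]

    def authorize(self, reference, amount_cents, merchant, token, now=None):
        now = time.time() if now is None else now
        account = self.accounts.get(reference)
        if account is None:
            return False
        if (reference, token) in self.redeemed:
            return False  # replay: the same token is never honoured twice
        _, secret = account
        # Accept the current and the previous step to tolerate small clock skew.
        for offset in (0, -1):
            expected = self.make_token(
                secret, amount_cents, merchant, now + offset * self.STEP_SECONDS
            )
            if hmac.compare_digest(expected, token):
                self.redeemed.add((reference, token))
                return True
        return False


def demo():
    """Run both models on constructed data and return the outcomes."""
    results = {}

    static_bank = StaticIdentifierBank()
    static_id = static_bank.open_account("alice")
    # Years later the identifier leaks from one of the hundreds of databases
    # that stored it. For the static model that is game over.
    results["static_leaked_id_still_works"] = static_bank.authorize(static_id)

    bank = TokenBank()
    reference, secret = bank.open_account("alice")
    t0 = 1_700_000_000.0  # constructed timestamp
    token = TokenBank.make_token(secret, 4999, "cable-tv-co", t0)
    results["token_first_use"] = bank.authorize(reference, 4999, "cable-tv-co", token, now=t0)
    results["token_replayed"] = bank.authorize(reference, 4999, "cable-tv-co", token, now=t0 + 5)
    fresh = TokenBank.make_token(secret, 2500, "cable-tv-co", t0)
    results["token_other_merchant"] = bank.authorize(reference, 2500, "other-shop", fresh, now=t0)
    stale = TokenBank.make_token(secret, 1999, "cable-tv-co", t0)
    results["token_stale"] = bank.authorize(reference, 1999, "cable-tv-co", stale, now=t0 + 3600)
    # Someone who learned the public reference (from a published credit report,
    # say) but not the device secret cannot mint a valid token.
    forged = TokenBank.make_token(secrets.token_bytes(32), 4999, "cable-tv-co", t0)
    results["token_forged_with_wrong_secret"] = bank.authorize(reference, 4999, "cable-tv-co", forged, now=t0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `redeemed` set only needs to hold tokens for the acceptance window (two steps here) before they can be pruned; the example keeps it unbounded for clarity. The post's yardstick holds for Model B: the account reference could be printed on a public credit report, because knowing it lets nobody spend anything.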