Archive for June 2009

3 reasons to ask whether anti-virus controls are worthwhile

June 25, 2009

I argued here a couple of weeks ago that Information Risk organizations may be spending too much on security. Today I want to look at a concrete example of possible over-investment: anti-virus. Here are three items that should make you question strong investment in anti-virus controls.

1) Bill Brenner over at CSO magazine wrote a nice article yesterday. In it he quotes a number of security experts who say that–given other controls–traditional anti-virus may cause as much harm as good.

2) In early 2008 IREC addressed the issue of “streamlining” the controls portfolio–basically this means looking for opportunities to cut costs by cutting out controls. The trick of course is finding ways to cut controls without reducing security too much. In the overview of the topic shown below, we cited anti-virus in the Unix environment as an example of an obsolete control that should be considered for retirement. Since then many of our members have reported to us that they have taken this step in the Unix environment, and a couple are considering it for MS Windows.
[Image: Streamlining]

3) In recently concluded work, IREC studied the relative value of controls as a guide to security investment prioritization. We assessed objective 10.4 of ISO 27001/27002 (“Protection of malicious and mobile code”, which is where anti-virus falls within ISO), along with 30 other objectives, for their power to improve security outcomes. The results were:

  • Overall, this objective was the second weakest of the objectives at driving information protection outcomes.
  • This objective showed severe diminishing returns when organizations increased their maturity past 3.6 on our 1-5 maturity scale.
  • Over 25% of our members have already surpassed this level of maturity (meaning their latest investments have been wasted). Another 15% are pretty much at this level (and thus should not invest any more).
  • Controls like ISO 10.1 (Operational Procedures and responsibilities) not only had more room for improvement (no diminishing returns) but had twice the power to improve security outcomes.

In short, you almost certainly don’t want to invest more in anti-virus, and in some cases you might want to pull back.

Edited July 6, 2009 to add: Here’s a timely article about a downside of AV controls: a bad update can cause massive productivity losses. Do you try to test every signature update (meaning your signatures are even more out-of-date) or run the risk of mass system problems?


User Behavior: The glass is half full

June 16, 2009

User behavior and awareness is an area that always keeps Security professionals up at night because, at some level, they have to trust users to respond with proper behavior. As such, a recent survey released by the Ponemon Institute showing that user behavior has worsened over the past two years is likely to cause consternation in the Security community. Although IREC has found that some behaviors have indeed deteriorated, Security professionals should take some comfort that IREC’s research shows that overall behavior related to security has remained fairly constant in the past two years, and some behaviors have actually improved.

Apple’s iPhone is steadily inching towards enterprise acceptance

June 15, 2009

While large numbers of end users have embraced the iPhone, corporate IT groups, and especially Information Security groups, have been lukewarm at best. And lukewarm is already an improvement on the cold reception the device got from CISOs two years ago when it was introduced.

But over the last two years Apple has worked on winning the hearts and minds not only of end users but also of corporate IT departments. With the rollout of last year’s iPhone (the 3G version) Apple made it easier to support the device centrally, but key capabilities were still missing. With the new iPhone OS version 3 and the newly introduced iPhone 3GS, Apple is addressing some of those shortcomings, adding more security features, from device encryption to remote wipe.

But the new security features will likely not win over all CISOs, despite winning over ever more end users — AT&T is reporting that pre-orders of the new phone are already sold out. And the question is going to be: does Apple actually need to worry about corporate security offices? By meeting basic security standards like password locks, full device encryption, and remote wipe, Apple arms its users with just enough ammunition to make the case for corporate use, allowing Apple to have end users (rather than enterprise readiness) pave the way for iPhone adoption (or at least acceptance) by corporate IT departments – a strategy which seems to work.

What does this mean for corporate information security groups? A potential loss in authority if they try to swim against the tide. But at the same time, there is an opportunity here for CISOs to reach out to end users and explain secure use of the device to them. The good news is that the iPhone is a much more personal device for users than corporate laptops are. This means end users will likely take better care of it, and since the device holds nearly the whole life of a user (from music to contacts to family pictures) the case for information and data security can be made much more easily.

Do we spend too much to protect information?

June 10, 2009

Or: How Should We Interpret Large Data Breaches?

The financial crisis has reminded everyone of the importance of risk management, and of watching out for “black swans.” It is tempting for CISOs to attach to the recent failures of risk management in the financial world as a way to argue that we are not doing enough to reduce information risk. However, a back-of-the-envelope look at current information risk spending versus residual risk suggests that large organizations may already be spending too much.


Is data loss prevention ready for social media?

June 9, 2009

A recent YouTube video involving a pizza company, where employees were shown mishandling the food, made us wonder whether data loss prevention (DLP) tools can be used to prevent incidents in the external social media and collaboration space.

According to data on the emerging social media space from KPMG, usage of social media technologies is on the rise, with over 52% of users using at least one technology such as blogs or Facebook on a daily basis. Couple this with an IREC poll that shows a high rate of DLP adoption or planned adoption in organizations, and it would appear that information risk organizations are well poised to take advantage of DLP to enforce policies and prevent incidents related to brand risk or unintentional data leakage on social media sites.

[Image: DLP Adoption Rates]

However, a look under the hood shows that numerous challenges continue to prevent adoption of DLP in enforcing social media policies:

1) Companies have deployed DLP to monitor and log rather than block. To prevent social media incidents, the DLP would have to be set up to block traffic.
2) In most security organizations social media is not considered one of the major loss channels after email. In our conversations with CISOs, the majority of them have prioritized USB and other types of data-at-rest loss prevention as threats with higher likelihood and loss potential than social media. They have mostly dealt with social media by blocking it completely.
3) The majority of organizations have deployed DLP only on email. The web channel is harder because of the latency introduced by monitoring activities.
4) Companies have found it harder to deploy context-sensitive DLP, as there are more false positives in that approach.
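To make points 1 and 3 concrete, here is a small DLP policy evaluator written for this page as an added illustration; it is not code from IREC or from any DLP product. Rule names, the two channels (“email” and “web”), the mode names and the sample messages are all constructed for the example. It shows that a policy deployed in monitor mode records a sensitive outbound message but still lets it through, and that a rule scoped only to the email channel never even sees a post headed for an external site. A Luhn check on the card-number pattern is included to show one cheap way of trimming the false positives that a bare digit pattern produces.

```python
"""Added illustration of the monitor-vs-block and email-vs-web gaps described
above. Example code written for this page, not any DLP vendor's or IREC's own;
rule names, channels and sample messages are constructed."""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Mode(Enum):
    MONITOR = "monitor"  # log the hit, let the traffic through
    BLOCK = "block"      # log the hit, deny the traffic


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    channels: frozenset                                 # channels the rule is deployed on
    mode: Mode
    validator: Optional[Callable[[str], bool]] = None   # extra check applied to each match


@dataclass
class Decision:
    allowed: bool = True
    matched: List[str] = field(default_factory=list)    # names of rules that hit


def luhn_digits_ok(text: str) -> bool:
    """Luhn checksum over the digits in `text`; rejects most random 16-digit
    strings (order numbers, ticket ids) that a bare digit pattern would flag."""
    digits = [int(c) for c in text if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")        # 16 digits, optional separators
CONFIDENTIAL_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)


def evaluate(message: str, channel: str, rules: List[Rule]) -> Decision:
    """Apply every rule deployed on `channel`. A MONITOR hit is only recorded;
    a BLOCK hit also flips the decision to deny."""
    decision = Decision()
    for rule in rules:
        if channel not in rule.channels:
            continue  # a rule deployed only on email never sees web traffic (point 3)
        for m in rule.pattern.finditer(message):
            if rule.validator and not rule.validator(m.group(0)):
                continue  # pattern matched but failed the extra check: not a hit
            decision.matched.append(rule.name)
            if rule.mode is Mode.BLOCK:
                decision.allowed = False
    return decision


def email_only_monitor() -> List[Rule]:
    """The common deployment the post describes: email channel, monitor mode."""
    return [
        Rule("confidential-marker", CONFIDENTIAL_RE, frozenset({"email"}), Mode.MONITOR),
        Rule("payment-card", CARD_RE, frozenset({"email"}), Mode.MONITOR, luhn_digits_ok),
    ]


def web_blocking() -> List[Rule]:
    """What enforcing a social media policy would take: web channel covered, block mode."""
    return [
        Rule("confidential-marker", CONFIDENTIAL_RE, frozenset({"email", "web"}), Mode.BLOCK),
        Rule("payment-card", CARD_RE, frozenset({"email", "web"}), Mode.BLOCK, luhn_digits_ok),
    ]


# Constructed sample traffic: (channel, outbound message). 4111... is a well-known
# test card number; the order number deliberately fails the Luhn check.
SAMPLES = [
    ("email", "Attached is the confidential Q2 forecast."),
    ("web", "Just posted the confidential roadmap slides to my blog!"),
    ("web", "Card on file: 4111 1111 1111 1111, charge it tomorrow."),
    ("web", "Order #1234 5678 9012 3456 shipped today."),
]


def run_policy(rules: List[Rule]) -> List[Tuple[str, bool, List[str]]]:
    """Return (channel, allowed, matched rule names) for each sample message."""
    out = []
    for channel, message in SAMPLES:
        d = evaluate(message, channel, rules)
        out.append((channel, d.allowed, d.matched))
    return out


if __name__ == "__main__":
    for label, rules in (("email-only / monitor", email_only_monitor()),
                         ("email+web / block", web_blocking())):
        print(f"== {label}")
        for channel, allowed, matched in run_policy(rules):
            print(f"  {channel:5} allowed={allowed!s:5} matched={matched}")
```

Under the email-only monitor policy every sample is allowed, and the three web posts produce no log entry at all; under the web-covering block policy the two confidential posts and the real card number are denied while the Luhn-invalid order number passes. The second policy is also where the latency cost mentioned in point 3 appears, since every outbound web request now waits on the rule evaluation before it can be released.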

[Image: DLP Deployment Approach]

In fact an IREC peer poll of 25 member companies conducted in February 2009 bears this out. Only a small percentage of the installed DLP base can take advantage of DLP for social media policy enforcement.

So what should information risk organizations do? From a prevention perspective, develop a policy, or an addendum to the acceptable use policy (AUP), that explicitly addresses external social media, and educate end users about the potential damage to the organization’s brand from social media incidents. In addition, this is a good time to work with sales and marketing. Research from our Marketing Leadership Council program shows a rise in usage of these technologies by the marketing function. Use this opportunity both to train the function and to partner with them on developing an incident response plan for social media incidents.

Pundits are missing the point on Biometrics

June 3, 2009

We continue to field questions from members about adoption rates of biometrics as part of a multifactor identification scheme.

Most media coverage focuses on the fact that as a practical matter biometrics does not yet work all that well. Here is a sampling of recent items:

False negatives:

False positives:

Ease of stealing the information:

However, there is a greater problem with biometrics–once your biometric data have been compromised, there is no way to fix things. If my password (what I know) is learned or my token (what I have) is lost, those can be revoked and replaced. If someone finds a way to forge my biometric identity for a given biometric authentication implementation, what can I do about that? What I am is a dangerous means of authentication, and we probably shouldn’t even be considering biometrics as a solution, so its practical failings are not the real news.