The Informatica blog - Authored by Claudiu Popa

Is it time for everyone to start thinking about security in layers?

I'm often surprised at the public's disappointment with the realization that security processes are not directly analogous to the medical notion of immunization. In fact, single-shot protection does exist, and it serves to defuse individual threats with the simple application of patches, firewall filtering or other methods of protecting against individual attacks.
 
What about millions of monkeys creating infinite malware strains?
 
Cakes have layers, Greg

The bigger issue is the direct relationship between protecting against an entire universe of threats and the need for security to be applied at various levels, or layers, to anticipate the manifestation of diverse attacks. Why does it have to work that way? Why can't we just deploy a 'suite' of applications to deal with the whole thing? Flip a switch and you're done: it's the 21st century after all!
 
The answer is simple. Computers, like humans, operate in layers. Beyond general healthy measures and safety best practices, threats to those layers must be addressed individually.
 
Take for instance the security - or lack thereof - of retail environments. The overwhelming notion has been that Target and other large retailers have been negligent in protecting the security of customer payment data. There is no argument that when a breach exposes a million, ten million or a hundred million financial records it is safe to say that someone dropped the ball somewhere. But it is precisely that somewhere that represents the very definition of negligence in the security space.
 
Call it the weakest link and you will realize the extent of challenges faced by security professionals every moment of the day. You can protect against 99% of threats, but if that 1% allows attackers to chain together a series of exploits resulting in unauthorized activity, that's called negligence.
 
Lest I be accused of not adequately illustrating the issue, let's have a look at the basic layers required in the protection of a retail environment's Point-of-Sale activities. Just like a human body's organs, these systems are interrelated and to a large extent, interdependent. Here are the 6 risk areas that need scrutiny and vigilance:
 
  1. Legislative: Comply with Canadian privacy law
  2. Industry standards: Adhere to the PCI-DSS 3.0 standard
  3. Tech standards: Adopt EMV/Chip-and-PIN payment systems
  4. IT security: Employ intrusion detection technologies
  5. Administrative security: Conduct employee background checks
  6. Physical security: Deploy video surveillance & access control
 
By looking at it this way, it becomes painfully obvious that organizations whose security mindset is limited to thinking about the problem as purely an IT issue are entirely unprepared for the kinds of breaches we have been seeing and are likely to see in the future.
 
So when you read about ChewBacca, SpyEye, Zeus, BlackPOS and other emerging threats wreaking havoc on the systems and stock prices of venerable enterprises, ignore the word 'sophisticated'. Regardless of complexity, these are purpose-built tools created to take advantage of known weaknesses on different layers. String together enough of these holes, and you can automate the process of exploiting a company's information assets for personal gain.
 
It's not rocket science, but it clearly illustrates the following: incomplete vigilance is entirely useless and complete vigilance is unrealistic. Systematic vigilance is where it's at. It is only by monitoring a standardized collection of controls at each layer that organizations can not only thwart the majority of attacks before they occur, but also cut off those 'sophisticated' attacks at the knees before they have a chance to do real damage.
 
How can companies achieve that kind of systematic vigilance?
 
That part is fairly simple: by properly implementing a proven framework of controls and having those safeguards independently verified. That kind of perspective is called risk maturity and when it comes to protecting valuable intangibles, it is the only thing that comes close to the concept of immunizing information assets against emerging threats.
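The two ideas above, monitoring a standardized set of controls at every layer and having each safeguard independently verified, can be made concrete as a coverage check. The script below is an added example, not code from the post or its author: it models the six risk areas listed earlier, and treats a layer as covered only when at least one of its controls has been verified by an independent party within a review window. The control names, dates and the one-year window are constructed assumptions for illustration.

```python
"""Layer-by-layer control coverage check (added example, not the post's own code).

For each of the six risk areas the post lists, report whether at least one
control is in place, independently verified, and verified recently enough.
Control names, dates and the 365-day review window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The six risk areas from the post, in the order given.
LAYERS = (
    "Legislative",
    "Industry standards",
    "Tech standards",
    "IT security",
    "Administrative security",
    "Physical security",
)

REVIEW_WINDOW = timedelta(days=365)  # assumed: every control is re-verified at least yearly


@dataclass(frozen=True)
class Control:
    layer: str
    name: str
    independently_verified: bool      # verified by someone other than the control owner
    last_verified: Optional[date]     # None means never verified


def assess_layers(controls, today, window=REVIEW_WINDOW):
    """Return {layer: {"covered": bool, "findings": [str, ...]}} for every layer.

    A layer counts as covered only if at least one of its controls was
    independently verified within the review window. Self-attested, stale or
    never-verified controls are listed as findings instead of counting as coverage.
    """
    report = {layer: {"covered": False, "findings": []} for layer in LAYERS}
    for c in controls:
        if c.layer not in report:
            raise ValueError(f"unknown layer: {c.layer!r}")
        entry = report[c.layer]
        if c.last_verified is None:
            entry["findings"].append(f"{c.name}: never verified")
        elif today - c.last_verified > window:
            entry["findings"].append(f"{c.name}: verification stale ({c.last_verified})")
        elif not c.independently_verified:
            entry["findings"].append(f"{c.name}: self-attested only")
        else:
            entry["covered"] = True
    # A layer with no controls at all is the most basic gap of all.
    for layer, entry in report.items():
        if not entry["covered"] and not entry["findings"]:
            entry["findings"].append("no control defined for this layer")
    return report


def weakest_links(report):
    """Layers with no valid coverage, i.e. the links an attacker could chain through."""
    return [layer for layer, entry in report.items() if not entry["covered"]]


# Constructed sample inventory for a hypothetical retailer, assessed as of 2014-06-01.
AS_OF = date(2014, 6, 1)
SAMPLE_CONTROLS = [
    Control("Legislative", "Privacy law compliance review", True, date(2014, 1, 15)),
    Control("Industry standards", "PCI-DSS 3.0 assessment", True, date(2013, 2, 1)),   # stale
    Control("Tech standards", "EMV terminals at checkout", False, date(2014, 3, 1)),   # self-attested
    Control("IT security", "Intrusion detection on POS network", True, date(2014, 5, 20)),
    Control("Administrative security", "Employee background checks", True, None),      # never verified
    # No physical security control recorded at all.
]

if __name__ == "__main__":
    result = assess_layers(SAMPLE_CONTROLS, AS_OF)
    for layer, entry in result.items():
        status = "covered" if entry["covered"] else "GAP"
        print(f"{layer:25s} {status:8s} {'; '.join(entry['findings'])}")
    print("Weakest links:", ", ".join(weakest_links(result)))
```

Run against the constructed inventory, only two of the six layers come out covered; the other four are reported as gaps for distinct reasons (stale, self-attested, never verified, absent), which is the kind of per-layer view that a purely IT-centric review would not produce.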

