BreachExchange mailing list archives

InfoSec Spending: Playing Catchup


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 2 Jul 2015 19:19:15 -0600

http://www.databreachtoday.com/blogs/infosec-spending-playing-catchup-p-1885/op-1

The federal government last year spent $13 billion on cybersecurity, and
President Obama proposes spending $14 billion next year. Will the extra
money make a difference? Perhaps. But it feels as if we'll never be fully
secure regardless of how much money we spend.

Homeland Security Assistant Secretary Andy Ozment gives two reasons for the
need for increased spending. First, government agencies must modernize
their IT systems so they can be more easily secured. That's the problem
facing the Office of Personnel Management, with its antiquated, legacy
system that got hacked, exposing the personal information of millions of
federal employees and retirees. "We're catching up on many years of
underinvestment," Ozment told the House Homeland Security Subcommittee on
Cybersecurity, Infrastructure Protection and Security Technologies on June
25.

The second reason: The bad guys will remain a step or two (or perhaps more)
ahead of us in developing new ways to thwart security safeguards. "As we
improve our defenses, they will improve their offense, so we'll have to
continue to invest to maintain pace with an adversary who is also
investing," Ozment said.

But how should that money be spent?

The Defense-in-Depth Strategy

A popular approach pursued by governments and businesses is the
defense-in-depth strategy, which simply means do everything - hopefully
smartly - to secure IT, including adopting basic cyber hygiene (patching,
for instance), securing the perimeter, implementing two-factor
authentication, encrypting data and continuously monitoring for
vulnerabilities.

"While recent government-wide initiatives hold promise for bolstering the
federal cybersecurity posture, it is important to note that no single
technology or set of practices is sufficient to protect against all these
threats," Gregory Wilshusen, Government Accountability Office information
security issues director, told the subcommittee. "A defense-in-depth
strategy is required that includes well-trained personnel, effective and
consistently applied processes and appropriately implemented technologies."

The problem with the defense-in-depth strategy is that virtually no
organization can afford - or has the talent on staff - to do it all. Risk
assessments help to determine where best to spend limited dollars, but
there's no guarantee that IT would be fully protected.

Besides, spending money even on valuable security tools does not ensure
that an organization will implement them properly. "It will require
effective management in addition to resources to accomplish this,"
Wilshusen said.

Creating Secure Enclaves

As government agencies contemplate how to spend their budgets on IT
security, some out-of-the-box approaches should be mulled. One idea is to
re-architect the Internet, or at least the part of the Internet a
government agency can control. "As recent breaches have demonstrated over
the past several years - with the OPM breach as an exclamation point - it
is time to develop secure enclaves to protect key government information,
data and networks," said David Gerstein, a former DHS deputy undersecretary
for science and technology who conducts research for the think tank The
Rand Corp.

As Gerstein pointed out at the hearing, the same Internet that stores
grandma's cookie recipes also links to control systems that run nuclear
power plants. He said the time has arrived for the federal government to
develop a national cybersecurity strategy for segmenting "the Internet such
that you develop secure enclaves that have a greater degree of security."

It's a similar idea to the one former CIA CISO Robert Bigman proffers in a
forthcoming blog we'll post. He proposes that organizations should isolate
access to the Internet through a VLAN VDI (virtual local area network
virtual desktop infrastructure) connection from their internal network
clients to a protected, internal "demilitarized zone" domain.

Curtailing Data Exfiltration Risk

"All Internet connections terminate in the DMZ domain and data can only be
moved into the organization's internal network via a one-way physical
diode," Bigman explains. "This configuration almost completely eliminates
the data exfiltration risk. Furthermore, instead of having to monitor and
secure every endpoint in the organization, this configuration reduces the
risk to securing and monitoring only the DMZ domain."

Creating enclaves or DMZs is a worthy idea to ponder, and might help
mitigate OPM-style breaches. But in reality they're just another component
of the defense-in-depth strategy that will require more cybersecurity
spending.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 