BreachExchange mailing list archives

6 Information Security New Year's Resolutions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Dec 2013 18:03:57 -0700

http://www.networkcomputing.com/security/6-information-security-new-years-resolut/240165051

It’s that time of the year again: When almost every tech writer and
technologist with a blog shares their “end of the year” lists. We get
opinions ranging from the best tech tools to the biggest industry failures
and predictions for the next year. But I thought this might be a good
opportunity to do something more constructive. I’d like to propose my 2014
New Year’s resolutions for information security.

2013 was a rough year for security pros, leaving reputations bloody and
beaten. From the awkward disclosures of Edward Snowden’s purloined NSA
documents to high-profile data breaches such as the compromised
point-of-sale system at Target or user accounts from Adobe, holiday cheer
is in short supply in information security.

As usual, passwords and user data seemed to be the biggest mark for bad
guys, mostly because they’re still so easy to obtain. Seems like we’ve seen
this all before. Why does every year in security feel like we’re watching a
bad remake of a classic TV show, leaving us with that vague feeling of déjà
vu? Maybe it’s because we complain about the same problems without
committing to making changes necessary for improvement. Here are six
resolutions for improving information security in 2014:

1. Ramp Up Encryption

Let’s collectively resolve to encrypt more data, at rest and in transit,
while advocating for more usable and effective methods of managing the
process. Whether the goal is protecting data from the NSA or members of
some criminal underground, there doesn’t seem to be any question that
encryption is one of the best ways to maintain confidentiality of
information. The biggest barrier to the implementation of encryption still
seems to be balancing real privacy with ease of use, especially in email. Even
with the difficulties, encrypting data seems to be a no-brainer, but I’m
still horrified by stories of unencrypted data that’s been compromised. And
if you can’t encrypt it, then remove or tokenize it. Can we pledge to treat
all data as if it were our own?

2. End Check-Box Compliance

As for compliance initiatives, can we collectively admit that we’ve been
tyrannized by the checkbox? It’s time to take back our architectures and
start driving the process to build secure infrastructures. It means taking
the initiative in a proactive process, instead of reacting to an auditor
who doesn’t always understand the subtleties of various technologies. It
also means finally admitting we can no longer afford to cut corners on
critical documentation such as incident response plans, network diagrams or
business and service technical catalogs.

3. Improve Communication

Can we agree that we need to start talking “to” instead of “at” our users?
It’s time to retire our knee-jerk reaction to say “no” or any antiquated
communication styles utilizing aggression and hostility towards our
co-workers. It’s insulting and doesn’t accomplish anything. Let’s cultivate
respectful methods of collaboration, which will encourage our user
community to work with us as partners in security initiatives.

4. Cut The Buzzwords

How about those buzzwords? Can we agree to stop overusing terms such as
"next-gen" and APT until we’ve reached a consensus on what they actually
mean? If you’re just using the term to get some attention, but can’t
demonstrate an evolution of the product, then it’s a fail.

5. Just Say No To Vendor Pseudoscience

As professionals in a discipline which is supposed to be grounded in
science, we need to question surveys or reports that have a sample size of
less than 20, but with results preached by vendor marketing staff like
gospel. If performance results for products are presented without providing
testing parameters for the purpose of reproducibility, then it’s
pseudoscience. Can we all agree to demand a greater rigor from the industry
in the data it puts forth?

6. Forget The FUD

And what of the classic FUD (fear, uncertainty, doubt)? Those frightening
campfire stories of foreign espionage, insider threats, and supply chain
vulnerabilities have provided enough paranoia to feed an existential crisis
well into my next life. Maybe we should start focusing on the known dangers
to our organizations instead of leaving business continuity and disaster
recovery plans languishing in a file drawer. Most organizations will have
to deal with a lost backup tape before a foreign spy trying to exfiltrate
data.

I’m proposing these resolutions as a challenge for us all. These are
recommendations you can use to become more strategic in your practice of
information security, which could result in actual improvements, not just
the reactive drudgery of constant firefighting. Wouldn’t it be great to
look back next year without the same angst over failures and lost
opportunities?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

